Facebook is known for allowing advertisers to pilfer data from users. It aided in a big way in the overall mistrust of tech and Internet companies.
It won’t be very surprising to many then that the Facebook-owned Instagram was caught doing something very similar. An advertising partner secretly collected and tracked the locations and stories of millions of users.
Instagram User Info Collected and Tracked
HYP3R is actually a marketing partner of both Facebook and Instagram. The latter committed both configuration errors and lax oversight that allowed the advertisers to misappropriate vast amounts of user data to create detailed records of locations, bios, and photos, the same information the social network’s users thought was disappearing after twenty-four hours.
The advertisers put the information together to form profiles of the users, violating Instagram’s rules. The social network didn’t realize this was going on behind their back and referred to the company as one of its preferred “Facebook Marketing Partners.”
After Business Insider alerted Instagram to what was going on, the social network confirmed HYP3R broke the rules and sent their formerly-trusted partner a cease-and-desist letter.
“HYP3R’s actions were not sanctioned and violate our policies. As a result, we’ve removed them from our platform. We’ve also made a product change that should help prevent other companies from scraping public location pages in this way,” said a spokesperson in a statement.
The data this advertiser lifted seems much more personal than the data taken from Facebook users in the Cambridge Analytica scandal. These are complete stories and pictures of events from users’ lives. It’s unknown how HYP3R was using or planning on using the data.
Business Insider learned about HYP3R’s practices by interviewing multiple former employees and also reviewed public documents and marketing materials.
The complete volume of data lifted and kept is unknown, but sources said more than 90% of the company’s data came from Instagram, and the advertiser has claimed to have “a unique dataset of hundreds of millions of the highest value consumers in the world.”
“For [Instagram] to leave these endpoints open and let people get to this in a back channel sort of way, I thought was kind of hypocritical,” said a former HYP3R employee. They believe it wouldn’t take much effort to protect the data, so “why they haven’t done it remains a mystery.”
For its part, HYP3R has denied they broke Instagram’s rules, believing that accessing publicly-accessible data on Instagram is legitimate and justifiable. They are confident the issues will be resolved quickly.
“HYP3R is, and has always been, a company that enables authentic, delightful marketing that is compliant with consumer privacy regulations and social network Terms of Services,” claimed CEO Carlos Garcia in a statement. “We do not view any content or information that cannot be accessed publicly by everyone online.”
Despite this claim, the advertiser took custody of the Instagram data by taking advantage of security lapses, such as collecting data in locations that aren’t as protected, like hotels and gyms. It saved the public Instagram stories from these locations, including the photos. It also pulled in user profiles, collecting bios and followers.
Ironically, giving up data like this was once allowed by Instagram. Or rather, some of the methods HYP3R used were previously allowed. But Facebook learned after the Cambridge Analytica scandal, and they made changes, changes that were reflected in Instagram as well.
They’re still learning, however, as they made more changes after learning of HYP3R’s actions, to prevent public location pages from being available to users who are logged out. They’ve also revoked HYP3R’s access to APIs and removed it from that coveted “Facebook Marketing Partners” list.
Are you worried your Instagram data ended up in the hands of HYP3R? What do you think they were doing with it? Tell us your thoughts in the comments below.