Personal data used to create detailed profiles without consent
An advertising partner of Instagram has been caught secretly harvesting vast amounts of user’s personal data by exploiting poor oversight and loopholes, according to Business Insider.
The marketing firm Hyp3r allegedly used information like users’ physical locations, bios, and photos – which are all supposed to be deleted after 24 hours – to construct highly-detailed profiles of potentially millions, Business insider reports.
“The wealth of the data contained in people’s fleeting Instagram activity, from family-vacation snapshots to restaurant appetizer photos, can provide valuable fodder for a variety of outside actors, who can repurpose the information in ways users never expected or agreed to,” reports Business Insider. “The total volume of Instagram data Hyp3r has obtained is not clear, though the firm has publicly said it has ‘a unique dataset of hundreds of millions of the highest value consumers in the world,’ and sources said more than of 90% of its data came from Instagram.”
The San Francisco startup Hyp3r, founded in 2015, reportedly deems itself as “a location-based marketing platform that helps businesses unlock geosocial data to acquire and engage high-value customers.”
Hyp3r reportedly utilized highly sought-after marketing information that Instagram users voluntarily give whenever they use the app with seemingly innocuous actions like posting selfies.
Here’s how Hyp3r made unauthorized use of people’s data, according Business Insider:
1. It took advantage of an Instagram security lapse, allowing it to zero in on specific locations, like hotels and gyms, and vacuum up all the public posts made from the locations.
2. At these locations, it systematically saved users’ public Instagram stories — a type of content designed to vanish after 24 hours —including the individual photos that users shared in the stories, in a clear violation of Instagram’s terms of service.
3. It scraped public user profiles on a broad basis, collecting information like user bios and followers, which it then combined with the other location information and data from other sources.
Upon confirming that Hyp3r broke their rules, Instagram sent Hyp3r a cease-and-desist letter while also demanding a full explanation of the firm’s actions.
“Hyp3r’s actions were not sanctioned and violate our policies,” said an Instagram spokesperson. “As a result, we’ve removed them from our platform.”
“We’ve also made a product change that should help prevent other companies from scraping public location pages in this way.”
Perhaps most concerning is the fact that Hyp3r is most likely not the only entity doing this, they simply got caught, Business Insider’s Rob Price explains.
“…the nature of Hyp3r’s activity raises significant questions about the extent of the due diligence that Instagram and parent company Facebook conduct on partners using their platform, as well as on their own procedures to safeguard user data,” said Price.