Instagram Turns Off Public Location Pages, After Trusted Partner Tracked Millions Of User

Not matter how long Terms of Services and the Policies are, some people can still find their weaknesses.

Combine that with some configuration errors, a San-Francisco-based marketing firm HYP3R managed to get away with millions of Instagram users' detailed records on their whereabouts, personal bios, photos and Stories.

HYP3R got its hands on those data by scraping Instagram, and the web, and stitched all the information together to profile each of the individuals, to then sell them to its clients.

The company managed to do all these because it has been one of “Facebook Marketing Partners.”

According to a spokesperson for Instagram in a statement:

"HYP3R’s actions were not sanctioned and violate our policies. As a result, we’ve removed them from our platform. We’ve also made a product change that should help prevent other companies from scraping public location pages in this way."
Salesforce - HYP3R
In a post on Salesforce’s website in June 2019, HYP3R shared this screenshot of a profile it built of someone based on their traveling patterns

It was Business Insider that first found and confirmed that HYP3R broke Instagram rules.

But on its defense, HYP3R said that its tools only collected public Instagram data, including user posts, profile information and locations they visited. And that, it didn't violate any of Instagram's rules.

"HYP3R is, and has always been, a company that enables authentic, delightful marketing that is compliant with consumer privacy regulations and social network Terms of Services," said HYP3R's CEO Carlos Garcia. "We do not view any content or information that cannot be accessed publicly by everyone online."

In other words, HYP3R only collected public information that is widely available, and searchable on both the web and Instagram.

But the problem here is that, HYP3R was exploiting Instagram's feature that allowed anyone to see information on public Location pages, whether or not they're logged in to Instagram.

Instagram allowed the public to see this kind of information, in part was to showcase contents and its services, and to also ensure that they show up on Google and other search engines. But apparently, this put some sensitive users' information public, in which HYP3R managed to collect.

This incident comes after Facebook's Cambridge Analytica scandal in 2018, in which a political consulting firm accessed the data of 87 million Facebook users without authorization, setting off waves of negative concerns about how tech companies collect, stores and secures user information.

Facebook’s continuous struggle to contain user's personal information is because they extend beyond Facebook's core app.

In this case, Instagram which is owned by Facebook, operates mostly as a separate business. With the platform having more than a billion users, the wealth of data is staggering. Anyone who can get their hands on that data, can repurpose them in ways users never expected or agreed to.

An example of the data available in the JSON packet for a location page. Red is information about the location, orange is direct URLs for people’s posts, yellow is captions on posts, green is unique reference for each post, and blue is the number of likes

As for HYP3R, the company publicly said that it has "a unique dataset of hundreds of millions of the highest value consumers in the world," and sources said that more than of 90% of its data came from Instagram.

The sources also said that HYP3R collected and processed more than 1 million Instagram users in July 2019 alone.

Data scrapping is nothing new. On the web where many information can be found publicly by using dedicated tools and search engines, and Instagram is far from the first online service to have been affected.

But HYP3R's case is further highlights the complexity of safeguarding user information, showing how vulnerable users are when it comes to using social media networks. It also raises questions about how transparent are Instagram and its parent company Facebook to their partners.

“For [Instagram] to leave these endpoints open and let people get to this in a back channel sort of way, I thought was kind of hypocritical," saud one former HYP3R employee. It takes little effort for Instagram to protect the location data accessed by HYP3R, but it took them years to finally implemented that.

In response to HYP3R's actions, Instagram is turning off access to these Location pages to anyone, unless they are logged in to Instagram. It has also completely revoked HYP3R's access to its APIs, and effectively removed it from its list of Facebook Marketing Partners.