Instagram has taken action against one of its own “preferred marketing partners,” after the devastating abuse of the privacy and security of millions of its users was exposed. The U.S. marketing start-up HYP3R has been accused by the photo-sharing platform of scraping and storing millions of users’ locations, posts and stories, without any of them giving permission or even being aware. HYP3R was reportedly storing a million Instagram posts every month, and the company’s own marketing boasted of having access to “hundreds of millions” of user profiles.
If there was ever a case of hiding in plain sight, this is it. The biggest surprise here is that it has taken this long to expose the data abuse and prompt action to be taken.
Instagram pulled the plug on HYP3R’s activities on Wednesday, sending a cease-and-desist letter and exiting the company from the platform. A Facebook spokesperson said that “HYP3R’s actions were not sanctioned and violate our policies—we’ve removed them and made a product change that should help prevent other companies from scraping public location pages in this way.”
Business Insider broke the news, reporting on Wednesday that “Instagram’s lax privacy practices” have enabled “a trusted partner track millions of users’ physical locations, secretly save their stories, and flout its rules.” While there are clear shades of Cambridge Analytica, the stakes are not so extreme. No elections were skewed, no national-state interference enabled. But if you’re one of the millions impacted by the nefarious stealing ands storing of data, that is likely cold comfort today.
HYP3R describes itself as “a location-based marketing platform that helps businesses unlock geosocial data to acquire and engage high-value customers.” The San Francisco company has raised tens of millions of dollars to develop that platform, one that “helps” marketing companies intelligently engage with Instagram users. Business Insider reports that those users profiles were “scraped and stitched together,” in a violation of rules but—until now—all “under Instagram’s nose—by a firm blessed as a preferred ‘Facebook Marketing Partner’.”
Because HYP3R’s marketing materials make it quite clear what the company has been able to offer—the debate will now begin as to what Instagram (and parent Facebook) knew and for how long. It is yet another example, critics will argue, of the lack of trust that rightly now exists in the ability of social media giants to safeguard user data and privacy with the financial returns of not doing so being so compelling.
HYP3R was able to operate “in this way,” because loose security enabled the company to ingest “in excess of 1 million Instagram posts a month,” with the company claiming in its own marketing to have a “a unique dataset of hundreds of millions of the highest value consumers in the world.” According to Business Insider, HYP3R was then able “to build up detailed profiles of huge numbers of people’s movements, their habits, and the businesses they frequent over time.”
Here are the real parallels with Cambridge Analytica. A Facebook business partner openly touting the services it can provide with Facebook user data, with the implication that somewhere within the platform must have been some level of awareness and, therefore, people turning a blind eye.
The locating of users, the storing of stories indefinitely and the mass scraping of public data are the three allegations being made by Instagram against HYP3R. Taking advantage of the security gap, the marketing company was able to scrape all public posts within specific geofenced locations and store them own its platform. Not only did this violate the privacy of the users concerns, but those posts and stories were then stored “indefinitely,” and not deleted after 24-hours as users would normally expect.
The immediate red flag for Facebook will be the sheer volume of data involved, as well as the longevity of the operation, with the Cambridge Analytica scandal still fresh in the mind. “It takes very little effort for Instagram to protect the location data accessed by HYP3R,” a former employee told Business Insider. “Why they haven’t done it remains a mystery.”
In response, HYP3R denied breaking Instagram’s rules. The company “enables authentic, delightful marketing that is compliant with consumer privacy regulations and social network Terms of Services, HYP3R CEO Carlos Garcia explained to CNET. “We do not view any content or information that cannot be accessed publicly by everyone online.”
It is encouraging that Facebook/Instagram have acted. Whether or not the companies would have done so without the huge public and political backlash against data abuse is up for debate. But for the millions of users taking to these social media platforms every day, the news is mixed. The platforms are now acting, but more and more examples of serious privacy and data abuses are now coming to light.