
Instagram removes ad partner that tracked millions of users' locations

Instagram has pulled the marketing company HYP3R from its ad platform after “a combination of configuration errors and lax oversight” on Instagram’s part allowed HYP3R to scrape massive amounts of data on Instagram, Business Insider reported.

HYP3R didn’t collect any private information. However, the scraping still produced detailed profiles of users that it didn’t have permission to generate, and it could lead to things that make people uncomfortable, such as targeted ads and surprise comments from location owners. Facebook’s rules specifically prohibit relying on “automated means” to collect data without its explicit approval, and it doesn’t even offer Stories through its official developer framework.

Business Insider wrote that HYP3R took “advantage of an Instagram security lapse” that allowed users who were not logged in to view posts from public location pages. Using that access, the company created geofenced locations ranging from stadiums to hotels, harvested “every public post tagged with that location on Instagram,” and stored them indefinitely. It also built a tool to download Instagram Stories, which are supposed to auto-delete after 24 hours, from those locations and similarly store them forever. (In both cases, only users who set their accounts to public would be affected.)

This allowed HYP3R to “build up detailed profiles of huge numbers of people’s movements, their habits, and the businesses they frequent over time,” Business Insider wrote, with sources telling the site that Instagram accounted for over 90 percent of what HYP3R has advertised as a database of “hundreds of millions of the highest value consumers in the world.” But the practice also seemed to be in clear violation of Instagram’s terms of service, which forbid storing content longer than “necessary to provide your app’s service,” as well as a ban on reverse-engineering Instagram’s APIs. Facebook also forbids automated data collection without express written permission. On Tuesday, Instagram sent HYP3R a cease and desist and banned it from its platform.

In a statement, Hyp3r chief Carlos Garcia maintained that its marketing system was “compliant with consumer privacy regulations and social network Terms of Services.” He also maintained that the company never viewed private content, although that’s not entirely true when the company could view Stories after the usual 24-hour period. Facebook certainly disagrees: a spokesperson said Hyp3r’s behavior was “not sanctioned” and “violate[d] our policies.”

Facebook has also taken steps to prevent similar data scraping. On top of a cease-and-desist request to Hyp3r, it’s requiring logins for access to location pages and fixing the security lapse.

While the move is likely to be welcome to privacy advocates, it also illustrates some possible shortcomings in Facebook’s policies. The social site had included Hyp3r as part of its list of trusted Marketing Partners. While Instagram regularly reviews those partners to ensure they’re honoring the rules, it might not have been paying close attention to Hyp3r’s behavior despite the marketer publicly advertising its behavior. Simply put, it might have slipped through the cracks.
