When you delete something from Instagram you expect it to be gone for good. But when security researcher Saugat Pokharel requested a copy of photos and direct messages from the photo-sharing app, he was sent data he’d deleted more than a year ago, showing that the information had never been entirely removed from Instagram’s servers.
Pokharel reported the issue in October last year through Instagram’s bug bounty program. The company says it was due to a bug that was addressed last month, and the researcher has been awarded $6,000 for discovering it.
“The researcher reported an issue where someone’s deleted Instagram images and messages would be included in a copy of their information if they used our Download Your Information tool on Instagram,” said an Instagram spokesperson. “We’ve fixed the issue and have seen no evidence of abuse. We thank the researcher for reporting this issue to us.”
In this case, the problem was only exposed because Pokharel had the option to download a copy of his data from Instagram. The Facebook-owned company introduced this download tool in 2018 to comply with the EU’s data privacy GDPR regulations.
GDPR mandates that EU citizens have a “right of access” to their data, allowing them to request a copy of all the information a company stores on them within a reasonable amount of time. As we found with our experiments exercising this right, the information you receive is not always self-explanatory, but in the case of Instagram it’s easy enough to sort through. It’s also the only easy way to find out if companies have been keeping your data long after you asked them to delete it.