Latest in Gear

Image credit:

Instagram removes ad partner that tracked millions of users' locations

Hyp3r also saved Stories and otherwise broke the rules.
Jon Fingas, @jonfingas
August 7, 2019
Share
Tweet
Share

Sponsored Links

SOPA Images via Getty Images

Facebook's privacy woes aren't over in the wake of its FTC fine. The company has pulled the marketing company Hyp3r from Instagram's ad platform after Business Insider learned that the agency had been collecting massive amounts of data in violation of the social network's rules. Hyp3r reportedly exploited a "security lapse" that let it collect the specific locations of "millions" of public posts. It also violated terms of service by saving public Stories and automatically scraping data from public profiles (including bios and followers), according to BI.

The company didn't collect any private information. However, it still resulted in detailed profiles of users that it didn't have permission to generate and could make people uncomfortable, such as targeted ads and surprise comments from location owners. Facebook's rules specifically prohibit relying on "automated means" to collect data without its explicit approval, and it doesn't even offer Stories through its official developer framework.

Moreover, BI alleged that Hyp3r flaunted Facebook's privacy changes in the wake of the Cambridge Analytica scandal. While it publicly welcomed restrictions on location tools and other features, it privately developed a system that could circumvent Facebook's restrictions and scoop up Instagram location info regardless. The firm supposedly went on to reverse-engineer an Instagram framework that had been shut down after the Cambridge Analytica affair.

In a statement, Hyp3r chief Carlos Garcia maintained that its marketing system was "compliant with consumer privacy regulations and social network Terms of Services." He also maintained that the company never viewed private content, although that's not entirely true when the company could view Stories after the usual 24-hour period. Facebook certainly disagrees -- a spokesperson said Hyp3r's behavior was "not sanctioned" and "violate[d] our policies."

Facebook has also taken steps to prevent similar data scraping. On top of a cease-and-desist request to Hyp3r, it's requiring logins for access to location pages and fixing the security lapse (apparently linked to a publicly available JSON package).

While the move is likely to be welcome to privacy advocates, it also illustrates some possible shortcomings in Facebook's policies. The social site had included Hyp3r as part of its list of trusted Marketing Partners. While Instagram regularly reviews those partners to ensure they're honoring the rules, it might not have been paying close attention to Hyp3r's behavior despite the marketer publicly advertising its behavior. Simply put, it might have slipped through the cracks.

All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you buy something through one of these links, we may earn an affiliate commission.
Comment
Comments
Share
Tweet
Share

Popular on Engadget

The best games for Nintendo Switch

The best games for Nintendo Switch

View
Netflix’s ‘Space Force’ spoof starring Steve Carell arrives on May 29th

Netflix’s ‘Space Force’ spoof starring Steve Carell arrives on May 29th

View
See every square foot of asteroid Bennu, Earth's little frenemy

See every square foot of asteroid Bennu, Earth's little frenemy

View
Stadia Pro is free for two months starting today

Stadia Pro is free for two months starting today

View
Rocket Lab proves it can recover a rocket in mid-air

Rocket Lab proves it can recover a rocket in mid-air

View

From around the web

Page 1Page 1ear iconeye iconFill 23text filevr