Instagram removes ad partner that tracked millions of users' locations

Hyp3r also saved Stories and otherwise broke the rules.

Facebook's privacy woes aren't over in the wake of its FTC fine. The company has pulled the marketing company Hyp3r from Instagram's ad platform after Business Insider learned that the agency had been collecting massive amounts of data in violation of the social network's rules. Hyp3r reportedly exploited a "security lapse" that let it collect the specific locations of "millions" of public posts. It also violated terms of service by saving public Stories and automatically scraping data from public profiles (including bios and followers), according to BI.

The company didn't collect any private information. However, the collection still resulted in detailed profiles of users that it didn't have permission to generate, and it could lead to uses that make people uncomfortable, such as targeted ads and surprise comments from location owners. Facebook's rules specifically prohibit relying on "automated means" to collect data without its explicit approval, and it doesn't even offer Stories through its official developer framework.

Moreover, BI alleged that Hyp3r flouted Facebook's privacy changes in the wake of the Cambridge Analytica scandal. While it publicly welcomed restrictions on location tools and other features, it privately developed a system that could circumvent Facebook's restrictions and scoop up Instagram location info regardless. The firm supposedly went on to reverse-engineer an Instagram framework that had been shut down after the Cambridge Analytica affair.

In a statement, Hyp3r chief Carlos Garcia maintained that its marketing system was "compliant with consumer privacy regulations and social network Terms of Services." He also maintained that the company never viewed private content, although that's not entirely true when the company could view Stories after the usual 24-hour period. Facebook certainly disagrees -- a spokesperson said Hyp3r's behavior was "not sanctioned" and "violate[d] our policies."

Facebook has also taken steps to prevent similar data scraping. On top of a cease-and-desist request to Hyp3r, it's requiring logins for access to location pages and fixing the security lapse (apparently linked to a publicly available JSON package).

While the move is likely to be welcome to privacy advocates, it also illustrates some possible shortcomings in Facebook's policies. The social site had included Hyp3r as part of its list of trusted Marketing Partners. While Instagram regularly reviews those partners to ensure they're honoring the rules, it might not have been paying close attention to Hyp3r's behavior despite the marketer publicly advertising its behavior. Simply put, it might have slipped through the cracks.