Latest in Gear

Image credit: SOPA Images via Getty Images

Instagram removes ad partner that tracked millions of users' locations

Hyp3r also saved Stories and otherwise broke the rules.
172 Shares
Share
Tweet
Share

Sponsored Links

SOPA Images via Getty Images

Facebook's privacy woes aren't over in the wake of its FTC fine. The company has pulled the marketing company Hyp3r from Instagram's ad platform after Business Insider learned that the agency had been collecting massive amounts of data in violation of the social network's rules. Hyp3r reportedly exploited a "security lapse" that let it collect the specific locations of "millions" of public posts. It also violated terms of service by saving public Stories and automatically scraping data from public profiles (including bios and followers), according to BI.

The company didn't collect any private information. However, it still resulted in detailed profiles of users that it didn't have permission to generate and could make people uncomfortable, such as targeted ads and surprise comments from location owners. Facebook's rules specifically prohibit relying on "automated means" to collect data without its explicit approval, and it doesn't even offer Stories through its official developer framework.

Moreover, BI alleged that Hyp3r flaunted Facebook's privacy changes in the wake of the Cambridge Analytica scandal. While it publicly welcomed restrictions on location tools and other features, it privately developed a system that could circumvent Facebook's restrictions and scoop up Instagram location info regardless. The firm supposedly went on to reverse-engineer an Instagram framework that had been shut down after the Cambridge Analytica affair.

In a statement, Hyp3r chief Carlos Garcia maintained that its marketing system was "compliant with consumer privacy regulations and social network Terms of Services." He also maintained that the company never viewed private content, although that's not entirely true when the company could view Stories after the usual 24-hour period. Facebook certainly disagrees -- a spokesperson said Hyp3r's behavior was "not sanctioned" and "violate[d] our policies."

Facebook has also taken steps to prevent similar data scraping. On top of a cease-and-desist request to Hyp3r, it's requiring logins for access to location pages and fixing the security lapse (apparently linked to a publicly available JSON package).

While the move is likely to be welcome to privacy advocates, it also illustrates some possible shortcomings in Facebook's policies. The social site had included Hyp3r as part of its list of trusted Marketing Partners. While Instagram regularly reviews those partners to ensure they're honoring the rules, it might not have been paying close attention to Hyp3r's behavior despite the marketer publicly advertising its behavior. Simply put, it might have slipped through the cracks.

All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you buy something through one of these links, we may earn an affiliate commission.
Comment
Comments
Share
172 Shares
Share
Tweet
Share

Popular on Engadget

Qantas completes record 19-hour flight to test limits of air travel

Qantas completes record 19-hour flight to test limits of air travel

View
The best trackballs

The best trackballs

View
After Math: Stand and Delivery

After Math: Stand and Delivery

View
Honda's Accord Hybrid is a value-packed sedan

Honda's Accord Hybrid is a value-packed sedan

View
NASA's InSight lander can finally dig a hole for its Mars heat probe

NASA's InSight lander can finally dig a hole for its Mars heat probe

View

From around the web

Page 1Page 1ear iconeye iconFill 23text filevr