Latest in Gear

Image credit: SOPA Images via Getty Images

Instagram removes ad partner that tracked millions of users' locations

Hyp3r also saved Stories and otherwise broke the rules.
162 Shares
Share
Tweet
Share
Save

Sponsored Links

SOPA Images via Getty Images

Facebook's privacy woes aren't over in the wake of its FTC fine. The company has pulled the marketing company Hyp3r from Instagram's ad platform after Business Insider learned that the agency had been collecting massive amounts of data in violation of the social network's rules. Hyp3r reportedly exploited a "security lapse" that let it collect the specific locations of "millions" of public posts. It also violated terms of service by saving public Stories and automatically scraping data from public profiles (including bios and followers), according to BI.

The company didn't collect any private information. However, it still resulted in detailed profiles of users that it didn't have permission to generate and could make people uncomfortable, such as targeted ads and surprise comments from location owners. Facebook's rules specifically prohibit relying on "automated means" to collect data without its explicit approval, and it doesn't even offer Stories through its official developer framework.

Moreover, BI alleged that Hyp3r flaunted Facebook's privacy changes in the wake of the Cambridge Analytica scandal. While it publicly welcomed restrictions on location tools and other features, it privately developed a system that could circumvent Facebook's restrictions and scoop up Instagram location info regardless. The firm supposedly went on to reverse-engineer an Instagram framework that had been shut down after the Cambridge Analytica affair.

In a statement, Hyp3r chief Carlos Garcia maintained that its marketing system was "compliant with consumer privacy regulations and social network Terms of Services." He also maintained that the company never viewed private content, although that's not entirely true when the company could view Stories after the usual 24-hour period. Facebook certainly disagrees -- a spokesperson said Hyp3r's behavior was "not sanctioned" and "violate[d] our policies."

Facebook has also taken steps to prevent similar data scraping. On top of a cease-and-desist request to Hyp3r, it's requiring logins for access to location pages and fixing the security lapse (apparently linked to a publicly available JSON package).

While the move is likely to be welcome to privacy advocates, it also illustrates some possible shortcomings in Facebook's policies. The social site had included Hyp3r as part of its list of trusted Marketing Partners. While Instagram regularly reviews those partners to ensure they're honoring the rules, it might not have been paying close attention to Hyp3r's behavior despite the marketer publicly advertising its behavior. Simply put, it might have slipped through the cracks.

All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you buy something through one of these links, we may earn an affiliate commission.
Comment
Comments
Share
162 Shares
Share
Tweet
Share
Save

Popular on Engadget

Engadget's 2019 Back-to-School Guide

Engadget's 2019 Back-to-School Guide

View
Hyundai teases all-electric concept '45' for Frankfurt

Hyundai teases all-electric concept '45' for Frankfurt

View
iPhone Pro, new iPad and 16-inch MacBook Pro details emerge

iPhone Pro, new iPad and 16-inch MacBook Pro details emerge

View
Russia tests new Soyuz rocket by sending a humanoid robot to the ISS

Russia tests new Soyuz rocket by sending a humanoid robot to the ISS

View
Android Q is now simply Android 10

Android Q is now simply Android 10

View

From around the web

Page 1Page 1ear iconeye iconFill 23text filevr