Instagram has banned one of the official marketing partners of its owner, Facebook, San Francisco-based HYP3R, after “a combination of configuration errors and lax oversight” on Instagram’s part allowed HYP3R to scrape massive amounts of data on Instagram users, Business Insider reported on Wednesday.
HYP3R, which has raised tens of millions of dollars in funding, relies on tracking social-media posts tagged in real-world locations, then allowing its marketing clients to interact with the users who uploaded them (say, to address complaints about service) or use that data for targeted advertising purposes. But following the fallout of the Cambridge Analytica data-harvesting scandal at Facebook in early 2018, Instagram began disabling some parts of its API—including location tools. According to Business Insider, while HYP3R publicly supported the decision, it also created tools meant to continue scraping that data in ways that took advantage of Instagram’s sloppy implementation of the API rollbacks and sure look like violations of its terms of service.
Business Insider wrote that HYP3R took “advantage of an Instagram security lapse” that allowed users who were not logged in to view posts from public location pages. Using that access, the company created geofenced locations ranging from stadiums to hotels, harvested “every public post tagged with that location on Instagram,” and stored them indefinitely. It also built a tool to download Instagram Stories, which are supposed to auto-delete after 24 hours, from those locations and similarly store them forever. (In both cases, only users who set their accounts to public would be affected.)
This allowed HYP3R to “build up detailed profiles of huge numbers of people’s movements, their habits, and the businesses they frequent over time,” Business Insider wrote, with sources telling the site that Instagram accounted for over 90 percent of what HYP3R has advertised as a database of “hundreds of millions of the highest value consumers in the world.” But the practice also seemed to be in clear violation of Instagram terms of service forbidding storing content longer than “necessary to provide your app’s service,” as well as a ban on reverse-engineering Instagram’s APIs. Facebook also forbids automated data collection without express written permission. On Tuesday, Instagram sent HYP3R a cease and desist and banned it from its platform.
Business Insider noted that HYP3R never hid what it was doing, touting its API as allowing more access to data than through official Instagram tools and listing “support for Instagram Stories” in release notes for the iOS version of its app. But Facebook nonetheless included the company on a list of recommended, and supposedly vetted, marketing partners. Business Insider added it is “not clear” how Instagram failed to detect the mass data scraping, which seems to stretch the bounds of credulity given that HYP3R was openly carrying out the practices while holding recommended marketing partner status.
“HYP3R’s actions were not sanctioned and violate our policies,” a spokesperson for Instagram told CNBC in a statement. “As a result, we’ve removed them from our platform. We’ve also made a product change that should help prevent other companies from scraping public location pages in this way.”
HYP3R denies that it violated any Instagram policies.
“Hyp3r is, and has always been, a company that enables authentic, delightful marketing that is compliant with consumer privacy regulations and social network Terms of Services,” Hyp3r CEO Carlos Garcia told CNET. “We do not view any content or information that cannot be accessed publicly by everyone online.”