Instagram boots ad partner Hyp3r for mass collection of user data

The startup has allegedly been scraping data for the purposes of user profiling.
Written by Charlie Osborne, Contributing Writer

Instagram has banned advertising partner Hyp3r for reportedly breaking the rules when it comes to the collection of user data. 

Facebook-owned Instagram sent a cease-and-desist letter to the company on Wednesday. The same firm has previously earned the accolade of being tagged as a valuable "Facebook Marketing Partner."

Instagram, used for image sharing and messaging, confirmed findings of mass user data collection following an investigation by Business Insider

Hyp3r secretly harvested and stored "millions of Instagram users' stories," locations, biographies, images, and interests in order to build up detailed profiles, a practice which flies in the face of Instagram's rules. 

The publication says the mass data collection was possible due to a "combination of configuration errors and lax oversight by Instagram."

San Francisco-based Hyp3r was able to collect the data for at least a year. Sources told Business Insider that over 90 percent of the startup's data came from Instagram and at least one million posts were swallowed up by the firm on a monthly basis. 

"HYP3R's actions were not sanctioned and violate our policies," an Instagram spokesperson said. "As a result, we've removed them from our platform. We've also made a product change that should help prevent other companies from scraping public location pages in this way." 

See also: MegaCortex ransomware slams enterprise firms with $5.8 million blackmail demands

Hyp3r describes itself as "a location-based marketing platform that helps businesses unlock geosocial data to acquire and engage high-value customers." In addition, the company says it is able to help clients engage with clients through "timely, relevant campaigns" and is able to reduce customer acquisition costs by up to 60 percent. 

In other words, track user social media activity and their locations, and create tailored adverts for them based on this information.

According to the publication, Hyp3r took advantage of a security "lapse" which permitted tools to zoom in on specific locations and harvest any posts relating to them; stories were saved -- despite being designed to vanish after 24 hours -- and image recognition software was also used to analyze posts.

Those with settings set to "private" were not included in any data collection. 

The startup has denied any wrongdoing, arguing that as information was made public, it was essentially up-for-grabs -- and any issues with Instagram will be quickly resolved. 

CNET: Microsoft workers listen to some Skype calls, report says

"Hyp3r is, and has always been, a company that enables authentic, delightful marketing that is compliant with consumer privacy regulations and social network Terms of Services," Hyp3r CEO Carlos Garcia told sister site CNET. "We do not view any content or information that cannot be accessed publicly by everyone online."

The case brings to mind the Cambridge Analytica scandal, in which the company scraped the details of up to 87 million Facebook users without their consent. Improper sharing practices led to this information being used for voter profiling ahead of the last US presidential election.

TechRepublic: Why do so many wireless routers lack basic security protections?

In related news this week, Twitter disclosed a bug on its advertising platform which resulted in user data being shared with some advertising partners without their consent. 

The issue, now resolved, impacted users of the microblogging platform between May 2018 and August 5, 2019. Data including country code, mobile device type, and ad-related details were exposed. 

Facebook's worst privacy scandals and data disasters

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards