Instagram ad partner secretly sucked up and tracked millions of users' locations and stories – TechCrunch
Hyp3r, a marketing partner of Facebook and Instagram that appeared to be trusted, has for years secretly collected and stored millions of users' location data and other data in violation of the platforms' policies, Business Insider reported today. It is hard to see how it could have done so for that long without intervention from the platforms, unless they were either ignorant or complicit.
After BI informed Instagram, the company confirmed that Hyp3r (styled HYP3R) had violated its policies and has now been removed from the platform. In a statement to TechCrunch, a Facebook spokesperson confirmed the report, saying:
HYP3R's actions were not sanctioned and violated our policies. As a result, we have removed them from our platform. We have also made a product change that will help prevent other companies from scraping public site pages in this way.
The company started several years ago as a platform that let advertisers target users attending a given event, such as a baseball game or concert. It originally collected its data through Instagram's official API, the same kind of data collection that tech-savvy firms, most notoriously Cambridge Analytica, have practiced for years.
Getting an ad because you are at a ball game is not that scary. But if the company keeps a persistent record, not only of your exact locations but of the objects in your images and the types of places you visit, and combines that with demographic data to build a detailed shadow profile ... well, that is a little scary. And that is how Hyp3r's business model developed.
Then the API was severely restricted in early 2018, curtailing Hyp3r's access to location and user data. There were unconfirmed reports that this led to layoffs at the company around that time, but it appears the company survived (and collected millions shortly after) not by adapting its business model, but by working around the seemingly minimal barriers Instagram had put in place to prevent scraping of location data.
Some of this was done by taking advantage of Instagram's location pages, which served up the public accounts that had posted from a given location to anyone who asked, logged in or not. (This is one of the features Instagram turned off today.)
According to BI's report, Hyp3r built tools to circumvent restrictions on both location-based collection and the storage of users' stories, content that is intended to disappear after 24 hours. If a user posted something from one of the thousands of locations and regions Hyp3r monitored, their data would be scooped up and added to the shadow profile.
To be clear, it only collected information from public stories and accounts. Of course, these people gave up some privacy by choosing a public account, but as the Cambridge Analytica case and others have shown, no one expects, or should expect, their data to be secretly and systematically aggregated into a personal profile by a company they have never heard of.
Facebook and Instagram, however, had definitely heard of Hyp3r. In fact, until today Hyp3r could be found in the official Facebook Marketing Partners directory, a curated list of companies it recommends for the various tasks and services advertisers may need.
And Hyp3r has been fairly open about what it does, though not about how it does it. It was no secret that the company built profiles based on tracking locations and brands; that is probably what Facebook listed it for. Only when this report emerged did Hyp3r have its Facebook Marketing Partner status revoked.
Hyp3r, for its part, claims to be "in accordance with consumer privacy regulations and social network terms of service," and emphasized in a statement that it only had access to public data.
It is unclear how Hyp3r could be a privileged member of Facebook's stable of recommended companies while being in such obvious violation of its policies. If these partners received even cursory reviews of their products and methods, would it not have been obvious to any informed reviewer that there was no legitimate source for the location and other data Hyp3r collected? Would it not have been obvious that it was engaged in automated data collection, which is specifically prohibited without Facebook's permission?
I have asked Facebook for more detailed information on how and when marketing partners are reviewed, and how this seemingly basic violation of the ban on automated data collection could have gone undetected for so long. This story is developing and may be updated further.