Public Knowledge Blasts Latest Privacy Meltdown, This One at Instagram Affiliate Hyp3r

WASHINGTON, August 8, 2019 – News of another data breach at Facebook marketing partner Hyp3r on Thursday prompted more demands for federal privacy legislation.

According to the non-profit group Public Knowledge, Hyp3r collected public records of Instagram users’ geolocation, personal bios, followers, metadata and photos – all without users’ consent.

“It’s well past time for Congress to enact strong, comprehensive federal privacy legislation,” said Dylan Gilbert, policy fellow at Public Knowledge.

As long as companies operate free of strong consumer privacy and security laws, he said, companies will continue to turn a blind eye to user privacy and security violations.

Instagram, which is owned by Facebook, said it has terminated its partnership with Hyp3r. Hyp3r had been using data harvesting tools to download users’ Instagram stories that are supposed to auto-delete after 24 hours.

Hyp3r also reportedly took advantage of a security lapse in the Instagram app to harvest posts tagged with geofenced locations. In both cases, only public accounts were compromised.

In the wake of Facebook’s Cambridge Analytica scandal, Instagram had begun disabling parts of its API, including location tools. However, Instagram’s faulty implementation of API rollbacks prompted Hyp3r to create tools that take advantage of these discrepancies, according to a report in  Gizmodo.

Hyp3r saved the content and then used the information to build and sell extensive profiles of users’ daily lives, said Gilbert. While this was done in violation of Instagram’s rules, Hyp3r appears to have been free of any meaningful oversight from Instagram or Facebook.

Rules should be put in place that will empower consumers to better control their data, said Gilbert. The situation is also unsurprising, given that Facebook likely indirectly profited from Hyp3r’s data collection via the Facebook ad manager tool.

(Photo from Hyp3r's Twitter stream.)