Instagram removes ad partner that tracked users' locations

Facebooks privacy woes arent over in the wake of its FTC fine. The company has pulled the marketing company Hyp3r from Instagrams ad platform after Business Insider learned that the agency had been collecting massive amounts of data in violation of the social networks rules. Hyp3r reportedly exploited a "security lapse" that let it collect the specific locations of "millions" of public posts. It also violated terms of service by saving public Stories and automatically scraping data from public profiles (including bios and followers), according to BI.

The company didnt collect any private information. However, it still resulted in detailed profiles of users that it didnt have permission to generate and could make people uncomfortable, such as targeted ads and surprise comments from location owners. Facebooks rules specifically prohibit relying on "automated means" to collect data without its explicit approval, and it doesnt even offer Stories through its official developer framework.

Moreover, BI alleged that Hyp3r flaunted Facebooks privacy changes in the wake of the Cambridge Analytica scandal. While it publicly welcomed restrictions on location tools and other features, it privately developed a system that could circumvent Facebooks restrictions and scoop up Instagram location info regardless. The firm supposedly went on to reverse-engineer an Instagram framework that had been shut down after the Cambridge Analytica affair.

In a statement, Hyp3r chief Carlos Garcia maintained that its marketing system was "compliant with consumer privacy regulations and social network Terms of Services." He also maintained that the company never viewed private content, although thats not entirely true when the company could view Stories after the usual 24-hour period. Facebook certainly disagrees -- a spokesperson said Hyp3rs behavior was "not sanctioned" and "violate[d] our policies."

Facebook has also taken steps to prevent similar data scraping. On top of a cease-and-desist request to Hyp3r, its requiring logins for access to location pages and fixing the security lapse (apparently linked to a publicly available JSON package).

While the move is likely to be welcome to privacy advocates, it also illustrates some possible shortcomings in Facebooks policies. The social site had included Hyp3r as part of its list of trusted Marketing Partners. While Instagram regularly reviews those partners to ensure theyre honoring the rules, it might not have been paying close attention to Hyp3rs behavior despite the marketer publicly advertising its behavior. Simply put, it might have slipped through the cracks.