Press Release

Public Knowledge Responds to Hyp3r Scraping Instagram User Data Without Consent

August 8, 2019 , , , ,

Today, reports surfaced that a Facebook third-party marketing partner, Hyp3r, collected public Instagram user data that was intended to disappear after 24 hours over the course of a year. This data includes records of Instagram users’ geolocation, personal bios, followers, metadata, and photos. According to reports, Hyp3r used its data-scraping capabilities following Instagram’s changes enacted to enable more consumer privacy in the wake of the Cambridge-Analytica scandal. Public Knowledge remains concerned about Instagram’s privacy practices and urges Congress to protect consumers by creating comprehensive privacy laws.

The following can be attributed to Dylan Gilbert, Policy Fellow at Public Knowledge:

“Once again, we learn that a third-party company, Hyp3r, harvested sensitive user data, including precise geolocation information, from a Facebook-owned company. Reportedly, this took place without the knowledge or consent of Instagram’s users, who believed that their posts would disappear after 24 hours. Instead, Hyp3r saved the content and then used the information to build and sell extensive profiles of their daily lives. 

“Contrary to the statement from Hyp3r, there is nothing ‘delightful’ about being invasively surveilled by unknown actors so that others may profit off the intimacies of your life without your knowledge or consent. Rules should be put in place that will empower consumers to better control their data. And because other data practices such as this kind of behind-the-scenes data scraping are commonplace, restrictions should be placed on the collection and use of geolocation data. The burden shouldn’t be solely on the shoulders of consumers and users to ensure that their privacy is protected.

“In addition, while this was done in violation of Instagram’s rules, Hyp3r appears to have been free of any meaningful oversight or accountability from Instagram. If true, this is obviously problematic. Unfortunately, it is also unsurprising given that Facebook likely indirectly profited from Hyp3r’s data collection via the Facebook ad manager tool. So long as any company can operate in the U.S. as it does now, free of any strong consumer privacy and security laws to hold it accountable, companies will continue to turn a blind eye to user privacy and security violations. It’s well past time for Congress to enact strong, comprehensive federal privacy legislation.”