Facebook-owned Instagram has banned one of its advertising partners HYP3R after a security lapse and configuration error on its behalf allowed the marketing company to scrape data of millions of users, without explicit consent.
Founded in 2015, HYP3R describes itself as a location-based marketing platform that uses geosocial data to acquire customers for businesses and engage them with deals and offers. The company relies on social media posts tagged with real-world locations to place relevant ads into the Instagram feed.
Following the data harvesting scandal of Cambridge Analytica on Facebook which was unearthed in 2017, Instagram took action by disabling some parts of its API, that also included geo-location features. Even though HYP3R publicly supported the decision, it also seemingly created tools to scrape data without the knowledge or consent of users, taking advantage of the loopholes in Instagram’s APIs.
According to a Business Insider report, HYP3R used Instagram data by zeroing down on specific user locations such as gyms or hotels. Second, it collected geo-tagged stories, which are meant to disappear after 24 hours.
Third, the marketing firm also scrapped user data on a broad basis and collected information such as bios and followers. This was combined with all the other data collected through other sources and geotagged photos. It also used image recognition software to analyse what users are depicting in the photos, however, the company did not collect any non-public data from users who have private profiles.
Despite the fact that Instagram’s policies were created and changed to avoid wanton user data collection, HYP3R managed to get detailed information about users, the liked photos and their movements, which definitely gave it an edge over other hybrid marketing companies. It raised $17.3 Mn funding in September 2018 from Silicon Valley Bank and Thayer Ventures.