Facebook is launching a review of all its “Facebook Marketing Partners,” a group of more than 600 marketing and advertising firms bearing the social network’s official seal of approval, amid indications of widespread misuse of Instagram user data and other rule violations by third-party services.
Facebook, which owns photo-sharing app Instagram, initiated the review after Business Insider identified multiple companies that appear to flagrantly violate its rules for developers and companies that work on its platform.
These apparent violations ranged from illicitly harvesting Instagram users’ public data (“data scraping”) without their consent to storing ordinary users’ Instagram passwords, a major security risk.
The review is the latest sign that Instagram is not immune to the data issues that have bedeviled its parent company, Facebook, which has been rocked by two years of constant scandals. Earlier in August, Business Insider discovered a buzzy San Francisco marketing startup, Hyp3r, was scraping millions of Instagram users’ data, tracking their locations, and saving their Stories posts. Instagram had failed to notice Hyp3r’s actions, which took advantage of a security vulnerability in its systems, and it had even blessed Hyp3r as an official Facebook Marketing Partner (FMP).
Business Insider has subsequently identified a number of other companies that seem to run afoul of Instagram’s rules.
The findings raise significant questions about Facebook’s due diligence in policing apps that use Instagram data. While the vast majority of the companies identified by Business Insider were not Facebook Marketing Partners, they all openly advertised services that appeared to flout Instagram’s rules, and a single reporter at Business Insider was able to track them down in the space of about a week.
Instagram’s historic inaction has also created an uneven playing field for companies that rely on it, with firms willing to break its rules benefiting from an unfair advantage over those that choose to comply with Instagram’s policies — even if the firms are putting their employees’ livelihoods at risk in the process.
And in some cases, it can put ordinary Instagram users’ data at risk.
A Facebook spokesperson said that in response to Business Insider’s findings, the company would work to develop better tools for detecting data scraping, is launching a review of all its official marketing partners, and is taking action and sending cease and desist demands to some of the companies identified.
“Scraping violates our policies. We have taken action against several of these companies and are investigating the rest. This is an industry-wide problem,” the spokesperson said in a statement. “At Facebook we’re taking the following steps: developing more proactive data scraping detection methods, and conducting a review of our Facebook Marketing Partners. We know these efforts won’t catch every violation, but they will help.”
Instagram locked down its APIs in 2018 — but it didn’t stop misbehavior
Like many big tech platforms, Instagram has an API, or application programming interface. This allows other companies to build products and services that interact with some of Instagram’s data — APIs are the reason you can see your Facebook friends on Spotify, for example, or save files to Dropbox within Microsoft Office.
But revelations in March 2018 about the political-research firm Cambridge Analytica’s misappropriation of 87 million Facebook users’ data — data which was originally collected via a quiz app built on top of Facebook’s API years prior — prompted a sea change for how Facebook and Instagram treated their APIs, prompting them to lock down API access to user data far more tightly.
Still, multiple companies over the past year have flouted Instagram’s restrictions — collecting Instagram data their services rely upon in unauthorized ways, developing functionality not supported through the official API, and sometimes openly breaking Instagram’s rules.
Business Insider has identified multiple companies whose documentation — either in public-facing marketing material or accompanying free trials of their services — described functionality that has the potential to violate Instagram’s policies.
Some appear to be scraping data from Instagram through unauthorized means. Others are asking users to share their passwords for Instagram, something that breaks the app’s rules and can also put participating users’ security at risk if the company’s security is subsequently compromised (though there is no evidence of this happening for any of the companies named).
While Hyp3r was scraping data to create illicit profiles on millions of Instagram users, not all of the behavior of the companies identified affects ordinary people in the same way. But Instagram’s failure to enforce its own rules has long angered other companies who utilize its platform.
“It is frustrating to see how some vendors repeatedly violate core policies and even boast about this behavior publicly on websites and in marketing materials, while not getting sanctioned at all by Instagram,” said one Facebook Marketing Partner, who asked to remain anonymous to protect their professional relationship with Facebook. “Companies that intentionally violate official platform policies have a big competitive advantage over compliant partners because the risk of sanctions is almost zero, while the reward is huge.”
Facebook Marketing Partners are an exclusive category of companies that have been vetted by and endorsed by Facebook, and are billed as being able to “give you superior insights and data for better marketing decisions.” There are currently more than 600 of them.
Another added: “My experience is that the vast majority of partners follow Facebook’s rules as well as the spirit in which they were written, but by not weeding out smaller rogue developers, Facebook implicitly gives consent to rogue developers to maintain an advantage.”
The companies in question
Of the companies Business Insider identified, Instagram said it was taking action against some, and was still in the process of investigating others.
Sked Social is a tool for scheduling Instagram posts and Stories that says it is used by organizations including the BBC, Fox Networks Group, Ogilvy, and WPP.
Instagram’s official API doesn’t allow users to schedule posts — apart from a closed beta for Facebook Marketing Partners, which does not include Stories posts or multi-image posts. (Some compliant post-scheduling services work by sending a notification to the account owner to manually post a drafted post through the official Instagram app at a designated time.)
The company’s founder Hugh Stephens said in an email that Instagram knew about Sked Social, and that he believes it complies with its rules.
“Sked Social keeps the business client’s login details and password secure in an encrypted format, and operates as the agent of the client, in the same way that an agency does – e.g. when a brand hires an agency the password needs to be disclosed and ‘stored’ in some way,” he wrote. “Instagram is aware of Sked Social, its service offering and that we support many of their largest business advertisers to get value out of the platform for their organic content. Sked Social has actively engaged with Instagram to discuss how and why our customers use our product.”
However, an Instagram spokesperson said that it was already reviewing Sked Social before Business Insider reached out, is “already in process with legal,” and is issuing a cease-and-desist letter to the company.
Storrito is another post-scheduling service that requests users’ passwords and automatically posts on their behalf. Instagram said it had also already been looking into it, and sent a cease and desist legal letter to the organisation in June 2019, before Business Insider’s inquiry.
Cofounder Max Weber declined to comment on legal matters, writing in an email: “The Storrito.com service offers considerable value to Instagram’s platform. Many large and trusted brands and publishers are using Storrito to legitimately post valuable and creatively attractive content to Instagram.
“We can’t comment on specific legal matters. Only that we are not in a contractual relationship with Instagram, we simply provide a useful service for Instagram users. Under German law (Storrito is based out of Germany), this is perfectly legal. Last but not least the whole situation would not exist, if Instagram would finally provide a normal API to do story posts.”
Brand24 is a Poland-headquartered company that offers a subscription tool that allows customers to search for hashtags and keywords across Instagram and other social networks. In tests, its tool surfaced data not available through Instagram’s official API, including ordinary users’ profile pictures, and CEO Michal Sadowski confirmed that it used web crawlers to scrape data.
“We do use the Instagram API while supplementing it with our own web crawlers. It is possible that our crawlers were unable to make the distinction between business / non-business public profiles,” he said in an email. “That being said, we show publicly available data only. For Instagram, we offer hashtag search, but no detailed information about authors … We offer no geolocation data. No Insta Stories. No users bio. No data for private profiles obviously. We do not host Instagram avatars. We are a search engine that allows businesses of all sizes to access their web mentions or track results of hashtag based campaigns. We save time for our users, we don’t give them any data they would be unable to get themselves.”
The company is now making changes to its platform, he said, and it no longer displays usernames or profile pictures.
Stackla, an Australian company, helps customers track down photos on social media so they can license them, and has been an official Facebook Marketing Partner.
In documentation on its website, Stackla repeatedly indicated that it could surface data from Instagram via location (functionality that was removed by Instagram in 2018 after Cambridge Analytica), but deleted this information over the past week or so. Another company it works with also posted and quickly deleted a blog post in August that said Stackla could “find and aggregate [user-generated content] by location tags on Instagram.”
Damien Mahoney, the CEO of Stackla, strongly denied accessing Instagram location data, saying in an email that the information online was wrong or out of date. “The third party content and support documentation you reference is inaccurate and was removed accordingly before your outreach,” he wrote. He said that Stackla stopped offering Instagram location functionality back when Facebook changed the official API in 2018.
However, Instagram said that it believed Stackla has violated its policies, and has now booted the company from the platform and revoked its FMP badge. A Facebook spokesperson declined to say what policies it believes Stackla has violated.
In response, Mahoney said: “Stackla has had no conversation with Facebook or Instagram about any violation of protocol or improper use of data and we refute any such claim.”
Some online services charge money to offer other automated features not available through Instagram’s official app or its API, including automatically sending messages to people, automatically following people, and automatically commenting — effectively turning a paying user’s account into a bot.
None of these firms are Facebook Marketing Partners, but their activities underscore the ease with which Instagram’s rules can be flouted.
The websites AiGrow and Bigbangram both offer these services, and both request users’ Instagram passwords in order to function, in seeming violation of Instagram’s terms of service. Neither responded to requests for comment.
There are also services aimed at non-business users that appear to violate Instagram’s rules. Multiple Android apps available in Google’s Play Store promise to help people keep track of who followed and unfollowed them, and request users’ passwords and login details in order to do so.
Followers Tracker, which has been downloaded more than 500,000 times, is one of these. In an email, it said that it doesn’t store or cache user credentials: “What we are storing is the cookies after login so when the user opens the application again he doesn’t need to login again, only if the login session expires.”
A Facebook spokesperson said this activity still breaks its rules: “We do not encourage this as it is a poor security practice, and is against our policies. We are continuing our investigation.”
Follow Cop is another app that functions similarly and has been downloaded more than 1 million times. It did not respond to a request for comment.
Facebook has automated systems in place that are designed to detect and block prohibited behaviour of this kind, but they seem to have failed to detect these companies’ services. Beyond this, it’s not clear what legal authority Instagram has to demand the behaviour stops if these companies choose not to comply with its rules.
Instagram is cracking down, publicly and privately
A spokesperson for Facebook said that the company is “committed to doing more” to combat scraping and rule-breaking by developers.
“Our review process can take time, but we try to take quick action when we find violations. We are investigating and planning further enforcement on these entities,” they said in an email. “We’ve learned a lot from our App Review process and are committed to doing more. For Facebook Marketing Partners, we are implementing a new review. This will include reviewing marketing materials and business practices.
“Scraping of public data can be hard to detect and is an industry-wide problem. We’re going to continue to develop and evolve solutions to keep up with new methods.” They added that they are “open to working with others” across the tech industry on the issue.
Facebook has also quietly been taking other actions to clamp down in recent weeks. It earlier sent its marketing partners a reminder of its rules on bots and data-scraping, and also sent a cease and desist letter to a developer that built an app to track people’s locations in what he said was an attempt to highlight data issues on Instagram.
And last week, Instagram publicly announced that it would start offering bounties to outside security developers who identified rogue developers misusing Instagram user data.
Do you work at Instagram, or a company that uses its platform? Contact this reporter via encrypted messaging app Signal at +1 (650) 636-6268 using a non-work phone, email at email@example.com, Telegram or WeChat at robaeprice, or Twitter DM at @robaeprice. (PR pitches by email only, please.) You can also contact Business Insider securely via SecureDrop.