Facebook sends legal warning to developer who made an Instagram location-tracking app to demonstrate data issues (FB)

facebook mark zuckerberg ceo f8

  • Facebook sent a cease-and-desist letter to the developer of an app that lets you track your friends’ locations.
  • The developer of Who’s in Town said he built the app to highlight privacy issues with Instagram’s services.
  • The legal threat comes after Business Insider revealed that the startup Hyp3r was harvesting millions of Instagram users’ data and tracking their locations.
  • Instagram is now cracking down and has also warned its marketing partners against data scraping.
  • Click here for more BI Prime stories.

Facebook has sent a cease-and-desist letter to the creator of a controversial app that lets Instagram users track their friends’ locations, in what appears to be a renewed effort to clamp down on flagrant abuses of its user-data rules. 

The move comes as the Facebook-owned photo-sharing app attempts to secure its platform in the wake of a Business Insider investigation revealing that a buzzy marketing startup, Hyp3r, had been harvesting millions of users’ data, tracking their locations, and saving their stories.

Who’s in Town, built by the developer Erick Barto, is a service that monitors the locations of people you follow on Instagram. It does so by keeping an ongoing record of where your connections tagged their posts and stories. By recording this data over time, the app is able to build a detailed map of people’s movements.

It’s a similar concept to the data scrapping that Hyp3r engaged in — though Hyp3r used the collected data for advertising and marketing purposes, while Who’s in Town is geared toward ordinary people who want to see their contacts’ locations.

The purpose, Barto said, was to highlight the amount of data people are sharing online all the time, how Instagram makes it easily available for collection, and how it can be misused.

“The reason we made Who’s in Town is first and foremost to show people how much data they are sharing and to ask themselves if they are OK with how much and who they are sharing it with,” Barto wrote in an email.

“If [Facebook and other platforms] found a way to provide developers access to use some data without the ability to centralize it (ie using it only on the end user’s device), like Who’s in Town does, it would allow for great products to be built in a safe way. But the first step towards that would have to be shutting down the backdoors used by hundreds of unauthorized [developers] today,” Barto added.

On Thursday, lawyers for Instagram sent Barto a formal cease-and-desist letter, demanding that he immediately close down his app and account for all data that was collected. Barto shared the letter with Business Insider, and you can read it in full below.

“We represent Facebook, Inc., based in Menlo Park, California. It has come to Facebook’s attention that you are scraping and storing Instagram users’ login credentials and location data for monetary gain,” an attorney at the Perkins Coie law firm wrote. “Facebook demands that these activities stop immediately.” Barto has also had his personal Facebook account disabled. 

Who's In Town app store

Who’s in Town first got widespread attention in July after Wired wrote a feature about the app and Barto, and it was subsequently covered elsewhere in the press.

It’s not clear why Instagram, if it believes Who’s in Town is in violation its policies, waited almost a month to send it a cease-and-desist letter.

The timing suggests that it is at least in part a response to Hyp3r’s activities; the letter is dated August 8, a day after Business Insider published its investigation.  

In an email, a Facebook spokesperson said that it blocked Who’s in Town after conducting an investigation that finished last week. “We have shut down the app Who’s in Town after determining that it violated our policies by requesting information from Instagram users — including usernames and passwords. That then allowed it to collect location data on people. Our action follows an internal investigation of the company’s practices that was completed last week,” they said.

Hyp3r was also issued a cease-and-desist notice and subsequently closed its platform. An Instagram spokesperson declined to comment on whether the company has also sent cease-and-desist notices to other developers beyond Hyp3r and Who’s in Town.

Instagram failed to notice Hyp3r’s activities for a year and even added it to its list of Facebook Marketing Partners — an exclusive collection of vetted marketing firms it recommends. The company has since sent an email to other marketing partners, informing them of the action taken against Hyp3r and reminding them of its rules against data scraping.

Here’s the full cease-and-desist letter:

Re: Cease and Desist Abuse of Facebook – Who’s in Town

Dear Mr. Barto:

We represent Facebook, Inc., based in Menlo Park, California. It has come to Facebook’s attention that you are scraping and storing Instagram users’ login credentials and location data for monetary gain. Specifically, your application Who’s in Town requires users to grant access to their accounts by inputting their Instagram usernames and passwords, which your application then collects and stores. The application then collects location data from Instagram user accounts without permission. Your privacy policy also fails to inform Instagram users of what you gather and how you will use this information. These actions violate Instagram’s Terms of Service and Platform Policy.

Facebook demands that these activities stop immediately.

Facebook takes the protection of the user experience very seriously and is committed to keeping its websites a safe place for users to interact and share information. Instagram has developed its Terms of Service and Platform Policy to protect its users and facilitate these goals.

They prohibit, among other things:

  • Permitting unauthorized access, use, or disclosure of data obtained from Instagram;
  • Accessing or collecting data through automated means outside of approved application channels;
  • Using or sharing data on Instagram without users’ consent; and
  • Failing to provide a publicly accessible privacy policy that informs users of what you collect and how the information will be used.

See Instagram Terms of Use, http://instagram.com/about/legal/terms/; and Instagram API Terms of Use, http://instagram.com/about/legal/terms/api/.

In addition to breaching the Terms of Service and Platform Policy, and interfering with Facebook’s business expectations and interests, your activities may violate other federal and state laws. See Computer Fraud and Abuse Act, 18 U.S.C. § 1030 and the California Comprehensive Computer Data Access and Fraud Act, Cal. Penal Code § 502(c).

Your license to access Facebook has been revoked. You, your agents, your employees and/or anyone acting on behalf of Who’s in Town (collectively “You” or “Your”) may not access the Facebook or Instagram websites and applications, employ their APIs, or use any of the services offered by Facebook for any reason whatsoever. Facebook will consider further activity by You on its websites or services as unauthorized access to its protected computer networks.

Please respond to me WITHIN 48 hours confirming that You:

  • Have stopped and will not in the future access the Facebook websites and/or use Facebook’s services for any reason whatsoever;
  • Have stopped and will not in the future collect, offer, transfer, market, offer to sell any data or services related to Facebook and Instagram;
  • Have removed all references to Facebook and Instagram from any and all other websites that you own or have the ability to control;
  • Will, following compliance with all terms of this letter, including the accounting required below, delete all data collected from Facebook and Instagram in any manner;
  • Have preserved and will continue to preserve in the future all other information related to Your scraping of Instagram data;
  • Will account for and disgorge any and all revenue earned from Your unauthorized activities related to Facebook; and
  • Will memorialize in writing your commitment to comply with the demands of this letter.

Along with your response, you must provide the following information:

  • A complete and detailed technical explanation of your activities, including a full list of all applications or APIs that you utilized or developed;
  • A complete accounting of any and all Instagram user data (regardless of how it was gathered) in your possession, and thereafter confirm that it has been deleted;
  • A complete list of any and all third parties to whom you have provided access to Instagram data through your API or in any other manner other than through your publicly available application;
  • A complete list of any and all Facebook and Instagram accounts You have created, developed, maintained, or controlled; and
  • A copy of each and every version of any software code You have developed or used to interact with the Facebook and Instagram websites and/or services.

If you ignore this letter and continue your current improper conduct, Facebook will take whatever measures it believes are necessary to enforce its rights, maintain the quality of its respective websites, and protect users’ information and privacy.

This letter is not intended by Facebook, and should not be construed by you, as a waiver or relinquishment of any of Facebook’s rights or remedies in this matter. Facebook specifically reserves all such rights and remedies, whether at law or in equity, under applicable domestic and foreign laws.


Ariel B. Glickman

Got a tip? Contact this reporter via encrypted messaging app Signal at +1 (650) 636-6268 using a non-work phone, email at rprice@businessinsider.com, Telegram or WeChat at robaeprice, or Twitter DM at @robaeprice. (PR pitches by email only, please.) You can also contact Business Insider securely via SecureDrop.

Read more:

  • Instagram’s lax privacy practices let a trusted partner track millions of users’ physical locations, secretly save their stories, and flout its rules
  • Mark Zuckerberg’s personal security chief accused of sexual harassment and making racist remarks about Priscilla Chan by 2 former staffers
  • Facebook says it ‘unintentionally uploaded’ 1.5 million people’s email contacts without their consent
  • Years of Mark Zuckerberg’s old Facebook posts have vanished. The company says it ‘mistakenly deleted’ them.

Join the conversation about this story »

NOW WATCH: 5 things wrong with Apple’s lightning cable