A privacy hole was publicly exposing an untold number of photographs Instagram users believed were private, until Instagram fixed it this weekend in apparent response to queries by Quartz.
Tests by Quartz had showed that a photograph posted to Instagram when a user’s account is set to public—the default setting—would remain publicly viewable on the web, even if the user made her account private.
Instagram—the Facebook-owned social network with more than 300 million users—acknowledged the situation in a statement responding to Quartz late last week. It then updated its software to fix the privacy hole. As of this weekend, some images posted on private accounts that were once publicly accessible are no longer viewable.
Even with this hole now patched, any privacy glitches are potentially sensitive for Facebook, which agreed to submit to audits of its privacy practices for two decades when it settled a lawsuit brought by the Federal Trade Commission that charged it with deceptive practices. ”The settlement requires Facebook to take several steps to make sure it lives up to its promises in the future, including by giving consumers clear and prominent notice and obtaining their express consent before sharing their information beyond their privacy settings,” the FTC said at the time.
Quartz was unable to find any instance in Instagram’s support documents where the company makes clear how photos a user believes are private could be publicly available in the way they were until this weekend.
Instagram declined to comment on any implications for Facebook’s FTC settlement from this latest lapse, and the FTC did not return multiple requests for comment.
Regardless, the Instagram loophole is an example of the sort of complexity that ordinary users are required to navigate if they aim to control the online availability of personal information such as photos. And it highlights how internet companies such as Instagram arguably under-communicate to users the nuances of privacy settings as those controls increase in complexity.
How the loophole worked
This privacy lapse revealed itself on the Instagram website instagram.com. A user logged into the website can browse the photographs posted by the users she follows—whether they are public or private. She can then copy the URL (web address) for a posted image from her browser and send a link to it to whomever she choses.
Typically, if the link is to a photograph taken by a user who has set his account to private, a person navigating to the URL will be presented with a webpage stating “Page Not Found.” However if the shared photograph was taken at any point while an account was public—even if that account was made private—until Instagram’s latest patch the image would still have been displayed to anyone with the link. In a sense, these photographs were hiding in plain sight—there was nothing stopping anyone from looking at them, but you needed to know where to look to see them.
A user can also share the URLs of their own posts to other online services such as Twitter and Facebook though the Instagram app. That means if someone has shared an Instagram post taken while her account is public via a Twitter account, that link will continue to show the posted image, even if she subsequently makes her Instagram account private.
Instagram describes this latter functionality in its help documents and the recent update does not change how it works.
To illustrate the loophole before it was fixed, Quartz made a post to Instagram immediately after creating an account—while the account was still public by default. The account was later set to private, yet the image was still viewable to anyone with the URL—as you can see in the screenshot below. Neither the image nor its URL were shared on any other social media sites.
However someone looking to browse photos of the account—@qz_privacy_test—couldn’t have and still can’t do so without being approved.
An image that was posted after the account went private was also not viewable. Here’s what that looked like.
Before the latest update, in a circumstance where a user has changed the privacy on their account multiple times, all of the images were public when the account was, but only images posted while a user was private would be entirely private when that setting was re-enabled.
The only way to have a post that was made while an account was public not viewable to anyone with the link was to delete the post entirely.
Images from private accounts never showed up in public search results during Quartz’s test, regardless of the account’s status when they were posted.
Fixing the problem
“This is not an area where we have received feedback or concerns from the community but will continue to revisit,” a spokesperson for Instagram initially told Quartz in an emailed statement on Jan. 8. “If you choose to share a specific piece of content from your account publicly, that link remains public but the account itself is still private.”
On Jan. 9, after the update was in progress, the spokesperson made another statement to Quartz. “In response to feedback, we made an update so that if people change their profile from public to private, web links that are not shared on other services are only viewable to their followers on Instagram.”
Members of the company’s product and policy teams, in a phone call with Quartz, declined to say who gave the new feedback nor why they decided to make this update now. The two Instagram officials declined to say if Instagram’s developers were aware of the privacy implications contained in the software’s previous configuration.
The missing documentation of Instagram’s complex privacy settings
Still, Instagram’s own support documents fail to fully describe what happens when someone has a link to a private photo. A support page says that if someone with a private profile shares a post to a social network that it will be publicly accessible to anyone with the link. The documentation does not point out that a photo shared from a public profile will be permanently viewable through a link, even if the account is made private later. The support page was last updated on March 18, 2014, according to the page’s source code.
A photo simultaneously posted to a private Instagram account and as a private Facebook post is assigned a link which is viewable by anyone. The same goes for a private Instagram post being simultaneously shared to a protected Twitter account.
Private photos are, in fact, only given publicly accessible links when they are posted to Instagram and shared to another service simultaneously. If a user shares her private Instagram post to another service at a later time the link is not made publicly accessible, even if it is done through the Instagram app. This complexity is not disclosed in Instagram’s support documents.
As of publication, none of Instagram’s support pages on the topic of privacy had been updated since Dec. 22, 2014. Quartz first contacted Instagram about this story on Jan. 8, 2015.
Where the links can come from
At the core of this issue is how users can gain access to the URLs of Instagram posts, since they are not typically revealed from inside the Instagram apps. As noted above, links to Instagram content can be obtained through other social media sites where a user has posted it.
An Instagram user who visits instagram.com can gain access to the URL of any private image in their stream as well as any publicly posted image.
Developers who have used the Instagram API to programmatically collect images or even just the information about them no doubt have incidentally captured the URLs to images for accounts that were since made private. (Quartz’s use of the API for a reporting project is how it became aware of this issue.) That’s one way bad actors could have exploited the loophole that Instagram just closed. In the other case described above involving social sharing of private images, these links can still be used to view private images on instagram.com.
Unaffected by the privacy hole were Instagram’s iOS and Android apps—the primary way its users access the service. Links from images that were viewable in a web browser failed to appear in the apps. When opened, the app on those types of devices give the message “Couldn’t load media” or “This User is Private.”
Instagram’s privacy settings vs. the world
Facebook has significantly more granular privacy settings on its flagship service facebook.com than on Instagram. Facebook users can specify the visibility of nearly every bit of information they put on the site on a user-by-user level. A Facebook user can make a post hidden to some users or groups of users but visible to others.
It allows a user to retroactively change the privacy on any of her information. Facebook even provides tools to do so en masse. Having the URL to a piece of Facebook content does not automatically provide public access to the post.
Yahoo’s photo-sharing service Flickr allows users to specify their privacy on an image-by-image and album-by-album basis. It can create links to private images known as a “Guest Pass link” that can be tracked and revoked.
Twitter, arguably the most similar to Instagram of widely popular social media platforms, has an all-or-nothing approach to privacy that’s similar to Instagram’s. However when a user makes her account private, none of the user’s previous tweets can be viewed unless by an approved follower (or if the tweet had been previously embedded into a webpage.) When a Twitter user turns her account to private from public, all of her previous tweets become private—even via a direct link.