Update (Jan. 21): After investigating the issue described here, Instagram says it is confident that no private information was released through its API.
According to the company, the scenario mentioned at the end of this story is indeed what happened: Some users changed their privacy settings multiple times a day, so they were public when they turned up in search results and private when Quartz went to check the status of their account, sometimes minutes later. Instagram says that, separately, a bug in the API indicated that some user accounts were private when they were actually public.
The headline of this story has been updated to reflect Instagram’s investigation. The story below remains as it was originally published.
* * *
Instagram users who make their accounts private may still be exposed to the prying eyes of the public.
Last week, Instagram fixed an issue that made private photos publicly accessible. But Quartz has discovered another privacy hole that appears to leave any private photo posted with a hashtag at risk of becoming public.
Instagram’s API can be used to search for images posted to the social network, but it’s only supposed to give access to images from public accounts or private accounts that the user is permitted to view. However, in downloading more than 100,000 Instagram posts, Quartz was able to find many that were supposed to be private. The private photos that were made public included a selfie of a woman in her underwear and a picture of someone holding marijuana.
“Obviously this is not the intended behavior,” said Alison Schumer, a spokeswoman for Instagram, which was acquired by Facebook in 2012. “We’re going to look into this with our team.”
Update (Jan. 16): After investigating the issue, Instagram said its API was occasionally reporting that a user’s account was private, when it was actually public. It also said that, in some cases, a user may have posted a photo publicly, then made his account private before Quartz checked its status. The company said it didn’t believe any private photos were actually made public against the user’s intent.
It’s not clear why certain private photos turn up in search results, but the problem appears to affect only some photos.
The issue further illustrates the difficulty that online social platforms like Instagram have in providing the unequivocal privacy they promise. Instagram accounts are public to everyone by default, but users are told, “You can make your posts private in the Instagram app so only approved followers can see them.”
Privacy glitches are especially sensitive for Facebook and its subsidiaries. The company is currently being monitored by the US Federal Trade Commission after the FTC sued Facebook for deceptive privacy practices.
Quartz was unable to determine why only some photos from private accounts show up in Instagram search results. The issue is different from but related to a privacy flaw Instagram fixed last week after Quartz pointed it out. That one allowed anyone to view photos from private accounts if they had the correct URL.
Hole in the API
The Instagram API allows developers to interact with the service programmatically. It allows third-party programmers to make applications that incorporate Instagram content or allow users to harness Instagram in more efficient ways. One aspect of the API is the ability to search for photos tagged with a certain hashtag, which is how Quartz first found this flaw while researching images for a different story.
For instance, a search for “#pizza” results in a list of photos posted with that hashtag along with a lot of other information: caption, where the image files are located on Instagram’s servers, filters used on the photo, the number of likes it has, when it was posted, where it was taken, and so on. Essentially anything you can see about an image in Instagram—and more—can be seen through the API.
Out of 20,000 posts recently tagged #pizza, 12 photos from private accounts showed up in the search results and could be viewed by Quartz. A similar search for #coffee returned seven private photos out of 20,000. #pearls exposed 26, and #tbt revealed 15.
It’s possible that some Instagram users posted photos publicly, then made their accounts private, which wouldn’t be a privacy flaw. But no more than a half hour elapsed between Quartz discovering the photos in search results and checking if the user was public or private.
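The audit described above (search a hashtag, then check each owner's privacy setting, and discount any hit where so much time passed that the owner could have switched to private in between) as an added Python example; it is not code from the Quartz story and calls no real Instagram endpoint. The `Hit` record, `audit_hits`, the `lookup_privacy` callback and the sample data are constructed assumptions; the 30-minute window is the one the story cites.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed stand-ins for hashtag search results and a per-account privacy
# lookup; no real Instagram API fields or endpoints are reproduced here.

@dataclass
class Hit:
    post_id: str
    owner: str
    found_at: datetime      # when the post appeared in the search results

@dataclass
class Finding:
    post_id: str
    owner: str
    verdict: str            # "public", "exposed" or "stale_check"
    gap_minutes: float      # time between finding the hit and checking the owner

def audit_hits(hits, lookup_privacy, max_gap=timedelta(minutes=30)):
    """lookup_privacy(owner) -> (is_private, checked_at).
    A hit is 'exposed' only if the owner was private at check time AND the
    check came within max_gap of the hit; a larger gap leaves room for the
    owner to have gone private after posting, so it is 'stale_check', not a leak."""
    findings = []
    for h in hits:
        is_private, checked_at = lookup_privacy(h.owner)
        gap = checked_at - h.found_at
        if not is_private:
            verdict = "public"
        elif gap <= max_gap:
            verdict = "exposed"
        else:
            verdict = "stale_check"
        findings.append(Finding(h.post_id, h.owner, verdict, gap.total_seconds() / 60))
    return findings

def summarize(findings):
    counts = {"public": 0, "exposed": 0, "stale_check": 0}
    for f in findings:
        counts[f.verdict] += 1
    return counts

# Constructed sample run: three hits, three owner lookups at different delays.
T0 = datetime(2015, 1, 14, 12, 0)
SAMPLE_HITS = [Hit("p1", "alice", T0),
               Hit("p2", "bob", T0 + timedelta(minutes=1)),
               Hit("p3", "carol", T0 + timedelta(minutes=2))]
SAMPLE_STATUS = {"alice": (False, T0 + timedelta(minutes=5)),   # public
                 "bob": (True, T0 + timedelta(minutes=10)),     # private, 9 min later
                 "carol": (True, T0 + timedelta(minutes=50))}   # private, 48 min later

def run_sample():
    return summarize(audit_hits(SAMPLE_HITS, SAMPLE_STATUS.__getitem__))
```

Only "exposed" hits are evidence of the API leaking; the other category the story's update mentions (the API reporting an account as private when it is actually public) cannot be told apart from a real leak by this check alone and needs a second lookup of the same account.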
The private images that show up in API results are not viewable through Instagram’s mobile apps or on instagram.com, but can be viewed by following the URL to the image file’s location on Instagram’s servers.