It’s 2nd September 2022, and the decision of an inquiry into Instagram’s loose handling of children’s data has finally arrived, two years after it started in 2020.
The European Union’s data regulators, including the Irish Data Protection Commission (DPC), indicted Instagram for going against the EU’s General Data Protection Regulation (GDPR) on children’s online safety.
The fine amount was not disclosed until it reached Instagram in a news leak, and it turned out to be the highest received to date, about $402m.
The media agency TechCrunch reached out to the DPC to confirm the fine amount and found that it was correct.
“We adopted our final decision last Friday and it does contain a fine of €405m [£349m],” said Ireland’s Data Protection Commissioner (DPC).
On the other hand, Instagram’s owner Meta, in response to the conviction, contested the court’s decision, saying:
“This inquiry focused on old settings that we updated over a year ago and we’ve since released many new features to help keep teens safe and their information private”.
What does a data leak mean on Instagram?
A data leak on Instagram exposes the user’s personal information, such as phone number and email address, in two ways.
- Hackers scrape your data from social media
If the user’s private information is embedded within the HTML code of the social media website or mobile application, a hacker can easily set up to steal it by scraping. Scraping is the collection of large amounts of data from an application for reuse.
Surprisingly, in 2019, Instagram had been producing such HTML code in its mobile application for four months, until data scientist David J. Stier exposed it.
There’s a possibility that, had a hacker known of this vulnerability, they would have actively scraped personal information from Instagram and sold it on to marketing companies.
Read Instagram’s scrape story here!
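A defender-side check for the exposure described above, added here as an example (it is not code from Instagram or from the original article): it flags e-mail addresses and phone numbers that sit in a page's HTML source, in script blocks or attributes, but are not part of the text a visitor sees. The sample page, its field names and the two regular expressions are constructed assumptions.

```python
import re
from html.parser import HTMLParser

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\+\d[\d\s().-]{7,}\d")  # assumption: international format only

class SourceSplitter(HTMLParser):
    """Separates the text a visitor sees from text that exists only in the source."""
    def __init__(self):
        super().__init__()
        self.visible, self.hidden = [], []
        self._raw_depth = 0  # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._raw_depth += 1
        # Attribute values (data-*, hidden inputs, hrefs) are never rendered as text.
        self.hidden.extend(value for _, value in attrs if value)

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._raw_depth:
            self._raw_depth -= 1

    def handle_data(self, data):
        (self.hidden if self._raw_depth else self.visible).append(data)

def find_contacts(text):
    """All e-mail addresses and phone numbers found in a string."""
    return set(EMAIL_RE.findall(text)) | set(PHONE_RE.findall(text))

def audit_page(html):
    """Contact details present in the source but absent from the visible text."""
    splitter = SourceSplitter()
    splitter.feed(html)
    splitter.close()
    shown = find_contacts(" ".join(splitter.visible))
    return sorted(find_contacts(" ".join(splitter.hidden)) - shown)

# Constructed sample: a profile page whose embedded JSON carries more than it displays.
SAMPLE_PAGE = """<html><body>
<h1>Sample Shop</h1>
<p>Contact: press@shop.example</p>
<a href="mailto:press@shop.example">Email us</a>
<script type="application/json">
{"username": "sample_shop", "public_email": "press@shop.example",
 "owner_email": "owner.private@mail.example", "owner_phone": "+1 202 555 0147"}
</script>
</body></html>"""

if __name__ == "__main__":
    for leaked in audit_page(SAMPLE_PAGE):
        print("in source but not displayed:", leaked)
```

Run against rendered pages in a release pipeline, a non-empty result means the server is sending contact fields the interface never shows, which is exactly the data a scraper would collect.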
- You encounter lengthy and difficult-to-understand security policies.
The second way a data breach happens is through vague security policies.
Users who are less aware of their privacy rights, or who don’t understand how the cybersecurity system works, such as children, would remain unaware of the policies.
In the case of Instagram, the second data leak scenario was discovered in the same year by the same data scientist when, in response to his earlier email on the data breach, Instagram mentioned that children’s business accounts were already showing personal phone numbers and emails.
In this scenario, when the audience went to ‘contact information’ on a child’s business account, the personal contact details were clearly displayed instead of anonymized data (see attached graphic for demonstration).
While secure apps always apply a ‘data anonymization’ method for business communication, Instagram simply didn’t think of using this privacy method.
One application of anonymized contact is in the Careem car booking app, which offers a safe way of keeping your contact information hidden from drivers through the ‘Call Anonymously’ option.
"This was a major breach that had significant safeguarding implications and the potential to cause real harm to children using Instagram," said Andy Burrows, head of child safety online policy at the National Society for the Prevention of Cruelty to Children (NSPCC).
The cybersecurity landscape has seen massive vulnerabilities at tech giants in the past years, but fortunately cybersecurity heroes (aka white hat hackers) have always come to the rescue.
Learn about one such hero who’s a Pakistani ethical hacker: Rafay Baloch. The cybersecurity expert used penetration testing and found a nasty bug in Chrome back in 2014.