The Expert's View with Jeremy Kirk

Fraud Management & Cybercrime , Governance & Risk Management , Privacy

Despite Instagram Changes, Minors Are Still at Risk

Minors With Business Profiles Can Shield Contact Information, But May Be Unaware
Despite Instagram Changes, Minors Are Still at Risk

In June, I wrote an in-depth story about how millions of Instagram users worldwide under 18 years old were exposing their email addresses, phone numbers or both (see: Instagram Shows Kids' Contact Details in Plain Sight).

See Also: ON-DEMAND WEBINAR: Secure Your Applications: Learn How to Prevent AI-Generated Code Risks

The situation was uncovered by David Stier, a San Francisco area data scientist, while he was investigating a different privacy issue in Instagram.

The kids had converted their personal profiles to "business" profiles, a category Instagram introduced in 2016. The type of account is intended for users to market themselves or a business. But it also required users with business profiles to have, at minimum, an email address, phone number or both available.

On the surface, that made sense. If you run a business, you want to be found. For business profiles, Instagram made available analytics tools that weren't available for personal accounts. But the implications weren't fully thought out.

Those tools proved attractive to minors, who converted their accounts even though they weren't businesses in order to see granular metrics on their posts. In another worrying privacy angle, all photographs are public as a requirement of a business profile.

Although Instagram doesn't display a user's age, many minors self-identified, and it was clear from their photos they were underage. Child safety experts I spoke to, including those within the Australian government, said the situation was concerning - given the potential for online grooming.

Stier reported it to Instagram, but nothing happened. Instagram told me at the time that it was concerned about child safety but didn't directly address the specifics.

The child safety implications were startling: Finding minors was easy. Because all photographs were public, some minors had photos from family vacations or easily discernable information, such as where they go to school.

Once a minor profile with a business account is found, it is possible to click a button within Instagram's mobile app and either email or send a text message to a child, depending on what they've disclosed publicly.

The capability was so simple and astounding I thought at first I'd overlooked some security control or was just interpreting the situation wrong. Could I really just start texting a random, 14-year-old girl? There was no mistake. It seemed very wrong.

"There are people out there who want to do harm to kids," Stier told me on Sunday. "We need to be vigilant about making sure they do not have the opportunity, or that we limit any possible opportunity, for them to do so.

An example of a self-identifying 14-year-old in Australia and the availability of the child's phone number.

Privacy Setting Change

After reporting the issue to Instagram, Stier later raised the issue with Ireland's Data Protection Commission, which has jurisdiction over Instagram's owner, Facebook. The DPC has the power to enforce the European Union's General Data Protection Regulation. The DPC has been assessing the situation since July, and its work is continuing (see: Ireland Assessing Minors' Profiles on Instagram).

Stier believes there's a case to be made for a GDPR violation. At one point, Instagram exposed contact details for its users within the HTML on the desktop version of its app. After Stier raised concern with Instagram earlier this year over the potential that the contact details could be scraped, the company removed it from the HTML.

That also meant the minors' details would have been available that way, which would have been easier to scrape en masse, although that would violate Instagram's terms and conditions. In May, Instagram banned an Indian social media marketing company, Chtrbox, for doing exactly that. A security researcher discovered that Chtrbox left a database open on the internet that contained 350,000 records, many of which were collected from Instagram profile that made that information public (see: Database May Have Exposed Instagram Data for 49 Million).

In the months since I wrote the story, not much has happened. Bloomberg wrote a story in late July. But there's now been a change on Instagram's end.

On Friday, NBC News' technology investigation unit published a thorough piece. Ahead of the story, however, Instagram quietly changed a privacy setting for business profiles.

It's not uncommon for organizations to pre-empt a potentially negative story, although it's pure speculation on my part to suggest that is what may have happened here.

The Wayback Machine shows that between Oct. 18 and 20, Instagram added an option to hide contact information for business profiles. Instagram couldn't be immediately reached about why it made the change.

Social Media Responsibility

Instagram's carelessness with business profiles and minors goes to the heart of the debate over the responsibilities of social media companies.

Did Instagram not notice that millions of kids were exposing their contact details? How did this pass muster with internal child safety checks? How could a company with 15 years experience in social media not see this as immediately problematic? Why didn't Instagram immediately make changes after it was notified by Stier?

No answer from Instagram would satisfactorily answer any of those questions. The problem should have been either anticipated or quickly spotted after business profiles launched three years ago. But even Instagram's latest change is far from a fix.

Instagram changed the privacy setting, but that doesn't mean kids with their contact information exposed know about it, writes Cyrus Farivar, the author of the NBC piece, on Twitter. The devil is in the user interface: Unless kids go digging through their settings, they're unlikely to make changes that would protect them from unwanted contact unless Instagram lets them know of the setting.

In the meantime, millions of kids will still have their details exposed. And that's unacceptable.



About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.