Facebook has sent a cease-and-desist letter to the creator of a controversial app that lets Instagram users track their friends’ locations, in what appears to be a renewed effort to clamp down on flagrant abuses of its user-data rules.
The move comes as the Facebook-owned photo-sharing app attempts to secure its platform in the wake of a Business Insider investigation revealing that a buzzy marketing startup, Hyp3r, had been harvesting millions of users’ data, tracking their locations, and saving their stories.
Who’s in Town, built by the developer Erick Barto, is a service that monitors the locations of people you follow on Instagram. It does so by keeping an ongoing record of where your connections tagged their posts and stories. By recording this data over time, the app is able to build a detailed map of people’s movements.
It’s a similar concept to the data scrapping that Hyp3r engaged in — though Hyp3r used the collected data for advertising and marketing purposes, while Who’s in Town is geared toward ordinary people who want to see their contacts’ locations.
The purpose, Barto said, was to highlight the amount of data people are sharing online all the time, how Instagram makes it easily available for collection, and how it can be misused.
“The reason we made Who’s in Town is first and foremost to show people how much data they are sharing and to ask themselves if they are OK with how much and who they are sharing it with,” Barto wrote in an email.
“If [Facebook and other platforms] found a way to provide developers access to use some data without the ability to centralize it (ie using it only on the end user’s device), like Who’s in Town does, it would allow for great products to be built in a safe way. But the first step towards that would have to be shutting down the backdoors used by hundreds of unauthorized [developers] today,” Barto added.
On Thursday, lawyers for Instagram sent Barto a formal cease-and-desist letter, demanding that he immediately close down his app and account for all data that was collected. Barto shared the letter with Business Insider, and you can read it in full below.
“We represent Facebook, Inc., based in Menlo Park, California. It has come to Facebook’s attention that you are scraping and storing Instagram users’ login credentials and location data for monetary gain,” an attorney at the Perkins Coie law firm wrote. “Facebook demands that these activities stop immediately.” Barto has also had his personal Facebook account disabled.
Who’s in Town first got widespread attention in July after Wired wrote a feature about the app and Barto, and it was subsequently covered elsewhere in the press.
It’s not clear why Instagram, if it believes Who’s in Town is in violation its policies, waited almost a month to send it a cease-and-desist letter.
The timing suggests that it is at least in part a response to Hyp3r’s activities; the letter is dated August 8, a day after Business Insider published its investigation.
In an email, a Facebook spokesperson said that it blocked Who’s in Town after conducting an investigation that finished last week. “We have shut down the app Who’s in Town after determining that it violated our policies by requesting information from Instagram users — including usernames and passwords. That then allowed it to collect location data on people. Our action follows an internal investigation of the company’s practices that was completed last week,” they said.
Hyp3r was also issued a cease-and-desist notice and subsequently closed its platform. An Instagram spokesperson declined to comment on whether the company has also sent cease-and-desist notices to other developers beyond Hyp3r and Who’s in Town.
Instagram failed to notice Hyp3r’s activities for a year and even added it to its list of Facebook Marketing Partners — an exclusive collection of vetted marketing firms it recommends. The company has since sent an email to other marketing partners, informing them of the action taken against Hyp3r and reminding them of its rules against data scraping.
Here’s the full cease-and-desist letter:
Re: Cease and Desist Abuse of Facebook – Who’s in Town
Dear Mr. Barto:
Facebook demands that these activities stop immediately.
Facebook takes the protection of the user experience very seriously and is committed to keeping its websites a safe place for users to interact and share information. Instagram has developed its Terms of Service and Platform Policy to protect its users and facilitate these goals.
They prohibit, among other things:
- Permitting unauthorized access, use, or disclosure of data obtained from Instagram;
- Accessing or collecting data through automated means outside of approved application channels;
- Using or sharing data on Instagram without users’ consent; and
In addition to breaching the Terms of Service and Platform Policy, and interfering with Facebook’s business expectations and interests, your activities may violate other federal and state laws. See Computer Fraud and Abuse Act, 18 U.S.C. § 1030 and the California Comprehensive Computer Data Access and Fraud Act, Cal. Penal Code § 502(c).
Your license to access Facebook has been revoked.You, your agents, your employees and/or anyone acting on behalf of Who’s in Town (collectively “You” or “Your”) may not access the Facebook or Instagram websites and applications, employ their APIs, or use any of the services offered by Facebook for any reason whatsoever.Facebook will consider further activity by You on its websites or services as unauthorized access to its protected computer networks.
Please respond to me WITHIN 48 hours confirming that You:
- Have stopped and will not in the future access the Facebook websites and/or use Facebook’s services for any reason whatsoever;
- Have stopped and will not in the future collect, offer, transfer, market, offer to sell any data or services related to Facebook and Instagram;
- Have removed all references to Facebook and Instagram from any and all other websites that you own or have the ability to control;
- Will, following compliance with all terms of this letter, including the accounting required below, delete all data collected from Facebook and Instagram in any manner;
- Have preserved and will continue to preserve in the future all other information related to Your scraping of Instagram data;
- Will account for and disgorge any and all revenue earned from Your unauthorized activities related to Facebook; and
- Will memorialize in writing your commitment to comply with the demands of this letter.
Along with your response, you must provide the following information:
- A complete and detailed technical explanation of your activities, including a full list of all applications or APIs that you utilized or developed;
- A complete accounting of any and all Instagram user data (regardless of how it was gathered) in your possession, and thereafter confirm that it has been deleted;
- A complete list of any and all third parties to whom you have provided access to Instagram data through your API or in any other manner other than through your publicly available application;
- A complete list of any and all Facebook and Instagram accounts You have created, developed, maintained, or controlled; and
- A copy of each and every version of any software code You have developed or used to interact with the Facebook and Instagram websites and/or services.
If you ignore this letter and continue your current improper conduct, Facebook will take whatever measures it believes are necessary to enforce its rights, maintain the quality of its respective websites, and protect users’ information and privacy.
This letter is not intended by Facebook, and should not be construed by you, as a waiver or relinquishment of any of Facebook’s rights or remedies in this matter. Facebook specifically reserves all such rights and remedies, whether at law or in equity, under applicable domestic and foreign laws.
Ariel B. Glickman
Got a tip?Contact this reporter via encrypted messaging app Signal at +1 (650) 636-6268 using a non-work phone, email at firstname.lastname@example.org, Telegram or WeChat at robaeprice, or Twitter DM at @robaeprice. (PR pitches by email only, please.) You can also contact Business Insider securely via SecureDrop.
- Instagram’s lax privacy practices let a trusted partner track millions of users’ physical locations, secretly save their stories, and flout its rules
- Mark Zuckerberg’s personal security chief accused of sexual harassment and making racist remarks about Priscilla Chan by 2 former staffers
- Facebook says it ‘unintentionally uploaded’ 1.5 million people’s email contacts without their consent
- Years of Mark Zuckerberg’s old Facebook posts have vanished. The company says it ‘mistakenly deleted’ them.