See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/331743066

Privacy Impact Assessment: Instagram

Article · January 2018

CITATIONS READS

0 8,053

1 author:

Sai Lakshmi Harichandana Nandyala

KU Leuven
2 PUBLICATIONS 0 CITATIONS

SEE PROFILE

All content following this page was uploaded by Sai Lakshmi Harichandana Nandyala on 14 March 2019.

The user has requested enhancement of the downloaded file.

 Privacy Impact Assessment: Instagram
Sai Lakshmi Harichandana Nandyala – r0727968
4 January 2018

1 Introduction
Instagram is a social media platform that mainly focused on sharing photos with the
use of filters in the past, but over recent years it has grown to provide various
services. The mobile application gained huge momentum in terms of users; by 2018 it
gained over 800 million monthly active users [1]. It was initially released in 2010 for
sharing phots and videos and was later purchased by Facebook [2]. Eventually the
latest version has multiple features to add filters, send messages, add stories, provide
user insights for a business profile. Approximately 888 Instagram photos are
uploaded in one second[3],which leads to collection of enormous amounts of
personal information of the users.
The aim is to make user experience better and use the same for advertising products
of a company which pay Instagram for their promotion. This is a business model in
which users are the products of the company. Despite the measures taken by the
company for user privacy protection, lot of risks still prevail that need to be avoided.
We will go through the application description, data collection and other factors to
perform a privacy impact assessment and come up with strategies to decrease the
privacy issues.

2 Application description : Instagram

2.1 Functionality

Every new user has to sign up using an email id or Facebook account to become a
member of the instagram community as both the accounts are interlinked. You can
sign into Instagram using your phone number, email id or Facebook credentials and
even have multiple accounts under same user .The users can view their profiles
through a web browser but can only use the functionalities using a smartphone.

1
A profile can be made public or private based on user choice. Another kind of
commercial accounts are the business profiles where one can promote a brand or
personal blog. Upon creation, the users share their pictures and videos for the
followers to like, comment and share the content. Users can follow the people they
are interested in and tag their friends in pictures. The stories feature taken from
Snapchat enables the user to post photos and videos that last until 24 hours. Instagram
now has enabled its users to shop the products they like by introducing a feature in
which users click on the product links embedded in the photos [4].

The archive feature helps in hiding posts which only the user can see, which is a
step towards enhancing privacy of posts. The insights feature is based on data
analytics where a business profile is provided with details like the reach of a post,
impressions and profile visits[5]. For promotion of accounts, users must have a
Facebook page and upon payment, their post’s reach is boosted and it appears as an
ad on audience feed[6]. The “explore” feed shows photos and videos of all the public
accounts the user has previously showed interest in and it’s created using the user
activity of the accounts followed by the user.[7]

Figure 1: Interface of an Instagram profile

2
2.2 Stakeholders
Firstly the main stakeholders are its active end-users of age 13 and above all over
the world. Second section of stakeholders are corporate companies which invest
in advertising their brands and even the shareholders of Facebook as it owns this
application[8]. Due to Instagram’s huge user base, all the top companies in the
world are trying to reach out and market themselves on Instagram to keep their
customers updated about their latest developments. Various news channels, public
figures, food and fashion industry constantly use it to gain popularity by
increasing their followers with quality content. Various non-profit organisations
collaborate and try to create awareness on various issues for social causes on their
profiles.

2.3 Data Collected

Data collected on instagram is an amalgamation from different sources. The
fundamental information is the user information during the profile creation that
includes phone number, email id or Facebook credentials. Each user has to
choose an instagram handle which needs to be unique. Apart from this, data is
constantly being collected from the user activities. The machine learning
techniques collect various features like the type of posts a user frequently
comments, likes or tags other users. Based on this, the algorithm predicts and
maps certain posts which are similar to the ones previously liked by the user onto
the “explore” feed section[9]. This is an attempt to engage the user to posts which
he or she might most likely be interested in. Every tiny social media footprint left
by a user is constantly being monitored. Since user’s Facebook account is linked,
information from both applications is shared internally such as contacts, friend
lists, kind of posts liked, shared, saved and commented on. Facebook uses all this
information to predict user personality and personal interests[10].

3
 Further this data is usually shared by Instagram to third party companies which use
data analytics to figure out what kind of advertisements can be shown on the user’s
feed. The location tags used help the algorithm to learn about future locations the
user might like to visit, or calculate the popularity of a restaurant by the number of
posts with the location tag . This also gives information to different travel companies.
Business profiles can obtain a daily feedback on how well their posts are doing by
gaining insights on number of likes per post, age range and gender; the user details
are continuously being extracted for this feature[11].

Figure 2: User details collected for profile creation

2.4 Implementation
Instagram had a paradigm shift from a reverse chronological display of posts to its
latest algorithm which is more intelligent and personalised[12]. The algorithm works
using machine learning techniques that extract feature functions from the user’s
activity. The learning models further process the features based on hashtags, likes,
comments and geo-tags and cookies stored by browsing data. The models use
4
artificial intelligence to create a unique feed for every user which helps Instagram
know its customers better.
The users are shown advertisements of the companies that pay Instagram to promote
their products, based on interest prediction done by the machine learning models.
This constitutes to the social media marketing strategies implemented by companies
that use Instagram. The daily activity of a user is recorded for personalising the feed.
Instagram is also used as a search engine by users. The user search for the
information they want using hashtags and geo-tags for example, by searching for a
place, Instagram shows all the pictures and videos related to that location. The latest
features incorporated features enable the application to broaden its horizons in terms
of user engagement.

Figure 3: Architecture of Instagram

3 Privacy Impact Assessment

Instagram being a social media platform has huge number of active users sharing
information constantly. The personal information is most often at risk and hence
some of the issues faced or potential harm to user’s privacy has to be discussed.

5
3.1 Technical privacy risks
3.1.1 Location Tracking through GPS
The Data Policy of Instagram states that,“We use location-related information-such
as your current location, where you live, the places you like to go, and the businesses
and people you're near-to provide, personalise and improve our Products, including
ads, for you and others”[Section 2]. By this we can infer that Instagram is constantly
tracking your location and storing every move of yours. Although the user grants the
permission to the application to track location, there is a threat for life if an external
factor like a hacker, attacks the system and gains access to this private information.
Instagram is using various protection methods to avoid hackers but what is bothering
is the credibility of the third parties. How can one trust the third party with this
information is a major concern.The users can choose to opt out of sharing location,
but this restricts the user from experiencing certain features of the application.

3.1.2 Screenshots and Screen Recording

Anyone can screenshot a picture or record the videos shared by other users on
Instagram. When the “Stories” feature was introduced on Instagram, the users were
alerted if their pictures were being screenshot. But soon this was disabled in the
future versions of the application[13]. The risks that follow this can be, anyone can
store your pictures or repost them without your knowledge. This is further connected
to the problem of copyrights for example, Instagram has a huge number of
photographers who share their content. There is a high risk of other profiles using the
screenshots and reposting the content without giving credits to owner. The
application has an option to report a picture on the basis of copyright issue, but often
there are cases where the owner has no knowledge which profile to report since there
is a deadlock situation where user fails to track back the profile which reposted the
first time.

6
3.1.3 Under Age Users and Fake Profiles
The eligibility criteria for creating an Instagram account is to have an email address
or a Facebook account. This is not enough to identify if someone is above the
certified age to access the application. This lack of identification is the reason behind
huge number of under age and fake profiles on the platform. The absence of an age
evidence system leads to an environment where under age kids are exposed to adult
content and advertisements not suitable for children. In the privacy and safety centre
description, Instagram clearly states that, “Anyone signed into the Instagram app can
view photos or videos on someone's public profile. If you'd like to make sure that only
approved followers can see your child's posts, we suggest setting your posts to
private. Once you set your posts to private, anyone who wants to see your child's
posts will have to send your child a follower request which they can then approve or
ignore” [tips for parents section]. The application gives the warning that the children
profiles can be accessed by anyone who is on it.
Despite the option of reporting an underage profile activity if found, this
precautionary approach is not enough to curb down the problem due to profile
creations done without the parent’s knowledge. Secondly, there is an alarming
increase in third party companies which gain money by creating bots that signup as
fake profiles, whose purpose is to provide likes and comments to increase popularity
of the customer profile[14]. Existence of users who don’t have an evidence to prove
their identity must be handled.

3.2 Ethical privacy concerns

3.2.1 Sensitive Data Collection
According to the cookie centre of Instagram, “Third-party cookies may also be
placed on your device by our business partners so that they can use them to advertise
products and services to you elsewhere on the Internet”[5th section]. Having said
that, it also gives a warning in the cookie duration section saying,“The length of time
a cookie will stay on your computer or mobile device depends on whether it is a
"persistent" or "session" cookie. Session cookies will only stay on your device until
7
you stop browsing. Persistent cookies stay on your computer or mobile device until
they expire or are deleted”,most of the users are unaware about the purpose behind
persistent cookie collection.Third party cookies collect a lot of information for their
analysis. Personal data, contact information, payment details in case of any purchase
are constantly being extracted. This is valuable information according to GDPR and
the users often do not interpret what they are agreeing for, while giving consent.
Under any case of attacks by hackers, vital information can be leaked. Facebook’s
security breach that affected 50 million accounts recently, did not spare the Instagram
accounts, since Facebook owns Instagram[15]. Enormous amount of personal
information is at risk and that is something every user must be aware of.

3.2.2 Access of Inappropriate information by Underage users

As mentioned before in section 3.1.3, underage users are prone to adult content that
exists on the application. Ads that promote alcohol and hashtags that contain
pornographic content are a tap away from the kids. This can have negative impact at
a very young age and it’s one of the huge concern by the parents. Despite the
measures taken by Instagram which include parental permission for an account for
their kids, there are accounts being created without the knowledge the parents.
Over usage of the application for prolonged hours could have side-effects on
children.

3.2.3 Anxiety, Depression, Mental Health risks

Instagram is known for users sharing their experiences, lifestyle, personal thoughts
via pictures and videos. This community culture has helped lot of users to stay
connected to their friends and family and cope with loneliness. But the other side of
the coin has some dark effects as well. The term “Fomo” (fear of missing out) is
surfacing up, which shows that people often feel left out or feel inferior about their
life when they see other users having a great time in the pictures[16]. This constant
struggle of feeling discontent about one’s life can cause depression. The other issues
include body image, where many young girls feel the pressure to look fit all the time
due to the pictures they see about fitness and perfect bodies[16].
8
 Harassment is also often a problem on social media. On Instagram, you can report
an account if you experience any sort of harassment or receive any hateful comments.
But one drawback that still persists is, due to the huge amount of users, the hateful
comments still exist and are not deleted because the hate comment detector /
algorithm of Instagram cannot detect foul language of some non-english speakers
automatically. This is usually observed on celebrity pictures where every picture has
thousands of comments. Instagram came up with a solution for users who don’t want
any comments on their pictures by giving an option of “turn-off commenting” where
the followers cannot comment on that particular post which partially cuts down the
problem in a good way but not completely.

3.3 Legal Issues

3.1.1 Forced consent, potential GDPR violation
GDPR on data protection in context to cookies states that, (30): “Natural persons
may be associated with online identifiers […] such as internet protocol addresses,
cookie identifiers or other identifiers […]. This may leave traces which, in particular
when combined with unique identifiers and other information received by the servers,
may be used to create profiles of the natural persons and identify them.”
In simpler terms this means that, cookies can be used to track down one’s identity and
GDPR considers this as personal data. GDPR has made it mandatory for applications
to ask for consent before they collect the user information for processing. The choice
of user to give consent is done on free-will. But what is the concern here is, when a
user refuses to provide with cookies, the application restricts them from experiencing
some services. Instagram in its cookie control and collection mechanisms states that,
“ Please note that if you set your browser to disable cookies or other technologies,
you may not be able to access certain parts of our Service and other parts of our
Service may not work properly.”

9
The language used here is not very accurate. There is a lack of definition when it
comes to “parts of service” as there is no clear distinction between what services the
user will be denied post rejection of consent and what are the consequences following
that decision. Many users might not be interested in viewings ads from third party
users, and hence might not give consent. But this does not mean that the user should
be exempted from accessing services from the application.
This creates a situation of forced consent where the user is indirectly pressurised to
accept to provide the persistent cookies without knowing the purpose behind
collection of data[17]. GDPR does not mention about rejecting services to a user
explicitly. It’s quite unsure whether this behaviour of applications is obeying the
regulations or not. There has to be more transparence between the application and its
users.

3.1.2 Lack of Lucid Data Policy description

Instagram mentions in its Data Policy that, “We provide advertisers with reports
about the kinds of people seeing their ads and how their ads are performing, but we
don't share information that personally identifies you (information such as your name
or email address that by itself can be used to contact you or identifies who you are)
unless you give us permission. For example, we provide general demographic and
interest information to advertisers (for example, that an ad was seen by a woman
between the ages of 25 and 34 who lives in Madrid and likes software engineering)”.
Even though this statement is coherent, there is some ambiguity to the part where
name and email address will be shared when a user gives consent. The question is
where exactly is the consent asked for. Since most of the users still don’t understand
that Facebook and Instagram are interlinked, there is a lack of awareness as to what
one can do about their data.
Facebook has options where one can opt out of their data being collected for
personalised ads,Yet it mentions that, “If you don't allow your Facebook ad
preferences to be used:You'll still see ads, but they won't be as relevant to you; You
may still see ads for other reasons, such as;Your age, gender or location;The content
in the app or website you're using;Your activity off of the Facebook Companies".
10
[privacy settings] The second part where is says for reasons such as “age, gender,
location” are being collected, comes under personal data, which can be used to
identify the user. Even though Facebook and Instagram are transparent about the data
they are collecting, there is still some contradictions among their data regulations.
The main challenge here is, the users give complete consent to the applications and
hence its difficult to legally challenge Instagram for its data processing activities.

4 Alleviation Suggestions
In this final section, we discuss some of the strategies Instagram can adapt to
strengthen privacy of its users. The application is experiencing mammoth increase in
users which comes with huge risks concerning safety. To overcome some of the
problems discusses in section 3, here are some ideas that are potential and practical.

4.1 What can Instagram do to become better ?

Methods for enhancing safety of user content:
4.1.1 Screenshot and Video Recording alerts
Similar to notifications provided by the application Snapchat, Instagram can provide
the users with an option to receive alerts when someone takes a screenshot or screen
recording of their content. This helps the user to be more aware about whites
happening with the content being posted. Another alternate is incorporating the
feature of Facebook where one can choose to apply security on selected posts they
think need privacy, this feature disables other users from taking screenshots of posts.

4.1.2 Government ID for sign-up

Instagram should make it mandatory for users to show official proof of their identity
by submitting a government licensed identity proof for joining the application. This
can avoid the problem of underage users being active on the application and fake
profiles being generated. This leads to a trustworthy community and in case of any
breakage of community guidelines, it is easier to track the identity of the user. The

11
application’s motive should not be quantity of users, rather it must concentrate on the
quality of users.

4.1.3 Detailed cookie consent form

In complying with the GDPR regulations, Instagram has to explain its users in detail,
where the information collected is being used. The consent form can include
checkboxes with various purposes like collection of data for the application service to
execute, data for ads and data for analytics. By giving options, the user gains control
over the data and more comfortable about sharing information. Based on the choices
provided, the user can choose if he or she is willing to give consent to these
categories of information collection.

4.1.4 Improved Hashtag classifiers for filtering inappropriate content

Pornographic content can easily be accessed using some of the hidden hashtags on
Instagram. Despite the developer’s attempt to ban the hashtags with abusive content,
there are hashtags with special characters which contain adult content which could be
accessed by children.
The application can move from the user feedback method, where the user must
report if abusive content found, to a more automated technology to prevent this.
Instagram can incorporate Natural language Processing techniques which use the
LSTM (long short term memory) neural nets to detect nudity and abusive texts in
pictures and comments.
The application currently uses “comment-filtering” option where users can input
certain keywords they don’t want on their posts, but this doesn’t solve the entire
problem. Since Instagram is used by millions throughout the world, users tend to
receive comments in multiple languages, so the feedback from a single user manually
might not solve this issue (usually problems faced by celebrities). What can be done
is integrate different language models of various languages into LSTMS to detect
abusive comments automatically.

12
4.1.5 User friendly explanation of data and platform policies
The common scenario experienced is, most of the users find it time consuming to go
through the entire description of terms and conditions before they signup for the
application. As Instagram has users as young as 13 and above, it is very important for
the application to make sure that the customer understands the terms. Due to lack of
patience the users click the forward button multiple times and tap the “I agree” button
way too fast. This can be avoided if Instagram adopted a user friendly interactive
policy form where, the language can be understood by a thirteen year old, a mini-quiz
can be asked to the users to check their knowledge about the application and their
data. This can create awareness among the users regarding the policies i.e what is
Instagram responsible for and not.
For example, a lot of users might not know that Instagram explicitly states in its
platform policy number 15 that, “ Instagram shall not, under any circumstances, be
liable to you for any indirect, incidental, consequential, special or exemplary
damages arising out of or in connection with use of the Instagram Platform and any
data derived through such Platform, whether based on breach of contract, breach of
warranty, tort[…] Under no circumstances shall Instagram be liable to you for any
amount.”

4.1.6 Control over tagged pictures

When a person A tags a person B in the picture ( could be friends or business related)
usually the person who tags has greater control of hierarchy over the tagged person.
Instagram has an option to let the users to manually choose the pictures they are
tagged to be visible in the profile or not, and if a person is unwilling to be tagged in a
picture, they can either remove the tag or report the picture for being tagged without
consent. But once the picture has already been posted without consent, there is
nothing much one can do to stop it.

13
So an alternative solution to this is, a request-response mechanism where a tagger
has to send a request to tag the other person, and upon acceptance of the tagged, the
post will be published. This can be provided as an optional service for those users
who want tag alerts. This can cut down the post process of reporting a picture once it
has been posted or deal with the tension of having no control over a picture that you
own.

4.1.7 Excess screen time alert

One of the current concerns about social media is the amount of time one spends on a
particular application. This is also the prime concern of parents who are worried
about their children spending hours together on their mobile phones accessing
applications like Instagram which are quite user engaging. There is infinite amount
of data being generated very second which can lead to addiction.
Even though it’s not Instagram’s concern to be worried about this issue, what it can
do to help the individual’s concern is to provide with an option to set an alert if one
exceeds the screen time on the application. The duration can be set by the users based
on their own will. Parents can set the duration for children’s account. This option can
help the user to keep track of the amount of time spent on Instagram.

CONCLUSION

Instagram has evolved over the years from a basic photo sharing application to a
concoction of various social media services as discussed above. This work focuses on
the privacy aspects of Instagram and the risks associated with it. Various mitigation
approaches were proposed to prune the threats concerned to user’s personal
information. Instagram has been a game changer in the evolving world of social
media where each application is interlinked or dependent on various other third party
sites, leading to a situation where implementing security measures can get complex.
Future of social media security needs to develop highly robust systems to handle the
ever growing data and provide feasible solutions for user safety without leaving any
space for errors.
14
REFERENCES

[1] Instagram now has 1 billion users worldwide by Ashley Carman, June
20,2018. The Verge [url: https://tinyurl.com/y7tocswf]

[2] Instagram, Wikipedia [url: https://en.wikipedia.org/wiki/Instagram]

[3] Live Stats, Instagram [url: https://tinyurl.com/ycq2yr7m]

[4] Shopping on Instagram, Instagram Business [url: https://tinyurl.com/

ycbcjyck]

[5] Instagram Insights: What do they mean? By Aminur, December 12,2018.

Hopper[https://tinyurl.com/ybl6fplu]

[6] How do I view insights on Instagram, Facebook Help Centre [url: https://
tinyurl.com/ybn2ya5d]

[7] How Does the Instagram Algorithm Work ? By Caroline Forsey, HubSpot
[https://tinyurl.com/ycnc4jl6]

[8] who is the owner of Instagram now(2018), Julie Kwach Feb 2018. Tuko [url:
https://tinyurl.com/ybl4hvcy]

[9] Unlocking the Instagram Explore Page Algorithm(2018 update) by Nathan

Olson, July 2,2018. YourCharisma[url: https://tinyurl.com/ydfsz977]

15
[10] Facebook explored unpicking personalities to target ads by Rory Cellan-
Jones, 24 April 2018, BBC News [ url: https://tinyurl.com/yccgczcf]

[11] Provide measurement, analytics, and other business services, Instagram [url:
https://tinyurl.com/yd9kpgtb]

[12] Top Instagram Updates you need to know in 2018 , Ana Gotter, December
18, 2018 [url: https://tinyurl.com/yccgopjn]

[13] Instagram will no longer notify people when you screenshot their stories,
Sean Wolfe June 15, 2018. Business Insider [url:https://tinyurl.com/yadf6uh6]

[14] Why fake instagram followers can put your online safety at risk, Chelsea
Ritschel, independent.co.uk ,New York(Friday 18 May 2018) [url: https://
tinyurl.com/y7zsz5to]

[15] What Instagram users need to know about Facebook’s security breach,
Taylor Hatmaker, Tech Crunch, September 2018. [url: https://tinyurl.com/
y85fsz8p]

[16] Why Instagram is the worst social media for Mental Health by Amanda
Machmillan, May 25, 2017. TIME [url: https://tinyurl.com/ko3cws8]

[17] Google, Facebook, Instagram, Whatsapp Face GDPR Related Lawsuits by

Mike O’ Brien, May 30, 2018, MultichannelMerchant[https://tinyurl.com/
yb9pc99m]

16
 17

View publication stats