Facebook-owned Instagram retained photos and private messages deleted by users on its servers; says it was a bug
We reported yesterday how Facebook and Instagram could face a $500 billion penalty if found guilty under the BIPA law of storing the biometric information of 100 million Instagram users in America. Facebook and Instagram have also been retaining photos and messages that users deleted. The popular photo-sharing app was found to be keeping users’ photos and private direct messages on its servers even after the users had deleted them.
A security researcher discovered this when he used a tool that Instagram provides to comply with GDPR rules. Under the GDPR, service providers must give users tools to download the data that the provider retains about them.
When security researcher Saugat Pokharel downloaded his old data from Instagram, he found that it included photos and private messages he had previously deleted. This deleted data should not have been available either to him or to Facebook/Instagram, so he alerted the Instagram security team to the issue. Instagram acknowledged the slip-up and awarded the researcher $6,000 for finding the bug.
“Instagram didn’t delete my data even when I deleted them from my end,” Pokharel stated. Pokharel reported the bug in October 2019 through Instagram’s bug bounty program. The bug was fixed earlier this month, he said.
A spokesperson for Instagram said: “The researcher reported an issue where someone’s deleted Instagram images and messages would be included in a copy of their information if they used our Download Your Information tool on Instagram. We’ve fixed the issue and have seen no evidence of abuse. We thank the researcher for reporting this issue to us.”
Even though GDPR rules have been enforced since May 2018, it seems that Instagram had been retaining such user-deleted photos and private messages for years. Instagram can now blame a bug or flaw for the retention, but that won’t stop future class-action lawsuits against the company in the United States for privacy breaches. It could also be penalized by a European data protection watchdog for violating GDPR rules.