Facebook shuts location apps for privacy violation: First steps in cleaning up its act?

Facebook has shut down the app, Who's in Town, after it allegedly violated Instagram's privacy policies. Users who download Who's in Town grant the app access to their Instagram accounts, and the ability to see the different places that their followers have visited. This is based on the location tags included in posts or Instagram Stories that have been made public. Over time, the app is able to form a detailed list of users' movements.

In a conversation with Marketing, a Facebook spokesperson said that the app had violated its policies by requesting information from Instagram users, including usernames and passwords. This then allowed Who's in Town to collect location data on individuals. According to the Facebook spokesperson, Who's in Town's privacy policy also failed to inform Instagram users of what it gathers and how the information will be used. As such, these actions violate Instagram's Terms of Service and Platform Policy and Facebook "demanded that these activities stop immediately".

An internal investigation led Facebook to issue a cease-and-desist letter to Who's in Town, remove the app from its platform and disable Instagram and Facebook accounts associated with the app. The spokesperson added:

Our action follows an internal investigation of the company's practices that was completed last week.

In the cease-and-desist letter seen by Marketing, Facebook alleged that app developer Eric Barto has been "scraping and storing" Instagram users' login credentials and location data for monetary gain. Marketing also understands that Facebook removed all other apps from the same developer on Facebook and Instagram, and banned the developer from future use of Facebook's services. The social media giant revoked Barto's licence to access the platform, adding that he or his agents and employees may not access the Facebook or Instagram websites and applications, employ their APIs, or use any of the services offered by Facebook for any reason whatsoever.

In a statement to Marketing, Barto said that unlike other apps, it does not use an unofficial login page that would allow the company to phish credentials. He explained:

The users who log in to Who's In Town are logging directly into the Instagram login page. This means we are unable to save the credentials of any user.

He added that the app is also allowing users to curate the data that is shared with them on Instagram by the people they follow. "With Who's in Town they can only see locations that have been shared with them, albeit in a much more useful way," Barto said. He also confirmed to Marketing that his personal accounts for both Facebook and Instagram have been disabled.

The app first came to light in July this year when American magazine WIRED reported on it. According to WIRED, Who's In Town converts data points "seemingly meaningless in isolation" into a "comprehensive chronology of" the habits and places of users with a public Instagram account. Barto told WIRED back then that the amount of data is equal to individuals crawling through every single story and noting down all the locations consistently.

Other violations

Who's in Town is not the only app to have received a cease-and-desist letter from Facebook. Facebook also fired off a similar letter to location-based marketing firm HYP3R and removed the company from its Facebook Marketing Partners page, Marketing understands.

Marketing also understands that HYP3R violated Facebook's policies, specifically in the area of accessing or collecting data from its products using automated means without prior permission, or attempting to access data it does not have permission to access. As for Instagram, HYP3R was also said to have violated the terms of attempting to create accounts or accessing or collecting information in unauthorised ways. Marketing understands that this includes creating accounts or collecting information in an automated way without Instagram's permission.

Facebook's spokesperson told Marketing in a statement that HYP3R’s actions were not sanctioned and violate its policies. "As a result, we’ve removed them from our platform. We've also made a product change that should help prevent other companies from scraping public location pages in this way," the spokesperson added.

Marketing understands that the product changes include disabling access to location pages if the user is not logged in to their Instagram account. While scraping is still possible if the user is logged in, Instagram is able to identify bad actors and immediately remove their accounts for engaging in scraping or any other inauthentic activity. The company is also continuing to invest in ways to block inauthentic engagement and activity across Instagram, Marketing understands.

Can Facebook win back consumer trust?

These moves by Facebook come after the scrutiny the network has faced over the past year, following privacy issues such as the Cambridge Analytica scandal and a data breach that impacted about 50 million Facebook accounts. It also recently announced that it is renaming Instagram and WhatsApp in an attempt to be clearer about the products and services it owns.

In a statement to Marketing, Charanjit Singh, managing partner at Construct Digital said Facebook is trying very hard to win back the confidence of its users, and will take any such action necessary to show that they take privacy seriously. However, he said that not many everyday users will take notice of such efforts. He explained:

Facebook has to start developing a track record so when the next big [issue occurs], it can show that it has been taking appropriate action.

Carolyn Camoens, managing director, Asia at Hume Brophy added that while these moves will be seen as a sign of Facebook’s commitment to data protection and user privacy,

It’s the first step in a journey of a thousand miles.

“The wounds of the Cambridge Analytica scandal are still raw and it will take a while before trust is re-established. That said, many of us are still active on the platform for all the things they do get right in an increasingly social and digital world,” she added. Nonetheless given its position in this space, Facebook has a genuine opportunity to lead on setting the standard on data protection, she added.

Meanwhile, Ben Wightman, head of data strategy, Asia Pacific and media and performance partnership lead, Singapore at Dentsu Aegis Network added that the move against Who's in Town further proves that Facebook is willing to aggressively address breaches of its platforms’ Terms of Use.

"However, the surrounding publicity on the delay in action against Who’s In Town and HYP3R likely results in a further erosion of trust with the platform, especially post the recent Netflix release of 'The Great Hack' on Cambridge Analytica," Wightman said.
