Recent Instagram data leak reveals ‘backdoor’ feature exposing kids’ phone # and email in plain sight to 1B users
Imagine that a stranger asks you for your teenage cousin’s phone # and email. Would you give it to them? If your cousin is on Instagram, you may be too late.
Over 60 million kids can easily change their profile to a “business account” for which Instagram requires the public display of their email address and/or phone # in app. Today, approx 2 million12–15 y/o’s have phone and or email shown.
Perhaps you recall the news story about the leak of personal contact information for up to 49M Instagram users who are “Creators” on their platform. Jeremy Kirk’s story in databreachtoday.com further explores this issue. I’m the data scientist who found this problem and reported it to Facebook’s white hat program earlier this year.
Here’s a quick recap of the research methods used for my report. I analyzed the profiles of nearly 200,000 Instagram users in multiple countries. To ensure that my findings were representative of the global base of users, including those living in GDPR countries, I created three different methods to gather profile ids. One method compiled the profile ids of users whose posts appeared on one of more than 1,700 separate location pages in Germany and Austria [here’s an example of a location page]. The second method involved extracting the profile ids for all the followers of 10 EU based users who each had between 700–2,500 followers. My third method grew out of my initial research for a client about how US based office furniture manufacturers use social media. Significantly, the findings I reported were consistent among all three sample groups. Since this story initially posted, I’ve reviewed an additional 150,000 profiles and have shared my findings with several reporters.
A data leak on its own is concerning, but more troubling than the months’ long data leak was my discovery that the personal contact information of minors — specifically their phone # and/or email address — was also leaked online for months. My report to Instagram notified them of this fact and I provided them with specific profile names of individuals under the age of 15 from several different countries whose email and/or phone number — and sometimes their city and postal code had been leaked.
To make matters worse, Instagram revealed to me that the contact information of these minors was already currently displayed in plain sight on their profile page in the Instagram app — meaning that over 1,000,000,000 users could view their profile and extract that person’s phone number or email address.
Since my report in late February, Instagram still has not taken any action to stop displaying these kids’ contact information within the app. In fact, they specifically affirmed that displaying this contact information in plain sight within the app was a feature that they did not intend to change — regardless of whether kids’ personal email and phone #s were visible.
On March 7, in response to my report they stated “After discussing this functionality with the Instagram team we did take steps to remove the contact information from the HTML of the page, since it was not necessary to include in its current form. However this information is still accessible to Instagram users via the Contact button [within the Instagram app].” — Neal, Facebook security
Instagram’s practice of not masking the email address and of not assigning an anonymized phone number runs counter to the practice of nearly every website and app today. Most people who click an “Email Me” button assume that they will be directed to a form of some kind in which they compose their message and that the website or app will keep the end recipient’s address hidden. As just one example, Craigslist, the famous classified ads website has used anonymized email addresses for years.
It appears that Instagram chose not to devote resources to having such functionality within their app — instead they decided that allowing any Instagram user to click on the “email” link should cause that user’s default email program to launch and that the actual email address of the recipient would be clearly displayed in the “To:” section of the email. Because of this, you can choose to save the message to your drafts folder or simply copy and paste the email address for later use and the person whose profile page you visited will never know that you have harvested their email address.
Here are live screenshots (with personal information blocked out) from a 14 year old girl’s profile that demonstrate how this works :
Surprisingly, the use of this ‘backdoor’ functionality by kids has not been previously reported to any of the leading child safety watchdog organizations who are working diligently to keep kids safe online. These organizations have provided excellent guidance to parents on the numerous detailed steps that they can take to help their child stay safe. My hope is that they will now include information about the availability of this functionality in their guidance for parents.
How can Instagram display kids’ contact details?
To best understand what’s happening, let’s first review how Instagram works:
- Anyone over the age of 13 can set up a personal Instagram account (in fact, the only people restricted from establishing an account are sexual predators and people who have previously been banned from the platform).
- When you set up your personal account, there are a number of settings that you can adjust to control what you see, who contacts you and who follows you. Instagram and child safety organizations have published clear guidelines and instructions to help parents keep their kids safe online.
- Age verification is typically not required unless you give some indication that you are under the age of 13 (such as writing in your bio that you are in the 4th grade or were born 10 years ago).
- Now that you’ve set up your account you’re welcome to post, comment, tag and explore.
- There are many businesses and brands on Instagram and you can follow any company or brand that interests you.
- Over the past few years, Instagram has allowed people to change their profile to that of a “Business Account”. To do so, you just complete the information requested on a few screens and choose which method of contact you want to display on your profile. You must choose to have either your email or phone number appear on your profile page. Currently, there’s no requirement that you need to actually have a business, instead it appears that Instagram trusts you to represent yourself accurately. [To see live screenshots of the process, scroll to the end of this article]
- Because there are seemingly no restrictions on who can change their personal profile to a business account, many kids have figured out that they can ‘claim’ to have a business so that they can add the contact buttons onto their own profile page. Here are two examples of profiles that are currently active on the site. I’ve hidden their names and masked personally revealing information:
To keep kids safe, Facebook needs some natural (human) intelligence to augment its huge artificial intelligence efforts
It seems that Data Science, AI and machine learning are the new bright and shiny objects that have distracted business leaders from the inherent power of human intelligence. Instagram could add many simple rules-based programs to identify users whose personal contact information should not be disclosed to the billion plus users of its app.
There are many easy ways to identify minors whose profiles may include their phone number and/or email. I won’t disclose how to programmatically find these kids on a global basis, but it is worthwhile to point out some simple ‘tricks’ that bad actors are likely using now to find vulnerable kids. Here are just a few:
- Many kids include their year of birth or age in their profile id (eg “raymond_2005_x” may be someone who was born in 2005 and “sara_14y” seems to be 14 years old). A simple prompt at the time of account setup could alert young users to the risk of using such numbers in their profile id.
- Similarly, many kids still include text in their bio that directly states their age — anything from the obvious “I’m 13 years old” to more obtuse methods such as just including your age as a number with no other reference (eg “Swimmer, 14, CHBS fan”) or using roman numerals to identify your age. Instagram could regularly scan users’ biographies and, if they suspect that the user is a minor, send them a prompt when they next log in that would encourage them to remove the age-related text.
- Even though many kids don’t put their full name in their bio, their email address often makes it easy to figure out their name. If Instagram chooses to continue displaying the email addresses of anyone over the age of 13 perhaps they could notify kids whose email address contains both their first and last name. They could then suggest using an alternate email address.
- Google, Picdeer, numerous social media aggregators and the Instagram app itself all make it easy to use the above rules to find kids in the app. Given how easy it is to find kids online, does Instagram has a process to internally flag all users who appear to be minors? If so, they could use this to deploy additional behind-the-scenes monitoring and user messaging to further ensure kids safety.
- Artificial intelligence can play its part to improve these screening efforts. For instance, computer vision programming could be used to estimate the prevailing age of everyone who appears in the photos of a particular user. Once a user posts some predetermined number of photos, the algorithm could estimate the user’s age so that Instagram could take action if the user is under a certain age.
Where to go from here?
Do we have a responsibility to keep kids’ phone #s and emails hidden so that strangers can’t find them just by clicking a button? For those companies marketing to teens, how much input do they receive from parents? Should a company’s mission and statement of values indicate what its position is on how much the company wants to be influenced by parents’ concerns as it makes product strategy and business operation decisions? What is the standard of care and level of effort that we expect from companies for guarding kids’ privacy?
Instagram plays a significant role in the lives of our youth. Kids use Instagram to make connections, share memories, create new ones and experience the feeling of being connected with a larger community. As the conduit and platform for all these experiences, Instagram can draw upon the perspective of parents, educators and youth leaders when designing its products, user interface and community building.
Speaking as a parent, I want to be assured that the experience Instagram offers to teens is as ‘adult-overseen’ as possible. Instagram has an opportunity to see its role in teens’ lives as the ‘parent behind the wheel’. If you’re a parent who has driven a group of teens, you know the surprise and delight you feel when you hear your kids talking away in the back seat as though there was no one else around — and certainly not one of their parents. They seem to have entered a special safety zone where they can talk easily and openly with each other. This safe zone takes sustained energy and effort to create.
What would happen if Instagram and other companies that provide content to our teens approach their role as the ‘parent behind the wheel’? Would they make different decisions about their products, services and the overall experience that they provide our teens?
I hope that you’ll share this information with a teen or parent and add your voice to the conversation.
See also Jeremy Kirk’s story in databreachtoday.com
Live screenshots showing how to change to a business account