While Instagram, the popular photo-sharing website, made a fast retreat last month after releasing new Terms of Service and Privacy policies, it appears that there are more issues. During the holidays last month, a class-action lawsuit was filed against Instagram claiming unauthorized data collection, retention, and tracking via the photo sharing site's mobile app.
The complaint alleges that Instagram uploaded users' entire address books via its mobile app, accessed and modified both the geolocation and metadata in users' uploaded photos, collected and stored users' fine geolocation data, accessed users' data stored within Amazon-provided cloud-based services, and distributed users' sensitive personal data to third-party companies without notice or consent. The complaint alleged that Instagram:
"... used Plaintiff's and Class Members' computing devices to access, use, disclose, retain, and store personal information ("PI"), personal identifying information ("PII"), and/or sensitive identifying information ("SII") derived in whole, or part, from Plaintiff and Class members' computing devices' contact address book, aggregating such data derived from the unauthorized access to, and use of Plaintiff and Class members' photo metadata, for purposes not granted..."
There is more. The complaint also states that the plaintiffs:
"... were unaware of the harm that would be imposed... including use, retention, and storage of their computing devices contact address data, installation of geo-tags for tracking, the misappropriation of their Mobile Device resources and bandwidth... [the plaintiffs] had no knowledge that contact book data was obtained and stored on Defendant's servers and/or third-party servers, such as on Amazon EC2's remote servers and was stored in an unreasonably insecure manner contrary to accepted standards... [the plaintiffs] did not consent to having their data collected by Defendant. Had [the plaintiffs] known of Defendant's practices, they would not have downloaded its app..."
Of course, mobile apps that consume large amounts of consumers' data plan minutes are undesirable, and consumers should be provided with warnings by these apps. The suit was filed December 27, 2012 in Northern California District Court by attorneys Parisi & Havens LLP, Strange and Carpenter LLP, and the Law Office of Joseph H. Malley, P.C. Facebook purchased Instagram in 2012 for $1 billion.
While reading the complaint, I recognized Malley's name, since he is often referred to as a "Privacy Crusader." Malley was involved with class-action suits against Adzilla, NebuAd, Quantcast ("zombie cookies"), Ringleader, Facebook, and Apple. In 2010, Facebook settled its suit for $9.5 million. So, these attorneys know what they are doing.
For the lead plaintiff, Steven Gutierrez, the alleged data collection, retention, and tracking by Instagram affected his minor child and warnings weren't timely enough for consumers who registered and installed the Instagram app early on:
"... ignoring the intent of [the plaintiffs] that used Defendant's application to upload and/or take photos using Defendant's application and also creating a digital dataset, link to their exact location, posted to a publicly accessible form that revealed their exact fine GPS settings, violating not only their privacy rights, but also posing a security risk, as evidenced by Plaintiff Steven Gutierrez, with his one year old daughter, pictured above, that included within the photo's metadata, the exact location where the picture was taken, his home, and a detailed map of the home's exact location... Defendant failed to adequately disclose, or obtain permission for such activities, evidenced by failing to provide a Terms of Service or Privacy Policy within its application or website for a period in excess of a year after its initial operation... Defendant's access to, deletion, modification, and use of Plaintiff and Class Members' metadata within their photos, was without notice or authorization, and is evidenced by an analysis of the photo metadata at various stages. In order to view such activity, a software program is required, such as the one at [Jeffrey's EXIF Viewer]... Defendant's alteration of the digital content's metadata, in addition to the inclusion of fine GPS actual coordinates, provided a Unique Identifier..."
Photo metadata includes a lot of descriptive information, including but not limited to a photo description (e.g., title, subject, tags, comments), author, date and time created, copyright information, image description (e.g., dimensions, resolution, color details, compression), camera description (e.g., make, model, F-stop, exposure, flash mode, zoom setting, lens maker, lens model, serial number, EXIF version), and file information (e.g., date created, date modified, file type, file name, size, attributes, owner, computer name). From photo metadata, a company can tell a lot about you, your purchases, and your lifestyle.
If Instagram adds fine geolocation data to photos after upload, then this is very troubling. For privacy and safety reasons, many consumers turn off the camera setting on their smart phones that automatically adds GPS data to each photo and video taken. By re-adding this geolocation data later to uploaded photos and videos, Instagram is overriding and ignoring users' privacy choices, and enabling tracking of consumers in the real world.
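The before-and-after comparison of photo metadata that the complaint describes can be reproduced with a short script. This is an added example, not part of the original post or the complaint: it reads the EXIF GPS tags from a JPEG and reports whether coordinates appear in a copy whose original carried none. The function names and the sample bytes built by make_jpeg are constructed for illustration.

```python
import struct

def _ifd(tiff, off, e):
    """Map tag -> raw 4-byte value field for the IFD at byte offset off."""
    (n,) = struct.unpack_from(e + "H", tiff, off)
    return {struct.unpack_from(e + "H", tiff, off + 2 + 12 * i)[0]:
            tiff[off + 10 + 12 * i: off + 14 + 12 * i] for i in range(n)}

def _deg(tiff, field, ref, e):
    """Decode three RATIONALs (deg, min, sec); south and west are negative."""
    d = struct.unpack_from(e + "6I", tiff, struct.unpack(e + "I", field)[0])
    v = d[0] / d[1] + d[2] / d[3] / 60 + d[4] / d[5] / 3600
    return -v if ref[:1] in (b"S", b"W") else v

def gps_from_jpeg(data):
    """Return (lat, lon) from the EXIF GPS IFD, or None if there is none."""
    pos = 2                                   # skip the SOI marker (FF D8)
    while pos + 4 <= len(data) and data[pos] == 0xFF and data[pos + 1] != 0xDA:
        (size,) = struct.unpack_from(">H", data, pos + 2)
        seg = data[pos + 4: pos + 2 + size]
        if data[pos + 1] == 0xE1 and seg[:6] == b"Exif\0\0":
            tiff = seg[6:]
            e = "<" if tiff[:2] == b"II" else ">"
            ifd0 = _ifd(tiff, struct.unpack_from(e + "I", tiff, 4)[0], e)
            ptr = ifd0.get(0x8825)            # GPSInfo pointer; absent = no GPS
            gps = _ifd(tiff, struct.unpack(e + "I", ptr)[0], e) if ptr else {}
            if not gps.keys() >= {1, 2, 3, 4}:
                return None
            return _deg(tiff, gps[2], gps[1], e), _deg(tiff, gps[4], gps[3], e)
        pos += 2 + size
    return None

def gps_added(before, after):
    """True when coordinates appear in a copy whose original carried none."""
    return gps_from_jpeg(before) is None and gps_from_jpeg(after) is not None

def make_jpeg(gps=None):
    """Constructed sample JPEG; gps = (lat_ref, (d, m, s), lon_ref, (d, m, s))."""
    ent = lambda tag, typ, cnt, val: struct.pack("<HHI4s", tag, typ, cnt, val)
    u32 = lambda v: struct.pack("<I", v)
    rat = lambda dms: b"".join(struct.pack("<II", n, 1) for n in dms)
    ifd0, tail = ent(0x0112, 3, 1, b"\x01"), b""     # Orientation = 1
    if gps:
        ifd0 += ent(0x8825, 4, 1, u32(38))    # GPS IFD sits at TIFF offset 38
        tail = (struct.pack("<H", 4) + ent(1, 2, 2, gps[0]) + ent(2, 5, 3, u32(92))
                + ent(3, 2, 2, gps[2]) + ent(4, 5, 3, u32(116)) + u32(0)
                + rat(gps[1]) + rat(gps[3]))
    tiff = b"II*\0" + u32(8) + struct.pack("<H", len(ifd0) // 12) + ifd0 + u32(0) + tail
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(tiff) + 8) + b"Exif\0\0" + tiff + b"\xff\xd9"
```

To check real photos, pass the bytes of the file saved on the phone and of the copy downloaded from the service to gps_added.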
The complaint is rich with detail. Of course it provides background information on the Instagram service, its mobile apps, and usage terms/policy. The complaint also includes information about the public outcry about the new usage terms/policy, which Instagram later reversed, as well as smart phone technologies, online tracking, cloud computing, photo metadata, and U.S. Congressional correspondence about app privacy. About the data collection, the complaint states:
"Defendant did not deny it had obtained Plaintiff's and Class Members' contact address data, but attempted to diminish the impact of its public relations nightmare by providing an immediate "Mea Culpa," of sorts, staying out of the press, and quietly adding a new pop-up requesting user authority to obtain contact address data information all users... Defendant's public response that its activities were a common practice was without merit upon review of the app store guidelines..."
For consumers, letting mobile apps upload your entire address book is a bad idea for several reasons. First, the contact data is valuable to spammers and identity criminals because both issue fake messages (e-mail or text) pretending to be a relative or friend to trick consumers into making payments or disclosing other sensitive data. Second, many consumers use their smart phones for both business and pleasure. That means the data collected contains valuable business contacts, useful to both advertisers and spies -- a corporate espionage risk.
I really like how the complaint describes in great detail the damages with specific dollar amounts for affected smart phone users. The lawsuit also highlights the issue of who ultimately controls image (e.g., photograph, video) metadata -- the consumer or the social networking service.
View the Gutierrez et al. vs. Instagram Inc. complaint (Adobe PDF, 1.8 Mbytes).