Instagram has quietly released an update to address a loophole in its privacy settings that had allowed public access to photos marked private.
Typically, photos posted to private accounts are inaccessible outside of the user's custom friend network. Direct links to private photos return the message “Page Not Found.” However, prior to Instagram's recent fix, if a user had uploaded an image while their profile was public, that image would remain publicly accessible on the web even after the account had been made private. The direct URL would display the image to anyone with the link.
Instagram did not disclose the gaping flaw, which was first discovered by Quartz. The company’s help documents contain no mention of it. The flaw has since been patched to ensure that images on a private account remain private regardless of the account setting at upload time.
Instagram’s privacy settings still do not address a second, related publication issue. If a private user shares an Instagram post with another service, such as Twitter or Facebook as part of the upload process, that shared photo will remain viewable to the public despite its privacy settings. This functionality is described in Instagram’s help documents.
The sharing feature uses a publicly accessible link even if the user uploads the image privately and shares it to a locked social networking account. The only way to ensure that an Instagram post remains private while sharing it on other platforms is to share the link after it has been uploaded to Instagram, not as part of the upload process. Then, only someone's Instagram followers will be able to view their content, despite the link existing in public view.
This nuance in the privacy settings has not detailed by Instagram.
For Instagram—and Facebook, the company that acquired the photo-sharing service in 2012—privacy loopholes raise questions about the accuracy and extensiveness of support documentation and about the clarity of privacy-related communications to users.
This latest photo-privacy issue may also have legal ramifications. Facebook is in the middle of settling a lawsuit with the Federal Trade Commission (FTC), and the settlement requires the company to “take several steps to make sure it lives up to its promises in the future, including by giving consumers clear and prominent notice and obtaining their express consent before sharing their information beyond their privacy settings.”
Instagram did not respond to a request for comment.
Illustration by Max Fleishman