The Problem

Every day millions of people end up on this screen. It’s a simple screen that you barely think twice about. When I go through it, it is pretty much an automated process: type a caption, maybe name the location, and post to Facebook and Twitter. The issue with this screen is that many people (myself included) overlook the fact that “Add to Photo Map” is on by default if you used the function on the previous photo you uploaded. It’s easy to glance over this and tell yourself, “Hey! Photo Map is a nifty feature, it let’s me keep track of where I’ve taken pictures and it is relatively harmless.” What many do not understand is that leaving this on can reveal you home address to your followers as well as the public. Instagram attempted to make it clear with a dialog box (see first image) stating that you should be careful of sharing to your photo map (not sure if Instagram still even displays this dialog box). The fact that “Add to Photo Map” is on by default almost nullifies this dialog box (again, the dialog box may not still exist) and can be a privacy hazard. I hope this article helps you understand the implications the data that this creates can lead to.

Explanation

What is the place where you upload the most photos. The awesome diner down the road? Chipotle? Le Cirque? Most likely not. While you may upload several photos from the location that comes to mind over the lifetime of your Instagram profile, the most consistent place where people tend to upload photos is their home. Where do you find all those old polaroids to upload to Instagram on “Throwback Thursday” (#tbt)? Where do you put together a pic-stitch to upload on your friend’s 21st birthday (#hbd)? Where are you when you upload a picture you found online for Man Crush Monday (#mcm) or Woman Crush Wednesday (#wcw)? The answer to these questions for the typical user is at home. So when you add these photos to Instagram leaving the photo map featuren on, where does the photo map log your location as? The coordinates of your home address.

The Ramifications

If you do not leave photo mapping on, you’re most likely fine and don’t have to worry about your home address being exposed to the public. However, if you do leave it on your address may be exposed. Because of the presence of your home coordinates on the photo map, anyone can go into your profile and zoom in to try to find a single location where you may have 10, 50, or even 100 photos uploaded. This tends to be a pretty clear signal of where you live. This allows someone who may have malicious intentions to find out where you live with ease.

Let’s say you are an Instagram personality. Maybe a dog, maybe a funny quote generator, or maybe a Cara Delevingne fan photo uploader. Your identity is separate from your profile and you probably do not want people knowing your actual identity. If someone was interested in finding out your identity they could use the photo map in order to deduce your home address. This can be a serious privacy breach for many.

Taking it a Step Further: Implementing an Algorithm that Figures out Home Addresses with only an Instagram Username

I decided that in order to portray how someone could use this maliciously I would dive deeper into the problem and make use of the Instagram API. I wanted to see if I could build an algorithm that can guess the address of a person by utilizing only their Instagram username.

After several hours of coding I was able to build a system that guesses a user’s home address. In my first test I simply inputted my username and the next thing I knew my program printed out my work address and my home address. I was shocked by how easy it was for me to gain access to this information and went ahead and tested it on my friends who gave me permission to test their profile. The testing led me to pull information I wouldn’t even expect. For one of the test cases I got my friends old home address, new home address, and college dorm address. I decided to take it one step further and test it on Instagram Personalities and Celebrities. I am not going to name any celebrities here but I will say that I was able to get the addresses of several celebrities and match it to the public available records of their home addresses. Additionally, I was able to deduce the home addresses of several Instagram users that do not identify themselves on their profile but instead post images ranging from dogs, to quotes, to celebrity fan pictures.

I am not posting the alogrithm as it stands to a public web server because that would enable people to search for anyone’s home address with ease. I did consider posting a version of the algorithm that only allows you to check on your own address by signing into your account but realized that the number of API requests between the Instagram API and my geocoding engine would be far too many if I did this. Because of this you are going to have to take me on my word. I am willing to demo the algorithm for any members of the Instagram team or the press if you simply drop me a line.

“I keep my Instagram profile private so am I safe?”

Yes and no. You are safe in regards to the fact that your photo map is private. No one, not even your followers, can go in and look at your photo map. Also, you are safe in regards to the fact that if someone makes an algorithm similar to mine they cannot simply type your username in and get your home address. However, if one of your followers wants to run a similar algorithm to mine on your profile you are exposed. In the context of Instagram this is concerning. Many people have private profiles but still accept every request they get to follow them. I deduced this from the fact that there are many private profiles out there that have 20,000 followers for only 50 people that they actually follow. If one of those 20,000 followers were to have malicious intentions they could utilize the API in order to find out where a given user lives.

Counterstrike: How to Protect this Information

Instagram does allow you to remove previously disclosed information. You can do this by going into your photo map and clicking the edit button at the top right corner. The approach I would recommend is zooming in towards your home address and see if there is a cluster of photos. After identifying the cluster simply remove them and your home address will be protected. Alternatively you can simply remove all photos from the map and quit using the Photo Map feature all together.

Conclusions

This may be a surprising realization to many users but it is not a reason to stop using Instagram. Instagram is a very powerful photo-sharing service that has changed the way many people share their experiences with their friends and fans. I do however hope that this information creates a dialog about the ramifications of certain actions we take in regards to our personal data. The methods we use to analyze data have changed the way humans inteact with machines. However, unfortunately, people can take these same methods and use them for malicious purposes. We (the users) need to consider the potential results of our actions before we actually take them. On the other side of the spectrum, applications, like Instagram, need to anticipate the actions users may take that can potentially harm them. Minute details (in this case an on off switch) can lead to major consequences and need to be considered.

Contact Me

Twitter | Facebook