Thanks to lax oversight and technical loopholes, Instagram allowed one of its vetted advertising partners harvest vast amounts of public user data to create detailed records of users' physical locations, bios, and photos which were intended to disappear after 24 hours, according to Business Insider.

In clear violation of Instagram's rules, the San Francisco-based marketing firm Hyp3r was able to operate under the radar for the past year as one of the company's preferred "Facebook Marketing Partners."

"HYP3R's actions were not sanctioned and violate our policies. As a result, we've removed them from our platform. We've also made a product change that should help prevent other companies from scraping public location pages in this way," said an Instagram spokesperson, following a Wednesday cease-and-desist letter sent to the Hyp3r.

The existence of the profiles is a stark indication that more than a year after revelations that Facebook users' data was exploited by Cambridge Analytica to fuel divisive political ad campaigns, Facebook's struggles in locking down users' personal information not only persist but also extend beyond the core Facebook app. Instagram, which is owned by Facebook but operated as a mostly separate business, has been largely insulated from the privacy backlash and scrutiny that has rocked its parent company. But the wealth of the data contained in people's fleeting Instagram activity, from family-vacation snapshots to restaurant appetizer photos, can provide valuable fodder for a variety of outside actors, who can repurpose the information in ways users never expected or agreed to. -Business Insider

While the amount of data Hyp3r scraped is currently unknown, the firm has publicly bragged about having "a unique dataset of hundreds of millions of the highest value consumers in the world," of which more than 90% is sourced from 1 million+ Instagram posts per month, according to the report.

Hyp3r made unauthorized use of Instagram data in three key ways: It took advantage of an Instagram security lapse, allowing it to zero in on specific locations, like hotels and gyms, and vacuum up all the public posts made from the locations. At these locations, it systematically saved users' public Instagram stories — a type of content designed to vanish after 24 hours —including the individual photos that users shared in the stories, in a clear violation of Instagram's terms of service. It scraped public user profiles on a broad basis, collecting information like user bios and followers, which it then combined with the other location information and data from other sources. -Business Insider

Furthermore, Hyp3r uses image-recognition software to determine what users are depicting.

And as Business Insider points out, Hyp3r is clearly not the only company doing this - they're just the ones that got caught. "...the nature of Hyp3r's activity raises significant questions about the extent of the due diligence that Instagram and parent company Facebook conduct on partners using their platform, as well as on their own procedures to safeguard user data," writes BI's Rob Price.

"For [Instagram] to leave these endpoints open and let people get to this in a back channel sort of way, I thought was kind of hypocritical," said one former Hyp3r employee, adding that it wouldn't take much for Instagram to protect the location data accessed by Hyp3r.

"Why they haven't done it remains a mystery," added the former employee.

Hyp3r, meanwhile, insists they've done nothing wrong - and that harvesting public Instagram data they way they've done so is legitimate and justifiable - adding that they're confident this whole thing will get straightened out soon.

"HYP3R is, and has always been, a company that enables authentic, delightful marketing that is compliant with consumer privacy regulations and social network Terms of Services. We do not view any content or information that cannot be accessed publicly by everyone online," said CEO Carlos Garcia in an emailed statement to Business Insider.

What is Hyp3r?

Founded in 2015, Hyp3r - which has raised tens of millions of dollars - bills itself as a "a location-based marketing platform that helps businesses unlock geosocial data to acquire and engage high-value customers."

Or as BI describes it, "Hyp3r is a marketing company that tracks social-media posts tagged with real-world locations. It then lets its customers directly interact with those posts via its tools and uses that data to target the social-media users with relevant advertisements."

For example, someone who visits a hotel and posts a selfie there might later find themselves inundated with ads from competing hotels, thanks to Hyp3r.

The result of the public information it gleaned was a sophisticated database about Instagram users, their interests, and their movements that Hyp3r openly touted to customers as one of its key selling points, despite the fact that Instagram's policies were structured so that such a thing would not be possible. ... Some of Hyp3r's behavior was once permitted by Instagram. Like many big platforms, Instagram has an API, or application programming interface, that allows developers to build services that can interact with its platform. (They're the reason you can save files to Dropbox from Microsoft Office or see your Facebook friends on Spotify, for example.) But revelations in March 2018 about the political-research firm Cambridge Analytica's misappropriation of 87 million Facebook users' data — data which was originally collected via a quiz app built on top of Facebook's API years prior — prompted a sea change for Facebook, including at Instagram. -Business Insider

After the Cambridge Analytica scandal, Instagram disabled a lot of API functionality, causing companies that relied on its open access for their business models.

According to the report, Hyp3r adapted to the privacy changes by "building a system that could disregard Instagram's decision and keep on harvesting data anyway."

Hyp3r created a tool that could "geofence" specific locations and then harvest every public post tagged with that location on Instagram. The result is a database of thousands of locations, including"hotels, casinos, cruise ships, airports, fitness clubs, stadiums and shopping destinations across the globe," as well as hospitals, bars, and restaurants. If a user makes a post at one of these locations, it is, unbeknownst to them, saved to Hyp3r's systems indefinitely, sources said, along with other information including a link to their profile picture, their profile bio, and their number of followers. Ordinary users' Instagram stories — posts that are supposed to disappear after 24 hours — have never been available through Instagram's API. But Hyp3r built a tool to collect them too, sources said, saving the images indefinitely, along with the associated metadata. (The official API allows access only to stories of business accounts and creator accounts, a tiny fraction of the Instagram population, and these are not surfaceable by location.) -Business Insider

Hyper, of course, says that since the data it harvests is (or was at some point) publicly available, they don't need consent from Instagram users.

Read the rest of the report here.