Instagram Investigated for Exposure of Minors' DetailsProbe Will Determine Whether Facebook, Instagram's Owner, Violated GDPR
Ireland's Data Protection Commissioner has launched an investigation into whether Facebook's Instagram service improperly displayed the email addresses and phone numbers of minors on its platform.
See Also: The Evolution of Email Security
The agency is Facebook's regulator for Europe because Facebook's European headquarters is in Dublin.
The development was first reported by The Telegraph on Sunday.
Ireland's DPC has been assessing since July 2019 the privacy impacts of a curious situation first noticed last year by David Stier, a San Francisco-based data scientist (see Ireland Assessing Minors' Profiles on Instagram)
Stier found that at least 2 million 12- to 15-year-olds and 3 million kids ages 16 or 17 worldwide had converted their Instagram profiles to "business" profiles. That automatically made either the user's email address or phone number, or both, public.
DPC Deputy Commissioner Graham Doyle says in a statement that it's vital social media companies are compliant with the European Union's General Data Protection Regulation and Ireland's Data Protection Act 2018.
"The DPC has been actively monitoring complaints received from individuals in this area and has identified potential concerns in relation to the processing of children's personal data on Instagram which require further examination," Doyle says.
The Data Protection Commissioner wrote Stier on Sept. 23, informing him that due to the "serious nature of the issues" a statutory inquiry would be undertaken into how Facebook processes children's personal data on Instagram.
The regulator will conduct two statutory inquiries. One will look at Instagram's profile and account settings and whether those are appropriate for children. The second inquiry will look at Instagram's use of business accounts and the "appropriateness of processing children's contact details as a part of this functionality," DPC says.
Under GDPR, Facebook could face a maximum fine of 20 million euros ($23.5 million) or 4% of global revenue, whichever is higher.
Facebook says it is cooperating with the DPC inquiries. Facebook cast Stier's findings as a "mischaracterization."
"We've always been clear that when people choose to set up a business account on Instagram, the contact information they shared would be publicly displayed," according to a statement. "That's very different to exposing people's information. We've also made several updates to business accounts since the time of Mr. Stier's mischaracterisation in 2019, and people can now opt out of including their contact information entirely."
Click to Contact
Information Security Media Group was the first news outlet to report Stier's findings in June 2019 (see Instagram Shows Kids' Contact Details in Plain Sight)
It's not entirely clear why children, who must be 13 to use Instagram, choose to convert their regular profiles to business profiles. But it has been suggested that Instagram offers better analytics tools of how posts are performing for those with business profiles, which may have proven attractive to younger people.
In business posts by children, it's often easy to figure out where a child went to school and what their interests are. They also often include recent photos. By default, all content on a business profile is public, whereas personal profiles can be set to allow only friends to view.
On a minor's business profile, simply clicking on "email address" or "call" would either bring up a new mail message in an email application or go to a device's phone function. Calling, texting or emailing a minor would occur outside of Instagram, so the social networking service would have no way to monitor the communication.
Child safety experts, as well as Australia's Office of the eSafety Commissioner, which oversees child-safety internet issues, told ISMG last year that the situation was concerning due to the ease at which child predators could reach out to children. Instagram noted it was concerned about child safety and publishes guides for parents on social media safety.
Stier: 'Absence of Common Sense'
Around July 2019, Stier shared his findings with Ireland's DPC.
The issue slowly gained steam throughout 2019, with more news media outlets covering it. Then in November 2019, Instagram quietly changed its privacy settings to allow those using a business profile to mask their contact details. But users who convert to a business profile must go into their settings to mask their data (see Despite Instagram Changes, Minors Are Still at Risk).
Contacted on Sunday, Stier said the Instagram's changes were only minor adjustments. He said some minors who had business profiles he discovered in August 2019 still have their email addresses and phone numbers exposed. Instagram has "done nothing to anonymize the personal contact data for millions of kids who set up fake business accounts," he sid.
"Instagram has knowingly placed millions of children in harm's way by carelessly revealing users' private contact information," Stier said. "That Instagram is still continuing to allow a 13-year-old to have a 'business' account shows a complete lack of care and an absence of common sense."