Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
The Internet Technology

Instagram Wasn't Removing Photos and Direct Messages From Its Servers (techcrunch.com) 34

A security researcher was awarded a $6,000 bug bounty payout after he found Instagram retained photos and private direct messages on its servers long after he deleted them. From a report: Independent security researcher Saugat Pokharel found that when he downloaded his data from Instagram, a feature it launched in 2018 to comply with new European data rules, his downloaded data contained photos and private messages with other users that he had previously deleted. It's not uncommon for companies to store freshly deleted data for a time until it can be properly scrubbed from its networks, systems and caches. Instagram said it takes about 90 days for deleted data to be fully removed from its systems. But Pokharel found that his ostensibly deleted data from more than a year ago was still stored on Instagram's servers, and could be downloaded using the company's data download tool. Pokharel reported the bug in October 2019 through Instagram's bug bounty program. The bug was fixed earlier this month, he said.
This discussion has been archived. No new comments can be posted.

Instagram Wasn't Removing Photos and Direct Messages From Its Servers

Comments Filter:
  • fixed how? (Score:5, Interesting)

    by antus ( 6211764 ) on Friday August 14, 2020 @04:06AM (#60400413)
    Fixed by preventing its download, or fixed by removing the deleted data and complying with regulations?
  • by Mike Frett ( 2811077 ) on Friday August 14, 2020 @04:18AM (#60400433)

    I'm not entirely sure that was a bug. It's owned by Facebook so I think it's working as intended. I expect a WontFix =)

    • EWONTFIX is my favorite error code. Lennart Poettering has long been fond of that one, refusing to fix breaking bugs in PulseAudio or systemd.

  • Derived data (Score:5, Interesting)

    by mrwireless ( 1056688 ) on Friday August 14, 2020 @04:43AM (#60400461)

    Of course the really interesting question is: what have they done with the derived data?

    Even if you delete all your data - or even your entire account - from parties like this, if they have algorithmically analysed your posts to determine your psychological profile, that profile is retained.

    According to American companies, those profiles are their 'opinion' of you. Heck, they'll say their profiles of you are protected as free speech. There's a court case going on in Maine, where some companies are claiming privacy laws invade their right to free speech:
    https://yro.slashdot.org/story... [slashdot.org]

    Most of these well meaning initiatives to give users control over "your data" run the risk of giving a false sense of security. These companies will happily say they don't sell your data, because according to them, these profiles are _their_ data. And who knows how long they store that stuff.

    As always: don't ask if they sell your data, ask if they sell data about you.

    Or move to Europe.

    • My understanding is that as the law is written, in most places the derived data is their property. It's hard to argue that it isn't, or even that it naturally shouldn't be; the sensible argument is that it should belong to the user even though it would logically belong to the corporation because of the impact on the user's life. However, if that were applied across the board, it would destroy credit reporting companies, which would in turn destroy predatory lenders... and both of those groups lobby a whole

    • by stikves ( 127823 )

      There are usually rules covering the derived data as well.

      I cannot vouch for all companies, but what I see generally is periodic scrubbing / regeneration of user profiles. In the intermediate periods, the systems usually process "delta" information (like "do not remember this"). Overall all the profiles should not contain any data deleted in the recent xx-days. (Depending on the privacy policy, but most systems would do it even faster just in case).

      This had been the case for most proper systems in a long wh

  • by gweihir ( 88907 ) on Friday August 14, 2020 @05:10AM (#60400505)

    This problem must be decades old. Apparently whoever was security architect in this system is completely incompetent and made basic beginner's mistakes. Alternatively, this is working as intended.

    • by Anonymous Coward

      It is at least as old as the facebook acquisition, and quite probably older. It was long known that facebook didn't delete pictures that were posted, I wouldn't have expected instagram to behave any differently.
      My educated speculation: It simply wasn't in the requirements, and keeping the images is a happy side benefit. 100s of billions of images are stored flat and contiguously, replicated at least 3 times per region of origin (which grows to dozens of regions for wide reach feeds). Deleting content happen

  • If you delete something from social media it's probably on 1000 backup tapes and 100 mirrors. Such is the stupidity and hubris of Europe.
  • Hardly a bug, working exactly as designed. How else is the state security apparatus going to keep the voters under surveillance.
  • Let's use the example of telling a company you no longer want to receive their emails. You select the unsubscribe link, enter your information, and are told the change might take a few days to be completed.

    A few days? How difficult is it to remove an email address? It is a single entry in a database. Is it that difficult for the monkey behind the keyboard to hit the delete button and say Yes when asked if they're sure they want to delete?

    The same with this. If you've given the company your approval to rem

    • by Mal-2 ( 675116 )

      It can take days, weeks, months for the deletion to propagate across all levels of backup. Even if you delete everything now, they're not going to mount yesterday's backup tape, find your data, and erase it.

      • by sjames ( 1099 )

        But in the case at hand it never even got deleted from online primary storage.

        • by Mal-2 ( 675116 )

          My response was directly to the situation posed by quonset [slashdot.org].

          However it is also possible for data to be pulled from those backup sources, and those backups would be unaware the data had been deliberately deleted, and not just lost. So it is possible the data was deleted, and then someone else put it back by design or by side effect of restoring something else.

    • by CastrTroy ( 595695 ) on Friday August 14, 2020 @08:16AM (#60400809)

      A lot of times they have jobs spooled up ahead of time, waiting to go out to a list that's already been determined. When you're sending out millions of emails, it can be quite a process to make sure everything is set up before hand so that the wrong email doesn't go out to the wrong people and that there isn't errors in the email. Many systems will stop emails immediately, but in a lot of cases it a CYA type of situation so that if an email or two that's aready in the queue does go out to unsubscribed members, then they can just point to this policy.

      The same goes f or deleting stuff. They may delete one instance of a file, but that won't automatically remove it from everywhere in the system. They often have tons of mirrored copies. And then there's backups. Which are often stored a separate location, offline. I don't even think most companies have a process for deleting data from backup copies. It's simply too big of a problem.They probably just wait until the tapes are too old and rotated out. If they keep all their tapes forever, they probably will never go back and delete files that you have asked them to.

      • A lot of times they have jobs spooled up ahead of time, waiting to go out to a list that's already been determined. When you're sending out millions of emails, it can be quite a process to make sure everything is set up before hand so that the wrong email doesn't go out to the wrong people and that there isn't errors in the email.

        All that is true but irrelevant. It takes very little effort to remove addresses from a list at any time before a mailing begins. I know this because I have operated bulk email systems before.

      • Or, they just mark it as deleted so it's still available to whatever law enforcement or spy agency subpoenas the account, and they just forgot to check that flag with the data download tool to hide it from you, because that's what the secret order with gag provision told them to do.
    • You should never do this. It tells them the account is real. Instead change the access file to reject mail from that sender. Immediate effect.
      • If you signed up, they already know the account is real. We're not talking about spammers here.

        • I'd bet they are more likely to drop you because of rejected emails than they are to drop you because you said so. A rejected tells them the email is no longer valid, and can't be sold. You telling them to drop you tells them you are valid email when they monetize their email list.
  • it is impossible to prove that a file has been deleted

    in other words, it is impossible to prove that a set of data does not exist somewhere where instagram has control.

    therefore when they say they deleted something, all we can do is trust them

    of course this is meaningless: "trust" and "their word" are completely void.

  • Instagram retained photos and private direct messages on its servers long after he deleted them

    If this is a surprise to you, you're not paying attention. A friend of mine once sat as a juror on a criminal trial, during which prosecution presented Instagram-posts of the suspects as evidence. (Convincing evidence it proved to be too, BTW.)

    You and your friends may not be able to view the expired/deleted posts, but police can still obtain them — with a duly-issued and court-approved warrant, of course

  • by argStyopa ( 232550 ) on Friday August 14, 2020 @10:29AM (#60401167) Journal

    If you believe this, I have a bridge to sell you.

    Seriously, how stupid are you to trust that Entity X (I don't give a shit if that's MS, Twitter, Instagram, or a bloody Government) is going to delete your information because they PROMISED to?

    Information that could prove valuable?

    I mean come on, how gullible / naive does someone have to be?

  • by roc97007 ( 608802 ) on Friday August 14, 2020 @01:06PM (#60401727) Journal

    About a year ago a family member, fifteen year old girl, posted some rather risque videos of her and a girlfriend during a sleepover, and separately posted information that identified her school and class schedule. I raised the alarm, the stuff was deleted, and we all talked to her about the dangers of exposing too much online.

    Now I'm worried that the stuff didn't really get deleted. It's bad enough to imagine some perv who works at Instagram having a copy.

  • Does anyone find this surprising? I would expect that all these massive online companies are indistinguishable from politicians -- you can tell when they are lying because their lips are moving. Why on earth would anyone believe anything that these arseholes say? It is not as if they back up their "saying" with indemnity insurance or anything. In fact, it is the contrary. They warrant that even if they are deliberately lying to you with malice aforethought that you agree to hold them harmless and discl

There's no sense in being precise when you don't even know what you're talking about. -- John von Neumann

Working...