Independent security researcher Saugat Pokharel found that when he downloaded his data from Instagram, a feature it launched in 2018 to comply with new European data rules, his downloaded data contained photos and private messages with other users that he had previously deleted.
It’s not uncommon for companies to store freshly deleted data for a time until it can be properly scrubbed from its networks, systems and caches. Instagram said it takes about 90 days for deleted data to be fully removed from its systems.
But Pokharel found that his ostensibly deleted data from more than a year ago was still stored on Instagram’s servers, and could be downloaded using the company’s data download tool.
Pokharel submitted it as a bug, and the company paid him $6k under its bug bounty. It says the bug has now been fixed.
This mirrors an experience with Twitter last year, where another researcher found that Twitter retained copies of direct messages ‘years’ after they’d been deleted by the user.
While there’s no reason to doubt either company’s explanation that this was a coding error rather than a deliberate privacy breach, it does highlight the need for transparency and user control around deletion policies, as well as a proper auditing process.
For example, when you delete a photos from your iPhone, Apple is transparent about the default process:
- The photo is moved to the Deleted photos album
- It is hidden from your main feed
- It is permanently deleted after 30 days
You also have the ability to override the 30-day delay: if you go into the Deleted photos album and delete it from there, then it is immediately and permanently deleted.
Other apps and services could learn much from this approach.
FTC: We use income earning auto affiliate links. More.