Yesterday, Instagram launched version 3.0 of their iOS and Android app. Along with some new UI improvements, the coolest thing about the update is the new Photo Maps feature which allows users to organize photos via geo-location data to provide more interesting narratives for their followers.
The new Photo Maps feature is great, but it comes with some privacy concerns. Private user photos that are added to a Photo Map are viewable to any Android Instagram user thanks to a bug in the 3.0 update.
Once a user turns on Privacy, Instagram’s policy is that anyone who wants to see your photos, followers, or following list, will have to send you a follow request. No follow request, no access to pictures or the Photo Map.
Only the private user and their approved followers will be able to see that photo on a Photo Map. Private users’ images, even when geotagged, are hidden from the public.
Right now that’s not actually the case.
Here’s what a private user screen looks like on Instagram 3.0 on both iOS and Android.
iPhone users don’t even see “Photo Map” as an option, which is great and how things should be. But Android users can see the Photo Map option on a private user and tap on it, which will then take them to a Photo Map, like this one, where they can roam around looking at all of the private users’s photos:
Even if an Instagrammer is using an iPhone as their device, it still won’t prevent Android users from being able to see their photos. The only saving grace of the bug is that it doesn’t expose all of a private user’s photos. It only exposes the photos that are on Photo Map.
If your account is private and you don’t add a picture to Photo Map it will stay private to both Android and iOS users. However, Instagram is trying to push all users to use Photo Map and most of them don’t know it comes with privacy risks.
The first thing users see after they update to Instagram 3.0 is a big message encouraging them to use Photo Maps. Instagram has even made it super quick to get started by gathering all your photos that contain geo-location data, and adding them to the Photo Map by default. It’s a great way to get people to use a new feature, but they should be alerted by Instagram about the privacy changes involved when doing so.
Update: Instagram’s team just emailed us saying they made a quick fix to the app so that Android users can’t access private photos via Photo Map.
The fix isn’t a full app update that removes the option to tap a private user’s Photo Map button, comparable to the iOS version, but now when Android users attempt to access a private Photo Map they are met with a loading error on the Photo Map page as seen in the screenshot below.
Update 2: Instagram released an update this evening for their Android app. The new update completely blocks access to private users’s Photo Maps by greying out the “Photo Map” button on private users for everyone but their approved followers. Hats off to Instagram for releasing two fixes to the privacy issue in freaky fast time.
