Facebook has announced an expansion to its bug bounty program covering third-party apps that abuse user data, to include the Instagram ecosystem.
First launched in 2018 in response to the Cambridge Analytica scandal, the Data Abuse Bounty program works by “incentivizing anyone to report apps collecting user data and passing it off to malicious parties to be exploited.”
If an application is found to be breaking Facebook policy in this way, it could be kicked off the platform or become the subject of legal action. Facebook may also decide to conduct a forensic audit of related systems.
Cambridge Analytica infamously used data on tens of millions of Facebook users and their friends scraped by the third-party This Is Your Digital Life app to target US voters in the 2016 Presidential election.
Since that debacle, the social network was forced to kick hundreds more third-party apps from its platform for similar abuses, including one called myPersonality which was used by four million users.
The addition of Instagram to the program reflects the importance of the platform to Facebook’s business and growing concerns over developer access to user data.
In February, it was reported that data on 14.5 million Instagram accounts was being stored online in the UK with no password protection. It was suspected that a third party could be scraping accounts for publicly accessible data, for use later in marketing campaigns.
Last year, Instagram suddenly reduced the API limit for third-party apps from 5000 to 200 calls per hour, and stopped accepting new submissions, in what was seen as an attempt to improve user privacy.
Facebook set out its vision for a radical overhaul of the company in July following a record $5bn penalty issued by the FTC in response to failings that led to the Cambridge Analytica incident.