Fraud Management & Cybercrime , Governance & Risk Management , Privacy

Ireland Assessing Minors' Profiles on Instagram

Data Scientist Files Reports With European Regulators
Ireland Assessing Minors' Profiles on Instagram
Photo: Santeri Viinamäki via Wikimedia Commons/CC

Ireland’s Data Protection Commission says it is “assessing” a report concerning minors who have business profiles on Instagram that may expose email addresses and phone numbers.

See Also: A Single Cyberattack = Loss in Consumer Trust & Brand Damage

The issue was identified by David Stier, a San Francisco-based data scientist and business adviser, who discovered the situation while researching a recent Instagram data exposure issue.

David Stier

Business profiles are intended for promotion, and Instagram requires either an email address or phone number to be displayed. The business profile category is open to anyone who uses Instagram, including those under 18 years old.

Stier estimates that at least 2 million 12- to 15-year-olds and 3 million kids ages 16 or 17 worldwide have business Instagram profiles with their email addresses or phone numbers exposed - or both.

Minors' business profile photos are open to the public. It’s unclear exactly why kids opt for business accounts, but one reason may be the analytics tools in these profiles that are unavailable to personal accounts.

Ireland’s DPC say: “We are currently assessing the information that has been provided to us regarding this issue.”

An Instagram spokesman told Information Security Media Group the company had no comment on the issue. Instagram, which is own by Facebook, previously told ISMG that it's concerned about child safety and publishes guides for parents on social media safety. Instagram’s guide for parents, however, does not mention business profiles.

“No one that I've spoken to would give out the phone number of their 13-year-old daughter/cousin/niece etc.,” Stier says. “So why should Instagram be allowed to reveal any child's phone number to a billion strangers?”

Click to Text

Child safety experts have said exposed contact details for minors can invite unwanted attention and potentially put kids at risk (see: Instagram Shows Kids' Contact Details in Plain Sight).

Clicking the “phone” button within Instagram’s mobile version for a 14-year-old with a business profile, for example, brings up the calling dialogue on a mobile phone. It would be possible to text the child, an action that would take place outside of Instagram’s purview.

Tapping the call button on someone’s business profile brings up a mobile phone’s calling dialogue.

Instagram doesn’t show a person’s birth date or age in the app. But many people use the short bio space to describe some personal information. Minors with business profiles who describe their age may write “13yo” or a variation.

ISMG visited dozens of profiles of self-identifying minors with business accounts. While it's possible some profiles are fake, most appeared to be legitimate, and often the public photos revealed where the child lives, goes to school and for example, recent holidays taken with their families.

No accounts appear to be related to an actual business in the traditional sense. This matches with what Stier says he has found, such as minors with business accounts categorized as nonprofit organizations but who have no discernable connection to one. Users are allowed select their own business category, such as grocery store.

E-safety experts often warn about revealing too much personal information on social networking sites because it could open a door to social engineering, scams, or in the case of a child, untoward behavior.

Instagram has sought to give more options for account holders who aren’t a business but are instead driving more of a personal brand. The Hollywood Reporter reported in December 2018 that Instagram was introducing a “creator” account, which would be appropriate for those who might have tagged themselves as a business.

Germany’s Reaction

The European Union has one of the world's strictest data protection law: the General Data Protection Regulation. The comprehensive law is intended to make companies more accountable for their data security practices.

It’s also intended to ensure technology companies clearly inform users and gain specific, unambiguous consent for data processing. Facebook’s European headquarters is in Dublin. Under GDPR, that makes Ireland’s DPC the social network’s European regulator.

Stier also filed a report with Germany’s Federal Commissioner for Data Protection and Freedom of Information, or BfDI. In a July 4 email to Stier, BfDI told Stier: “Thank you very much for drawing our attention to the observed and alarming behaviour of minors on Instagram.”

Germany’s data protection regulator responded to Stier’s report, calling the situation “alarming.”

The agency went to write that it would bring the situation to the attention of Ireland’s DPC “as they are the lead supervisory authority for Instagram/Facebook.”

Deriving Estimates

Since his first findings, Stier has sought to figure out the full scope of how many minors may have business accounts.

In his latest investigation, Stier used a sample of size of nearly 150,000 Instagram accounts. That process of estimating how many minors have business accounts is not straightforward, Stier says.

As mentioned before, Instagram doesn’t disclose ages, birth dates or where someone lives. But some users disclose that information in their bio. Also, a phone number will reveal a country code.

Stier says he excluded from his research minors who were performers with agents or managers or who refer to partnership arrangements. All told, he manually reviewed 4,000 profiles and says “there are definite patterns that emerge.”

“The age information is fairly reliable,” he says. “I was rigorous about making sure that I only included minors who had no discernible business, and I used their phone number’s country code, location tagging and other information in posts.”

Generally, 6 percent to 7 percent of all Instagram accounts in a given country belong to users under 18 years old, according to Statista, a social media marketing firm. The adoption of business accounts was also fairly uniform around the world, Stier says, at around 15 percent.

About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.