Security researcher Saugat Pokharel found that Instagram didn’t delete his photos and private direct messages from its servers, even though he deleted them from his account (via TechCrunch).
Instagram Photos Not Deleted
Mr. Pokharel discovered this when he downloaded a copy of his data from Instagram, per Europe’s GDPR policy. Publicly, Instagram says it takes about 90 days for deleted data to be fully removed from its servers. Privately, the company wasn’t removing them at all.
He reported the issue through Instagram’s bug bounty program in October 2019. He says the bug was fixed earlier in August. An Instagram spokesperson stated:
The researcher reported an issue where someone’s deleted Instagram images and messages would be included in a copy of their information if they used our Download Your Information tool on Instagram. We’ve fixed the issue and have seen no evidence of abuse. We thank the researcher for reporting this issue to us.
This news follows a lawsuit on Wednesday that accused Instagram of illegally collecting biometric data from its users without their knowledge or consent. The Facebook-owned company could face up to US$500 billion in fines in this class-action lawsuit if Facebook is found guilty.