After 90 days for privacy, photos and user data must be deleted from servers: Instagram kept them for over a year
With the arrival of the GPDR for data protection and privacy, Instagram has set a new rule: if a user deletes photos or messages from his profile, they can be kept on the servers only up to 90 days. A bug in Instagram, however, kept the deleted data for longer, well over a year.
Discovering the Instagram security bug was Saugat Pokharel, who while downloading his data from the social network found data that should have already been deleted. As of 2018, Mark Zuckerberg had decided that for his social network, the maximum time for user-deleted data to remain on the servers was 3 months. After Pokharel discovered the bug in October 2019, also receiving a reward of 6 thousand dollars, Instagram developers worked to fix it and comply with the regulations on the treatment of user data.
Instagram, data on servers beyond 90 days
The General Data Protection Regulation, known as Gdpr, is an international level regulation on the treatment of user data, so that their security and privacy, as well as access, is always guaranteed. Facebook, Instagram, and all major social networks have also been working since it came into effect to respect the rights of online users. Since 2018, Instagram has also included a tool that allows users to download all their personal account data from the servers.
Just by using this tool, in October 2019, Pokharel realized that private messages and photos exchanged with other users and that he had deleted for over a year were stored on the servers. A time that goes well beyond the 90 days set by Instagram to delete content from its servers.
Pokharel, who is a researcher, was rewarded with a $6,000 prize for revealing and reporting the bug. Instagram’s developers immediately set about fixing the problem, re-establishing proper deletion times for its users’ data, and checking for breaches and abuses, and then ensuring that security and privacy were restored.