A group of teens defeated Instagram tracking with this clever trick
High-school kids create flood of confusing metadata
WASHINGTON, DC — High-school students in Maryland have done what privacy experts have tried to do for years. They've figured out how to confuse Instagram so that it can't track you, and can't even tell who you are.
At a presentation at the ShmooCon hacker conference here this past weekend, Samantha Mosley, a junior at a Baltimore-area high school, and her father Russell Mosley described how Samantha and her friends set up a form of "cooperative obfuscation" by logging into each others' accounts.
"Multiple users on the same account liking different things confuses Instagram," Samantha said. "It doesn't know where you are or what you like."
Because social-media services use your device, location and operating system (plus many other factors) to build user profiles, multiple inputs on the same account will flood the trackers with misleading data and make a mess of Instagram's profiling. It literally won't know which one of many users you are.
This isn't the first example of cooperative obfuscation. Russell Mosley cited a recent book called "Obfuscation: A User's Guide for Privacy and Protest" that documented how terrorist and criminal groups swap SIM cards among their own members to defeat phone tracking, and how loyalty-card shoppers exchange cards to avoid being tracked by retailers.
But these Maryland kids came up with this system to defeat social-media tracking all on their own. As an audience member pointed out after the presentation, every previous attempt to camouflage user behavior on social media by flooding the service with fake data has tried to protect a single account, and has usually failed.
No one until now seems to have thought of using real data from a group of users working together to protect dozens of social-media accounts.
Rinsta, finsta and other terms old people don't know
You'd think that social-media services know who you are anyway by your user profile. But the fact is that many people will have several profiles on a single service, and often won't use their real names.
Samantha said she and her friends know that future employers and even college-admissions offices will look at their social-media accounts, so they each have multiple Instagram accounts to serve different purposes.
"These may be terms that grown-ups don't know," she said, explaining that everyone has a "rinsta," or "real" Instagram account, which carries your real name and which strangers, schools and future employers can see.
Then there's the "fun" or "fake" Instagram account, or "finsta," where you post silly and potentially embarrassing things for your friends. Only your friends know that it's you. After that, you might have specialized Instagram accounts for your family or for dedicated interests, such as social activism, music, rock climbing and so forth.
Standing out in a crowd
Now with all those different, mostly pseudonymous accounts, you don't want Instagram or third parties being able to link them all to one real person. But that's exactly what happens with the metadata that gets collected, and which is largely invisible to the user.
There's enough unique identifying information on your smartphone or computer to make it clear who's posting to which accounts, and to find out how many accounts belong to a single person.
"There's more metadata out there than people realize," Russell Mosley said. "Do you guys know how many identifying factors Twitter picks up with every tweet you send? It's between 140 and 150."
"A learning algorithm can identify you as an individual among 10,000 people, simply from Twitter metadata," he said. He added that metadata is now being coupled with image recognition, which has gotten to the point where "you can search your photos on an iPhone by looking for 'ball' or 'car' and it works pretty well."
Instagram collects this kind of metadata, and even worse, other people can sometimes access it.
In November 2019, Apple deleted an iOS app called Like Patrol that scraped information from your Instagram profile to let other users monitor whom you interacted with.
You could even pay to be notified whenever a person you were targeting liked or commented on someone else's post, and you would also be able to tell if a person that your target interacted with on Instagram was male or female — perfect for jealous lovers.
The previous month, in October 2019, Instagram had killed its "Following" tab, which showed users which posts their friends were following, liking and commenting on.
That sounds innocent enough, but as BuzzFeed reported, it let "a Catholic priest [notice] a fellow priest liking gay porn star pics on Instagram" and "a mother [notice] the husband of a fellow mom liking bikini model photos."
Hence the desire for anonymous Instagram accounts — and for a method to defeat the collection of identifying metadata.
Elementary experiments
Samantha and her friends didn't start out trying to disguise their Instagram activities. Their system got started when she and a group of neighborhood kids started a FIRST Lego League team while in elementary school, competing to develop Lego Mindstorms programs and robots.
"They met in our basement," Russell Mosley told Tom's Guide in an interview following the presentation.
The kids set up a group Instagram account for their team, and noticed something interesting. The account would present you with different like recommendations, different people's feeds and different tabs depending on who had most recently accessed the account.
Male and female members of the group would create different results. Instagram was clearly tailoring the experience for different users, even on the same account.
So the kids began experimenting with logging into each others' accounts to see if that changed things too. It did. Then they realized that if they did this often enough and in a deliberately randomized way, then Instagram wouldn't be able to figure out who they were.
They could tell that their methods worked by going to the Instagram Search tab. The pictures that showed up before you searched for anything changed depending on who most recently had accessed the account. So did the suggested tags along the top of the screen -- "Animals," "Food," "TV & Movies," "Nature," "Gaming" and so forth.
You can do this without sharing passwords
Today, Samantha and her friends handle about 100 Instagram accounts in this way. She told Tom's Guide that the number of participants varies because some people go on vacation, and other people drop out or enter the group, but the group has grown to include Instagram users in other states and countries.
The way it works is pretty simple. Each user has multiple Instagram accounts, and shares access to each with a few other users -- but not the same users for each account.
So if User 1 has accounts A, B and C, she will share account A with Users 3, 6 and 7, account B with Users 2, 8 and 12, and account C with Users 6, 8 and 10. Other users do the same.
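As an added illustration (not code from the presentation or from this article), the sketch below models the sharing scheme just described and runs a naive linker over it that merges any accounts seen from the same device. It assumes one device per user; the function names and group sizes are made up for the example.

```python
import random

def build_access(n_users, per_user, sharers, seed=0):
    """Map each account (owner, index) to the set of users whose devices log in to it.
    Per the article, every account gets its own distinct set of sharers.
    Assumes enough users exist to form `per_user` distinct sharer sets."""
    rng = random.Random(seed)
    access = {}
    for owner in range(n_users):
        others = [u for u in range(n_users) if u != owner]
        used = set()
        for k in range(per_user):
            group = frozenset(rng.sample(others, sharers))
            while sharers and group in used:      # different sharers per account
                group = frozenset(rng.sample(others, sharers))
            used.add(group)
            access[(owner, k)] = {owner} | group
    return access

def link_accounts(access):
    """Naive linker: any two accounts seen from the same device join one cluster."""
    parent = {a: a for a in access}
    def find(a):
        while parent[a] != a:
            parent[a] = parent[parent[a]]         # path compression
            a = parent[a]
        return a
    first_seen = {}                               # device -> first account it touched
    for account, devices in access.items():
        for d in devices:
            if d in first_seen:
                parent[find(account)] = find(first_seen[d])
            else:
                first_seen[d] = account
    clusters = {}
    for a in access:
        clusters.setdefault(find(a), set()).add(a)
    return list(clusters.values())

def owners_recovered(clusters):
    """Clusters made of one owner's accounts only, i.e. correct attributions."""
    return sum(1 for c in clusters if len({owner for owner, _ in c}) == 1)

if __name__ == "__main__":
    for sharers in (0, 3):                        # 0 = nobody shares (baseline)
        clusters = link_accounts(build_access(12, 3, sharers))
        print(sharers, "sharers:", len(clusters), "clusters,",
              owners_recovered(clusters), "owners recovered")
```

With no sharing the linker groups each person's accounts perfectly; once every account has at least one outside sharer, no cluster belongs to a single owner, because each sharer's device also ties the account to that sharer's own accounts.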
You don't even have to share passwords to do this. Samantha and her friends found that you can set up Instagram to save your login information on a device so you don't have to use a password again on that device.
(To do this, go to your user profile, tap the three-line menu icon in the upper right corner, tap the Settings icon at the bottom right, tap Security, then tap Saved Login Info.)
Once you've done that, then you can say you lost your password and send a password-change request. Instagram will send you a link to reset the password -- but instead of using the link, you send it to a friend so that he can use the link.
In that way, your friend gets to set his own password to your account, and you both keep access.
A web of trust
Of course, this doesn't work if you have Instagram's two-factor authentication turned on. And it requires implicit trust among all the members, because once someone has access to your account, they could hijack it and lock you out. Of course, you could do the same thing to them.
Because of this, Samantha's group vets all prospective new members before they can join. If someone misbehaves, you can kick them out of your account by changing the settings to forget device logins, then resetting the password without sharing the email link. Chronic misbehavior can be punished by expulsion from the group.
Her group does have rules. You can post on other people's accounts only when asked to do so. And you can't link any accounts to accounts on other social-media services, because then your cover could be blown.
"We do allow anyone to like relevant posts" on other people's accounts, Samantha said. "But we ask people to avoid follow requests."
Constant management
Following her presentation, Samantha told Tom's Guide that doing all this isn't easy. You can't just set up multiple logins and then forget about it.
Instead, the whole system has to be carefully and constantly managed. Samantha explained that she and a few other kids are managers who keep track of who's logged into which accounts. The account-access arrangements have to be periodically shuffled around so that the same people don't stay logged into the same accounts for a long time.
She said that the managers will interact with all the users in her group, so that individual users can request how often their accounts are switched up.
Samantha said that her Instagram-obfuscation group was the only one that she knew of, although she thinks some members in distant locations may be breaking off and forming new groups.
Tom's Guide asked Samantha if such cooperative obfuscation could be used effectively on other social-media platforms such as, for example, Facebook.
"I don't know," she replied. "We don't use Facebook."
Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.