A new app knows what your Instagram-loving friends did last summer. Called Who’s in Town, the iOS and Android app is ostensibly designed to show you, well … who’s in town. But it does much more than that.
Users who download the app and grant it access to their Instagram account are presented with an eerie interactive map of every place the people they follow have visited and shared online since they created their profile. The map updates in real time and is sourced from the wealth of location data the average Instagram user willingly uploads to the platform each time they opt to use its popular geotag feature in a story or post.
This information is nominally public already, as Instagram users must choose to share it with their followers. But by collecting it all in one place over time, Who’s in Town transforms data points that are seemingly meaningless in isolation into a comprehensive chronology of the habits and haunts of anyone with a public Instagram account.
It can tell you what coffee shops or restaurants your Instagram-using friends frequent and when they last told the digital world they were there, painting a detailed picture that wouldn’t be evident from just looking at their profile.
“The amount of data is insane,” said Erick Barto, the app’s creator. “It’s the equivalent of you going through every single story and writing down every single location, just consistently all the time.”
Paris Martineau covers platforms, online influence, and social media manipulation for WIRED.
A pre-release study Barto conducted using Who’s in Town tracked the posting habits of over 15,000 active Instagram users over multiple weeks. Barto said it found that 30 percent of people who post Instagram stories over the weekend geotag at least one location.
“This capability is problematic … from a privacy perspective as long-term aggregate data can potentially be misused in various ways,” Jason Polakis, security researcher and assistant professor at the University of Illinois at Chicago, told WIRED over email.
Polakis said users’ aggregate location data could reveal sensitive information about their daily routine—like when a person normally goes out, or is at work—that could be used to determine when their home is empty, enable stalking, or indicate social connections, like friendships or relationships, based on similarities in the time and location of their posts. The information could also be used by companies to infer a person’s hidden habits or traits, he noted. A health insurance firm, for example, could scan prospective customers’ geotag history to compare how often they indicate they frequent bars versus the gym.
“While the app’s functionality isn’t doing anything complicated that a determined (malicious) individual or company wouldn’t be able to do,” said Polakis, “it does streamline and facilitate potentially invasive behavior at a large scale, as anyone installing the app would have access to this functionality.”
Once installed, Who’s in Town pulls post data for the people you follow dating back to the creation of each user’s account, and the geotags from stories posted that day. Since Instagram stories (and any geotags contained within them) disappear after 24 hours, older stories won’t be displayed on the map; however, the longer you have the app installed, the more detailed the map gets, as it slurps up data from every subsequent geotagged Instagram story shared by your friends.
The app has two viewing modes: general, and single user. General mode shows you a map of every place that all of the people you follow have said they visited, when they said they were there, and links to the post or story where they indicated that. For users who follow a lot of people, it’s a sea of pins. Single user mode allows you to track a specific person. The other pins fade away, leaving only one user’s shared location history, which, depending on how heavy an Instagrammer they are, can reveal a stunning amount of information about their current location and daily habits.
It’s creepy, and concerning—and that’s the point, says Barto. He created the app to illustrate the wealth of sensitive and telling data users willingly share on a public platform without considering the access that Instagram and outside developers have to it, or what they could be doing with it.
“People don’t realize what they’re sharing,” said Barto. “They’re [operating under] the false assumption that this information is only going to a few people … but it’s public.” Who’s in Town can pull data from private Instagram accounts, as well, provided that the person signing into the app is an accepted follower of the private profile. There is no way for Instagram users to determine whether one of their followers is using a third-party application like Who’s in Town to scrape and aggregate their data, as it operates outside of Instagram’s purview and only requires one party’s consent.
An Instagram spokesperson told WIRED on Friday that it was reviewing Who’s in Town against its platform policies and would take action if any violations are found.
Who’s in Town isn’t Barto’s first privacy-invading social media app. Last March, he released Chatwatch, an app that allowed users to spy on their friends on WhatsApp by exploiting the messenger app’s status feature, which shows when users are on or offline. The app used the data to tell users how often their friends checked WhatsApp, when they likely woke up and went to sleep, and which of their contacts were likely messaging each other. It was removed from the Apple App and Google Play stores after an outpouring of concern from users and members of the press over the privacy implications. (WhatsApp and Instagram are both owned by Facebook, which has its own contentious and scandal-ridden history when it comes to data privacy.)
In the weeks following Chatwatch’s removal from app stores, Barto says that Apple and Google removed every other similar third-party app that scraped WhatsApp for the same type of user data. Likewise, Barto says Facebook banned the popular exploit of the company’s Graph API that he used in Chatwatch shortly after the app went viral, and WhatsApp later rolled out updates restricting all users’ access to their friends’ statuses.
“To this day, in WhatsApp web, you cannot see someone else’s online status if they haven’t saved you on their phone,” he explained. “This is a worldwide change [and it] happened because of us … We managed to get them to techno[logically] change [who can access] this kind of data, which is huge. We didn’t expect to have this [kind of] impact.”
Barto says he hopes the same happens to Who’s in Town, which is currently available in the Apple Store and to download for Android on Who’s in Town’s website. The app was expensive to develop, he says, hence the hefty $6.99 monthly subscription fee. But he admits the app likely won’t be around long enough to recoup all of the development costs. (Barto adds that if subscribers are no longer able to use the app, they will Ultimately, Barto says he hopes that Who’s in Town’s unsettling demonstration of the potential for misuse causes Instagram to change the way it stores and permits third-party access to this type of data.
But there’s something else at play here, too, he says.
“If it does get taken down, that means that whatever data is shared with you by your friends, you have no rights to that—and we know that of course,” said Barto. “But if companies can collect all this data and make a killing from it … why can’t [you] or I put it all together and gain some value from it?”