Data Protection – Dataconomy
https://dataconomy.ru
Bridging the gap between technology and business
Last updated: Thu, 21 Dec 2023 18:19:00 +0000

Beware of this third-party Instagram app
https://dataconomy.ru/2023/12/21/beware-of-this-third-party-instagram-app/
Thu, 21 Dec 2023 18:19:00 +0000

Remember “Spotify Wrapped”? That annual tradition where the music-streaming platform unveils your quirky listening habits? Well, someone tried to replicate that for Instagram with Instagram Wrap, a third-party app that promised a personalized year-in-review for your IG life. But before you jump on the bandwagon, let’s unpack the truth behind this viral sensation.

Unlike official wrapped experiences from platforms like BeReal and Apple Music, Instagram Wrap wasn’t created by the platform itself. This raised eyebrows, especially considering the app popped up solely on the App Store, mirroring “Wrapped for TikTok”, another third-party offering.

As users started sharing their “Instagram Wrapped 2023” results, a storm of concern brewed. Could secret lurkers and stalkers be exposed through this app? Could our precious data be at risk?

Instagram Wrap was a third-party app not created by Instagram itself (Image credit)

What exactly is Instagram Wrapped 2023 and was it even real?

Instagram Wrap 2023, which took the App Store by storm, promised to summarize your Instagram activity in a neat “wrapped” package. Available only for iOS devices, it quickly vanished at the behest of Meta, Instagram’s parent company. Meta cited policy violations but didn’t elaborate further.

Interestingly, an app named “Wrapped” exists on Google Play, but it’s unrelated to the iPhone version and merely reuses the same screenshots, a dubious game of smoke and mirrors.

To generate your “wrapped” report, Instagram Wrap required users to log in with their Instagram credentials. The report included your most popular stories, your most frequent chat buddies, and even a “top friends” list.

But was any of the Instagram Wrap app legit? Unlikely

Reddit users reported that the app simply listed friends in follower order, raising doubts about its data analysis capabilities. Others noticed the stats changing on each app launch, further fueling suspicion. Providing fake data aligns with the theory that Instagram Wrap lacked access to Instagram’s core data, something third-party apps can’t access just by linking with your Meta login.

Adding to the red flags, Instagram Wrapped’s App Store page claimed it didn’t collect any data. However, the login process raised more questions. Was it a genuine login interface or just a honeytrap for harvesting your credentials?

The bottom line? Instagram Wrap appears to be a phantom in the tech world, offering hollow promises and shrouded in questionable practices. Stick to official wrapped experiences or explore alternative apps with proven transparency and respect for your data. After all, your Instagram life is worth more than a fleeting viral trend fueled by dubious claims.

To generate a report, Instagram Wrapped 2023 required users to log in with their Instagram credentials, showcasing popular stories, chat buddies, and a “top friends” list (Image credit)

Don’t say it is just data

Sharing your data with third-party apps like Instagram Wrap can pose several dangers, both to your privacy and your security.

One of the main risks is data breaches. When you connect your Instagram account to any app, you’re entrusting it with sensitive information like your username, password, and potentially even private messages, contact lists, and activity data. If the app’s security is compromised, this information could be exposed to hackers or other malicious actors.

Another risk is the misuse of data. Even if the app itself isn’t compromised, there’s no guarantee how your data will be used. Third-party apps often have their own privacy policies that govern how they collect, store, and share your data. These policies may allow them to use your data for targeted advertising, sell it to other companies, or even use it for purposes you didn’t consent to.

Furthermore, apps like Instagram Wrap may not even function as advertised. Some might generate fake data or manipulate it to seem more interesting, all while harvesting your real information. This can be frustrating and misleading, and it can also be a gateway to more sophisticated scams designed to steal your money or identity.

Meta, Instagram’s parent company, intervened and had Instagram Wrap removed from the App Store (Image credit)

Additionally, once you share your data with a third-party app, it can be difficult to get it back. Even if you delete the app or revoke its access to your Instagram account, the company may still retain your data indefinitely. This lack of control can be unsettling and can make it difficult to protect your privacy in the long run.

Finally, the proliferation of apps like Instagram Wrap can contribute to a general erosion of trust and privacy norms online. If we become too accustomed to casually sharing our data with any app that promises a fun gimmick, it can become harder to protect ourselves from real threats and maintain control over our digital lives.

Beyond these general risks, specific concerns around Instagram Wrap include:

  • Unclear data access: The app claimed not to collect data but required login to generate reports, suggesting potential deception
  • Shady App Store listing: The claim of not collecting data contradicted the login requirement, raising suspicion
  • Unrealistic statistics: Users reported inconsistent and unrealistic stat generation, hinting at data manipulation

Featured image credit: Brett Jordan/Unsplash.

One year of GDPR: What has changed or what hasn’t?
https://dataconomy.ru/2019/05/29/one-year-of-gpr-what-has-changed-or-what-hasnt/
Wed, 29 May 2019 13:51:49 +0000

Was this a transition year for data protection? How much were the fines collected in the first year of GDPR? What regulations have been enforced so far? Here is all you want to know about GDPR, after a year of its implementation.

The European Commission started in January 2012 to set out plans for data protection reform across the European Union in order to make Europe ‘fit for the digital age’. The result, after years of debate and preparation, was the General Data Protection Regulation (GDPR). Approved by the European Parliament in April 2016, the legislation came into force across the European Union on 25 May 2018 and has now completed its first year.

Reshaping how personal data is handled and raising awareness

This regulation is aimed at fundamentally reshaping the way personal data is handled across every sector in Europe. One year later, we can clearly see that it has raised professionals’ and individuals’ awareness of data protection issues. The regulation gave individuals extensive new powers to control their data. For example, data subjects can demand that organisations tell them how their data are used and ask them to erase their data (the “right to be forgotten”), and the fines for non-compliance were significantly increased.

According to the Eurobarometer of March 2019, the increase in queries and complaints confirms the rise in awareness of data protection rights among individuals. Indeed, 67% of EU citizens polled indicated that they have heard of the GDPR, and 36% indicated that they are well aware of what the GDPR entails. In addition, 57% indicated that they are aware of the existence of a public authority in their country responsible for protecting their data protection rights. According to the European Commission, this result shows an increase of 20 percentage points compared to the 2015 Eurobarometer results.

How has the GDPR been enforced so far?

On February 26, 2019, the European Data Protection Board released an overview on the implementation and enforcement of the GDPR.

According to this report, cooperation mechanisms among national data protection authorities have intensified. Between May 2018 and February 2019, 444 mutual assistance requests, both formal and informal, were triggered by Data Protection Authorities (DPAs) from 18 different EEA countries. Furthermore, 45 one-stop-shop procedures were initiated by DPAs from 14 different EEA countries: 23 cases are currently at the informal consultation stage, 16 are at the draft decision stage and 6 have been finalised. These cases mainly concern the exercise of individual rights, consumer rights and data breaches. The EDPB has adopted 28 consistency opinions regarding the national lists of processing operations subject to a data protection impact assessment.

The total number of cases reported by DPAs from 31 EEA countries was 206,326, including 94,266 complaints and 64,684 cases initiated on the basis of data breach notifications by controllers. 52% of these cases have been concluded, while 1% are being challenged before national courts. DPAs from 11 EEA countries reported imposing administrative fines under the GDPR totalling €55,955,871.

GDPR Cases in Year One

GDPR fines in the first year

Based on a complaint filed in 2018 by the non-profit organisation NOYB (“None Of Your Business”), the French supervisory authority imposed the world’s stiffest privacy fine to date against Google. In January, the CNIL imposed a penalty of 50 million euros on the company over how it uses data for ad targeting, finding violations of the GDPR principles of transparency, adequate information and valid consent regarding ads personalisation. While there is limited transparency around enforcement and only some DPAs have published their results to date, some details for the different states in Germany are known:

GDPR Fines in Germany

As recently as 21 May 2019, a fine was imposed for breaches of the General Data Protection Regulation in Lithuania. The data protection inspectorate issued a 61,500 EUR fine against a payment services provider for violations of the data minimisation, adequate security measures and data breach reporting requirements of the GDPR.

A transition year for data protection

By enhancing data protection we are protecting the fundamental rights and freedoms of the persons to whom that data relates. As the General Data Protection Regulation came into force only one year ago, improvements are being made to address the issues that companies and European citizens face in the day-to-day practice of data processing.

The EEA Supervisory Authorities have reported that they need to carry out investigations, observe procedural rules, coordinate and share information with other supervisory authorities in order to standardise and provide the best solutions to secure our data.

The first 12 months and looking forward

Looking back on the first 12 months of the EDPB’s work, Andrea Jelinek, Chair of the EDPB, comments: “It has been a challenging first year, but we have reached the goals that we set out to achieve, and we intend to keep up both the work and the pace.”

The European Data Protection Board (EDPB) has adopted the framework of its 2019-2020 work programme and intends to develop operational cooperation with its non-European counterparts and a convergence of data protection principles worldwide.

(This article was originally published at the TechGDPR website and the copyright lies with them.)

Disaster recovery plan essential under GDPR
https://dataconomy.ru/2017/07/18/disaster-recovery-plan-gdpr/
Tue, 18 Jul 2017 09:00:51 +0000

Data security is being pushed to the top of the agenda by the new General Data Protection Regulation that comes into force next May, and that means a focus on issues that many organisations have neglected.

Companies across the globe that process data about European Union (EU) individuals will need to take much more stringent security measures to keep that data safe from prying eyes, whether those are criminals or employees.

One area of the GDPR that hasn’t got quite as much attention, though, is continued access to data. In fact, the regulation effectively creates a disaster recovery obligation on organisations: if an attack or an unforeseen problem takes a company offline, it will need to get back up and running as fast as possible, or face a fine as well as the wrath of its customers.

Getting to grips with the GDPR

The GDPR is an EU-wide piece of legislation which creates a revolutionary series of new rights for individuals and will force everyone to think differently about how individuals’ data is treated. Essentially, the principle is that everyone becomes the owner of their personal information. A Data Subject – any individual – has the right to much greater control over how their data is used by Data Controllers – people or companies who keep personal information such as sales records – and Data Processors – the people who use the data, such as call centres.

One of the responsibilities of both data controllers and data processors is to keep that data safe, and if there is a data breach, organisations can be fined up to 4% of their annual global turnover or €20 million.

“Security of processing” and the GDPR

For all the focus on individual rights and the possibilities of a breach, one area of the GDPR has been broadly overlooked – article 32, the security of processing.

This includes two provisions which, according to Giancarlo Butti, a security expert and author, mean that a disaster recovery plan is an essential part of every organisation’s set-up:

“the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services”

and

“the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident”

Previous EU regulations gave firms up to seven days to restore data – restoring access to personal data in a “timely manner” is likely to be interpreted more strictly. As Butti says: “Surely we are far from the concept of ‘seven days’.”

Why businesses need a disaster recovery plan

Many larger businesses have relied on back-up tapes as a fixed form of storage – sometimes known as “immutable buckets” of data as they can’t be amended and are separate from the rest of the system. Tapes create an “air gap” which means that even if a ransomware attack succeeds, the tapes cannot be affected.

However, the time that tapes take to restore data may be prohibitive, both for the business (and the reputational damage it risks) and under the new GDPR.

Companies like Sungard AS offer online solutions which are much faster and use a Data-Recovery-as-a-Service model which means that data protection and recovery expertise can be brought into focus on the affected system. Since most businesses have multiple systems and data flows, there is seldom any single way of protecting data, which makes a holistic approach vital.

Cloud data storage and recovery, using data centres such as Amazon’s AWS service, are now being used by NASA, the United States Air Force and the US Department of Justice, which offers a great vote of confidence in the levels of security for the data.

Not having a disaster recovery plan means losing valuable data – and worse

Data is at the heart of most companies’ ability to do business, which means that every minute counts. Banks that can’t give customers access to their money, as when RBS and NatWest customers could not use ATMs, or an airline that can’t check in passengers, as in British Airways’ computer failure – these issues cause massive disruption to a business, reputational damage and significant financial loss.

In 2016, a study by IBM found that a single data breach cost companies in the US around $7 million on average, with an overall increase in costs amounting to seven percent. Many businesses that don’t have a data recovery plan simply never recover. In the case of British Airways, the incident led to 700 cancelled flights, 75,000 passengers stranded and a bill of £80 million.

The GDPR may seem at first glance to add a significant level of non-urgent and overly arduous regulation to a business. Yet the GDPR offers an opportunity for businesses and organisations to develop a detailed and practical disaster recovery plan that will protect them from serious harm.


Get Your Data Privacy Act Together; the EU Has Reached a Consensus
https://dataconomy.ru/2016/01/28/get-your-data-privacy-act-together-the-eu-has-reached-a-consensus/
Thu, 28 Jan 2016 09:30:40 +0000

In politics decision making takes time, especially when there is a lot at stake. In Brussels, home of the European Union, this has been the case for the new EU data protection package.

Last June, the EU Civil Liberties and Justice Committee (aka LIBE) entered “trilogue” negotiations between the EU Parliament (representing us, the citizens), the EU Commission (the government of the EU) and the EU Council (all 28 heads of EU member states’ governments) on the proposed changes to data protection regulations. On 17 December 2015, LIBE announced that all parties had finally reached a consensus.

The major points of the package are:

  • Explicit consent: Companies that want to use personal data for purposes other than delivering the service for which their clients provide the data, must seek formal, written permission from the client for such use. No more “general data processing” tick boxes. Instead, companies will need “explicit consent.”
  • Right to be forgotten: In some instances, like when the data has been collected during a time when the data subject was a minor and in need of parental consent, data subjects have a “right to be forgotten.” Their personal data must be removed from IT systems, including those in test environments.
  • Privacy by design: All IT systems must be “privacy ready.” Data protection must be by design, not as an afterthought.
  • Onerous fines: Failure to comply will be met with massive fines, up to 4 percent of the offender’s global turnover. For large global companies, this could amount to billions.
  • Timeframe: Upon enactment, companies will have two years to comply.

As the LIBE rapporteur, Jan Albrecht put it, “The regulation returns control over citizens’ personal data to citizens. Companies will not be allowed to divulge information that they have received for a particular purpose without the permission of the person concerned. Consumers will have to give their explicit consent to the use of their data.”

How easy is it to ‘forget’?

The new rules coming into force with the arrival of the EU data regulations pose a major challenge for all companies that collect and store personal data. Take for example the “right to be forgotten.” Executing on this law requires companies to be in control of where any personally identifiable information (PII) resides within their systems. This might sound pretty simple, but it’s far from it: organisations not only need to consider their own back-end databases and backups, but also any data being used by outsourcers, partners or cloud service providers they work with. In many cases, data could even be in use outside the EU, for example in the systems of an outsourcer developing mainframe applications for the business. This would instantly create a breach of the new EU regulations unless the proper controls were in place.

Do we consent to having our data used for system testing?

Explicit consent seems simple. We all know the tick boxes that we already see when doing business online. But do we ever read and understand what our data is collected and used for? What data do these online services need to deliver the requested service, and what kind of data is collected for ‘purposes other than delivering the service for which the clients provide the data’? Do we consent to the latter?

Translating this issue from legal into IT lingo, we can take testing as an example: testing applications with real personal data will require the explicit consent of the end customer. If customers were to reject the use of their data in testing, it could severely impact application testing. Complex applications, such as those developed for the mainframe, are often tested using live customer data in order to create an impression of how they’ll perform in the real world. However, this practice is already unlawful when businesses have not treated the data as personal and put stringent controls in place, not to mention informing people what their data will be used for beyond “normal business.” This is even more significant when the data is being used by third parties, such as outsourcers. Unless the business has explicit consent from the customer for their data to be handed to an outsourcer and used in controlled testing environments, it will be in direct breach of the new EU legislation and face a painful fine.

Impact on testing/development

Alarmingly, research by Compuware indicates that many businesses lack a clear understanding of how their testing practices will be impacted by the new data protection legislation. A fifth of firms do not mask or protect customer data before sharing it with outsourcers, with the vast majority of them relying on non-disclosure agreements that in essence do not satisfy even current data privacy regulation. It is therefore extremely important for all businesses to start looking at their testing practices to ensure that they can comply with the “privacy by design” demand of the EU laws.

If any real personal data is used for testing, it’s high time to start protecting it with a test data privacy project to ensure compliance with the existing as well as new EU regulations. There is absolutely no excuse for continuing to use unmasked customer data in testing projects, and those that continue to do so will have nowhere left to hide when the EU legislators come calling.


Obama Sets Personal Data Notification and Protection Act in Motion
https://dataconomy.ru/2015/01/13/obama-sets-personal-data-notification-and-protection-act-in-motion/
Tue, 13 Jan 2015 10:22:20 +0000

In the aftermath of the various data breaches that occurred in 2014 across enterprises, retailers and government organisations, including the much-discussed November hack of Sony Pictures, U.S. President Barack Obama called for stringent data laws to protect citizens’ privacy and data while speaking at Pellissippi State College in Knoxville, Tennessee on January 9, 2015.

“Major companies get hacked. America’s personal information, including financial information, gets stolen. And the problem is growing and it costs us billions of dollars,” he said.

It is expected that the U.S. President will call for ‘new federal legislation requiring hacked private companies to report quickly the compromise of consumer data,’ reports PC World. The New York Times quoted White House officials as saying that emphasis will also be placed on laws to prevent tech firms from generating revenue from data gleaned from schools.

Dubbed the Personal Data Notification and Protection Act, the proposal will be discussed with the Federal Trade Commission (FTC) and sets a 30-day time frame within which hacked companies must report a breach. The FTC will have the power to hold accountable companies that do not stay in line with the new laws.

Earlier last week, while the President was announcing the new data laws, the Twitter feed of U.S. Central Command was hacked by a miscreant claiming association with Islamic State militants, reports Reuters. The White House is investigating the hack, while noting that the social media hack was a lesser concern compared to database breaches.

(Image credit: Charles Tsevis, via Flickr)
