First things first: Instagram is owned by Facebook. As such, no matter your settings or how you operate the app, you can never obtain real privacy on the platform. There exists a decentralized, ad-free alternative called Pixelfed that seems to have been getting some praise, but without personal experiences I can’t say much about it. Still worth the look if you’re thinking about migrating from Instagram.
Alright, now on to the guide. Here are the concrete steps you should take in order to increase your privacy and security on Instagram.
Public vs. Private profile
Turning your profile Private might sound like a good privacy move, but in reality it just transforms the Instagram user experience from Twitter-like to more Facebook-like, where you can approve who can follow you. As long as your profile has been public, it has been scraped and indexed by Google and a myriad of other third-party applications using the Instagram API. Neither does a private profile hide your engagements across Instagram, so it’s not a complete invisibility cloak against other users. If you share your pictures from Instagram to some outside service, those will be public as well. And of course, Instagram itself still can see everything you do.
There’s a bunch of settings in the app that fall into the “safety” category instead of “privacy” category, where they are located. These can be useful for privacy purposes if you’re e.g. trying to block a stalker, but generally these safety settings just alter and censor the things you see on the platform. There’s however, these three privacy settings you should check:
Tags: disable “Add automatically”. This doesn’t prevent random people tagging you in their photos, but it prevents these tagged photos to automatically appear in your profile. If tagging is used against you in a malicious way, think this just as one damage control method.
Story: This one’s more in the FYI category. By default, anyone can share you Instagram stories. If you’re not okay with that, disable it from the “Sharing”.
Activity status: Disable. This setting can be found on most social media and messaging platforms, always disable it.
Login security: As usual, use a strong and unique password. Recently, it turned out that Facebook had store millions of Instagram passwords in plain text – this goes as a good remainder that a good password is not enough, you also should change that password often. According to their Help pages, Instagram seems to have some proactive measures in place to warn users if their passwords have been leaked, which is a good thing:
“During automated security checks, Instagram sometimes recovers login information that was stolen from other sites. If Instagram detects that your password may have been stolen, changing your password on Instagram and other sites helps to keep your account secure and prevent you from being hacked in the future.”
Turn two-factor authentication on. As I’ve mentioned before on this blog, always use authentication app or hardware key as a secondary authentication method, instead of SMS. SIM swap attacks are one of the easiest way to perform an account takeover, and first step in protecting yourself against those is to not use SMS/call authentication anywhere, or even better, don’t tie your phone number to accounts in general. If you’re new to 2FA, visit this Instagram Help page to learn more.
Similar Account Suggestions setting is a bit hidden, as it’s accessible only through browser and not the app. When someone taps Follow on an Instagram profile, they’ll see suggestions of similar profiles they might also want to follow, such as mutual friends or other people they might know. This setting allows you to opt out of those suggestions.
This guide is part of my social media hardening series. You can find more articles like this, covering e.g. LinkedIn or Reddit, from this category.