Late last week, it was discovered that Instagram had lowered the rate limit for its Platform API for some developers and completely removing access to it for others — without warning.
While these changes remain unconfirmed by Instagram, it appears that the visual content-sharing app has somewhat drastically decreased the frequency with which developers can use the Platform API to collect information from Instagram.
If that makes very little sense, don’t worry — you’re not alone.
But marketers should pay attention to this development and what it means. I had our own developers and engineers weigh in on how and why this happened, as well as the implications it could have for the rest of us.
Our Experts Weigh In: Instagram Has Limited (or Cut Off) API Data Available to Developers
What’s Instagram Doing?
To get a better understanding of how API (which stands for application program interface) works and what these changes from Instagram mean, I turned to Sam Mallikarjunan, HubSpot’s Marketing Fellow, who used this analogy:
“Think of API as two parties, or two software systems, on opposite sides of the planet. The API is the cellular network that allows them to talk to each other. What Instagram has done here is lower the number of minutes included with your cellular plan.”
Here’s how that applies here: Prior to these changes, Instagram had a “rate limit” (the minutes analogy Mallikarjunan used) of 5,000 calls per hour, which are essentially requests for data on someone’s activity on the app — such as Likes and comments. On Friday, that rate limit was abruptly lowered to 200 calls per hour for some developers, and for others, access to the API was revoked completely.
According to Recode, very few, if any, developers were alerted to this change — and when I tried to access Instagram’s limits documentation, I was met with this result — suggesting that the app could be in the process of updating its written policies.
So, while Instagram has changed the frequency with which third parties, like developers, can ping the app to gather information, it hasn’t changed the type or amount of information that can be collected — unless, of course, that developer is part of the group whose access to the API Platform has been revoked completely.
Which is interesting, considering that many believe this move was just the latest by Facebook — which owns Instagram — to put protective protocols in place in the wake of alleged misuse of personal user data by analytics and profiling firm Cambridge Analytica. It’s what Dmitry Shamis, HubSpot’s director of web development, calls “very reactive, instead of proactive.”
What Do These Changes Mean?
To further understand the impact of changes to Instagram’s Platform API, I once again turned to Mallikarjunan to explain how developers or other third parties might use it.
“Text messages also work as a metaphor, if anyone remembers a time before SMS was unlimited,” he said. Whereas one could text Instagram 5,000 times per hour to ask a question about someone using it, now, “I can text Instagram 200 times per hour.”
Of course, that’s only if these users have opted-in. Think of sites that give you the option of logging in with Facebook or Google, rather than using your email address and filling in several fields with information like your name, location, et cetera. Some sites also use Instagram in this way, perhaps not as frequently.
As a developer, Mallikarjunan explained, “the things I might ask about are, ‘When is Amanda’s birthday?’. That’s one API call. Or, ‘Who has posted a photo with the hashtag #SamRocks?’ That would be a second API call.”
And as long as the users from which the developer is seeking this information have given permission for the third party to ask these questions, they’ll be answered. “But once I ask too many questions within a short period of time,” Mallikarjunan says, Instagram may cut you off.
“For the everyday marketer, the impact won’t be huge,” says Shamis, since a volume of 5,000 calls per hour likely isn’t necessary for most. In fact, he explains, at that rate, “Something funky is probably going on.”
That might have been what was going on with Cambridge Analytica when personal user data was allegedly misused, says HubSpot Senior Systems Engineer Ben Becker, when a professor and app developer introduced an app for people to install via Facebook, granting the app developer permission to access and use that data. What the developer wasn’t supposed to do was transfer that information to Cambridge Analytica.
To get an idea of how a high API rate limit might be (ab)used in a situation like that one, Becker says to apply the numbers to that context. “Person A installs the professor’s app, giving the professor access to Person A’s information,” he explains. “At the time, Facebook allowed Person A’s information to also include data from his or her friends who Liked the Page or developer behind the app, which allowed the professor to also scrape their data.”
Now, Becker says, imagine a developer doing this to 50 million people — the estimated number of users for whom Cambridge Analytica obtained personal data — at 5,000 calls per hour. It could require less than 10,000 hours, or just over 417 days (less than a year and a half) to collect that amount of data.
Why Is Instagram Doing This, and What Does It Mean for Marketers?
“Right now, Facebook is in panic mode,” says Becker — which could explain the reactive nature of these changes, as Shamis described them. “I think this is Facebook over-adjusting.”
But one has to wonder how good actors — as opposed to those pinging the API Platform for less-than-savory reasons — could be impacted by them.
First, developers whose permissions were completely revoked likely faced that outcome because they were “probably bad actors, or reasonably assumed to be a bad actor,” Becker says. “If you’re a good person, there’s nothing to worry about.”
But in terms of how the “good person” is impacted here, says Mallikarjunan, it might force them to be more selective about the data they want to gather using Instagram’s API Platform, seeing as they likely won’t be able to obtain as much info in a single timespan as they once were.
However, he suspects that could change, and wouldn’t be surprised if Instagram will allow higher rate limits to those who pay for them, perhaps “under the pretense of privacy audits.”
So, why limit these changes (for now) to Instagram, and not to Facebook at large? While Facebook did announce last week that it would be shutting down Partner Categories — the product that allows third-party data providers to supplement advertisers with targeting information directly through the social network — we haven’t heard anything yet about restrictions being made to its API access.
Mallikarjunan believes it might have something to do with what is likely a significantly smaller subset of users who log into sites using Instagram — especially considering the limited number of sites that even offer it as a login option. (Personally speaking, I’ve barely ever come across it, but will certainly be keeping an eye out for it moving forward.)
Instagram has a “smaller user base,” he points out — 800 million monthly active users as of September 2017, compared to Facebook’s 2.13 billion, “and less data you can pull,” making it a convenient place to experiment with API restrictions.
But as that suspected experiment progresses, we could see further restrictions made on both Instagram and Facebook, especially with the General Data Protection Regulation (GDPR) coming into force next month.
But all of these events — starting with the alleged weaponization of Facebook by foreign agents to spread misinformation and influence the 2016 U.S. presidential election — and the resulting fallout from them is leading to a pivotal moment for social networks and the way they collect or leverage user data.
And out of these social networks, “Facebook is the biggest, and it’s getting the brunt of the focus,” says Becker.
We’ll see how it plays out — and which other networks follow suit.