After months of trying and being refused access to my own user data, I found myself at the precipice of nearly committing fraud to get my user information, photos, and videos back from Instagram.
Never had I been to Fort Irwin, California, a military base in the Mojave desert where exercises are conducted against simulated enemies to prepare for war. But, three years after leaving the Army, I was searching for addresses there that I might claim as my own.
My journey to the base, at least digitally, had begun when my Instagram account was disabled a few months ago. Suddenly and without warning, I lost access to all of the images and other data I uploaded on the application over years. Obtaining access to my own creations so I could have a backup was harder than I had imagined though—so hard that a virtual move to the Mojave—so I could claim residency in California and obtain my information via the state’s digital rights laws—seemed to be the only option left.
The question of the dubious legality of doing so made me go no further, but others—the people I got the idea from—haven’t had such qualms. In an era of unlimited connectivity, physical location remains paramount when it comes to data privacy and data access for users. It’s so important that some are driven to lying to obtain the protections offered by a small group of states and nations.
If even a user’s access to their own data is determined by their geographic location, what does that mean for more troubling questions about how this information is being used?
When my account was first disabled, the Instagram application informed me that I could appeal the decision, which I did. Eventually, I lost the ability to do even that. So I used the multiple methods Instagram suggested to appeal the disablement decision, since I believed it to be a mistake. For months, I tried to jump through their hoops—sending in a photo of my driver’s license, verifying my identity with a selfie taken with a sheet of paper that had a unique code written on it, and other efforts. Eventually I figured that if I couldn’t get my account reactivated, I could at least download a copy of my data using the tool Instagram has created for those who can’t access their accounts.
I hadn’t posted inappropriate content or anything unusual–I simply received a message one day that I violated the Terms of Service somehow. Based on Instagram’s TOS, they have the right to disable accounts in such a manner, which as a private site is in their purview.
But an account being disabled is not the same thing as one being deleted. My account and its data still exist and is presumably being used for Meta’s business model—I just can’t log in or use it in any way, even to utilize Instagram’s built-in data download feature.
When I finally used the tool to request my user data from Instagram in hopes of being able to at least download the files I had uploaded, I got the first response from a human. The privacy department informed me that they could not give me my data unless I logged in. When I replied to them that my lack of account access prevented my data access, the representatives responded that they were “unable to assist me further based on the information I provided” and that they considered the matter over.
They then closed my help ticket. Months later, my data is still inaccessible.
I began looking online to find out more information about my situation, seeing if others had experienced the same response of being denied access to their own information. I eventually ended up on the unofficial Instagram subreddit where I found multiple posts from users there who have found themselves unable to log in and therefore unable to retrieve their data. Some have even attempted to buy back access to their data and accounts, purchasing ads on Facebook’s business platform to get access to a specialized chat support feature that’s specific for businesses.
Nothing was guaranteed to work except for virtually moving to the Mojave. I read a Reddit post that suggested that if Meta refused to provide your Instagram data to you, the best option was to fill out a consumer complaint in California with the Office of the Attorney General. Not living in the state didn’t matter, apparently: The poster from Reddit said they’d just used a random California street address in their complaint. And it had worked. Others in that Reddit thread made the same claim, an example of the effect of disparate data privacy laws.
That’s of California’s Consumer Protection Act. Under California law, consumers in the state have the right to know about the personal information businesses collected, used, shared, or sold about them, including specific pieces of personal information and data. The right to know means you can specifically request your data from platforms. For now, California is the only state with comprehensive consumer data privacy laws that go beyond the limited existing federal rules. (Utah, Colorado, Connecticut, and Virginia have also passed such laws, too, but they don’t effect until various points in 2023.) So if I truly did live in California, under the law, Meta would have to release that information to me.
The same holds true in some other countries as well. For instance, in 2018 the European Union adopted stringent privacy protection measures in its General Data Protection Regulation, designed to harmonize data privacy laws across its member countries and grant greater protections to individuals. If your account is suspended by Instagram and you live in the EU, you’re covered by article 15 of the GDPR and can request your information.
If your state or country doesn’t have privacy laws, it’s unclear what rights you have. Facebook’s current TOS states that you “retain ownership of the intellectual property rights in any such content that you create and share on Facebook and other Meta Company Products you use.” The current terms also state “If you delete or we disable or delete your account, these Terms shall terminate as an agreement between you and us, but the following provisions will remain in place: 3, 4.2-4.5.”
Section 4.2 is literally the section this text is in, meaning it’s citing itself. Section 4.5 doesn’t exist. Beyond the text on a person owning intellectual property rights, Section 3 says nothing about privacy and data access considerations beyond the user’s privacy settings. Facebook’s privacy policy meanwhile simply says users can request their data at any time. But, again, if Facebook disables someone’s account on Instagram, that person can lose all access to the data the company has gathered on them with no guaranteed recourse. (I reached out to Meta for a comment on their data access policy but did not receive a response.)
Since no national law which regulates data access and privacy, not having access to one’s data on a social media site for any reason is not federally recognized for any legal action as of now. The Federal Trade Commission currently focuses on issues of data breaches, exposures of private user data due to a company’s security practices. One such was with the data breach Equifax announced in 2017 which affected 147 million people.
I asked Tori Ekstrand, an associate professor in the Hussmann School of Journalism and Media at UNC-Chapel Hill who specializes in media law, about my situation, and she told me, “The United States has lagged behind countries when it comes it comes with creating a comprehensive data privacy protection framework.” She noted that several bills are currently pending before Congress, most notably the bipartisan American Data Privacy and Protection Act. The bill would establish a “duty of loyalty,” imposing a baseline obligation on companies to not collect, process, or transfer data unless companies reasonably need it to provide products or services to existing customers. Companies would not be able to deny service or adjust prices for an individual to who refuses to waive their privacy rights. Finally, it would establish a right to data and information access for consumers, mandating that companies must provide access to consumers upon request including what third parties a user’s data has been given to.
“With states like California passing their own privacy laws, there is concern among lawmakers and data scientists about a ‘patchwork’ approach to regulating digital privacy,” Ekstrand said.
The ADPPA is currently being held back from a vote in the House of Representatives by Speaker of the House Nancy Pelosi, whose reasoning seems to illustrate Ekstrand’s point: She feels that the bill doesn’t go far enough in its data protection rules and would weaken the California CPA.
“Privacy considerations weren’t part of the blueprint of modern social media sites,” said Ekstrand. “Adding privacy support can be seen as equivalent to the changes to buildings after Americans With Disabilities Act was passed in 1990.”
The benefits of data privacy and control will benefit those at the most serious risk first, such as when elevators were mandated by the ADA to be added into all new buildings and retrofitted into the older ones. Those benefits then moved “downstream” to others who weren’t the original population targeted to help; we’ve all used the ADA mandated elevators in buildings.
Maybe one day I’ll be able to get my old photos and videos in the same manner.
Future Tense is a partnership of Slate, New America, and Arizona State University that examines emerging technologies, public policy, and society.
Photo illustration by Slate. Photos by Instagram and charlesdeluvio on Unsplash.