Facebook sues to shut down alleged Instagram clone maker over scraping and sharing personal info for cash

Facebook on Thursday sued Ensar Sahinturk, a software developer based in Istanbul, Turkey, who is alleged to have built a network of sites that scrape data from Instagram to create Insta-clones.

The company's complaint [PDF], filed in the Northern District Federal court of California in Oakland, claims that Sahinturk used software that masquerades as Instagram's Android client to harvest Instagram users' posts.

"Through this fraudulent connection, [Sahinturk] scraped publicly available data from over 100,000 Instagram users and republished it to the clone sites," the complaint says.

The scraping has taken place since 2017, according to Facebook, and has allowed Sahinturk to operate at least twenty Instagram clone websites, including jolygram.com, imggram.com, imggram.net, finalgram.com, ingram.ws, and pikdo.net.

These websites, several with names integrating the "-gram" portion of the Instragram trademark, made Instagram users’ public profiles, pictures, videos, Stories, hashtags, and location data available to anyone searching for the associated Instagram username, without having to login to Instagram and with no notification to the user who made the initial post.

The copycat sites also allow visitors to download pictures and videos, a function not offered by Instagram. And they generated ad revenue, it's claimed, for Sahinturk.

Last year, Facebook began sending Sahinturk cease-and-desist letters and disabling multiple associated Instagram accounts. But its efforts have accomplished little.

The legal filing says that Sahinturk responded to one such letter in May 2019 denying that he operated jolygram.com, even though his name was on the domain registration. And though he is subsequently said to have told Facebook that the site was shut down, the site was operational again two months later and could still be accessed at the time this article was written.

Facebook's legal filing doesn't identify the specific scraping software involved – there are many open source projects for hoovering Instagram data, such as Instagram PHP Scraper. But the complaint suggests Sahinturk found a way to "digitally sign requests in a manner that falsely identified them to Facebook’s servers as originating from a human using the [official Instagram client]."

A Facebook spokesperson told The Register in an email that the scraping software is part of a framework that appears to have used a key embedded in the application. The company earlier this year filed a DMCA takedown notice to have the software and multiple forks removed from GitHub.

Sahinturk is alleged to have used about 30,000 fake accounts for this scheme.

Facebook is suing for breach of contract, trademark violations, and unjust enrichment – it wants to recover ad revenue generated with the copied content, plus the more than $25,000 spent trying to put a stop to the alleged abuse. The company contends it is entitled to cybersquatting damages amounting to $100,000 per domain name, and to attorneys' fees if it prevails.

Collecting a civil judgement against a defendant in Turkey, however, isn't likely to be easy.

Facebook periodically files cases of this sort to deter terms of service scofflaws. In February, the ad biz took aim at New Jersey-based marketing firm OneAudience for allegedly snarfing data through its ad SDK. And in October last year, it sued NSO Group, and its Q Cyber Technologies affiliate, for allegedly hacking its WhatsApp service with its Pegasus spyware. ®