straup / parallel-ogram

It's like parallel-flickr but for Instagram.
http://straup.github.com/parallel-ogram/
BSD 2-Clause "Simplified" License
45 stars 9 forks

Instagram public vs. private #2

Closed bertrandom closed 12 years ago

bertrandom commented 12 years ago

In the README under Caveats, you write:

The Instagram API does not currently expose any consistent indication of whether a person's photos are public or not-public.

Isn't this determined by the link field returned from GET /media/{media-id}?

If the link is null, the photo is private. If the link is an HTTP link, the photo is public.

straup commented 12 years ago

You would think. In practice the short-code link is generated anytime you "share" the photo with a third-party service. Like Flickr.

I send a photo to Instagram. It's (not-public). If I send the photo to Flickr then the short-code is generated. It is unlikely that anyone would ever be so bored as to "guess" those casual privacy URLs but it does mean that it's not really reliable to glean what a user is trying to do.

bertrandom commented 12 years ago

I agree that their privacy model is ambiguous at best.

A couple months ago I figured out the short URL scheme that they are using:

https://gist.github.com/2359945

It's a base encoding similar to Flickr's, but it just uses a different alphabet. I haven't seen it published anywhere, or on their mailing lists, but if I can figure it out in an hour, someone else can, too.

Given any Instagram media ID, if you encode the short URL and go to it, it will either show you the photo or it won't.

If you take that same Instagram media ID and feed it into GET /media/{media-id}, the link field being equal to null matches the privacy reflected above. That's why I say that the link field is our only representation from the API whether or not the photo is public.

Now, we can disagree with them about whether or not they should make the photo public when you share on another network, obviously there are all sorts of use cases behind this (private Twitter accounts, private Flickr accounts), but at the end of the day, the photo is public. Walking the photo IDs and calling GET /media/{media-id} on them, or, even easier - converting them to the short URLs and checking the HTTP response code is trivial.

What is interesting to me is that at a certain point in Instagram's history, they decided to just start making photos public.

Here are my Instagram photos: https://gist.github.com/85e99f5d48a8746b79bc

I don't share Instagram photos with any social network automatically, but still, the most recent ones all have public links (because I have a public Instagram account?). The ones in the beginning that do have links are likely ones that I explicitly shared on Twitter.

straup commented 12 years ago

cries

But good to see the encoding scheme. I will boil that in to flamework-instagramapp and friends. For ... uh ... something.

Anyway, yeah. This is why everything is private by default in parallel-ogram. I'll get around to local permissions eventually.
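Added example, not part of the original thread and not code from parallel-ogram or the linked gist: why a short code derived from a media ID cannot serve as a privacy boundary, next to a random share token that can. The alphabet is constructed for illustration (it is not Instagram's), and all function names and sample IDs are hypothetical.

```python
import math
import secrets

# Constructed 64-symbol alphabet for illustration only; NOT Instagram's alphabet.
ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-_"
BASE = len(ALPHABET)
INDEX = {ch: i for i, ch in enumerate(ALPHABET)}


def encode_id(media_id: int) -> str:
    """Positional base-N encoding of a non-negative integer ID."""
    if media_id < 0:
        raise ValueError("media_id must be non-negative")
    if media_id == 0:
        return ALPHABET[0]
    digits = []
    while media_id:
        media_id, rem = divmod(media_id, BASE)
        digits.append(ALPHABET[rem])
    return "".join(reversed(digits))


def decode_code(code: str) -> int:
    """Inverse of encode_id: anyone who knows the alphabet recovers the ID."""
    if not code:
        raise ValueError("empty code")
    value = 0
    for ch in code:
        if ch not in INDEX:
            raise ValueError(f"symbol {ch!r} is not in the alphabet")
        value = value * BASE + INDEX[ch]
    return value


def search_space_bits(id_upper_bound: int) -> float:
    """Bits of guessing work when codes derive from IDs in [0, id_upper_bound)."""
    return math.log2(id_upper_bound)


def new_share_token(nbytes: int = 16) -> str:
    """Link token drawn from a CSPRNG, unrelated to the ID, stored server-side."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    for mid in (1_000_000, 1_000_001):  # constructed, adjacent sample IDs
        print(mid, "->", encode_id(mid))  # adjacent IDs give adjacent codes
    print("ID-derived code:", search_space_bits(2**32), "bits for 32-bit IDs")
    print("random token   :", 16 * 8, "bits ->", new_share_token())
```

The encoded form carries exactly the information in the ID, so visibility has to be enforced by a stored per-photo flag checked on every request, which matches the private-by-default stance described above.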