
Instagram took down private unofficial APIs via DMCA - giansegato
https://github.com/mgp25/Instagram-API
======
mCOLlSVIxp6c
Looks like this is the takedown request:
[https://github.com/github/dmca/blob/master/2020/01/2020-01-2...](https://github.com/github/dmca/blob/master/2020/01/2020-01-22-facebook.md)

The core allegation is:

> Mgp25’s Instagram-API repository (and its forks) offers a tool expressly
> designed to circumvent the Company’s effective access controls and
> protection measures by avoiding, bypassing, removing, deactivating, or
> impairing the Company’s technological measures without the authority of the
> copyright owners or the Company. Mgp25’s Instagram-API is designed to
> emulate the official Instagram mobile app when communicating with
> Instagram’s servers, which allows users of mgp25’s Instagram-API to send and
> receive data (including receiving legitimate, copyrighted posts by
> Instagram’s users) through Instagram’s private API. Mgp25’s Instagram-API
> also permits other types of access to, and collection of, Instagram’s users’
> copyrighted works in manners that exceed the scope of access and
> functionality that would be permitted by a user with a legitimate,
> authorized Instagram account.

~~~
wpietri
Is this legally a legitimate reason for a DMCA request? That it's a tool that
could be used to bypass copyright controls?

It's been a long time since I read it, but my understanding of the DMCA is
that you need to claim an actual copyright violation on the thing being taken
down. This sounds like a claim of contributory copyright infringement, which
a) I don't remember being covered by DMCA, and b) there's a reasonable claim
here for substantial non-infringing use, so I'm not sure contributory
copyright infringement really applies.

~~~
saurik
This is about Section 1201, one of the most interesting parts of the DMCA,
which is about banning circumvention devices. What is confusing me is that I
am under the impression that the DMCA "takedown" process (which I know quite
little about, to be fair) was unrelated to the anti-trafficking provisions
(which I do stare at a lot), so I don't think this is a valid request (even if
it were a valid lawsuit... though I frankly doubt that either as I don't think
an "access token" can be considered an "effective TPM").

(I am _not_ a lawyer, but I spend an unreasonable amount of my time staring at
Section 1201 issues; if anyone needs legal advice they should contact a
lawyer: nothing I say should possibly be construed as legal advice.)

~~~
ldoughty
From what I gathered: The author was banned from service on Instagram, he or
she kept getting banned/denied new accounts because they flagged the device's
UUID... So the author then made the API to mask/modify the device UUID and try
to regain access to the platform (presumably signing up elsewhere, then using
that token through this API to maintain access on their phone).

The author admitted to this in the readme of the repo.

Sounds 100% like the API was designed to try and bypass access control
mechanisms...

Not sure if that falls under the legal definition or not.

~~~
buckminster
> Sounds 100% like the API was designed to try and bypass access control
> mechanisms...

Sure, but your parent's point is that this doesn't appear to be grounds for a
takedown. Takedowns are for infringing content, which this isn't.

~~~
jacurtis
According to the 2nd sentence on Wikipedia, which describes DMCA:

> [DMCA] criminalizes production and dissemination of technology, devices, or
> services intended to circumvent measures that control access to copyrighted
> works (commonly known as digital rights management or DRM). It also
> criminalizes the act of circumventing an access control, whether or not
> there is actual infringement of copyright itself.

While I initially thought (like many others on here) that DMCA was to keep you
from spreading copyright content or passing it off as your own, the true
purpose of DMCA is actually to criminalize the act of circumventing DRM.
Access control on a social network I guess is considered a type of DRM for the
content within the network (which, lest we not forget, is wholly owned by
Instagram as soon as you post it). It specifically states that circumventing
access control is a violation, regardless of whether any copyright was
actually infringed upon.

So from my keyboard lawyer perspective, it seems like Instagram is actually
within their rights here.

[Source](https://en.wikipedia.org/wiki/Digital_Millennium_Copyright_Act)

~~~
TheDong
The point of the parent comment is not that the DMCA doesn't cover
anti-circumvention, but rather that the DMCA contains many parts, and only the
copyright content part has a safe harbor and takedown notice provision.

The claim you're arguing against isn't that the DMCA doesn't cover this. The
claim is that the DMCA takedown process doesn't apply to all infringements of
the DMCA, only those of copyright wrt safe harbor.

------
thosakwe
IANAL. I'm also assuming this was an HTTP client library.

How could this possibly be a violation of copyright, if it's just a client
that accesses their API? Their API is not truly "private," just undocumented.
If you distribute a free app that calls a remote API over users' networks, you
can't make the case that it's private, because it's clearly accessible from
every network/connection/device. Something exposed to the public cannot
simultaneously be private.

At least, maybe the author's lawyer could argue the above in court.

Among many things I hate about the DMCA, it's that hosts have basically no
option other than to respond to takedown requests by actually taking down the
content in question, for fear of litigation. It just rubs me the wrong way.

~~~
ikeboy
> Among many things I hate about the DMCA, it's that hosts have basically no
> option other than to respond to takedown requests by actually taking down the
> content in question, for fear of litigation.

That's the entire point. A DMCA takedown request is supposed to lead to the
content being taken down. The person who uploaded it can send a counternotice,
which will lead to the content being put back up if no lawsuit is filed.

What would you change about the system? Should rights owners have no recourse
short of litigation to get their content taken down?

~~~
Semaphor
> What would you change about the system?

3 strikes and you are out. Take down 3 obviously (probably decided by a judge)
non-infringing things and you lose the ability to send takedowns.

~~~
ikeboy
> Take down 3 obviously (probably decided by a judge) non-infringing things and
> you lose the ability to send takedowns.

Once it reaches this point, the service provider would likely stop accepting
the notices anyway. See e.g. the recent lawsuit by Youtube against Brady, who
sent a bunch of bogus notices. Once they realized that, they stopped accepting
the notices.

There's hardly a critical mass of takedowns by people who've been found 3
times by a judge to have sent fraudulent takedowns.

~~~
Semaphor
> There's hardly a critical mass of takedowns by people who've been found 3
> times by a judge to have sent fraudulent takedowns.

Because those rarely go in front of a judge. Torrentfreak [0] gets many
takedown notices where for example their reporting on a leak gets targeted
with a DMCA request. If those companies had to fear someone challenging these
(in this example an easy win) and making them lose their ability to send them
out at all, that would change a lot.

[0]: [https://torrentfreak.com/all-dmca-notices-filed-against-torr...](https://torrentfreak.com/all-dmca-notices-filed-against-torrentfreak-in-2019-were-bogus-191231/)

> In previous years we’ve received erroneous complaints from the likes of
> Amazon, Electronic Arts, Disney, Entertainment One, Vertigo Films, Magnolia
> Pictures, NBCUniversal, Paramount, and even BBC Worldwide. This year we can
> add more.

> According to Google’s Transparency Report, in 2019 Google received a further
> 11 DMCA takedown notices targeting our domain, sent on behalf of Columbia
> Pictures, Sony Pictures, and sundry others. All of them were completely
> bogus.

~~~
ikeboy
> If those companies had to fear someone challenging these (in this example an
> easy win) and making them lose their ability to send them out at all, that
> would change a lot.

Why hasn't torrentfreak sued? Presumably because it's not an easy win and
doesn't produce real benefits for them. I'm struggling to see how any of that
would change under your proposal.

For what it's worth, judges have occasionally issued injunctions preventing
people from filing claims, under the DMCA and otherwise. See e.g.

[https://www.courtlistener.com/docket/16599762/home-it-inc-v-...](https://www.courtlistener.com/docket/16599762/home-it-inc-v-wen/)
("ORDERED that the Defendant Wupin Wen, no later than eighteen (18) hours
after service of this Order on her via email to trademark@cn-ip.cn,
trynow@cn-ip.cn, and bzkjuk@126.com: a. Notify Amazon that the trademark owner’s
allegations of infringement against HOMEIT are withdrawn and that Amazon
should re-list the involved products to its website as soon as possible; and
b. Refrain from filing or otherwise communicating any allegations of
infringement by HOMEIT to any third party, at minimum, for the duration of the
instant litigation relative to Saganizer branded products." docket 21

[https://www.courtlistener.com/docket/4160397/design-furnishi...](https://www.courtlistener.com/docket/4160397/design-furnishings-inc-v-zen-path-llc/)
(older case from 2010), "Defendant is therefore enjoined
from notifying eBay that defendant has copyrights in the wicker patio
furniture offered for sale by plaintiff and that plaintiff’s sales violate
those copyrights. " docket 29

[https://www.courtlistener.com/docket/16630192/california-bea...](https://www.courtlistener.com/docket/16630192/california-beach-co-llc-v-du/)
"THEREFORE, DU AND ALL PERSONS IN ACTIVE CONCERT OR PARTICIPATION WITH
DU, ARE TEMPORARILY RESTRAINED from taking down, based on any alleged
copyright infringement, from Facebook and Instagram, or any other service
provider’s website, CBC’s online content or product line. Du is temporarily
not permitted to file any further takedown notices with Facebook, Instagram,
or any other service provider’s website as to CBC’s online content or product
line. Any current and operative takedown notices in effect that were filed by
Du as to CBC are restrained, and are to be disregarded by the online service
provider. Accordingly, and specifically, Facebook (Report #2576187715997707)
and Instagram (Report #1407615876061304) are directed to disregard Du’s
takedown notice and to reinstate CBC’s online content during the period of
this Order. " docket 22

~~~
Semaphor
> Why hasn't torrentfreak sued? Presumably because it's not an easy win and
> doesn't produce real benefits for them. I'm struggling to see how any of
> that would change under your proposal.

a) I’m not sure they can even sue currently, isn’t the only thing illegal
misrepresenting that you have the right you claim? b) Even if they could, as
you say, no real benefit c) The change would mean that just the threat of
getting sued for malicious DMCA notices would make the companies sending them
better at actually having a case. Currently, there is no risk at all shooting
with cluster bombs when sending notices. Barely any risk using DMCA to prevent
speech. That is what my proposal would take away.

~~~
ikeboy
a) USC 512(f) makes it illegal to misrepresent that something is infringing.
Not considering fair use is included, per Lenz v. Universal Music Corp.

c) To do that, you'd need to make suing easier. I don't see how your proposal
does that.

------
rcaught
[https://web.archive.org/web/20191207221404/https://github.co...](https://web.archive.org/web/20191207221404/https://github.com/mgp25/Instagram-API)

> Why did I make this API?

> After legal measures, Facebook, WhatsApp and Instagram blocked my accounts.
> In order to use Instagram on my phone I needed a new phone, as they banned
> my UDID, so that is basically why I made this API.

~~~
pmlnr
Anyone has the actual git repo as well?

~~~
segmondy
If you fork git repos, make sure to pull them down, if the official repo is
taken down, your forks will disappear unless you have a copy.

Here's a script I made to backup all your repos, throw it into a cron and run
once a month or something, where 20 is the largest number of pages you have,
adjust accordingly. I actually wrote this up when a fork I had disappeared.

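
    #!/bin/bash
    # Clone every repository listed for USERNAME, one API page at a time.
    USERNAME='segmond'
    # 20 = highest page number of your repo list; adjust accordingly.
    for i in $(seq 1 20); do
        # Quote the URL so the shell does not treat '?' as a glob character;
        # jq -r prints each clone URL without surrounding quotes.
        curl --fail -s "https://api.github.com/users/$USERNAME/repos?page=$i" \
            | jq -r '.[] | .clone_url' \
            | xargs -t -n1 git clone
        sleep 1
    done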
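
A variant of the backup script above that can be re-run from cron, added here as an example (not segmondy's code): a plain `git clone` fails once the directory exists, so this version keeps bare `--mirror` clones and refreshes them, and it pages through the API until an empty page instead of a fixed count. The helper names (`mirror_dir`, `mirror_repo`, `backup_user`) and the `mirrors` output directory are assumptions.

```shell
#!/bin/sh
# Added example: refreshable mirrors of a user's public repositories.
# mirror_dir, mirror_repo and backup_user are hypothetical helper names.

# Map a clone URL to a local directory name, e.g.
# https://github.com/alice/tool.git -> alice__tool.git
mirror_dir() {
    url=${1%/}
    url=${url%.git}
    repo=${url##*/}
    rest=${url%/*}
    owner=${rest##*/}
    printf '%s__%s.git\n' "$owner" "$repo"
}

# First run: create a bare mirror holding every ref (branches, tags, notes).
# Later runs: fetch again. If the upstream has disappeared the fetch fails
# and the existing mirror is left as it was.
mirror_repo() {
    src=$1
    dest=$2/$(mirror_dir "$1")
    if [ -d "$dest" ]; then
        git -C "$dest" remote update >/dev/null 2>&1
    else
        git clone --quiet --mirror "$src" "$dest"
    fi
}

# Walk the API pages until one comes back empty instead of guessing a count.
# Needs network access, curl and jq; per_page=100 is the API maximum.
# A failed request also yields an empty list and ends the loop.
backup_user() {
    user=$1
    out=$2
    page=1
    mkdir -p "$out"
    while :; do
        urls=$(curl --fail -s \
            "https://api.github.com/users/$user/repos?per_page=100&page=$page" \
            | jq -r '.[].clone_url') || return 1
        [ -n "$urls" ] || break
        for u in $urls; do
            mirror_repo "$u" "$out" || echo "failed: $u" >&2
        done
        page=$((page + 1))
        sleep 1
    done
}

# Run only when a user name is given: sh backup.sh USERNAME [DIR]
if [ $# -ge 1 ]; then
    backup_user "$1" "${2:-mirrors}"
fi
```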

~~~
dicytea
> if the official repo is taken down, your forks will disappear unless you
> have a copy.

[https://help.github.com/en/github/collaborating-with-issues-...](https://help.github.com/en/github/collaborating-with-issues-and-pull-requests/what-happens-to-forks-when-a-repository-is-deleted-or-changes-visibility)

I don't think that's true, I've personally recovered deleted repositories by
finding its forks.

edit: Ah never mind it seems things work differently in the case of DMCA
takedowns

~~~
AdamJacobMuller
There is also a big difference between clicking `fork` on github vs cloning
and creating a new repository (on github) and then changing the remote URL and
pushing.

The latter isn't "github fork" even if it is a "git fork" and won't be
affected by most[1] automated takedowns.

1> where most is defined as somewhere between 0 and 100%

------
h1fra
You can still find the implem in various languages, like this one in js:

[https://github.com/dilame/instagram-private-api](https://github.com/dilame/instagram-private-api)

------
heavyset_go
What's the difference between scraping while circumventing anti-scraping
measures, which certain circuits have upheld as being legal, and what this
unofficial API client did?

This is an honest question, and not a rhetorical one.

~~~
filoleg
That was my first thought upon seeing this post. Given the LinkedIn scraping
decision earlier this week, I would think that this one should be in the
clear.

------
tylergetsay
Question, is there any way to design an API such that it can't just be
reversed into a new client library like this? Certificate pinning makes it
harder to MITM but that's trivial to disable.

~~~
taytus
If you create a door, that door is going to be used to enter and to exit.

~~~
SergeAx
Except if you add a lock)

~~~
shirshak55
even with that you can use key to open the lock and key has to be stored
somewhere and end user can always get it right?

------
Nextgrid
Does anyone have a mirror? I might download this and keep it just in case.

~~~
sbr464
Some of the forks[1] still work, although outdated. There are some on
gitlab[2] also. Doing code searches finds other copies[3].

[1] [https://github.com/NantipatSoftEn/Instagram-API](https://github.com/NantipatSoftEn/Instagram-API)

[2] [https://gitlab.com/alihesari/Instagram-API](https://gitlab.com/alihesari/Instagram-API)

[3] [https://github.com/DarriusAlexander/speaklight/tree/1b4167c3...](https://github.com/DarriusAlexander/speaklight/tree/1b4167c3164a8fd1e1779410a61e2841c89ce386/wordpress/wp-content/plugins/social-auto-poster/includes/social/libraries/instagram/mgp25/instagram-php)

------
vga805
unofficial APIs or unofficial documentation about the APIs? what exactly was
this, and if the latter, are the APIs still available?

~~~
g4k
"This is a PHP library which emulates Instagram's Private API. This library is
packed full with almost all the features from the Instagram Android App. This
includes media uploads, direct messaging, stories and more."

[https://web.archive.org/web/20191207221404/https://github.co...](https://web.archive.org/web/20191207221404/https://github.com/mgp25/Instagram-API)

------
mddanishyusuf
Now facebook developers' app approval is so hard. I submitted 6 times for review
and every time the reviewer points out a mistake. I'm building a tool that sets up
a third party API gateway for your 3rd party applications' APIs.
[https://nocodeapi.com](https://nocodeapi.com)

~~~
1hakr
Awesome! I love this tool. What were you doing all these days.

~~~
mddanishyusuf
Thanks, I'm adding lots of applications and here is the list where you can find
them [https://nocodeapi.com/marketplace](https://nocodeapi.com/marketplace)

~~~
todd8
Looks very useful. I like your landing page, it's nicely designed, works great
on a phone, and communicates clearly.

A tiny suggestion, it looks like a typographical error slipped through in the
sentence:

> Convert these applications APIs without any hustle and Power-up your
> products, tools & portfolio by these NoCodeAPI.

I think you meant to use the word “hassle” instead of “hustle” as it would be
a bit more idiomatic in the sentence.

~~~
mddanishyusuf
Thanks, todd8 for the catch. I'm working on the content. stay tuned.

------
enterabdazer
I don't know the details of the code, so I'm left with questions.

Is the only difference between using this library and using Instagram's mobile
app the fact that the library is not the "right" web browser?

Isn't the library simply a different web client accessing a publicly available
API? And requests from the library are properly authenticated / authorized by
Instagram's servers through normal means (the library isn't bypassing some
mechanism, it's just not the official app)?

If it's true that it's just a different API client, then there may be some TOS
violation, but isn't DMCA an overreach? Is there any validity to the claim?

~~~
buckminster
A TOS violation is an unauthorised access which is a federal crime. See, for
example, the case of Aaron Swartz. Using the DMCA seems preferable. Changing
these laws would be better still.

~~~
capableweb
So if I put "If you visit the website, you owe me 5 USD" in my Terms of
Service, I can have them arrested? Something feels very fishy here, has to be
more conditions than just "TOS violation === federal crime"

~~~
buckminster
The difference is in what you can convince an investigator, a prosecutor and a
jury to take seriously.

------
thefounder
Isn't the google vs oracle still on? How did github rule that apis are
copyrighted?

~~~
dkarras
I think with how DMCA works, Github doesn't have to (or need to) rule one way
or another. Someone sends a notice and it is taken down swiftly. If the owner
thinks this was in bad faith or a mistake, they can challenge it but if you
are not absolutely sure that you can win such a claim you better talk to a
lawyer first.

~~~
notyourday
Owner needs to send a counter-notice. Github will have to restore it. FB will
be forced to take owner to court but the repo will stay up until court decides

~~~
wpietri
Easy to say. But I'd be hesitant to invite a lawsuit from a company with
infinite money, a predatory attitude to their users, and a proven willingness
to spend arbitrary sums of money to maintain their quasi-monopoly.

~~~
notyourday
Possibly. Though based on having friends who had DMCA used against them and
fought it, a counter-notice immediately put the brakes on large companies.

The reason for that is simple: DMCA takedowns in large companies are handled
by someone who at best is a year out of law school who processes hundreds of
them per day. 99.99% of those go unchallenged because no one knows about the
process. As soon as the counter-notice is served this person/entity indicates
that they aren't the 99.99%, at which point someone actually starts looking at
their play book. It will be another round of notice/counter notice game before
someone that bills $400/h looks at the merit of a company's assertion. In the
larger companies the cooler hands tend to prevail in non-obvious cases.

------
circular_logic
If this developer had reverse engineered some documentation about the private
API could that also receive a DMCA?

~~~
qes
Yes. I could publish the source code of, say, my access control system, along
with instructions on how it could be bypassed, but yet if you use those
instructions to bypass it, that is a violation of the DMCA.

------
KaiserPro
In the author's own words, this API was explicitly designed to get round
access controls. (see internet archive)

So people should be cheering this no? I mean facebook are protecting their
users from nefarious developers seeking to get access to people's data.

The only crit is that it took so damn long to find it. (since 2016!)
[https://web.archive.org/web/20160603201221/https://github.co...](https://web.archive.org/web/20160603201221/https://github.com/mgp25/Instagram-API)

I know that's not what's annoyed most people. But if facebook really are serious
about privacy, then they took too damn long

~~~
the_gipsy
They should make their APIs secure, instead they abuse DMCA.

~~~
slimed
Exactly. All they did was remove an open source repository. It's still trivial
to access their services in a way that they admit is harmful to their
customers' privacy. As a bonus, now it's on the front page of Hacker News.

It's almost as if they're making the same error as OP who identified the
library as "an API" rather than a client of an insecure API implemented by
Instagram. Presumably they know better.

~~~
amylene
Perfect is the enemy of good. And we don’t know what work they’re doing on the
engineering side.

What if it turns out they detected this code was run by other people and
responsible for 50% of the unauthorized access? Just because it doesn’t
entirely solve the problem, does not mean they shouldn’t pursue all partial
tactics.

~~~
slimed
The problem is that they are abusing a statute that we all know is harmful
more generally and creating precedent for others to do it.

