Date: 2025-08-20

Earlier this month, Meta-owned social media platform Instagram began rolling out a new Instagram Map feature, with a seemingly innocent pitch of being able to use a “map to see content your friends and favourite creators are posting from cool spots.” However, as this feature becomes available to more users, the worries that usually accompany any functionality that tracks a user’s location are beginning to emerge. Security researchers warn of concerns around safety and physical risk, control over personal data and the overarching question of trust.

Instagram insists that the maps feature, which is currently rolling out to users starting with the US, follows an opt-in method. “If you use location sharing, your location is updated whenever you open the app or return to the app if it’s been running in the background. You can turn off location sharing at any time,” Instagram explains, in a statement. However, cybersecurity firm McAfee points out that unlike traditional posts where users specifically choose what to share, this feature operates as an always-on location transmitter that continuously broadcasts whereabouts to selected contacts whenever the app is opened.

Location tracking, and scale

McAfee’s chief technology officer Steve Grobman points out that, “features like location sharing aren’t inherently bad, but they come with tradeoffs. It’s about making informed choices. When people don’t fully understand what’s being shared or who can see it, that’s when it becomes a risk.” In their latest research, they draw parallels with Snapchat’s infamous Snap Map.

Instagram has more than 2 billion active accounts worldwide, and the scale of data collection gets amplified significantly. At this time, the global rollout for Instagram Maps has started with the US, with global availability soon, says the company.

Cybersecurity firm Check Point explains that this isn’t simply a case of periodic location data collection. First are the app-triggered location logs, which collect the most recent location every time a user opens or re-enters the Instagram app. Second, the content-based location data that is attached to Reels, Stories or feed posts gets indexed and tied to a user’s account.

“This location data is stored centrally on Meta’s servers as part of the same infrastructure that underpins Instagram, Facebook, Messenger, and other Meta services. Meta has not specified exactly how long it retains this data, instead using the vague phrase “as long as necessary” to cover service delivery, analytics, compliance, and commercial purposes. Unlike security-first location services, this information is not end-to-end encrypted, meaning Meta’s systems and potentially its employees can access it,” explains Amit Weigmann, cybersecurity evangelist, office of the chief technology officer (CTO) at Check Point.

Your location, your ads, your risks

A centralised data collection and storage mechanism, which doesn’t have end-to-end encryption, also becomes a target for breaches and hackers.

There is very much a possibility of Meta leveraging this data across its other apps, including Facebook, as well as its Meta Ads product. This information can be cross-referenced with your browsing history, purchase records, and demographic data to create highly specific audience segments.

Meta’s advertising platform can merge location data with browsing history, shopping history from other apps, and demographic specifics to create highly specific audience segments, for not just targeted marketing but potentially sophisticated disinformation campaigns.

An inevitable AI angle, and broad concerns

In December, Nick Clegg, Meta’s president for global affairs, admitted that through 2024, which was labelled the year of the election, the company recorded “instances of confirmed or suspected use of Artificial intelligence (AI)” for deepfakes and disinformation campaigns, but insisted that the volumes remained low and that its policies and processes proved sufficient to reduce risk from generative AI content.

Meta’s location data collection policy states, “We also receive and use some location-related information even if location services are turned off.” This includes IP (internet protocol) addresses, which can be thought of as a digital address for each device connected to Wi-Fi or mobile data, and which Meta uses to estimate a user’s general location. “We can use IP addresses to estimate your specific location if it’s necessary to protect the safety and security of you or others,” says the policy, without getting into specifics.

“This integration allows for extremely granular ad targeting, where an advertiser could, for example, reach people who visit a certain gym on weekdays or frequent a specific coffee shop on Saturday mornings. The same precision that enables that kind of marketing also enables more malicious forms of targeting,” says Weigmann.

It is not just a question of Meta building a virtual profile for a user to serve ads. Concerns go much further.

“Criminals can use what’s known as the mosaic effect, combining small bits of data like your location, routines, and social posts to build a detailed profile. They can use that information to run scams against a consumer or their connections, guess security questions, or even commit identity theft,” is something that has experts at McAfee worried.

Because Instagram Map is fully integrated into the broader Meta ecosystem, a breach or compromise of a connected service such as Facebook or Messenger could expose your location data indirectly. There is also concern about risks that include stalking and harassment. “If someone knows where you are in real time, that could lead to stalking, harassment, or even assault. Location data can be powerful, and in the wrong hands, dangerous,” points out Grobman.

Instagram says that regardless of whether or not a user has chosen to share their location, they can still use the map to explore location-based content. “From checking out stories from friends who’ve gone to a concert or finding a new place to hang out from a local creator’s reel,” they detail the proposition. Parents who have set up supervision via the Instagram Family Center will have the option to monitor a minor’s location settings and restrict sharing.