Think twice before posting your Instagram Top 9 for 2019

Social media apps love offering year-end tools that allow users to see their most popular posts of the past 12 months. It’s a fun way to look back on what we’ve said, done, and experienced online as the New Year approaches. Many apps, like Snapchat, offer their own year-end tools. Other social media giants, most notably Instagram, do not.

But if you’re an Instagram user, your timeline is probably inundated right now with people’s collages of their Top 9 of 2019 posts. And you’ve likely encountered articles explaining how to create these year-end collages of your most popular Instagram posts. What you may not be aware of: These tools are not made by Instagram–and using them can have major privacy implications.

The original Top 9 app, created by a company called Beta Labs, debuted in 2015. It asks Instagram users to give Top 9 read-only access to their accounts in order to create a collage of their nine most-liked or most-interacted-with posts of the year. For obvious reasons, the feature has caught on. (One has to wonder why Instagram hasn’t implemented a similar, official tool.)

But the bad thing about the Top 9 trend is that a plethora of imitators—and even scammers—have cropped up with their own Top 9 or Best 9 apps. Some of these represent serious privacy and security risks to users.

While Beta Labs asks users to log into their Instagram accounts in order to see their posts, it doesn’t harvest or ask for their passwords, and doesn’t have access to their photo libraries. That’s because Instagram itself handles the authentication process for Top 9. But some of these Top 9 clones ask for direct access to your Instagram account. Yep–they ask for your password and sometimes even access to your entire photo library on your device.

Needless to say, giving such access to shady apps that represent themselves as another app isn’t a good idea. But the Top 9 clone problem has become so alarming that Beta Labs even posted a security warning about it last month.

The post reminds Instagram users that if their account is already public, they shouldn’t have to provide their password to an outside app to allow it to create a collage. Beta Labs also warns that shady Top 9 clones will often ask users to log into their Instagram accounts, but will mask the true URL of the site they’re logging into. By hiding the address bar, the app could trick users into entering their info on a dummy site. As Beta Labs suggests, “If you can’t see the address bar, then it’s better not to risk it using this app.”

Though Beta Labs touts its own security credentials, the app does ask users for their email addresses, which are not necessary for creating a Top 9 collage. According to Beta Lab’s privacy policy, “the company and its affiliates may use this information to contact you in the future to tell you about services we believe will be of interest to you,” though users can always opt out of receiving these marketing emails.

Top 9 is a free app, after all. And as we learned in 2019, everything free comes at a price.