Open in app

Sign in

Write

Sign in

Instagram account suspension process overview, or — how my account was unjustly disabled

Piotr Chylarecki
20 min readFeb 21, 2021

Article meta

The purpose of this article

  • to describe the Instagram centrally-induced account access lock mechanisms
  • to summarize the info available on the web regarding troubleshooting the issue and to report on their efficacy
  • to introduce and rate the efficacy of other steps that I took
  • to show general issues with these
  • to show issues specific to my case
  • to illustrate the extent of loss of personal intellectual property and personal and professional capabilities
  • to provide hypotheses to the cause of the locks
  • to name potential steps for prevention of such situations

The target audience of this article

  • Instagram users, more specifically:
  • - people who have invested a significant amount of time, effort, and money in their accounts and/or rely on their accounts for their livelihood
  • decision-makers inside Instagram and/or Facebook (the company) — Instagram Engineering, Facebook Design
  • regulators with the power to introduce social media legislation

The aim of this article

  • to document a process that Instagram failed to comprehensively document themselves
  • to show the technical performance shortcomings and UX design issues for Instagram to improve
  • to prove the unjust and hurtful practices of Instagram
  • to apply pressure on Instagram to change their practices in general
  • to show as evidence to Instagram actors that can solve my specific case
  • to raise awareness of the issues among fellow users
  • to provide evidence to the regulators
  • to boost initiatives focusing on improving the issue

Article content

Introduction

Around 2021–01–27. (GMT+01:00) Instagram unjustly suspended all of my user accounts based on false allegations of breach of their T&Cs, EULA, Community guidelines etc.

The accounts I care about the most were @Piotr.Chylarecki and @P_Chylarecki_photo .

Report

1.Remote log-out

The mechanism started on its own unexpectedly after a few hours of inactivity on Instagram. I re-opened the Instagram native mobile app that ran on the background on my iPhone.

I was logged into a number of accounts simultaneously. (If you didn’t know it, the Instagram apps support up to 5 active accounts simultaneously in theory , and at least 10 — in practice. Press and hold on the user tab icon on the bottom or on the user name up top on that tab to bring the account switching panel. )

I noticed that the posts on my feed were (slightly) outdated. A toast (ie. disappearing) notification bar on the bottom of the feed tab said ‘ Could NOT refresh feed’.

Here’s the first design problem. The notification only informed the user of a symptom of an issue. It should also say what is the cause of the issue and how to solve it.

I also suppose it’d be helpful if the notification was semi-permanent, for example, it was permanently displayed until dismissed by selecting an ‘x’ button on the bar — that’d require a permanent notification bar instead of a toast.

Another thing I noticed is I was not able to view the contents of any other users’ profiles. Each profile that I entered, that I have followed, would show ‘Account is private / Follow to see media’ even though the ‘Follow’ button was toggled in ‘Following’ state.

This is another issue — Instagram failed to provide a dedicated message for ‘Access denied’ scenario (which I later found I was in). Instead, it applied the same messaging as for ‘Access not granted’ scenario, where a user isn’t following a profile.

Because the notification failed to provide any cause, I was left to guess.

I supposed it may be a one-off fluke, so I tried manually refreshing the feed (by pull-to-refresh from the top of the view). Did NOT solve the issue.

I checked my web connection — I had full wi-fi (and cellular) reception and could navigate to new web addresses just fines in my web browser.

Thus, I moved onto the next troubleshooting step. I forcibly closed and re-started the Instagram app.

Only then the procedure moved forward — I no longer saw the ‘could NOT refresh feed’ error message. Instead, I have been forcibly remotely logged out of my account. Not only the one open at the time — of all the active ones.

There was no message explaining what happened or why, and what I can do to prevent it from happening in the future.

2.Re-authentication

I tried to re-log in. Not only did I have to re-enter my credentials, I also had to reauthenticate the device using the 2FA (two factor authentication) time-based codes generated by a separate app even though I did NOT change the device, re-set it or re-install app. I was not told why these steps have been taken towards my account and what steps are awaiting and what’s the procedure they all comprise.

After the 2FA authentication, I met the first message from Instagram. It was a generic allegation saying they have detected ‘suspicious activity’ on my account. They did NOT provide details or proof. They did NOT say how the whole locking and unlocking process would look like.

3. Verification

The only instruction they provided went only as far as the current step, with no notice of the number of steps ahead or logic to them.

I was asked to solve CAPTCHA challenges where I had to match the pictures to the description. The CPATCHA mechanism itself has issues and was poorly designed. Firstly, after I succeeded and submitted the form after solving the CAPCTCHA the first time round, the flow failed to move forward. I was moved back in the process, having to re-take the challenge, w/ no explanation given. Not only that, this time I had to solve multiple challenges in a row. The CAPTCHA itself doesn’t tell you if you have solved it successfully when you submit it, neither does it tell you how many challenges are ahead.

4. Phone number shadow-ban

Then I was asked to provide a phone number to get a text message w/ a code that’d verify my identity. Now, here’s the kicker. I inputted my phone number that I know for fact that works, cause I receive and make calls and send texts on it daily. I’ve put it in the contact details for a number of IG accounts I use. I have received 2FA and verification codes for IG on it in the past w/ out issue.

This time around submitting the number moved me to another screen for inputting the code. To my surprise, the code never reached my phone. Normally it did within 10 seconds in the location that I was at the time. I waited a couple of minutes — still nothing. I requested a re-send through the option on the screen. Did NOT help.

I was perplexed. There was no message on the screen saying there was anything wrong with my number. I stress, the flow let me move to the code submission screen after I have submitted the number. If there had been anything wrong with the number it should have said it immediately after inputting it, or at least submitting it. And it should NOT, under any condition, have allowed me to move on to the next screen, as the screen explicitly said that a code WAS sent to the number.

Once again, I was left to figure out what was happening. I tried to re-log in to all of my other IG accounts, only to find they have been flagged as well, as were stuck at the same phone number verification screen, with the phone number in question being of no use to any one of them.

I gave up and decided to re-attempt the procedure w/ another number. As I’m an expat I happen to have another active SIM laying around. After some iPhone / iOS-specific SIM detection drama I was able to get the other number up and running in the phone. I submitted the other number in the form field and was moved onto the code input screen as before. Only that that time it worked, as it always did prior to this situation — ie. I received the code, within 10 secs. This proved true for all other accounts of mine.

This proves Instagram can- and does shadow ban phone numbers, at least for the identity verification on the log-in stage. A Shadow ban is a ban without an explicit message notifying the user of the ban.

The problem with shadow bans are numerous. First, as per ‘shadow’ name, it denies the users transparency on matters that affect them. That is unfair. Second, as the user doesn’t know they have been banned, they may as well suppose they are affected by a technical issue. This leads them to engage in generic technical issues troubleshooting steps to try and solve the issue. These steps all end in re-attempting to submit the form, using the number. Furthermore, as the user is left to believe the technical issue is non-descript, they have a vast array of steps to take, wasting their time and effort, that result in a high number of re-attempts of using that phone number.

Some abuse detection and/or prevention systems are designed according to a principle where each attempt of submitting such shadow-banned number deteriorates the rating of the user that submits it. This creates this self-fulfilling prophecy to the loss of the user. Their number gets flagged and shadowbanned. They don’t know about it, they try to make some changes to their device configuration and re-attempt to use said number, only having it pop-up more and more times on their account. That, in turn, leads to the number (and sometimes the account, device, IP etc. ) to be flagged, more so, with each attempt. The practice is extremely unfair to users, leading them to tighten a noose the SoMe platform put around their neck.

The generic troubleshooting steps that I took before switching to the second number were as follows:

  • re-starting the identity verification flow
  • re-starting the app
  • re-installing the app
  • re-installing the app, this time after having deleted the saved user accounts (they persisted between app installs, turned out, despite iOS saying ‘uninstalling will delete this app’s settings and data’)
  • re-starting the phone
  • soft resetting the phone
  • connecting from a different wi-fi network
  • connecting from the cellular network
  • connecting w/out VPN
  • connecting from a different device — here: a notebook, w/ the config (device, OS user account, web browser user account, and profile used successfully, regularly, and recently for Instagram before)

None of the steps worked.

5. Suspension

Back to the other phone number that allowed me to get and submit the code. The whole time Instagram was saying they needed the CAPTCHA and the phone number to verify my identity. After I did give them these, they still refused to let me in, saying they would now take up to 24 hrs to verify my identity. They did NOT specify how they would do that, or how come the CAPTCHA and the phone number were insufficient.

The screen also informed me that my account was suspended, based on some alleged suspicious activity. It also provided a period of time after which the account would get permanently (as Instagram’s knowledge base and 3rd party articles stress) deleted, meaning presumably, even an inside intervention from FB wouldn’t help past that point. I don’t remember precisely — the period was somewhere between 28 and 31 days, and I’m leaning more towards the latter. Anyway, the page with the suspension notice and the countdown, rounded to days, is refreshed for each account in real-time, meaning summoning it again will give you the current period to deletion day.

Now, a little background on what I’m referring to as ‘the flow’, in terms of UX design. The whole identity verification procedure and account suspension communication take place in a slide-over screen that sits atop the regular UI of Instagram. After the log-in and 2FA code input, which have their dedicated UI screens loaded natively by the app, a WebView (a limited-functionality app-embedded web browser) is opened. The problem with this approach is that WebView itself, or even the page loaded in it, with its form contents, such as the form awaiting input of the SMS code or the CAPTCHA challenge, are not persistent.

The WebView will close and be reset every time the parent app has to free memory, which usually is after the user closed IG, switched to another app, or even locked the phone and kept it inactive for a period of time.

The page within the embedded browser will reload likewise, even if none of the above happened, after a timeout is reached or memory is low.

At the previous step, no info was provided as to if- and how the user would get notified about the verdict of that account suspension appeal. It did NOT mention if that appeal involves an algorithm or an employee, or what follows.

It should say these things and the process should include a way of notifying the user, such as by an e-mail or a push notification. It turned out none of these methods are used by Instagram. The only way to see the result of the appeal is to manually check again in 24 hours' time.

Now, as explained above, due to the technical limitations based in the solution Instagram chose to use for this procedure, the app will have inevitably lost the state in which the user left it, even if they left the phone on the appeal submission confirmation screen and left the phone untouched for a day.

Now, this does NOT have to mean that the whole log-in, authentication, and verification procedures should be required again. The app could remember the active log-in and authentication state for this flow after that step; and it could query the server for the status of the verification check in recent history. It doesn’t.

Thus, the only way to re-check the status of the suspension appeal procedure is to re-go all of the steps mentioned. And, as outlined earlier, depending on the algorithms, re-engaging in such procedures may result in flagging the user / config further.

In my experience with a few accounts so far the procedure took 24 hours with some change. For each account the verdict was negative. There was no justification for the ruling, nor any details or proof of the offense. What there was, was an escalation of the issue — from the account being suspended to it being disabled.

6. Disablement

This was accompanied by the flow moving to Instagram support’s knowledge base article paraphrasing the situation and providing a single link to a from for a second appeal. It did NOT mention if this appeal is provided by a person, or how long it takes etc.

That link is https://help.instagram.com/contact/1652567838289083 .

The form requires the following information: the owner’s full name (NOT the display name for the account), the account’s specific contact e-mail, the account username (@handle), and the country.

Now, for one of my accounts the first coupla times I provided the wrong e-mail, as I forgot I used that particular one — I hardly do. Instead of the standard practice of returning an error for the wrong credentials being provided, the form returns an error alerting the user they failed to authenticate and urging them to do so in Instagram (the knowledge base website is separate from the Instagram’s web app). Now, on mobile in the native app this leads to a particularly peculiar situation, as the user must have authenticated to ever reach that very from, meaning that the error message doesn’t make sense . Providing the correct e-mail solved the issue.

Unfortunately, after the form is submitted there is no confirmation message, which is the standard. There is no case number, which is the best practice. Nothing. More confusingly, the flow moves on, unabashed, kicking the user out onto the home page of the knowledge base. From there they may even proceed to Instagram’s web app. Nearly half of the times I do that the WebView UI’s top bar, with the button to close it, disappears, sliding up and beyond the screen area. This leads to an Inception-like bug in which I’m left with the Instagram native app stuck in the Instagram web app view, with no way to exit it. Re-starting the app solves the issue, as the webview is closed on app start, as mentioned above.

7. Disablement appeal — identity verification

The first time I have submitted that form for a given account I’ve immediately (<1 min) received an automated e-mail from Instagram. Still no case number, no info on the actors involved, the charges, the proof etc. It asks to snap a selfie with a piece of paper containing a code included in the e-mail, the full name of the account owner and the handle, as well as the full face of the owner and their hand.

The e-mail address that sends the message may be uniquely generated for each ticket — so this the closest thing to a ticket ID that I got.

I complied with the request and sent back the selfie immediately. That was on 2021–02–02, so nearly 3 calendar weeks ago. I didn’t receive any response from Instagram / Facebook since, even an automated delivery confirmation with an ETA, which is the common practice.

I’ve tried submitting the form again (the one for appealing the account disablement) a few more times from different configs — none of the attempts resulted in the code being sent again, despite what I read on the web. Ie. reportedly some people have tried submitting the form multiple times and got the codes (different ones) again, and submitted those. I’d suppose they hoped one of these other attempts get randomly picked, or maybe their amount helps their case reach a critical mass to get it looked into. Whatever the logic was, I could NOT follow that procedure.

The damage

Whether your account is suspended or disabled, for all intents on purposes it can’t be accessed on IG. It doesn’t show up in the search results. The profile and post addresses return 404s. The conversations show ‘Instagrammer’ in the header and — the actual account name — at the bottom, at least.

Specific

The two accounts that matter to me most and were disabled are still very much disabled. It says the data will get deleted in 6 days. This is where I’m at currently.

Now, to give the picture of the scope of the loss.

The two accounts that I have had disabled are: 1) my personal account; and 2) my professional account — for photography.

Both were 5 years old. The first one had, I think, around 200 posts over and the other — nearly 500. In terms of followers, we’re talking double digits, so nothing of significance these days. Like and comment count in the same territory.

What matters most to me are:

  • the posts shared
  • the stories shared and saved to the archive
  • the posts saved
  • the posts liked

Over these years I’ve managed to rack up hundreds, if not thousands of the latter two categories. And the creation and publishing of the posts and stories took hundreds of hours of my time that, should my accounts not get restored, I won’t ever get back.

General

In my mind, the virtual world is nearly as important as the real ones these days. And in terms of identity, after a phone number, an e-mail address, social media are the most important identity form there is. To me, and I feel, many people of my generation, Instagram (not Facebook, not LinkedIn, and not TikTok) are the most important service to that extent. Losing Instagram is the digital equivalent of losing one’s home.

Not to mention the consumption aspect of it. As Instagram got more aggressive with its log-in wall recently one cannot view anything without logging in, even on public accounts. I relied on Instagram to get my news, to keep up with family, with friends, to follow the causes and activists I care about, to get inspiration for my photography and interests, to shop for clothing and accessories, to see what’s happening in my neighborhood. None of which I can do anymore, if I can’t get access.

Cause hypothesis

There was no legitimate cause for suspension of any of my accounts.

I would like to note all of the accounts logged into the native mobile app got suspended. The ones that I used in the past but were not logged in (like my old work one) — didn’t. This may prove that the suspension flags not only an account it deems ‘suspicious’ but extends the procedure to all that are logged into the device.

The two accounts I mention as of primary importance to me I used to post content — of me, and my photo works, respectively. The other accounts I used just to consume media — I did not post at all. Most of the time on them I spent just scrolling through my feed. Sometimes I would follow new profiles, maybe 1–5 a week, if I found some cool ones online. I would like perhaps, 30% or less, of the posts I see. I would hardly ever comment, and these would usually be requests for specific info. I would not send messages from those accounts. I used the primary ones for that.

I did NOT post any offensive or copyrighted content, hate, bully, propagate fake news or spam etc. Nothing of the sort. I did NOT buy followers, likes, comments etc., use bots or unauthorized software. I did NOT exceed the hourly or monthly limits for content upload or actions.

Actually, I noticed the limits for my accounts, the ones I only used for media consumption, were lowered below the maximums mentioned by Instagram themselves in the official documentation. I could barely follow more than 3 accounts in a row w/out getting blocked from any interactions for weeks on end.

My hypothesis currently is that the cause of the issue was me using a VPN. Not sure if IG is detecting a VPN, my specific VPN (Express), or the server I use (DK).

After all my accounts got suspended and appeals got me nowhere I created a new account, just to consume media for now. Surely enough, after a couple days it got flagged (for no apparent reason). I followed maybe 25 accounts, max. 3 / hour, max. 9/ day, made no comments, liked maybe 30 posts, that’s it. No messages, no posts, comments, nothing.

First I got hit with the SMS code, then maybe with SMS & CAPCTHA (don’t remember). And finally, a day later — the same suspension, appeal (lost, just like before). I didn’t bother with another appeal through the form for that one.

The fact that I did not post anything and barely performed any actions whatsoever on the account and that the suspension happened when I accessed IG on my phone on cellular led me to believe that the reason was my VPN. It can’t be the wifi, the actions, the posts — that’s the only thing left. I mean, the only options left are quite extreme and include: blocking my phones numbers, my e-mails, my full name, my device ID, my non-VPN IP, or even my location.

So, I disabled VPN on my phone and blocked my OS from accessing IG domain in antivirus on my notebook, and created another fall-back account. That was on 2021–02–13. and so far, so good.

I’ve encountered my IP or my account being flagged by services while using this VPN and this server before. Sometimes changing the server helped. Unfortunately, they only have one for my current country of residence.

For example, Twitter would refuse to load images. Spotify would forcibly remote reset my password and kill my sessions. Google and YouTube would hit me with CAPTCHA — sometimes the checkmark, sometimes with pictures. CloudFlare would flag me half of the times. Even some torrent sites would hit me with CAPTCHA, the old type, with equations.

The problem definition

The problem, in general, is the procedure is poorly designed, results in false positives and so far have failed to resolve the issue it created.

It flags legitimate accounts run by actual humans that generate lawful SFW content and behave respectfully, provides no communication, has no human oversight that I know of.

Call to action — users

I’m not the only one — here’s an old Medium article and a matching Change.org petition that I signed already. I urge y’all to do the same — this has a chance, however little, of bringing about change — sharing your horror stories in comments won’t.

Steps left

For the 6 days left I’m gonna approach Facebook employees on LinkedIn and mention IG and IG Engineering with a link to this article on Twitter.

From what I saw in two sources, one which I personally know, IG’s appeal process is so bad that oftentimes they won’t look at a case started by a user if they don’t have an employee start an internal corresponding case themselves, leaving only people with access to flesh-n-blood FB / IG employees, to have any chance of getting the accounts they got robbed of the back, maybe.

Steps taken

There’s no e-mail address one can e-mail Instagram on the issue. There’s no phone number. There’s no person and no shop. There’s the knowledge base full of generic articles for basic tasks and containing this one form that I already used, to no avail. That’s it. The fact that Facebook, which has millions of users around the world and that people rely on their identity and livelihoods for, that people invested hundreds of hours and money in, has no accountability, is unacceptable.

What I found online was inaccurate. The phone number, +1 (650) 543 4800 doesn’t accept WhatsApp calls (even though it’s owned by Facebook). A regular carrier call results in a voice menu, which in the end points to the knowledge base, no matter the option chosen. No option to speak to an employee presented.

Mailing secuirty@mail.instagram.com doesn’t return any reply, even an automated one. Sending an e-mail to support@instagram.com results in a response w/ an auto-reply form facebook_hosted@fb.com saying they don’t check that e-mail and to check the knowledge base.

Some people are saying to use ‘USA’ instead of your actual country in the disablement appeal form. Or to use the business form, and NOT provided documents, even though you’re a person and not a company. Those I haven’t tried yet.

Call to action — to regulators

In the account lock process, Instagram internally charge you, as a user, of wrongdoing. They fail to follow the basic principles of a fair trial, ie. they fail to name specific charges, provide evidence, hear someone’s explanation or name a decision-maker. They may even not care to provide a human to ever review the case. They don’t provide a time window. They’re the judge, the jury, and the executioner. Such treatment has to end, as Instagram, with its monopoly and status, is a basic service these days and needs to be regulated, just like commodities, to avoid such situations.

There should be fair trials for such situations, with state oversight, and actual employees involved, with reasonable timeframes, evidence-based proceedings, and restitution for false accusation.

The point of this article is to show the way, to strengthen the voices who think alike, and to turn my frustration into information and a call to action. Even if it does very little, I can say that I did what I could, and this brings me peace.

Instagram
Facebook
Social Media
Algorithms
Policy

--

--

Piotr Chylarecki

Written by Piotr Chylarecki

25 Followers

UI designer, photographer

Help

Status

About

Careers

Blog

Privacy

Terms

Text to speech

Teams