On August 24, 2023, 12 data protection authorities members of the Global Privacy Alliance’s International Enforcement Cooperation Working Group, including the Information Commissioner’s Office, adopted a joint statement concerning data scraping. The joint statement primarily addresses the privacy risks associated with data scraping and also offers an overview of measures that organizations and individuals can take to mitigate such risks.
This article presents the core aspects of the joint statement, shedding light on the pivotal privacy risks linked to data scraping. Whether an organisation is involved in data scraping for marketing purposes, law enforcement activities, or finds itself potentially vulnerable to data scraping, this article holds relevance. It not only outlines the potential risks, but also provides strategic measures that website operators can adopt to meet regulatory expectations in addressing such risks.
Unveiling Privacy Risks in Data Scraping
In an ever-connected world, data scraping has emerged as a potent tool for extracting valuable insights from the web. Data scraping, also referred to as web scraping, entails the automated extraction of data from online sources, which is then used for different purposes (e.g., analysis, research, intelligence gathering). It is typically performed using bots (i.e., a software or program that performs tasks automatically on the internet, often mimicking human actions) or web crawlers (i.e., a computer program that automatically scans websites to collect information).
However, the practice raises significant privacy concerns for individuals, and it is essential to strike a balance between innovation and respecting users’ privacy. Across most jurisdictions, personal information that is “publicly available” on the internet, falls within the scope of application of data protection and privacy regulations. Consequently, companies involved in web scraping and operators of websites hosting such data are accountable for ensuring compliance with relevant laws.
Data scraping deprives individuals of their control over personal information, potentially eroding their trust in website operators. The joint statement outlines the following risks on the basis of the reports received by data protection authorities in recent years:
- Cyberattacks: Malicious actors might exploit scraped data from “hacking forums” to orchestrate social engineering or phishing attacks.
- Identity Fraud: Extracted data could facilitate fraudulent loan applications, credit card misuse, or impersonation via counterfeit social media profiles.
- Surveillance: Scraped data might populate unauthorised facial recognition databases, which could be used by law enforcement authorities.
- Unauthorised Intelligence Gathering: Foreign governments or intelligence agencies could exploit scraped data for unauthorised ends.
- Unwanted Marketing: Scraped contact data may facilitate unsolicited marketing campaigns.
- Diminished Control: Data scrapers may perpetuate the use and distribution of scraped information, curtailing individuals’ control over their digital presence.
Apart from the risks posed to users, data scraping can also expose organisations, as well as their employees’ and customers’ data, to various risks. For example, it has the potential to facilitate cyberattacks, erode user trust, and attract regulatory penalties. This is particularly significant considering that in numerous jurisdictions, data scraping could be considered tantamount to a data breach.
Mitigating Risks: Best Practices for Website Operators
Website operators bear the responsibility of protecting personal data from illicit scraping endeavours. The joint statement offers a comprehensive set of practices, echoing prevalent global data protection norms, aimed at safeguarding against data scraping and its privacy implications. A tailored combination of multi-layered technical and procedural controls is recommended based on the sensitivity of the data. Such measures may include:
- Rate Limiting: Implement hourly or daily visit caps between account profiles to identify unusual activities.
- Activity Monitoring: Vigilantly observe new account behaviour for signs of aggressive scraping activities.
- Bot Detection: Employ pattern recognition techniques to identify bot activities, such as unusual IP address clustering accessing the platform through the use of identical credential from multiple locations within a condensed timeframe.
- Anti-Bot Measures: Implement CAPTCHAs (i.e., a security feature used to determine if a user is human or a computer program) and IP blocking to counter identified data scraping attempts.
- Designating Teams: Appoint dedicated teams or roles responsible for implementing and monitoring anti-scraping measures.
- Metrics Analysis: Collect and analyse scraping incident metrics to identify security control gaps.
- Continual Improvement: Regularly stress-test and update controls to adapt to evolving technologies.
- Legal Recourse: Employ legal actions like ‘cease and desist’ letters and enforcement of terms and conditions to counter suspected or confirmed data scraping.
- Upholding Transparency: Clearly inform users about implemented anti-scraping measures, so to foster trust and user empowerment.
- User Education: Actively engage and educate users about privacy settings and information-sharing policies. By doing so, users’ awareness will be heightened when making decisions about the information they choose to share and the potential privacy risks that may arise as a consequence.
Operating websites that house publicly accessible personal data requires the attentive evaluation of the legality of various scraping methods within relevant jurisdictions. In addition, the digital domain is ever evolving, and so are data scraping techniques. This article underscores the significance of embracing a dynamic approach to data protection as safeguarding data security calls for ongoing vigilance and adaptability to the changing regulatory and technical landscapes.
Trilateral’s Data Protection and Cyber-Risk Team has significant experience in assisting organisations in developing organisational and technical measures to enhance data security in various domains, including the digital one. Feel free to contact our advisors if you would like to receive expert assistance in data protection compliance.