- A US Court has ruled that scraping public data from websites like LinkedIn isn’t illegal.
- Privacy advocates suggest the activity can be used to identify new targets and fine-tune phishing attacks.
- The only option for people is to stop oversharing, experts say.
Hackers are literally scraping the bottom of the barrel to fine-tune their attacks, and they now have the courts’ blessing.
The US Ninth Circuit Court of Appeals has ruled that scraping public data isn’t against the law. Web scraping is the technical term for extracting information from a website. For instance, when you copy some text from an article as a quote, that’s scraping. It enters a legal gray area when the scraping is done by automated programs that harvest entire websites, especially those holding personal information, such as names and email addresses.
“The massive amount of information that can be freely scraped from the internet is of concern both to individuals and organizations as this information [for instance] can easily be used by attackers to help make phishing attacks better,” Rick McElroy, Principal Cybersecurity Strategist at VMware, told Lifewire via email.
Get Into a Scrape
The ruling comes as part of a legal battle between LinkedIn and hiQ Labs, a talent management company that uses public data from LinkedIn to analyze employee attrition.
This doesn’t sit well with the professional social network, which has long argued that the activity threatens the privacy of its users. Furthermore, LinkedIn contends that the scraping is against its terms of service and amounts to hacking, as described in the Computer Fraud and Abuse Act (CFAA).
Privacy advocacy groups such as the Electronic Frontier Foundation (EFF) have been critical of the CFAA, saying the three-decade-old law wasn’t framed with the sensibilities of the internet age in mind.
In its criticism, the EFF notes that it strives to make the courts and policymakers understand how the CFAA has undermined security research. The EFF faults LinkedIn for its attempt to transform a criminal law meant to address computer break-ins into a tool to enforce corporate computer use policies, in essence restricting free and open access to publicly available information.
LinkedIn doesn’t view web scraping in the same light. In a statement to TechCrunch, LinkedIn’s spokesperson Greg Snapper said the company is disappointed in the court’s decision and will continue to fight to protect the ability of people to control the information they make available on LinkedIn. Snapper asserted that the company isn’t comfortable when people’s data is taken without permission and used in ways they haven’t agreed to.
Asking For Trouble
While hiQ has taken the stand that a ruling against data scraping could “profoundly impact open access to the Internet,” there have been several incidents of scraped data being made available on underground forums for nefarious purposes.
In 2021, CyberNews shared that threat actors had managed to scrape data from over 600 million user profiles on LinkedIn, putting it up for sale for an undisclosed sum. Notably, this was the third time in the past four months that data scraped from millions of LinkedIn users’ public profiles had been posted for sale.
CyberNews added that while the data wasn’t deeply sensitive, it could still put users at risk of spam and expose them to phishing attacks. The details could also be (ab)used by malicious actors to quickly and easily find new targets.
Willy Leichter, CMO of LogicHub, believes there are difficult legal and privacy issues on both sides of this case.
“[The ruling] basically codifies the way the internet works in practice [so] if you share something publicly, you have permanently lost exclusive control over that data, photos, random posts, or personal information,” warned Leichter in an email exchange with Lifewire. “You should assume it will be copied, archived, manipulated, or even weaponized against you.”
Leichter opined that even if people could assert some legal control over data posted in the public domain, it would be impossible to enforce it, and it wouldn’t deter nefarious activity in any case.
McElroy agreed, saying the ruling serves as a great reminder that people should limit their publicly accessible information since that is the only real recourse available to protect them from future attacks.
“The only practical solution for individuals concerned about privacy is to stop oversharing and think carefully about anything you post publicly,” suggested Leichter.