ICO calls on social media firms to protect user’s data from scraping


UK’s Information Commissioner’s Office (ICO), together with eleven data protection and privacy authorities from around the world, have published a statement calling social media platforms to up their protections against data scrapers.

Data scraping is the process of extracting large amounts of publicly available data from websites using automated tools such as bots, collecting information that users have published on that platform.

Although the collected information is already public, if it is combined with private or additional data from other sources, threat actors can use it to launch targeted attacks or to conduct identity fraud, and data brokers or marketers can create detailed user profiles.

“Scraping from social media creates privacy risks and potential harms, such as the information people post online being used for reasons they don’t expect, exploited in cyberattacks or used for identity fraud.” – ICO

The problem has been highlighted many times recently, causing damage to several social media platforms, including Facebook, LinkedIn, and TikTok.

The joint statement highlights that publicly available or accessible information is still subject to data protection and privacy laws, and hence, the companies that manage that data are obliged to protect it by implementing anti-scraping measures.

The measures proposed in the statement are the following:

  • Implement multi-layered technical and procedural controls for protection.
  • Designate a team or roles to handle, monitor, and respond to scraping activities.
  • Use “rate limiting” to control visits per hour or day by accounts.
  • Monitor new account activities for suspicious rapid interactions.
  • Identify “bot” patterns, e.g., multiple accesses using the same credentials in a short time.
  • Employ CAPTCHAs to detect bots; and block related IP addresses if scraping is detected.
  • Take legal actions, such as ‘cease and desist’ letters, against confirmed scrapers.
  • Notify affected parties and regulators in case of data breaches.
  • Proactively support users in understanding and managing privacy settings.
  • Ensure compliance with privacy laws if safeguards process personal information.
  • Inform users of measures taken against data scraping.
  • Continuously monitor and adapt to new threats; update controls accordingly.
  • Analyze metrics on scraping incidents for security framework improvements.

ICO also reminds users of social media platforms that no safeguards are 100% effective against scraping, and it’s crucial for them to actively protect their data, starting by limiting the amount of information they post online.

Additionally, users are urged to read the privacy policies of the online platforms they use to understand the risks, and set the privacy settings on those sites to decrease their public exposure as much as possible.

“Ultimately, we encourage individuals to think long term. How would a person feel years later, about the information that they share today?” warns ICO

“While SMCs and other websites may offer tools to delete or hide information, that same information can live forever on the Web if it has been indexed or scraped, and onward shared.”

The statement is co-signed by data protection authorities in the UK, Australia, Canada, Hong Kong/China, Switzerland, Norway, New Zealand, Columbia, Morocco, Argentina, and Mexico.



Source link