Published: 17/09/2021

Account Scraping

What is account scraping?

Account scraping is when someone uses software or APIs to collect user data from your website. This is illegal in many cases, but difficult to prove and fight against.

Usually, account scrapers are third parties who make money by selling the data they fetch from your site to advertisers. For instance, social media sites can access Facebook APIs to get data about which of their users are also on your site. Often you won’t even know that this happens. Data that has been passed through an API call once cannot be traced back if it gets sold multiple times afterwards.

Why is account scraping dangerous?

The main issue with account scraping is that companies selling data don’t care where the data comes from or what its collection and distribution imply. This means your company could get blacklisted in an instant for not following the guidelines set out for third parties handling user data, leading to a loss of brand reputation.

How do you fight account scraping?

Unfortunately, account scraping can be difficult to fight. If you suspect your website is being scraped by third parties, there are a few steps you should take:

  • Block all direct access to your APIs or website. This step might not always be possible for larger companies with an active user base.
  • Make sure that no sensitive data can be retrieved via your APIs (no names, ages, etc.). Pass only publicly available information like user IDs and profile pictures.
  • Adopt a bot management solution that protects against malicious web scraping.

Frequently asked questions about account scraping

Is account scraping illegal?

Account scraping itself is not illegal, but there are laws in place to prevent the sale of user data without explicit consent.

How much damage can an account scraper do in the long term?

This depends on how quickly you’ll notice that somebody else has access to your website or APIs. If it takes weeks or months, then a lot of damage could already have been done by then.

If you notice the account scraper within minutes, weeks or months, it will help you to take action against them.

What if the data is used for good?

This does not matter. If third parties (even benevolent ones) use your APIs, you might get in trouble with the law and open yourself up to brand damage. Once this happens you cannot tell who will use that data and how it will be used, making legal action tricky.

What are the penalties for account scraping?

There are no clear-cut penalties, but if you get notably large fines or an open court case, it will be bad news for your brand.

Is it possible to detect account scrapers?

You can try to do this by looking at IP addresses or service providers. If you notice any red flags about the service providers, talk to the company they are working for directly – you might be able to solve it out of court.
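
One way to look at IP addresses in practice, shown as an added example that is not part of the original page or any Netacea product: flag clients that fetch an unusually large number of distinct profiles in a short window. The /api/users/<id> endpoint, the combined log format, the sample lines and the thresholds are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log shape: combined log format, profile reads at /api/users/<id>.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET /api/users/(?P<uid>\d+) HTTP/[\d.]+" (?P<status>\d{3}) '
)

def parse(lines):
    """Yield (ip, timestamp, user_id) for successful profile fetches only."""
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["status"] == "200":
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield m["ip"], ts, int(m["uid"])

def find_enumerators(lines, window=timedelta(minutes=5), max_distinct=10):
    """Return {ip: peak distinct profiles seen in any window} above the threshold."""
    events = defaultdict(list)
    for ip, ts, uid in parse(lines):
        events[ip].append((ts, uid))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start, peak = 0, 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            peak = max(peak, len({uid for _, uid in evs[start:end + 1]}))
        if peak > max_distinct:
            flagged[ip] = peak
    return flagged

def _line(ip, second, uid, status=200):
    ts = (datetime(2021, 9, 17, 10, 0) + timedelta(seconds=second)).strftime("%d/%b/%Y:%H:%M:%S")
    return f'{ip} - - [{ts} +0000] "GET /api/users/{uid} HTTP/1.1" {status} 512 "-" "-"'

# Constructed sample traffic (documentation-range IPs, not real data).
SAMPLE_LOG = (
    [_line("203.0.113.7", s * 2, 1000 + s) for s in range(40)]           # 40 different profiles in 78 s
    + [_line("198.51.100.20", s * 30, 2000 + s % 3) for s in range(40)]  # revisits the same 3 profiles
    + [_line("192.0.2.9", s, 3000 + s, status=404) for s in range(40)]   # no data returned, ignored
)

if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))
```

Counting distinct profiles rather than raw requests keeps a busy but ordinary user, who revisits the same few pages, below the threshold.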

What if my website is already scraped?

First, talk to service providers involved in the account scraping. Make sure they are aware of the problem and do not allow it anymore. It is also possible that you can take legal action against service providers.

Is account scraping inevitable?

Account scraping is not inevitable, but it will always be a risk if you’re sharing data with service providers or third parties. If you update your Terms of Use and ask users to agree to them regularly, then this can help defuse some of the damage that might happen in case of a scrape.
