Building the Conversation Around Unauthorized Scraping

On January 31, 2023, the Mitigating Unauthorized Scraping Alliance (MUSA) held its inaugural public event in observance of International Data Privacy Day. Over 175 people, both in-person and online, attended this three-panel discussion and networking opportunity, entitled “The State of Unauthorized Scraping and Its Impacts on Users and Industry.” The event featured perspectives from leading academic, legal, and industry representatives who discussed the impacts of unauthorized scraping on users and industry as well as the legal and regulatory landscape.

The first panel of the day focused on current and prospective laws and regulations that protect publicly available data and could be used to address unauthorized scraping. Panelists pointed out that we should challenge the assumption that we cannot have laws that regulate scraping and highlighted that current hacking and privacy laws such as the Computer Fraud and Abuse Act (CFAA) do not address unauthorized scraping or the technical aspects of authentication, authorization, and access control. In their discussion, panelists agreed that there is a need for more comprehensive laws and enforcement mechanisms that go beyond the CFAA and other hacking statutes to better address unauthorized scraping.

The next panel kicked off with a discussion on how to define an unauthorized scraping incident. Notably, speakers stressed that unauthorized scraping incidents are not data breaches. With this clarification in mind, panelists dug into the varied impacts of unauthorized scraping, including the loss of users’ ability to change or delete data once it has been scraped and the loss of trust in platforms. For example, panelists highlighted how threat actors can scam, stalk, or blackmail individuals using information scraped from online dating and social media sites. In addition, panelists highlighted that companies need to implement both legal and technical solutions to mitigate the impacts of unauthorized scraping, particularly because laws often cannot evolve fast enough to keep up with technological innovation. However, speakers expressed that technological prevention measures alone are not enough to deter unauthorized scrapers. 

The second panel also discussed the need for balancing user data protection and privacy expectations with public research interests. Speakers highlighted privacy laws that try to address these issues, like the Digital Services Act (DSA) in the EU and the proposed Platform Accountability and Transparency Act (PATA) in the US, which includes a protection for researchers using scraping to gain access to data. Panelists emphasized the importance of building understanding around the potential misuses of public data among regulatory bodies in the US and abroad and strengthening regulatory enforcement capacities to combat unauthorized scraping.

The final panel centered around the growing need for fostering dialogue on unauthorized scraping and building a unified front to combat data misuse. By collaborating through organizations like MUSA to create industry partnerships and share anti-scraping practices, companies of all sizes can work to mitigate unauthorized scraping based on their needs and capacities. As the third panel highlighted, there is no singular solution to preventing or combating unauthorized scraping. However, as the market for unauthorized scraped data continues to grow, regulatory action is needed to combat threat actors. By building awareness around the impact of unauthorized scraping and fostering public-private collaboration to ensure that there is an expectation of consequence for unauthorized scrapers, MUSA can protect data from unauthorized scraping and misuse.  The Mitigating Unauthorized Scraping Alliance will continue to inspire public-private dialogue and increase awareness around unauthorized scraping by engaging with policy makers and the industry, legal, media, and academic communities. MUSA is currently working with members to align on industry practices to publish in March 2023. MUSA will hold additional public conversations and develop opportunities for collaboration to combat unauthorized scraping.

Panel Summary:

Panel 1 “The State of Unauthorized Scraping Enforcement”

Moderated by Julia Tama (Venable LLP) with panelists Timothy Edgar (Brown University, Harvard Law School), Megan Iorio (EPIC), Chelsea Reckell (Venable LLP), and Cobun Zweifel-Keegan (IAPP DC).

Panel 2 “The Impact of Unauthorized Scraping on Users”

Moderated by Tejas Narechania (UC Berkeley School of Law) with panelists Brandie Nonnecke (CITRIS Policy Lab), Calli Schroeder (EPIC), Hannah Shimko (ODA), and Sarah Wight (LinkedIn). 

Panel 3 ”The Impact of Unauthorized Scraping on Industry”

Moderated by Hemu Nigam (Venable LLP) with panelists Mike Clark (Meta), Doug Hudson (Etsy), and Veronica Torres (Jumio Corporation).

You can view the recording of the full event below:

2023 Data Privacy Day Event: The State of Unauthorized Scraping and Its Impact on Users & Industry