Industry Practices to Mitigate Unauthorized Data Scraping
The Mitigating Unauthorized Scraping Alliance has developed non-binding and voluntary industry practices that promote means of detecting, preventing, mitigating, and enforcing against unauthorized data scraping. Individual practices to protect against unauthorized scraping have significantly evolved over recent years, although there are no existing standards. This publication is intended to offer suggested institutional, prevention, detection, mitigation, and enforcement measures against unauthorized data scraping.
These practices were developed through extensive conversations with industry members and experts on measures to mitigate the risk of unauthorized data scraping. They also draw from industry research conducted by the research firm NewtonX in its study of 1,300 professionals to better understand data extraction prevention.
This publication is an important first step to raise awareness and broaden the adoption of helpful practices to combat unauthorized data scraping. The practices in the publication are divided into institutional, prevention, detection/mitigation, and enforcement categories. These categories highlight measures against unauthorized data scraping and can be maintained and updated effectively over time to serve the needs of industry members.
Section A of the publication outlines practices that establish institutional structures to identify and fill gaps in unauthorized data scraping mitigation. These institutional practices help platforms prepare to combat unauthorized data scraping threats. These practices include establishing an internal knowledge system, understanding organizational risk, establishing mitigation policies and procedures, and collaborating with external organizations and partners.
Section B of the publication focuses on practices that help prevent unauthorized scraping, balancing user experience with data protection based on organizational priorities. Practices for proactive prevention and risk reduction of unauthorized data scraping include disincentivizing unauthorized data scraping, predicting and disrupting unauthorized data scraping events, and monitoring and reevaluating dated or risky products and features.
Section C of the publication details practices for identifying active unauthorized data scraping in order to respond to suspected data scraping incidents or attempts. This includes monitoring and identifying unauthorized data scraping, investigating active unauthorized data scraping, and remediating through technical actions.
Section D of the publication highlights practices for enforcement against detected and/or attributed unauthorized data scraping activity and unauthorized data scraping actors such as developing an enforcement framework and disclosing identified unauthorized data scraping actors.
The practices listed in the publication do not claim to be a fully comprehensive list of every unauthorized data scraping mitigation practice that companies may take, or to identify which measures will be appropriate for any given platform. However, they offer useful guidance for potential mitigation. In addition, it is necessary to acknowledge that due to the continuously evolving nature of scraping technologies and functional need for public-facing data, even comprehensive detection, mitigation, prevention, and enforcement practices can only reduce the incidence of unauthorized data scraping; they cannot prevent it altogether.