Facebook parent Meta openly collects data from its billions of users, but when other companies scrape said data, it’s a problem, according to a pair of lawsuits filed today.
Jessica Romero, Meta’s Director of Platform Enforcement and Litigation, said the US tech giant has kicked off two federal lawsuits: one against scraping-for-hire company Octopus, and one against Ekrem Ateş, a Turkish individual who scraped Instagram data for use on a clone site.
Scraping involves extracting data from publicly available sources, as well as private data kept behind login pages, without user permission. Part of the risk from companies like Octopus, Romero wrote, is that they provide automated scraping services to anyone, regardless of who they may be targeting, or why.
Romero said Octopus is “a US subsidiary of a Chinese national high-tech enterprise that claims to have over one million customers.” Its scraping software, Octoparse, is offered online and can reportedly scrape sites including those owned by Meta, Amazon, Twitter, Google, LinkedIn, and others.
According to Romero, users self-compromised their accounts when signing up for Octopus’s service by handing login credentials over to the company. Octoparse was designed “to scrape data accessible to the user when logged into their accounts.” Data scraped included email addresses, phone numbers, gender, birth date, post likes/comments, and more.
The lawsuit against Octopus is alleging Terms of Service and Digital Millennium Copyright Act violations for engaging in unauthorized and automated scraping, along with attempting to hide its activity. Facebook is seeking a permanent injunction against Octopus to prevent its operations on any of its sites.
We’ve reached out to Meta to learn more about Octopus and its allegations, but have yet to hear back.
As for Ateş, Meta is alleging he scraped the data of over 350,000 Instagram users for reposting on a “clone site” called MyStalk that shows Instagram profile info and posts without user authorization. Romero said that Meta has taken multiple actions against Ateş since 2021, including disabling his accounts, serving him with a cease and desist, and revoking his access to Meta services.
Facebook has been scraped before. Over the course of nearly two years beginning in early 2018, a Ukrainian national named Alexander Alexandrovich Solonchenko extracted data on 178 million Facebook users. Facebook sued Solonchenko in October 2021.
Meta expanded its bug bounty program to include scraping attacks a couple of months later, but the language in the lawsuit reveals much about Meta’s take on the sanctity of the data it’s responsible for.
“The goal of this program is to find bugs that attackers utilize to bypass scraping limitations to access data at greater scale than the product intended,” Facebook Security Engineering Manager Dan Gurfinkel said. Romero’s blog post echoes some of those sentiments, calling Octopus’s scraping “unauthorized,” not expressing dissatisfaction that it was scraping data in the first place.
Those carefully chosen words shouldn’t be ignored: Meta doesn’t appear to mind people scraping data from their sites – provided they do it in a way the company approves of. ®