California Federal Court Weighs In (Again) on Social Media Scraping

Social media sites such as Facebook and LinkedIn have collected personal information on hundreds of millions of subscribers. They have also promised those subscribers that their data will only be shared or used for particular purposes—agreements that are not only enforceable but also are required to be upheld under various FTC consent decrees. On the other hand, much of the data contained about these subscribers is accessible to subscribers with social media accounts. The dilemma is that the data is both “public” (in the sense that it can be seen by those with accounts) and “private” in the sense that it is shared by the subscriber for particular purposes—often only with other approved subscribers.

Recognizing that both public and private data about social media users have significant economic value, third-party companies have made an enterprise out of collecting this data by establishing a social media presence, and then using that to “scrape” data from social media users’ profiles and other places. They then collect, store, analyze, sell and repurpose that data, often in ways that subscribers never agreed to. Social media sites take efforts to prevent such scraping, including prohibiting the activity in its terms of service or terms of use and using technological measures to detect and prevent the scraping from occurring. They argue that accessing the social media sites computers in this way violates the terms of use and therefore “exceeds the authorization to access” the site and bypasses technological measures designed to restrict access to the site for those purposes. Indeed, the U.S. Supreme Court is considering the legality under the federal computer hacking statute of such social media scraping. In that case, the Ninth Circuit Court of Appeals (which includes California) ruled that web scraping site HiQ could, even in violation of LinkedIn’s policies, scrape data from the social media site. LinkedIn has appealed that ruling to the high court.

“UpVoice” is a Chrome extension offered by a company named BrandTotal. The extension, when installed on a user’s machine, scrapes Facebook and Instagram information and sends that information to BrandTotal. Facebook repeatedly tried to shut down the extension, shutting down the company’s social media sites, locking out the extension, removing it from the Google extension store and disabling the functionality. In a corporate game of whack-a-mole, BrandTotal kept creating new accounts or variations of the code to avoid detection and suppression. BrandTotal also sued Facebook, seeking a temporary restraining order prohibiting the social media behemoth from kicking them out. Facebook Inc. v. BrandTotal LLC, 2020 WL 6562349 (N.D. Cal. Nov. 9, 2020)

On Nov. 9, 2020, a federal court in San Francisco ruled on the efficacy of the application for a TRO, finding that BrandTotal was a small company that needed access to Facebook’s information to grow. Without that access, BrandTotal would suffer irreparable harm and would be forced to breach its contracts with those with whom it had promised access to the data. As a Chrome extension, the BrandTotal customers (those who downloaded and installed the extension) consented to the sharing of their Facebook data—which, after all, belonged to the subscriber, not Facebook. So far, so good.

While finding all of this true, the court—at least at the preliminary phase—found that Facebook had legitimate business purposes in preventing the extension from operating. The extension bypassed the security protocols of Facebook and automatically collected information on users (Facebook friends of those who installed the extension) who never consented to the collection of the data in that manner. When a Facebook subscriber set up their privacy settings to permit a “friend” to see something, they did not consent to the scooping up of that data by some app and the use and sale of that data by some unknown company. Moreover, Facebook had settled an FTC complaint and entered into a consent decree whereby the social media company agreed to enforce its own terms of service in a way that would protect the privacy of users. Allowing the scraping would violate both the terms and spirit of its terms of service and would permit the privacy of some Facebook users to be invaded by the scraping software. The software also bypassed and therefore affected Facebook’s privacy and security settings—something the court found that Facebook had a legitimate interest in preventing. The court noted that “BrandTotal had a history of collecting user data in ways that posed risks to security and privacy.”

The court ruled that Facebook had the right to require entities that accessed Facebook’s user data—even with the consent of individual users—to obtain the consent of Facebook to ensure that the privacy and security of the platform itself were protected. This includes a requirement that the method of access—the APIs or other mechanisms—be approved by Facebook. Accessing in a manner not approved by the social media company was “without authorization” and therefore might violate the terms of the federal computer trespass or hacking law, and might subject the company to both civil and criminal liability. Essentially, by not using approved APIs in an approved manner and instead relying on user (subscriber) consent to Chrome extensions, the company might—just might—be “hacking” Facebook.

The hacking law, 18 USC 1030, prohibits both “unauthorized access” to a computer and access that “exceeds authorization.” Courts have struggled to determine whether this is a “permissions”-based liability (e.g, if you do something that violates terms of use you are a hacker) or a “technological”-based liability (if you bypass a technical barrier designed to keep you out). Indeed, the HiQ v. LinkedIn case, together with a case involving a state trooper who accessed the NCIC computer database to see records for personal not professional reasons, may decide that issue. For now, the question of whether scraping a website through “legitimate” but not approved means to get data that is not publicly accessible but is viewable by some constitutes a criminal trespass is mostly undecided.

Is Facebook here protecting the legitimate privacy rights and access to computers? Or is Facebook using its monopoly power to prevent competition? Can Facebook prevent a user from accessing and selling (even to a scraping company) the Facebook data that they are permitted to access? Can Facebook determine the means by which others can access this data? Can Facebook simply prohibit “automated” access (scraping) to data including public data, through Terms of Service?

In the end, BrandTotal was unsuccessful in getting a temporary restraining order against Facebook and an order requiring Facebook to permit the extension to continue. Nonetheless, the case continues. Ultimately, these issues may be decided and pre-empted by the U.S. Supreme Court. Until then, we can expect more battles over when and how people can access computers and data. Scape at your own risk.

Avatar photo

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland. where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and Universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of law and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch had worked as cyberlaw editor for, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.

mark has 203 posts and counting.See all posts by mark