Meta is looking to expand its detection of potential misuse of user data by adding new rewards for data scraping reports to its Bug Bounty program.
Data scraping, which involves extracting user data from websites, has been a key element in various hacks and user data exposures, with Meta itself suffering some of its biggest PR headaches due to unapproved usage of user data insights.
As explained by Meta:
“We know that automated activity designed to scrape people’s public and private data targets every website or service. We also know that it is a highly adversarial space where scrapers - be it malicious apps, websites or scripts - constantly adapt their tactics to evade detection in response to the defenses we build and improve. As part of our larger security strategy to make scraping harder and more costly for the attackers, today we are beginning to reward valid reports of scraping bugs in our platform.”
The new program will see researchers offered rewards for alerting Meta to data scraping bugs, ‘even if the data they target is public’.
Which is interesting, because as it currently stands, scraping public data from websites is not technically illegal, or at the least, there is standing legal precedent that would allow third parties to extract public data without falling foul of the law.
LinkedIn has been in the courts for several years battling a company called hiQ, which had built a recruitment insights tool based on scraped LinkedIn profile data.
LinkedIn first sought to block hiQ’s access to its user data back in 2017, and since then, through various court cases, hiQ has won several challenges which have allowed it to continue accessing public LinkedIn data, by arguing that this information is indeed public, and therefore freely accessible.
LinkedIn took the case to the Supreme Court, and earlier this year, it was given the opportunity to challenge the hiQ decision once again. The case is still ongoing, but it underlines the challenges in defining ownership, or user intent, with regard to publicly accessible data.
For its part, Meta has made user data less and less accessible over time, and even more so in the wake of the Cambridge Analytica scandal, but it is interesting that Meta notes here that even publicly accessible data scraping will be considered in its new bounty program.
“Specifically, we’re looking to find bugs that enable attackers to bypass scraping limitations to access data at greater scale than the product intended. Our goal is to quickly identify and counter scenarios that might make scraping less costly for malicious actors to execute.”
The real push here is on large-scale data scraping activity, and combating groups that seek to utilize user data for purposes that users have not explicitly agreed to. Again, as with Cambridge Analytica, that can cause major PR issues for Meta, and bring more scrutiny over its practices.
This is a good step. Meta should be doing all that it can to protect user data, and ensure that hackers are not stealing your info and selling it on the dark web. But at the same time, it will be interesting to see how Meta enforces this once it’s alerted to such activity via the Bug Bounty.
Meta says that it will also now offer rewards for any discoveries of publicly available user data sets:
“We will reward reports of unprotected or openly public databases containing at least 100,000 unique Facebook user records with PII or sensitive data (e.g. email, phone number, physical address, religious or political affiliation). The reported dataset must be unique and not previously known or reported to Meta. We aim to learn from this effort so we can expand the scope to smaller datasets over time.”
Though in these situations, Meta will not offer direct cash rewards to researchers, instead providing donations to the charity of the discoverer’s choice.
Why? Because if Meta offered cash rewards for discoveries of large user data sets, that could also incentivize hackers to create those datasets in the first place, to then claim the money.
Meta will, however, issue monetary rewards for valid reports about scraping bugs, in line with other disclosures as part of its Bug Bounty program.
It could be a good way to help Meta protect user data, and with over 25,000 Bug Bounty reports in 2021, there’s clearly a lot of interest in taking part, which could significantly expand the company’s detection web for such misuse.
That could play a big role in stopping the next big Facebook data leak, and help the company mend its reputation on this front in the longer term.