
Meta expands its bug bounty program to include reports on data scraping

Meta (formerly Facebook) has expanded its bug bounty program to reward reports of data scraping vulnerabilities. The new program will cover all Meta platforms and will also accept reports of scraped data sets that are available online, THN reported.

Data scraping has been a grey area, and the jurisprudence on the issue is yet to evolve. Earlier this year, Facebook had some trouble dealing with incidents of data scraping that impacted as many as 500 million users around the world.

Some background please?

First of all, data scraping is an automated method of collecting data available on websites. A scraping tool is programmed to retrieve detailed information from specific websites. It may, for example, gather contact information for small business owners from LinkedIn, Facebook, or yellow pages. After extracting the data, the scraper parses it and saves it in a readable spreadsheet or database.

But unscrupulous thieves can put this data to use. Data scraping was at the heart of the Cambridge Analytica scandal: the company was able to use scraped, publicly available data for political advertising.

The personal nature of the data available online inadvertently allows cyber-criminals to misuse it and launch scams. Further, because the data set also contains email addresses, hackers can attempt an intrusion into people’s computers.

Why is Facebook worried though?

Firstly, scams like Cambridge Analytica bring the company a bad name. Secondly, data scraping exposes even email IDs and phone numbers, which implicates privacy laws. Dan Gurfinkel, security engineering manager at Meta, said:

“Our goal is to quickly identify and counter scenarios that might make scraping less costly for malicious actors to execute. We want to particularly encourage research into logic bypass issues that can allow access to information via unintended mechanisms, even if proper rate limits exist.”

Facebook has even filed a lawsuit against a Ukrainian man in a federal court for scraping and selling data of 178 million users. It said the person violated Facebook’s terms of service by using automated means to access data he was not supposed to access.

LinkedIn is also contesting a lawsuit against HiQ, a company that scrapes information from LinkedIn and then uses it to develop algorithms. These algorithms allow HiQ to assess employee skill sets and alert employers when they might be available for work. The Ninth Circuit court will now decide if scraping data off LinkedIn is legal.

Besides, LinkedIn itself leaked data of 700 million users in June. It blamed data scraping.

The Bug Bounty Program

Meta will give monetary compensation for valid reports of scraping bugs in its service, or of openly public databases containing at least 100,000 unique Facebook user records. However, the data set must be novel and not previously known.

Meta will take measures, including legal actions, to remove the data set from the internet. You can read the full program info here.



Rohit Ranjan Praveer

Rohit is a practicing advocate at Delhi. Beginning as a tech enthusiast, Rohit always had a keen interest in computer forensics and information security. Building upon these fundamentals, he has undertaken extensive research on various techno-legal topics and continues his pursuit to pass on valuable information to the masses, with a zeal to build something that outlasts him.
