How Do Web Scrapers Work
How Do Web Scraping Tools Work? [All you need to know]
Is Web Scraping Illegal? Depends on What the Meaning of the Word Is
Depending on who you ask, web scraping can be loved or hated.
Web scraping has existed for a long time and, in its good form, it’s a key underpinning of the internet. “Good bots” enable, for example, search engines to index web content, price comparison services to save consumers money, and market researchers to gauge sentiment on social media.
“Bad bots,” however, fetch content from a website with the intent of using it for purposes outside the site owner’s control. Bad bots make up 20 percent of all web traffic and are used to conduct a variety of harmful activities, such as denial of service attacks, competitive data mining, online fraud, account hijacking, data theft, stealing of intellectual property, unauthorized vulnerability scans, spam and digital ad fraud.
So, is it Illegal to Scrape a Website?
So is it legal or illegal? Web scraping and crawling aren’t illegal by themselves. After all, you could scrape or crawl your own website, without a hitch.
Startups love it because it’s a cheap and powerful way to gather data without the need for partnerships. Big companies use web scrapers for their own gain but also don’t want others to use bots against them.
The general opinion on the matter does not seem to matter anymore because in the past 12 months it has become very clear that the federal court system is cracking down more than ever.
Let’s take a look back. Web scraping started in a legal grey area where the use of bots to scrape a website was simply a nuisance. Not much could be done about the practice until, in 2000, eBay filed a preliminary injunction against Bidder’s Edge. In the injunction eBay claimed that the use of bots on the site, against the will of the company, violated trespass to chattels law.
The court granted the injunction because users had to opt in and agree to the terms of service on the site, and because a large number of bots could be disruptive to eBay’s computer systems. The lawsuit was settled out of court, so it never came to a head, but the legal precedent was set.
In 2001 however, a travel agency sued a competitor who had “scraped” its prices from its Web site to help the rival set its own prices. The judge ruled that the fact that this scraping was not welcomed by the site’s owner was not sufficient to make it “unauthorized access” for the purpose of federal hacking laws.
Two years later the legal standing for eBay v Bidder’s Edge was implicitly overruled in “Intel v. Hamidi”, a case interpreting California’s common law trespass to chattels. It was the wild west once again. Over the next several years the courts ruled time and time again that simply putting “do not scrape us” in your website terms of service was not enough to warrant a legally binding agreement. For you to enforce that term, a user must explicitly agree or consent to the terms. This left the field wide open for scrapers to do as they wish.
Fast forward a few years and you start seeing a shift in opinion. In 2009 Facebook won one of the first copyright suits against a web scraper. This laid the groundwork for numerous lawsuits that tie any web scraping with a direct copyright violation and very clear monetary damages. The most recent case is AP v Meltwater, where the courts stripped what is referred to as fair use on the internet.
Previously, for academic, personal, or information aggregation purposes, people could rely on fair use and use web scrapers. The court now gutted the fair use clause that companies had used to defend web scraping. The court determined that even small percentages, sometimes as little as 4.5% of the content, are significant enough to not fall under fair use. The only caveat the court made was based on the simple fact that this data was available for purchase. Had it not been, it is unclear how they would have ruled. Then a few months back the gauntlet was dropped.
Andrew Auernheimer was convicted of hacking based on the act of web scraping. Although the data was unprotected and publicly available via AT&T’s website, the fact that he wrote web scrapers to harvest that data en masse amounted to a “brute force attack”. He did not have to consent to terms of service to deploy his bots and conduct the web scraping. The data was not available for purchase. It wasn’t behind a login. He did not even financially gain from the aggregation of the data. Most importantly, it was buggy programming by AT&T that exposed this information in the first place. Yet Andrew was at fault. This isn’t just a civil suit anymore. This charge is a felony violation that is on par with hacking or denial of service attacks and carries up to a 15-year sentence for each charge.
In 2016, Congress passed its first legislation specifically to target bad bots — the Better Online Ticket Sales (BOTS) Act, which bans the use of software that circumvents security measures on ticket seller websites. Automated ticket scalping bots use several techniques to do their dirty work including web scraping that incorporates advanced business logic to identify scalping opportunities, input purchase details into shopping carts, and even resell inventory on secondary markets.
To counteract this type of activity, the BOTS Act:
Prohibits the circumvention of a security measure used to enforce ticket purchasing limits for an event with an attendance capacity of greater than 200 persons.
Prohibits the sale of an event ticket obtained through such a circumvention violation if the seller participated in, had the ability to control, or should have known about it.
Treats violations as unfair or deceptive acts under the Federal Trade Commission Act. The bill provides authority to the FTC and states to enforce against such violations.
In other words, if you’re a venue, organization or ticketing software platform, it is still on you to defend against this fraudulent activity during your major onsales.
The UK seems to have followed the US with its Digital Economy Act 2017 which achieved Royal Assent in April. The Act seeks to protect consumers in a number of ways in an increasingly digital society, including by “cracking down on ticket touts by making it a criminal offence for those that misuse bot technology to sweep up tickets and sell them at inflated prices in the secondary market.”
In the summer of 2017, LinkedIn sued hiQ Labs, a San Francisco-based startup. hiQ was scraping publicly available LinkedIn profiles to offer clients, according to its website, “a crystal ball that helps you determine skills gaps or turnover risks months ahead of time.”
You might find it unsettling to think that your public LinkedIn profile could be used against you by your employer.
Yet a judge on Aug. 14, 2017 decided this is okay. Judge Edward Chen of the U.S. District Court in San Francisco agreed with hiQ’s claim in a lawsuit that Microsoft-owned LinkedIn violated antitrust laws when it blocked the startup from accessing such data. He ordered LinkedIn to remove the barriers within 24 hours. LinkedIn has filed to appeal.
The ruling contradicts previous decisions clamping down on web scraping. And it opens a Pandora’s box of questions about social media user privacy and the right of businesses to protect themselves from data hijacking.
There’s also the matter of fairness. LinkedIn spent years creating something of real value. Why should it have to hand it over to the likes of hiQ — paying for the servers and bandwidth to host all that bot traffic on top of their own human users, just so hiQ can ride LinkedIn’s coattails?
I am in the business of blocking bots. Chen’s ruling has sent a chill through those of us in the cybersecurity industry devoted to fighting web-scraping bots.
I think there is a legitimate need for some companies to be able to prevent unwanted web scrapers from accessing their site.
In October of 2017, and as reported by Bloomberg, Ticketmaster sued Prestige Entertainment, claiming it used computer programs to illegally buy as many as 40 percent of the available seats for performances of “Hamilton” in New York and the majority of the tickets Ticketmaster had available for the Mayweather v. Pacquiao fight in Las Vegas two years ago.
Prestige continued to use the illegal bots even after it paid $3.35 million to settle New York Attorney General Eric Schneiderman’s probe into the ticket resale industry.
Under that deal, Prestige promised to abstain from using bots, Ticketmaster said in the complaint. Ticketmaster asked for unspecified compensatory and punitive damages and a court order to stop Prestige from using bots.
Are the existing laws too antiquated to deal with the problem? Should new legislation be introduced to provide more clarity? Most sites don’t have any web scraping protections in place. Do the companies have some burden to prevent web scraping?
As the courts try to further decide the legality of scraping, companies are still having their data stolen and the business logic of their websites abused. Instead of looking to the law to eventually solve this technology problem, it’s time to start solving it with anti-bot and anti-scraping technology today.
Good or Evil? What Web Scraping Bots Mean for Your Site – Imperva
The internet is crawling with bots. A bot is a software program that runs automated tasks over the internet, typically performing simple, repetitive tasks at speeds unattainable by, or undesirable for, humans. They are responsible for many small jobs that we take for granted such as search engine crawling, website health monitoring, fetching web content, measuring site speed and powering APIs. They can also be used to automate security auditing by scanning your network and websites to find vulnerabilities and help remediate them.
According to our 2015 Bot Traffic Report, almost half of all web traffic is bots, and two thirds of bot traffic we’ve analyzed is malicious. One of the ways that bots can harm businesses is by engaging in web scraping. We work with customers often on this issue and wanted to share what we’ve learned. This post discusses what web scraping is, how it works, and why it’s a problem for website owners.
What is scraping?
Web scraping is the process of automatically collecting information from the web. The most common type of scraping is site scraping, which aims to copy or steal web content for use elsewhere. This repurposing of content may or may not be approved by the website owner.
Typically, bots do this by crawling a website, accessing the source code of the website and then parsing it to remove the key pieces of data they want. After obtaining content, they typically post it elsewhere on the internet.
A more advanced type of scraping is database scraping. Conceptually this is similar to site scraping except that hackers will create a bot which interacts with a target site’s application to retrieve data from its database. An example of database scraping is when a bot targets an insurance website to receive quotes on coverage. The bot will try all possible combinations in the web application to obtain quotes and pricing for all scenarios.
In this example, the bot tells the application it is a 25-year-old male looking for a quote for a Honda, then for a Toyota, then a Ferrari. Each time the bot gets a different result back from the application. Given enough tries, it is possible to obtain entire datasets. Clearly with the number of permutations available in this scenario, a bot would be preferable to a human.
Database scraping can be used to steal intellectual property, price lists, customer lists, insurance pricing and other datasets that would require an effort prohibitively tedious for humans, but perfectly within the range of what bots routinely do.
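One way a site owner can spot the enumeration pattern described above in their own access logs, as an added example that is not from the original post: count how many distinct parameter combinations each client submits to a quote form within a short window. The `/quote` endpoint, its parameters, the log records and the thresholds are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log records: (epoch seconds, client id, request URL).
# The /quote endpoint and its parameter names are assumptions for illustration.
SAMPLE_LOG = [
    (1000, "10.0.0.5", "/quote?age=25&sex=m&make=honda"),
    (1002, "10.0.0.5", "/quote?age=25&sex=m&make=toyota"),
    (1003, "10.0.0.5", "/quote?age=25&sex=m&make=ferrari"),
    (1004, "10.0.0.5", "/quote?age=26&sex=m&make=honda"),
    (1005, "10.0.0.5", "/quote?age=26&sex=m&make=toyota"),
    (1006, "10.0.0.5", "/quote?age=26&sex=m&make=ferrari"),
    (1010, "10.0.0.9", "/quote?age=41&sex=f&make=honda"),
    (1300, "10.0.0.9", "/quote?make=honda&sex=f&age=41"),  # same quote, reordered
    (1400, "10.0.0.9", "/quote?age=41&sex=f&make=toyota"),
]

def find_enumerators(log, endpoint="/quote", window=60, max_distinct=5):
    """Return {client: peak number of distinct parameter combinations seen in
    any `window`-second span} for clients whose peak exceeds `max_distinct`."""
    recent = defaultdict(deque)  # client -> (timestamp, combo) pairs in window
    peak = defaultdict(int)
    for ts, client, url in sorted(log):
        parts = urlsplit(url)
        if parts.path != endpoint:
            continue
        # Normalise so that parameter order does not create "new" combinations.
        combo = tuple(sorted(parse_qsl(parts.query)))
        window_items = recent[client]
        window_items.append((ts, combo))
        # Drop requests that have aged out of the sliding window.
        while window_items[0][0] <= ts - window:
            window_items.popleft()
        distinct = len({c for _, c in window_items})
        peak[client] = max(peak[client], distinct)
    return {c: n for c, n in peak.items() if n > max_distinct}

if __name__ == "__main__":
    for client, n in find_enumerators(SAMPLE_LOG).items():
        print(f"{client}: {n} distinct quote combinations within 60 seconds")
```

A human shopper compares a handful of quotes over minutes; a client sweeping the parameter space stands out by the number of distinct combinations rather than by raw request volume.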
Consider the case of a rental car agency. If a company created a bot that regularly checked the price of its competitor and slightly undercut them at every price point, it would have a competitive advantage. This lower price would appear in all aggregator sites that compare both companies, and would likely result in more car rental conversions and higher search engine rankings.
To deal with the threat that scraping poses to your business, it’s advisable to employ a solution that adequately detects, identifies and mitigates bots.
Not all web scraping is bad
Scraping isn’t always malicious. There are many cases where data owners want to propagate data to as many people as possible. For example, many government websites provide data for the general public. This data is frequently available over APIs, but because of the scale of work required to achieve this, scrapers must sometimes be employed to gather that data.
Another example of legitimate scraping – which is often powered by bots – includes aggregation websites such as travel sites, hotel booking portals and concert ticket websites. Bots that distribute content from these sites obtain data through an API or by scraping, and tend to drive traffic to the data owners’ websites. In this case bots may function as a critical part of their business model.
Are bots legal? According to Eric Goldman, a professor of law at Santa Clara University School of Law, who writes about internet law,
Although scraping is ubiquitous, it’s not clearly legal. A variety of laws may apply to unauthorized scraping, including contract, copyright and trespass to chattels laws. (“Trespass to chattels” protects against unauthorized use of someone’s personal property, such as computer servers). The fact that so many laws restrict scraping means it is legally dubious.
Since scraping bots may also harm your business as we mentioned, it’s important to create an ecosystem that is both bot-friendly and also able to block malicious automated clients. Website owners can significantly improve security of their website by blocking bad bots without excluding legitimate bots.
Four things you can do to detect and stop site scraping
Site scraping can be a powerful tool. In the right hands, it automates the gathering and dissemination of information. In the wrong hands, it can lead to theft of intellectual property or an unfair competitive edge.
Over the last two decades, bots have evolved from simple scripts with minimal capabilities to complex, intelligent programs that are sometimes able to convince websites and their security systems that they are humans.
We use the following process to classify automated clients and determine next steps.
You can use the following methods to classify and mitigate bots, including detecting scraping bots:
Use an analysis tool — You can identify and mitigate bots, including site scrapers, by using a static analysis tool that examines structural web requests and header information. By correlating that information with what a bot claims to be, you can determine its true identity and block as needed.
You can use robots.txt to shield your site from scraping bots, but it may not be effective in the long run. Robots.txt works by telling a bad bot that it’s not welcome. Since bad bots don’t adhere to rules, they will ignore any commands. In some situations, malicious bots will look inside robots.txt for hidden gems (private folders, admin pages) that the site owner is trying to hide from Google’s index, and exploit them.
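The request-and-header analysis described above, correlating what a client claims to be with what it actually sends, sketched as an added example that is not Imperva's tooling or code from the original post. The expected-header profiles are simplified assumptions, the sample requests are constructed, and the `rdns` field is assumed to hold a reverse-DNS name that was resolved and forward-confirmed elsewhere.

```python
# Assumed, simplified profiles: headers each claimed browser family normally
# sends on an HTTPS page load. Tune these against your own traffic.
EXPECTED = {
    "chrome": {"accept", "accept-language", "accept-encoding",
               "sec-ch-ua", "sec-fetch-mode"},
    "firefox": {"accept", "accept-language", "accept-encoding", "sec-fetch-mode"},
}
GOOGLEBOT_RDNS = (".googlebot.com", ".google.com")

# Constructed sample requests; "rdns" stands for a reverse-DNS name that was
# already resolved and forward-confirmed elsewhere (not done in this sketch).
SAMPLES = {
    "spoofed_chrome": {"rdns": "", "headers": {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
                      "AppleWebKit/537.36 (KHTML, like Gecko) "
                      "Chrome/120.0.0.0 Safari/537.36",
        "Accept": "*/*", "Accept-Encoding": "gzip, deflate"}},
    "fake_googlebot": {"rdns": "host-203-0-113-7.example.net", "headers": {
        "User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; "
                      "+http://www.google.com/bot.html)"}},
    "real_googlebot": {"rdns": "crawl-66-249-66-1.googlebot.com", "headers": {
        "User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; "
                      "+http://www.google.com/bot.html)"}},
}

def claimed_family(user_agent):
    ua = user_agent.lower()
    # Googlebot is checked first: its modern UA string also contains "Chrome/".
    for token, family in (("googlebot", "googlebot"), ("firefox/", "firefox"),
                          ("chrome/", "chrome")):
        if token in ua:
            return family
    return "other"

def assess(request):
    """Return (claimed family, reasons the headers do not support the claim)."""
    headers = {k.lower(): v for k, v in request["headers"].items()}
    family = claimed_family(headers.get("user-agent", ""))
    reasons = []
    if family == "googlebot":
        if not request.get("rdns", "").lower().endswith(GOOGLEBOT_RDNS):
            reasons.append("reverse DNS not under googlebot.com or google.com")
    elif family in EXPECTED:
        missing = sorted(EXPECTED[family].difference(headers))
        if missing:
            reasons.append("missing headers: " + ", ".join(missing))
        if headers.get("accept") == "*/*":
            reasons.append("Accept is */* on a claimed browser page load")
    return family, reasons
```

An empty reasons list means only that nothing contradicted the claim; it is a signal to combine with rate and behaviour checks, not proof that the client is what it says.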
So it’s even more important than ever that your bot defense solution can fully assess the impact of a specific bot before deciding whether or not to allow it to access your website. To see if your current solution is adequate ask these questions: Does this automated client add or subtract value to your business? Is it driving traffic toward your website, or away from your site? Answering these questions will help you determine which course to take to build bot detection and mitigation into your security systems.
Frequently Asked Questions about how do web scrapers work
Is it legal to scrape a website?
Web scraping and crawling aren’t illegal by themselves. After all, you could scrape or crawl your own website, without a hitch. … Big companies use web scrapers for their own gain but also don’t want others to use bots against them.
Are web scrapers bad?
Not all web scraping is bad. Scraping isn’t always malicious. There are many cases where data owners want to propagate data to as many people as possible. … Bots that distribute content from these sites obtain data through an API or by scraping, and tend to drive traffic to the data owners’ websites. (Apr 18, 2016)