In the recently released report, “The Forrester New Wave™: Bot Management, Q1 2020,” we talked about the range of bot attacks that organizations are facing, from simple web scraping bots to sophisticated bots that mimic human behavior. We didn’t spend much time talking about the web scraping scenario, but both good and bad bots do this. For examples of good bots, consider search engines that use web scraping bots to catalog websites and channel partners with permission to scrape sites to help sell inventory. Bad bots may use web scraping to steal competitive information or collect intelligence to drive future attacks.

Bad Bots Scrape Images, Too

Since we finished writing the New Wave, a couple of incidents have highlighted another malicious use of web scrapers: image theft. A few weeks ago, a member of New York City’s task force on cyber sexual assault revealed that criminals had scraped 70,000 photos from Tinder. The photos, which are only of women, are being shared on a cybercrime forum, raising concerns about criminals using such photos to stalk or threaten women.

It’s not only cybercriminals engaging in image scraping — some corporations are scraping images to feed AI engines. Clearview AI has gotten attention for the facial recognition software it supplies to law enforcement and for feeding its AI images scraped from various social media sites, including Facebook and Twitter. Twitter responded with a cease-and-desist order against Clearview.

Looking at recent precedents, it’s not clear how the Clearview case will resolve. Data scraping cases, such as hiQ scraping data from LinkedIn to warn hiQ’s customers about employees that might be job hunting, are working their way through the court systems, and the appellate rulings indicate that this might be legal. Whether image scraping is ultimately deemed “legal” is another question, but it’s certainly unethical and dangerous.

Bot Management As An Ethical Tool

Whether the perpetrator is a career cybercriminal or an unethical corporation, and whether you think there is a difference between the two, web scraping threatens citizens’ privacy and safety. Even where regulations are murky, organizations dealing in user-supplied data, including images, have an ethical mission to avoid data misuse. While we don’t often talk about bot management as an ethical tool, blocking bots that are trying to scrape your photos is a legitimate use case that needs more attention. Social media companies — and any other site whose business relies on collecting customer photos — must take steps to block image scraping bots and protect their customers.

  • To bot management providers: Ensure that your offering can identify and deter image scraping bots, and demonstrate how organizations can use your solution to do so. Proactively engage your customers to educate them about the risks and ethical issues. Guidebooks or best-practices whitepapers can help organizations prevent criminals from stealing customer images.
  • To social media sites: Even if you already specify in the terms and conditions for what purposes you allow data and image scraping, take the next step to prevent unethical use of scraped data. Technical controls such as bot management will help you restrict data and image scraping to your trusted partners. Remember that once images are scraped, getting the perpetrators to remove them is almost impossible. Even if a company responds to a cease-and-desist order, it will be difficult to validate compliance. Therefore, make sure that your bot management solutions are configured and updated to block unauthorized image and data scrapers. Check out “The Forrester New Wave™: Bot Management, Q1 2020” for more on bot management vendors.