Court rules in favor of a web scraper, Bright Data, which Meta had used and then sued

Meta has lost a claim in its legal battle with an Israeli tech firm Bright Data, which it sued last year for scraping data from Facebook and Instagram via the web. The tech giant, which has a long history of suing data scraping businesses, claimed that Bright Data's data harvesting was a violation of its terms of service -- which Bright Data had agreed to by having accounts on Meta's platforms. However, a court has ruled in favor of Bright Data on Meta's "breach of contract" claim, saying that Meta had not presented sufficient evidence that the firm had scraped anything but public data.

The lawsuit was particularly interesting because it revealed that Meta had earlier paid Bright Data to gather data from e-commerce websites to build brand profiles on its platforms. In other words, Meta was a customer of Bright Data's web-scraping services before it went to sue them, though it used the company's services for a different purpose. In a related matter, Bright Data had also been accused of collecting personal information about minors pulled from Facebook and Instagram, Bloomberg reported last year.

The court said it denied Meta's motion for a partial summary judgment on the breach of contract claim because the company had not presented enough evidence that Bright Data scraped non-public data -- meaning data that's not behind a log-in screen or that's password-protected. Instead, what Meta brought to the court was an example of a dataset Bright Data offered for sale, which included 615 million records of Instagram user data. The dataset sells for $860,000. Meta claimed Bright Data had been collecting and selling "vast" amounts of user data like this dataset, which had included fields like Instagram users' names, ID, country, post count, bio, hashtags, followers, posts, profile images, business category, email, and more. However, Meta failed to establish that such data could be collected only if Bright Data had been logged into a user account.

In another example of Bright Data's activity, Meta attempted to show that the firm was in possession of non-public information, but the court decided this didn't prove logged-in scraping as the data could have been publicly accessible at an earlier time -- like before a user changed their privacy settings, for example.

In addition, Meta argued that Bright Data had used tools to circumvent its access restrictions like CAPTCHAs, which proved Bright Data collected data "behind authentication barriers."

The court disagreed with this, too, saying that using an automated program to bypass a CAPTCHA "is different from accessing a password-protected website" and that "Meta surely understands the difference."

Even though Meta's anti-scraping investigation team found that Bright Data had advertised a "scraping browser" that would automate logging into a website and simulating other user action to facilitate automated data collection, the court said this, too, wasn't sufficient evidence that Bright Data had conducted logged-in scraping in this case.

The court also ruled that both the Facebook and Instagram terms had to be considered separately, and that there was no evidence that Bright Data had used its own Facebook and Instagram accounts when it engaged in data scraping. That means Bright Data was not acting as a "user" of the services at the time it was scraping, but only as a logged-out "visitor." The court also didn't find other legal arguments Meta had used convincing enough to rule in its favor on breach of contract.

"We look forward to continuing our efforts to protect user data and are evaluating next steps in the ongoing litigation," a Meta spokesperson told TechCrunch in light of the ruling.

The tech giant has regularly sued companies that engage in data-scraping operations in an effort to discourage the practice. In October 2022, it settled a case against two other firms, Israeli-based BrandTotal Ltd. and Delaware-incorporated Unimania Inc., which both agreed to a permanent injunction that banned them from scraping Facebook and Instagram data going forward and pay Meta a "significant financial sum," Meta had said.

The company had also settled in 2020 with the scraping service Massroot8 and in 2022, it sued a clone site operator and a company called Octopus, a U.S. subsidiary of a Chinese national high-tech enterprise that had offered scraping services. Meta won that case, as the court issued a permanent injunction to stop the firm's data-scraping operations. Last year, Meta sued another scraping-for-hire firm Voyager Labs, which has not yet been decided or settled.

Such data-scraping operations can put user privacy at risk as data collected by web scrapers has been previously leaked online, such as in the case where the personal data from 533 million Facebook accounts was found to have been leaked.

The current case with Bright Data is case No. is 3:23-cv-00077-EMC in the U.S. District Court in Northern California.

The only remaining claim against Bright Data in this case is for tortious interference with contract.

Bright Data shared the following comment from CEO Or Lenchner (emphasis theirs):

When Meta approached us with a demand to stop allowing our customers to collect public data (scraping) from Facebook and Instagram, we decided that the right thing to do was to refuse and resolve this in court because public data should remain public. Despite many efforts by tech giants to exclusively control public information on the internet, common sense prevailed. Public information is public. This has always been our claim, and we are very happy about the decision of the court that supports this approach. Bright Data, as the leading web data collection company, will continue to fight for the basic right to free access to public information on the web.

Updated, 1/24/24, 11:22 a.m. ET with Meta comment, 4:39 p.m. ET with Bright Data comment.