Stanford CIS

Lovely-Faces and the Benefit of Scraping Restrictions

By Woodrow Hartzog on

Website scraping, which is the bulk extraction of website information by software, is becoming an increasingly visible activity. The Lovely-Faces controversy shows how scraped information can disrupt a sense of privacy when re-published in a different context. The Lovely-Faces website, deemed “a social experiment” by its creators, re-contextualizes names, locations, and photos scraped from publicly accessible Facebook pages in a mock dating website. This controversy serves as a good example of how the fine print in online legal agreements can sometimes protect website users. The controversy presents a great opportunity to examine whether a social network site’s anti-scraping terms are as beneficial to users as they are to the website itself.

By scraping these profiles off Facebook and including them in their social experiment, the creators of Lovely-Faces have stripped both the context and obscurity that likely made some users comfortable posting their information. Lovely-Faces has also potentially violated Facebook’s terms of use, which dictate that “by accessing Facebook,” visitors agree “not [to] collect users' content or information, or otherwise access Facebook, using automated means (such as harvesting bots, robots, spiders, or scrapers) without [Facebook’s] permission.”

Lovely-Faces apparently did not have Facebook’s authorization to scrape its profiles. Facebook has threatened legal action against those who violate their terms, but it remains to be seen if their terms are enforceable against people merely browsing (scraping) the site. Scraping restrictions in similar “browsewrap” contracts have been ineffective in the past. While users who click to indicate assent to terms of use are regularly bound by these agreements, passive website users are often exempted because they lack the requisite notice of terms. Disputes involving automated online contract formation are typically decided by the facts of each case, rather than some all-encompassing rule as to whether bots, spiders, and scrapers have formed a contract.

For the sake of argument, let’s assume that Lovely-Faces is bound by Facebook’s terms. Facebook would then have a claim for breach of contract. But what about the Facebook users whose profiles were lifted? These users have no contract with Lovely-Faces, and the traditional school of thought is that they are largely without recourse. Although Lovely-Faces has explicitly and unequivocally offered to remove the profile of anyone who requests it, other websites might not be so generous.

In my article on confidentiality in online communities, I propose utilizing the third-party beneficiary doctrine to enable members of online communities to enforce the terms in online agreements aimed at protecting users. In essence, website users can enforce restrictions against a scraper if the website so intended in its terms of use. Typically, third-party beneficiaries are created when explicit language indicates non-parties to a contract can enforce the agreement. (Think life insurance contracts.) However, it is conceivable that some terms are so clearly intended for the benefit of others that such explicit language is not necessary.

While it is unlikely that Facebook intended to give each of its users a right to enforce its terms of use against other parties who violate them, the Lovely-Faces controversy brings up an interesting question: does the restriction on scraping benefit Facebook users as much as Facebook itself? Of course, the restriction helps Facebook maintain control over its extremely valuable data set of personal information. But Lovely-Faces makes it very apparent that website users are quite concerned about the scraping of information as well.

While Facebook users would likely be unsuccessful with a breach of contract claim here, I think it is worth analyzing the intent behind these restrictions and determining the benefit conferred by these terms. A website’s gift of the right to enforce restrictions on scraping could be a selling point in attracting privacy-conscious users. Could this be a way for start-ups to compete on user privacy?
