It’s Now Easier for Hackers to Use Public Info Against You

Be careful of what you post online

  • A US court has ruled that it is not illegal to scrape public data from sites like LinkedIn.
  • Privacy advocates suggest the activity can be used to identify new targets and fine-tune phishing attacks.
  • The only option people have is to stop over-sharing, experts say.

YoungID/Getty Images

Hackers are literally scraping the bottom of the barrel to improve their attacks, and they now have the courts’ blessing.

The Ninth Circuit of Appeals in the United States ruled that it was not against the law to scrape public information. Web scraping is a technical term for extracting information from a website. For example, copying some text from an article as a quote is scraping. It enters a legal gray area when scraping is done by automated programs that scrape entire websites, especially websites that contain personally identifiable information such as names and email addresses.

“The massive amount of information that can be freely scraped from the internet is of concern both to individuals and organizations as this information [for instance] can easily be used by attackers to help make phishing attacks better,” VMware’s principal cybersecurity strategist, Rick McElroy, told Lifewire in an email.

Get Into a Scrape

The ruling is part of a lawsuit between LinkedIn and hiQ Labs, a talent management company that uses publicly available LinkedIn data to analyze employee turnover.

This doesn’t sit well with the professional social network, which has long argued that the activity threatens its users’ privacy. LinkedIn also alleges that scraping violates its Terms of Service and constitutes hacking as described in the Computer Fraud and Abuse Act (CFAA).

Privacy groups like the Electronic Frontier Foundation (EFF) have criticized the CFAA, saying the 30-year-old law was not written with the sensibilities of the Internet age in mind.

“The only practical solution for those concerned about privacy is to stop over-sharing…”

In its critique, the EFF says it seeks to help courts and policy makers understand how the CFAA has undermined security research. It targets LinkedIn for its attempt to transform a criminal law aimed at combating computer intrusion into a tool for enforcing company policies about computer use, essentially restricting free public access to publicly available information.

LinkedIn doesn’t look at web scraping the same way. In a statement to TechCrunch, LinkedIn spokesperson Greg Snapper said the company was disappointed with the court’s decision and will continue to fight to protect people’s ability to control the information they make available on LinkedIn. Snapper said that the company isn’t comfortable when people’s data is taken without their permission and used in ways they didn’t consent to.

Asking For Trouble

While hiQ takes the position that a ruling against data scraping could “profoundly impact open access to the Internet,” there have been several cases in which scraped data has been made available on underground forums for nefarious purposes.

In 2021, CyberNews reported that threat actors had scraped data from the profiles of over 600 million users on LinkedIn and put it up for sale for an undisclosed sum. Notably, this was the third time in four months that data scraped from LinkedIn users’ public profiles had been posted for sale.

CyberNews adds that although the data is not very sensitive, it can still put users at risk of spam and phishing attacks. Malicious actors may also (ab)use the details to quickly and easily find new targets.

Willy Leichter, CMO at LogicHub, believes there are difficult legal and privacy issues on both sides in this case.

“[The ruling] basically codifies the way the internet works in practice [so] if you share something publicly, you have permanently lost exclusive control over that data, photos, random posts, or personal information,” Leichter warned in an email exchange with Lifewire. “You should assume it will be copied, archived, manipulated, or even weaponized against you.”

Even if people could claim some legal control over publicly available data, Leichter said, it would be impossible to enforce and would never prevent nefarious activity.

McElroy said the ruling is a reminder that people should limit their publicly accessible information because that’s the only way to protect themselves from future attacks.

Leichter suggested, “The only practical solution for those concerned about privacy is to stop over-sharing and think carefully about everything you post publicly.”


More information

It’s Now Easier for Hackers to Use Public Info Against You

Be mindful of what you post online

  • A US Court has ruled that scraping public data from websites like LinkedIn isn’t illegal.
  • Privacy advocates suggest the activity can be used to identify new targets and fine-tune phishing attacks.
  • The only option for people is to stop oversharing, experts say.
youngID / Getty Images

Hackers are literally scraping the bottom of the barrel to fine-tune their attacks, and they now have the courts’ blessing.

The US Ninth Circuit of Appeals has ruled that scraping public data isn’t against the law. Web scraping is the technical term for extracting information from a website. For instance, when you copy some text from an article as a quote, that’s scraping. It enters a legal gray area when the scraping is done by automated programs that scrape entire websites, especially those holding personal information, such as names and email addresses.

“The massive amount of information that can be freely scraped from the internet is of concern both to individuals and organizations as this information [for instance] can easily be used by attackers to help make phishing attacks better,” Rick McElroy, Principal Cybersecurity Strategist at VMware, told Lifewire via email.

Get Into a Scrape

The ruling comes as part of a legal battle between LinkedIn and hiQ Labs, a talent management company that uses public data from LinkedIn to analyze employee attrition. 

This doesn’t sit well with the professional social network, which has long argued that the activity threatens the privacy of its users. Furthermore, LinkedIn contends that the scraping is against its terms of service and amounts to hacking, as described in the Computer Fraud and Abuse Act (CFAA).

Privacy advocacy groups such as the Electronic Frontier Foundation (EFF) have been critical of the CFAA, saying the three-decade-old law wasn’t framed with the sensibilities of the internet age in mind.

“The only practical solution for individuals concerned about privacy is to stop oversharing…”

In its criticism, the EFF notes that it strives to make the courts and policymakers understand how the CFAA has undermined security research. It targets LinkedIn for its attempt to transform a criminal law meant to address computer break-ins into a tool to enforce corporate computer use policies, in essence restricting free and open access to publicly available information. 

LinkedIn doesn’t view web scraping in the same light. In a statement to TechCrunch, LinkedIn’s spokesperson Greg Snapper said the company is disappointed in the court’s decision and will continue to fight to protect the ability of people to control the information they make available on LinkedIn. Snapper asserted that the company isn’t comfortable when people’s data is taken without permission and used in ways they haven’t agreed to.

Asking For Trouble

While hiQ has taken the stand that a ruling against data scraping could “profoundly impact open access to the Internet,” there have been several incidents of scraped data being made available on underground forums for nefarious purposes.

In 2021, CyberNews shared that threat actors had managed to scrape data from over 600 million user profiles on LinkedIn, putting it up for sale for an undisclosed sum. Notably, this was the third time in the past four months that data scraped from millions of LinkedIn users’ public profiles had been posted for sale.

CyberNews added that while the data wasn’t deeply sensitive, it could still put users at risk of spam and expose them to phishing attacks. The details could also be (ab)used by malicious actors to quickly and easily find new targets.

Willy Leichter, CMO of LogicHub, believed there are difficult legal and privacy issues on both sides of this case.

“[The ruling] basically codifies the way the internet works in practice [so] if you share something publicly, you have permanently lost exclusive control over that data, photos, random posts, or personal information,” warned Leichter in an email exchange with Lifewire. “You should assume it will be copied, archived, manipulated, or even weaponized against you.”

Leichter opined that even if people could assert some legal control over data posted in the public domain, it would be impossible to enforce it, and it wouldn’t deter nefarious activity in any case.

McElroy agreed, saying the ruling serves as a great reminder that people should limit their publicly accessible information since that is the only real recourse available to protect them from future attacks. 

“The only practical solution for individuals concerned about privacy is to stop oversharing and think carefully about anything you post publicly,” suggested Leichter.


Synthetic: Vik News

Đỗ Thủy

I'm Do Thuy, passionate about creativity, blogging every day is what I'm doing. It's really what I love. Follow me for useful knowledge about society, community and learning.
