The Flow Report - behind your scraping… a kids’ app?
Residential proxies are the tool that most major web scraping vendors use to make scraping requests appear as if they're coming from genuine users, in their homes. These proxies use real IP addresses assigned to home computers or smartphones (rather than datacenter IPs) to increase anonymity and reduce the risk of being blocked by a website.
As of this month, residential proxies are having their time in the spotlight. A WIRED story on March 5th exposed the fact that at least 1 million Android-based devices for sale, such as TV streaming boxes, are infected with malware that allow bad actors to use an unsuspecting customer’s internet connection for concealing web traffic. The “bad actors” in that story are China-based hackers and scammers. But what about well-known and widely-adopted web scraping companies? How are they acquiring their vast networks of residential proxies?
Bright Data Apps
At least for Bright Data, a leading web scraping company, a portion of its highly-coveted network of proxies appears to be sourced from (drumroll)… kids’ applications. In its typical business model, Bright Data offers a “Bright SDK” which allows developers to incorporate proxyware functionality into their applications. Upon installation, users are given the choice to opt in to premium features in exchange for the use of their internet connection. Developers receive compensation proportional to the amount of the user's internet connection utilized.
However, at least in some cases, Bright Data markets its own free children’s applications that, when downloaded, offer the user the chance to turn their device into a proxy in exchange for less advertising. Free applications available on Amazon for devices such as the Fire tablet include names like “Tetris”, “Cute Puppies Screensaver”, and “Tic Tac Toe Blast”.
Source: Amazon.com
Upon download, a device user receives an opt-in consent screen, such as the one below:
Source: Bright Data
Bright Data Policies
On its website, Bright Data states that the Bright SDK is not directed towards children under 13, and that apps owned and operated by Bright Data are published on app stores with an age rating of 13+ (curiously, when Glacier reviewed the apps available on the Amazon store, it found that a number of the apps are marked as for “all ages”). Bright Data further states that its platform supports parental controls for app downloads: “on platforms that have parental control, and Bright Data is able to identify that the user is defined in the age 0-12 years, the Bright SDK will not be available”.
Web scraping enthusiasts may also be quick to point out that proxyware typically does not collect any sensitive information about a device owner. Indeed, Bright Data maintains a Privacy Policy stating that the SDK “does not collect any of your personal information, and does not track you in any way.”
Do Proxies Hurt?
Proxyware experts seem to disagree on whether turning a device into a proxy can have a detrimental practical effect on an app user’s experience of his device or network. Commercial vendors like Bright Data are careful to cap the amount of traffic conducted on the device and use only the device’s available resources. On the flip side, any excess traffic from a device can cause an IP address to potentially be flagged as malicious. In some cases, an entire household may find itself unable to access a favorite website.
Perhaps the most important question raised by Bright Data’s approach is really an ethical question about transparency and consent. Does the opt-in process give kids (or more importantly, their parents) enough notice that a device is being turned into a proxy? Can a teenager older than 13 but under 18 give informed consent at all? Exactly how critical are children’s’ apps to a scraping vendor’s (very) necessary business of obtaining residential proxies?
What Does This Mean for Data Buyers?
One thing is certain: data compliance teams would be well-advised to dig deep during the diligence process on the topic of how a web scraping vendor has acquired its proprietary network of residential proxies. If you need assistance in conducting diligence on your vendors, please contact Glacier.
Dede Siguler
Data Diligence Consultant, Glacier Network
©2025 Glacier Network LLC d/b/a Glacier Risk (“Glacier”). This post has been prepared by Glacier for informational purposes and is not legal, tax, or investment advice. This post is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. This post was written by Dede Siguler without the use of generative AI tools. Dede is a diligence consultant at Glacier, a data risk company providing services to users of external and alternative data. Visit www.glaciernetwork.co to learn more.