How Bright Data’s KYC-first approach has helped pioneer one of the safest, legally compliant, and ethical data collection networks

We caught up with Nir Borenshtein, Bright Data’s Chief Operating Officer (COO), and Gal Shechter, Bright Data’s Head of Compliance, to get an inside look at the unique customer onboarding and network monitoring processes they have built from the ground up to enable ultimate web transparency for businesses.
Nadav Roiter | Data Collection Expert
12-Jul-2021

In this interview we will discuss:

What sets Bright Data’s ‘Know Your Customer’ process apart, and how is it leading the data collection industry’s compliance standards?

“There are two key components that ensure ultimate security:

One: Real-time compliance – Alongside ensuring they are receiving the best service, new users are also strictly vetted to ensure their use case is compliant, legal, and ethical. Network user activity is monitored for the first week of usage, along with ongoing, real-time monitoring. We invest large amounts of effort and resources to make sure we are online, providing immediate alerts in case the traffic is not aligned with the customer’s declared use case. Log checks are performed regularly by our in-house Head of Compliance, along with her team.

This is essential to both keeping the network ‘clean’ from potentially malicious actors as well as ensuring that existing Bright Data customer operations are never harmed.

Two: User validation – When individuals use our networks, and especially in the case of large corporate entities – we ensure that all source IPs are approved. We work closely with external security companies who review each individual IP to guarantee that the IPs performing web-based data collection belong to their employees, and are part and parcel of an ‘approved list of users’.

Additionally, our networks are always open to third-party audits. Bright Data continuously works with leading independent firms to ensure its networks are up to regulation, security, and legal standards. Some examples of these include working with ‘Herzog Strategic’, who thoroughly reviewed our network policies and activities,” Mr. Borenshtein asserted. Recommendations are always quickly reviewed and immediately implemented.

Here is an executive summary of Herzog’s independent audit, and findings, regarding Bright Data’s multi-pronged approach to compliance:

Client checks, and due diligence: ‘New residential/mobile customers are on-boarded using a comprehensive vetting / Know Your Customer (KYC) process, which includes live video identity verification and individual approval by an internal compliance officer. The KYC is based on more than 27 indicators developed internally that are unique in the industry.

After the use case is approved, the customer is assigned to a business development representative, who is then responsible for proactively monitoring the account. This allows the representative to monitor for any mismatches between in-practice usage and the use case originally declared’.

Code-based prevention and technological response mechanisms: ‘Any customer that tries to abuse the network is automatically blocked. This is enabled by a series of code-related mechanisms, inserted in each one of Bright Data’s main products. Such mechanisms are constantly updated according to abuse trends identified by the team, such as reselling, ad fraud, DDoS, as well as other emerging threats.

Each developer has full, end-to-end responsibility for coming up with new features, including the full testing cycle. This, along with their custom Build-and-Test (BAT) system, allows the company to release almost 60 upgrades to their system on a daily basis, an unprecedented number in the industry.’

An independent Compliance Department: ‘Bright Data has established an independent, proactive compliance team that manually handles every report of abuse, including investigating, warning, and blocking suspicious clients, as well as legally enforcing the company’s policies when necessary. The compliance team is also responsible for monitoring the activities of the sales and business development departments, ensuring that all KYC procedures are conducted in conformity.’ This can sometimes work against the company’s business goals. For this reason, the team is completely independent and has unrestricted access to the company’s CEO.

Can you reveal the specific use cases as well as the frequency with which potential customers are denied Bright Data network access?

“Absolutely, my department is constantly working to ensure that each and every use case is compliant with our network standards”, Ms. Shechter began elaborating. “I am of the opinion that numbers speak more strongly than words, in this instance:

  • In 2020 we blocked nearly 20 times the quantity of ‘forbidden network use cases’ in comparison with 2019.
  • We are only half way through 2021, and are on track to double that figure by the year’s end.

This explosive growth in our department’s proactive efforts to keep our networks secure, and compliant can be seen vis-à-vis the growth in the quantity of would-be customers who did not ‘pass’ compliance procedures, and were ultimately denied network access:

[Table image: Bright Data compliance figures for 2019, 2020 and January to June 2021. Image source: Bright Data Compliance Department]

All customer use cases are verified prior to onboarding

All Bright Data customers who request access to our Residential Network are required to provide a detailed description of their intended ‘use case’. The latter must be one of the pre-approved verticals. Here is a shortlist to give you an idea of what types of use cases we allow on our networks:

  • Performing ad-verification to ensure that marketing campaigns are actually reaching their intended audiences
  • Carrying out brand protection to ensure a company’s value is not being diluted by cybercriminals trying to profit from misrepresenting themselves as licensed producers/retailers
  • Collecting real-time information regarding competitor pricing, inventory levels, and other open-source digital retail stats
  • Website testing from various geolocations, as well as load balance testing
  • Performing preventative cybersecurity through, for example, mapping and monitoring for internet-exposed attacks outside of a company’s firewall (e.g. ransomware, malware, phishing attempts)

Bright Data has a policy of zero tolerance for illicit or abusive usage of its network!

If a customer requests to use Bright Data’s networks for an ‘unapproved’ use case, the request is sent for review by the company’s compliance team and rejected. Some of these cases may be considered ‘legal’; however, regulation often fails to keep up with the pace of technology. After consulting with leading network security experts, we have decided that these cases do not go hand-in-hand with our overall ethical approach. Here is a shortlist of real use cases that our dedicated compliance team has actively prevented from using our networks:

Click fraud: “I want to use proxy services for CPA and PPC campaigns where I can click on ads repeatedly using different IPs in order to generate traffic and revenue.”

Copyright infringement: “I need a proxy network in order to download YouTube videos, and then subsequently convert them to mp3 files for my clients.”

Generating fake traffic: “I want to access videos on YouTube, and Vimeo in order to increase views, rankings, and content revenue.”

Creating dishonest social engagement: “I want to create fake Facebook accounts in order to ‘push’ post-exposure using (fake) likes, comments, and shares.”

Sports betting: “I need Bright Data in order to scrape betting rates from different gambling sites in order to feed my own site with datasets as well as placing bets for personal profit.”

Deep dive: In what ways does Bright Data go above, and beyond compliance standards in order to ensure network safety, and use case legality with an ethics-first approach?

“Bright Data employs four major fraud detection pillars”, Gal shares with me. Let’s take a closer look:

One: KYC calls

These are used to deeply understand a customer’s use case. The questioning process is leveraged to identify inconsistencies in the client’s answers, and if such a case arises it is reported directly to our compliance team for further investigation.

An example of a case in which the KYC call served as an effective tool in preventing illegal and fraudulent activity on our network is a customer who tried to circumvent our KYC process by hiring another individual to go on a video call with our sales representative. We noticed the client was having trouble answering questions; we also noticed he was referring to a handwritten note when answering. Towards the end of the video call, we noticed another man hiding in the back, who turned out to be the person trying to get access to our Residential network.

Compliance outcome: Our compliance team denied him access to our networks effective immediately, terminated his account, and blocked him from signing up in the future.

Two: Usage Monitoring

Our business account managers and compliance team perform ongoing granular monitoring of client event logs after Residential Network permissions are granted. In the event that a discrepancy is found between said client’s declared use case and their practical account activity – their account is permanently terminated.

An example of a case in which usage monitoring was key in preventing a customer from misusing our networks for an unapproved use case is when a customer claimed that they were going to use our Residential Network to scrape eCommerce platforms such as ‘amazon.com’ for product research and price comparison to promote their online business. The customer also provided evidence of an online shop with products in their inventory. However, while monitoring the customer logs, the account manager noticed thousands of requests targeting gaming sites and only several targeting ‘amazon.com’.

Compliance outcome: Our compliance team noticed this discrepancy and immediately terminated this customer’s Bright Data account.

Three: Ongoing systematic logs review

Our department has several processes in place to perform systematic checks to ensure our network users remain compliant. These processes help us find accounts with activity that doesn’t match the stated use case. These include daily reports, a dedicated dashboard and daily procedures that involve reviewing our top customers.

An example of this is a client who was discovered to be misusing our services while reporting on a fake use-case (collecting open-source data on Instagram such as images, influencers, and profile data). The client was found to be targeting gambling sites, and other illicit content.

Compliance outcome: Our compliance team noticed this and immediately terminated this customer’s Bright Data account. Additionally, we built a tool that monitors customers’ logs, and when a client is targeting domains that are outside their declared use case, Compliance gets an automated alert and immediately investigates, taking further actions when necessary.
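A simplified version of that kind of declared-scope check, written here as an added example (this is not Bright Data’s tool; the accounts, allowed-domain lists and log lines are constructed, and the domain extraction is a naive last-two-labels assumption):

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed declared use cases: account -> domains the customer said they would target.
DECLARED_SCOPE = {
    "acct-1001": {"amazon.com", "ebay.com"},   # declared: eCommerce price comparison
    "acct-1002": {"instagram.com"},            # declared: open-source social data
}

# Constructed proxy request log, one request per line: "<timestamp> <account> <url>"
SAMPLE_LOG = """\
2021-06-01T10:00:01Z acct-1001 https://www.amazon.com/dp/B0001
2021-06-01T10:00:02Z acct-1001 https://gaming-site.example/bet
2021-06-01T10:00:03Z acct-1001 https://gaming-site.example/odds
2021-06-01T10:00:04Z acct-1001 https://other-games.example/
2021-06-01T10:00:05Z acct-1002 https://www.instagram.com/p/abc
2021-06-01T10:00:06Z acct-1002 https://www.instagram.com/explore
"""

def registrable_domain(url):
    """Naive eTLD+1 (assumption): last two host labels. Suffixes like co.uk need a public-suffix list."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])

def scope_violations(log_text, scope, min_requests=3, max_off_scope_ratio=0.25):
    """Return {account: (off_scope_ratio, Counter of off-scope domains)} for every account
    whose share of requests outside its declared scope exceeds max_off_scope_ratio.
    min_requests avoids alerting on accounts with too little traffic to judge."""
    totals, off_scope = Counter(), {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, account, url = line.split(maxsplit=2)
        if account not in scope:          # unknown account: nothing declared to compare against
            continue
        totals[account] += 1
        domain = registrable_domain(url)
        if domain not in scope[account]:
            off_scope.setdefault(account, Counter())[domain] += 1
    alerts = {}
    for account, n in totals.items():
        bad = off_scope.get(account, Counter())
        ratio = sum(bad.values()) / n
        if n >= min_requests and ratio > max_off_scope_ratio:
            alerts[account] = (ratio, bad)   # analyst sees which off-scope domains dominated
    return alerts
```

Running `scope_violations(SAMPLE_LOG, DECLARED_SCOPE)` flags only acct-1001, whose traffic went overwhelmingly to gaming domains rather than the declared eCommerce targets, mirroring the mismatch described above.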

Four: Abuse Reports

Bright Data uses vendor security reports in order to continuously maintain a clean network, as well as an automated system to detect, and immediately terminate abusive behavior.

An example of this is a new customer who got flagged due to a suspicious transaction. Bright Data’s fraud and chargeback software provider reported that this customer was a hacker who stole email addresses and passwords to feed a lucrative and widespread spamming operation.

Compliance outcome: Our compliance team put this information into action and ensured that this client was blacklisted and banned from accessing our networks.

Put into operational practice: The compliance team has since made use of these vendor reports in order to prevent similar cases of abuse going forward:

One: DC abuse reports – Compliance often receives abuse reports from DC vendors about customers who have improperly targeted a domain. Bright Data has developed internal tools that help locate the abusive customer in question, and resolve an ‘event’ within several minutes.

Two: Safecharge – fraud reports – Bright Data’s payment provider sends us a daily fraudulent transactions report which assists us in monitoring customers with suspicious billing activity.

Bottom line practices

While many data collection companies put their ‘No-Log policy’ front, and center, Bright Data takes pride in its ‘Log-keeping policy’.

All written, and video communication with Bright Data’s customers starting with their first point of contact on our website (inbound), or upon first approach by our sales team (outbound), is documented in our systems. We know our customers value our comprehensive approach to network security which is why we invest in running such a large-scale time-heavy operation.

Upon receipt of an abuse report Bright Data reviews the logs of the relevant customer and considers taking one of the following actions:

  • Suspension of a client’s account
  • Blocking the relevant domain
  • Transferring the relevant logs to law enforcement agencies and/or customers (upon request)

These are actions that speak to values grounded in transparency, as well as a commitment to network security and ethical business practices.

Nadav Roiter | Data Collection Expert

Nadav Roiter is a data collection expert at Bright Data. Formerly the Marketing Manager at Subivi eCommerce CRM and Head of Digital Content at Novarize audience intelligence, he now dedicates his time to bringing businesses closer to their goals through the collection of big data.