← Learn

Is It Legal to Audit Someone's Public Social Media?

There is a clear legal line between viewing information someone published openly and breaking into a private account, and auditing a public profile sits firmly on the lawful side of it. That is not a marketing assurance; it is the through-line of two significant U.S. court decisions on what 'unauthorized access' means under computer-fraud law. Understanding where the line actually sits, rather than guessing, is what lets you use public data confidently and stay well clear of the conduct that is genuinely prohibited.

Key points

  • Viewing a public account is lawful, it's published for anyone to see.
  • Analyzing public data is lawful; hiQ v. LinkedIn held no-login public access isn't a CFAA violation.[1]
  • The line is unauthorized access: passwords, private accounts, bypassing settings.
  • Van Buren framed CFAA liability as 'gates-up-or-down', are you entitled to access at all.[2]
  • Browsing public profiles is invisible to the account owner.

Public means published

When someone sets an account to public, they are publishing to the open internet. Their posts, follower list, and following list become visible to anyone with the app, no relationship, login, or permission required. That is the operative fact: the information was made available to the general public by its owner.

Looking at it, and organizing or analyzing it, is the legal equivalent of reading a public blog or a company's public page. You are consuming what was deliberately made open, which is the activity at the heart of every legitimate audit of a public account.

hiQ v. LinkedIn: public data and the CFAA

The most directly relevant authority is hiQ Labs v. LinkedIn. hiQ scraped public LinkedIn profiles; LinkedIn tried to stop it by invoking the Computer Fraud and Abuse Act, the federal anti-hacking statute. The Ninth Circuit held that accessing data on a public website that requires no login does not constitute access 'without authorization' under the CFAA.[1]

The reasoning is intuitive once stated: on a public page there are no access gates to breach, so there is no unauthorized access to commit. The decision is the legal backbone of the principle that public-facing data is fair to access, and it is why reviewing a public following list is categorically different from hacking.

Van Buren: what 'exceeds authorized access' means

The Supreme Court sharpened the boundary in Van Buren v. United States. The Court adopted a narrow reading of the CFAA's 'exceeds authorized access' clause, describing liability as a 'gates-up-or-down' inquiry: either you are authorized to access a particular area of a system, or you are not.[2]

The practical upshot is that improper purpose does not convert authorized access into a federal computer crime, the question is whether the area was off-limits to you in the first place. Public information is, by definition, gates-up for everyone. Private, login-gated, or restricted data is gates-down, and reaching it without authorization is where liability lives.

Where the line actually is

Synthesizing the two: the law cares about unauthorized access to private systems or data, not about looking at public posts. Logging into an account that is not yours, obtaining a password by any means, or circumventing a privacy setting to reach restricted content all cross the line. Reading a public account does not.

A useful mental model is the closed door versus the open window onto the street. A private account is a closed door; opening it without permission is the violation. A public account is information set out in public view, and observing it is what the law leaves alone.

How a responsible audit stays inside it

A legitimate tool only ever touches public data and never asks for a password, not yours and not the target's, and it cannot and should not access a private account. That design is not just good ethics; it is what keeps the activity on the lawful side of the hiQ and Van Buren line.

Serum works strictly on public Instagram and TikTok accounts using publicly visible data, with no login to anyone's account, no password, and no notification, because there is nothing to notify when someone reads what is already public. Knowing why that is lawful, rather than taking it on faith, is what lets you use public information with confidence and recognize the conduct to avoid.

Frequently asked questions

Is it legal to look at someone's public Instagram?

Yes. A public account is published for anyone to see, so viewing it, posts, followers, following, is the legal equivalent of reading a public website. No law is broken by looking at information someone chose to make public.

Is analyzing public social data legal?

Generally yes. Reviewing, organizing, and analyzing already-public information is lawful in most jurisdictions. In hiQ v. LinkedIn, the Ninth Circuit held that accessing data on a public website that requires no login does not violate the Computer Fraud and Abuse Act.[1]

What would make it illegal?

Crossing into private data: logging into an account that is not yours, guessing or stealing a password, or bypassing a privacy setting to reach restricted content. The Supreme Court's Van Buren decision framed CFAA liability as a 'gates-up-or-down' question, are you entitled to access this area at all, which is the boundary that matters.[2]

Does the purpose of the audit change its legality?

Under Van Buren, accessing public data you are entitled to view does not become a computer-crime because your purpose is disfavored, the statute turns on whether you were authorized to access the area, not on motive.[2] Other laws (harassment, stalking) can still govern conduct, so purpose matters elsewhere even if it does not convert lawful access into hacking.

Will the person know I looked?

No. Viewing a public profile and its public follower and following lists is invisible; the platforms do not notify users or log viewers for public information. There is nothing to notify, because you are reading what is already published.

What about the platform's terms of service?

Terms of service are a contract between the user and the platform, not criminal law. The hiQ line held that violating a site's terms by accessing public data does not by itself trigger the CFAA, though platforms can still pursue contract or other remedies, which is a separate question from legality of viewing public information as an individual.

See what their profile won't tell you.

Serum pulls every account someone follows on Instagram or TikTok and profiles each one. No password. They are never notified.

View all Learn articles