This study addresses the lack of large-scale empirical evidence on web crawlers’ compliance with the robots.txt protocol (REP), a widely assumed—but unverified—security boundary. Method: Leveraging 40 days of anonymized web server logs from 40 institutions, we systematically analyze the behavior of 130 self-declared bots and numerous anonymous crawlers, employing crawler fingerprinting, dynamic robots.txt directive injection, and behavioral attribution. Contribution/Results: We find that AI-powered search crawlers routinely ignore robots.txt—most rarely, if ever, consult it. Compliance rates decline significantly under stricter directives (e.g., Disallow: /), undermining the consensus that REP serves as an effective security control. Our results demonstrate REP’s limited practical efficacy as a protective mechanism in real-world deployments, highlighting the urgent need for more robust, enforceable access control mechanisms. This work establishes the first real-log-based controlled-experiment benchmark for web crawling governance and provides foundational empirical evidence for policy and protocol design.

Online data scraping has taken on new dimensions in recent years, as traditional scrapers have been joined by new AI-specific bots. To counteract unwanted scraping, many sites use tools like the Robots Exclusion Protocol (REP), which places a robots.txt file at the site root to dictate scraper behavior. Yet, the efficacy of the REP is not well-understood. Anecdotal evidence suggests some bots comply poorly with it, but no rigorous study exists to support (or refute) this claim. To understand the merits and limits of the REP, we conduct the first large-scale study of web scraper compliance with robots.txt directives using anonymized web logs from our institution. We analyze the behavior of 130 self-declared bots (and many anonymous ones) over 40 days, using a series of controlled robots.txt experiments. We find that bots are less likely to comply with stricter robots.txt directives, and that certain categories of bots, including AI search crawlers, rarely check robots.txt at all. These findings suggest that relying on robots.txt files to prevent unwanted scraping is risky and highlight the need for alternative approaches.