The Bright Data SDK controversy exposed what the proxy industry avoids saying out loud. Here's a clear-eyed framework for evaluating IP sourcing ethics — and how NinjaProxy approaches these questions.

If you've been following proxy news in June 2026, you know what happened.
Bright Data — the largest residential proxy provider in the world — was found routing web scraping traffic through smart TVs, iPhones, and consumer devices via an SDK embedded in free apps. The disclosed consent was technically present but described "minimal" resource use while the configuration permitted up to 200 GB of monthly traffic per device. On iPhones, that traffic bypassed VPN configurations entirely.
The story landed on Hacker News and spread through developer forums immediately. The reaction was direct: where do residential IPs actually come from?
It's a question the proxy industry has historically avoided answering with specifics. This post is our attempt to change that — starting with a framework every developer should use, and then with our own answers.
When you buy cloud compute, the origin of the resources is irrelevant to your use case. When you buy residential proxies, the origin is the product.
Residential IPs have higher trust scores than datacenter IPs precisely because they come from real home and mobile connections assigned by real ISPs. The moment that's no longer true — either because the IPs are fake, or because they were acquired through means that could lead to rapid pool collapse — your use case degrades.
This creates an uncomfortable dynamic: the sourcing practices that make residential proxies valuable are the same practices that create ethical risk when done wrong.
1. SDK-embedded peer networks
The provider ships code inside a third-party app (a VPN, free utility, or consumer app). When users install the host app, their device joins the proxy network in the background, routing external traffic through their connection.
The ethical variable: the quality of user disclosure. "By using this app you agree to share network resources" buried in a ToS is not the same as "this app will route up to X GB/month of commercial web scraping traffic through your home internet connection." Bright Data had the former.
The practical variable: these networks are vulnerable to sudden pool collapse. An app store enforcement action, media coverage, or backlash can remove tens of thousands of IPs overnight.
2. ISP and IP range partnerships
The provider secures commercial agreements directly with ISPs or IP range holders to allocate specific IP ranges. The IPs are assigned through ISP infrastructure, so they appear as residential, but they live in controlled data centers rather than real consumer homes.
The ethical variable: lower — no consumer devices are involved.
The practical variable: these pools behave more like datacenter proxies in terms of stability and rotation diversity.
3. Direct contributor programs
Individuals explicitly join a program to share unused bandwidth, typically for payment or premium service access. They install a reviewed application and agree to terms that disclose what traffic will route through their connection, at what volume, and how to stop.
The ethical variable: depends entirely on the clarity of the disclosure and the honesty of the terms.
Whether you're evaluating NinjaProxy or any other residential proxy provider, these five questions will tell you most of what you need to know:
1. Where do your residential IPs come from?
Don't accept "ethically sourced" or "from legitimate sources" as an answer. Ask for the specific model: ISP agreements, contributor program, SDK partnerships, or a mix. If they won't say, that's information.
2. What do your contributors consent to, specifically?
If they run a contributor program: what does the consent screen or agreement actually say about traffic volume? Is the language clear that commercial web scraping traffic will route through the contributor's device?
3. What traffic is prohibited on your network?
What categories are your contributors' connections protected from routing? Adult content, illegal material, credential stuffing, DDoS? A provider that doesn't maintain and publish a prohibited-use policy is a provider that doesn't restrict use.
4. Have you received legal demands related to your IP network?
DMCA notices, law enforcement requests, civil litigation related to traffic routed through your residential pool. How a provider responds to these tells you how seriously they take the obligations that come with running a proxy network.
5. What happens if a segment of your pool disappears suddenly?
Session continuity, failover behavior, SLA implications. This is both a reliability question and a sourcing question — a stable pool is a well-governed pool.
We'll answer each one directly.
Where do our residential IPs come from?
We are happy to answer this question — contact us directly at [email protected] and we will explain our network sourcing in detail. We recognize that "ask us directly" is not the same as "published on our website," and we're working on making this more transparent. This post is step one.
What do we prohibit?
We do not route traffic that would constitute: illegal activity under applicable law, attacks on systems or infrastructure, bulk credential testing, or content that would expose end users to harm. These prohibitions are in our Terms of Service and enforced at the network level.
What is our legal history?
NinjaProxy has no public legal actions, DMCA litigation, or law enforcement matters related to our IP network.
What happens if a pool segment disappears?
Our session management handles pool changes gracefully. If you're in the middle of a session and an IP becomes unavailable, you are rotated to the next available IP in your target pool without session loss.
The Bright Data story isn't primarily about Bright Data. It's about what happens when an entire industry competes on features — IP count, country coverage, success rate — without competing on sourcing ethics.
Developers building at scale are going to ask these questions more often now, not less. The providers who answer them clearly — and back up those answers with practices that can survive scrutiny — are the providers that enterprise buyers will trust with long-term infrastructure decisions.
We think that's the right direction. This post is our first public step toward saying so.
If you have questions about NinjaProxy's sourcing practices that this post doesn't cover, email us at [email protected] or start a conversation via the chat on ninjasproxy.com. We will answer directly.
Using residential proxies for web scraping, ad verification, or market research? Start a free trial →