1. What is screen scraping (or a content aggregation website)?
An aggregator (screen scraping) website gathers a consumer's online accounts on one website that is accessed with a single password. The aggregator site offers convenience and, in the process, captures a valuable customer base for advertising and for linking to other services. Instead of visiting many sites and keying in many access codes, the consumer is given one entry point and one password through which to view all of his or her services. Many aggregator sites are currently free.
For example, a consumer may access on one site his or her banking, bills, investments, insurance policies, stock portfolios, credit commitments, frequent flyer points, news sites, email and shopping sites. The growth of aggregator sites is recent, and the Australian Securities and Investments Commission (ASIC) is considering developing rules to help consumers navigate these new internet services.
Two types of aggregation service exist:
(a) a service which requires the consumer to hand over his or her passwords to the aggregator, and which is used from a third party web site (Third Party Aggregators); and
(b) a service which sends software to the consumer, who uses the service from his or her own computer; the passwords are stored on that computer in an area the software presents as secure (Virtual Aggregators).
The following comments apply variously to both services.
2. Liability issues arising from screen scraping
Aggregation is relatively new to Australia. Legal issues of consumer liability, privacy, copyright and information security arise from the operation of an aggregation website. ASIC is presently looking at the regulatory issues arising from the service.
The following issues may arise:
(a) A Third Party Aggregation site requires consumers to hand over their access codes (eg PINs) for each of their online accounts. This may breach the consumer's account terms and conditions and may affect any limited liability the consumer is entitled to under that account. For example, the Electronic Funds Transfer Code of Conduct (EFT Code) currently covers only ATM and EFTPOS transactions. As the regulation stands, a consumer's liability for unauthorised transactions on his or her account is limited to $50. This liability limit is lost if the consumer knowingly discloses his or her PIN or password to any third party.
The revised EFT Code comes into effect on 1 April 2002. The revised Code will cover all forms of electronic transactions, including ATM, EFTPOS, stored value and digital coins, as well as all methods of access to an internet transaction, such as the use of an ID number, password, PIN or digital signature. Under the revised Code the liability limit is increased to $150, but it is still lost if the consumer knowingly discloses his or her PIN or password to any third party. Refer to the Consumer Protection fact sheet for more details on the revised EFT Code.
(b) An aggregation site whose terms and conditions require consumers to carry all legal risk arising from the service (eg a provision excluding the aggregator's liability for any site-associated problem such as telecommunications error, computer error or bank account fraud) may expose the aggregator to liability under the trade practices legislation. It may be unconscionable for the aggregator to require consumers to give up important legal protection given to them under their accounts (see the example above). If unconscionable, such a provision would not be binding on the consumer. See the Consumer Protection fact sheet.
(c) Difficulty may arise in establishing and maintaining an audit trail should a security breach occur. Screen scraping can take place without the knowledge or control of the relevant financial institution. Because the aggregator logs on with the same access code as the consumer, the account institution may not be able to distinguish a login by the consumer from a login by the aggregator. If losses result, it may be difficult to tell where the security breach occurred: did the consumer fail to protect his or her PIN, or was there a security breach at the bank or at the aggregator? Audit trails will be difficult to establish and maintain across the whole chain of participants involved in the process.
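As an added illustration of the audit-trail problem in (c), the following example is not part of the original fact sheet and is not any institution's or aggregator's code. It parses a constructed authentication log (the line format, the account numbers and the IP addresses are assumptions for the example) and shows two things: per credential, every login looks identical whoever typed the password; but across credentials, a source that logs into many unrelated accounts in one burst behaves like an aggregator's scheduled refresh, and can be flagged on that basis. The thresholds (three accounts within ten minutes) are assumptions to be tuned, not a standard.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample of a bank's login log; the format is an assumption for
# this example. 203.0.113.7 plays the role of a third-party aggregator
# refreshing several customers' accounts in one batch; the 198.51.100.x
# addresses are customers' own connections. Note that every line carries
# the same user agent: the aggregator presents the consumer's own
# credential, so nothing on a single line tells the two apart.
SAMPLE_LOG = """\
2002-03-01T08:01:10 acct=1001 ip=203.0.113.7 ua=Mozilla/4.0
2002-03-01T08:01:42 acct=1002 ip=203.0.113.7 ua=Mozilla/4.0
2002-03-01T08:02:15 acct=1003 ip=203.0.113.7 ua=Mozilla/4.0
2002-03-01T08:03:01 acct=1004 ip=203.0.113.7 ua=Mozilla/4.0
2002-03-01T12:15:33 acct=1005 ip=198.51.100.40 ua=Mozilla/4.0
2002-03-01T12:16:02 acct=1006 ip=198.51.100.40 ua=Mozilla/4.0
2002-03-01T19:30:08 acct=1001 ip=198.51.100.23 ua=Mozilla/4.0
"""

LINE_RE = re.compile(r"^(\S+) acct=(\S+) ip=(\S+) ua=(\S+)$")


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    account: str
    source_ip: str
    user_agent: str


def parse_log(text):
    """Parse log lines into LoginEvent records; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, acct, ip, ua = m.groups()
        events.append(LoginEvent(datetime.fromisoformat(ts), acct, ip, ua))
    return events


def suspected_aggregator_sources(events, min_accounts=3,
                                 window=timedelta(minutes=10)):
    """Return source IPs that logged into at least `min_accounts` distinct
    accounts within any `window`. A consumer logs into his or her own
    accounts; a source touching many unrelated accounts in one burst is
    behaving like an aggregator. This is a signal, not proof."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.source_ip].append(e)
    flagged = set()
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        for i, start in enumerate(evs):
            # distinct accounts seen from this IP within the window from `start`
            accounts = {e.account for e in evs[i:] if e.ts - start.ts <= window}
            if len(accounts) >= min_accounts:
                flagged.add(ip)
                break
    return flagged


def attribute(events, **kwargs):
    """Label each login 'consumer' or 'suspected-aggregator' using only the
    cross-account fan-out heuristic above. Returns (event, label) pairs in
    log order."""
    flagged = suspected_aggregator_sources(events, **kwargs)
    return [(e, "suspected-aggregator" if e.source_ip in flagged else "consumer")
            for e in events]


def labels_for_account(events, account, **kwargs):
    """Labels, in log order, for one account's logins."""
    return [label for e, label in attribute(events, **kwargs) if e.account == account]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("suspected aggregator sources:", suspected_aggregator_sources(evs))
    for e, label in attribute(evs):
        print(e.ts.isoformat(), e.account, e.source_ip, label)
```

On the constructed log, only 203.0.113.7 is flagged; 198.51.100.40, which logs into two accounts (a joint holder, say), stays below the threshold. The heuristic needs the institution to keep source address and timing for every login, and it can still be defeated by an aggregator that spreads its refreshes over time or across addresses. That is the fact sheet's point: once the consumer has handed over the access code, the credential itself no longer attributes a session to anyone, and the institution is left inferring from surrounding metadata.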
3. Managing legal risk (consumer guidelines)
Before registering for a service, a consumer should:
(a) Ensure the aggregation website will not:
* sell personal information;
* release financial details owing to bad internal security; or
* increase the risk of unauthorised transactions on online accounts.
(b) Check with his or her account institution whether handing over access codes would breach its rules. The consumer should only register for a service where the hand over of personal access codes has been approved by the relevant institution.
(c) Check whether personal financial information is stored overseas or held securely in computer centres within Australian jurisdictions.
(d) Check the terms and conditions of the site to make sure the liability arrangements are acceptable and ask the aggregator whether it will assume liability in the case of a security breach or some other "unforeseen circumstance" at the aggregator end. Ensure the terms and conditions of the service clearly identify the point at which liability is assumed by the aggregator.
(e) Contact his or her financial institution and find out the consequences of handing over a PIN to an account aggregation site. Request written consent from the institution to do so.
(f) When using the service the consumer should:
* not reveal a site access code to anyone. If a security breach is suspected, the consumer should change the access code and alert the provider;
* resist Windows password helpers that log the consumer straight into a site without keying in a password; and
* remember to log off when finished. Most sites automatically log out after five to 10 minutes of inactivity, but this should not be relied on.
Other relevant Articles on this site:
Trade practices and consumer protection
Terms and conditions of website
Other relevant Fact Sheets:
Consumer Protection
Electronic Payment Systems
Online Contracts
Secure Electronic Transactions