Screen scraping

1. What is screen scraping (or a content aggregation website)?

An aggregator (screen scraping) website gathers all of a consumer's online accounts on one website, accessed with a single password. An aggregator site offers convenience and, in the process, captures a valuable customer base for advertising and for linking to other services. Instead of visiting many sites and entering many access codes, a consumer is given one entry point and one password to view all of his or her services. Many aggregator sites are currently free.

For example, a consumer may access on one site their banking, bills, investments, insurance policies, stock portfolios, credit commitments, frequent flyer points, news sites, email and shopping sites. The growth of aggregator sites is recent and the Australian Securities and Investments Commission (ASIC) is considering developing rules to help consumers navigate these new internet services.

Two types of aggregation service exist:

(a) a service which requires the consumer to hand over personal password information to the aggregator and use the service from a third party web site (Third Party Aggregators); and

(b) a service which sends software to the consumer, who uses the service from his or her own computer; the passwords are stored in a secure area on that computer (Virtual Aggregators).

The following comments apply variously to both services.

2. Liability issues arising from screen scraping

Aggregation is relatively new to Australia. Legal issues of consumer liability, privacy, copyright and information security arise from the operation of an aggregation website. ASIC is presently looking at the regulatory issues arising from the service.

The following issues may arise:

(a) A Third Party Aggregation site requires consumers to hand over their access codes (eg PINs) for each of their online accounts. This may constitute a clear breach of the consumer's account terms and conditions and may affect any limited liability the consumer is entitled to under that account. For example, the Electronic Funds Transfer Code of Conduct (EFT Code) covers only ATM and EFTPOS transactions. As the regulation stands, a consumer is entitled to a $50 liability limit should unauthorised transactions take place on his or her account. This liability limit is revoked if the consumer knowingly discloses his or her PIN or password to any third party.

The EFT Code (revised version 2001) (revised EFT Code) comes into effect on 1 April 2002 and covers all forms of electronic transactions, including ATM, EFTPOS, internet, telephone banking and stored value facilities. Under the revised EFT Code the liability limit has been increased to $150, but it is still revoked if the consumer knowingly discloses his or her PIN or password to any third party. However, under subclause 5.7 of the revised EFT Code, if an account institution promotes or endorses the use of an aggregation service, or authorises its consumers to use that service, such conduct by a consumer does not revoke the limited liability.

Currently, the revised EFT Code only addresses PIN security, though as the use of aggregation increases, other changes to the revised EFT Code are likely.

Refer to the Consumer Protection fact sheet for more details on the revised EFT Code.

(b) An aggregation site whose terms and conditions require consumers to carry all legal risk arising from the service (eg a provision limiting the aggregator's liability from any site-associated problems such as telecommunications error, computer error or bank account fraud) may expose the aggregator to liability under the trade practices legislation. It may be unconscionable for the aggregator to require consumers to give up important legal protection given to them under their accounts (see example above). If unconscionable, such a contract would not be binding on the consumer. See Consumer Protection fact sheet.

(c) Difficulty may arise in establishing and maintaining an audit trail should a security breach occur. Screen scraping can occur without the knowledge or control of the relevant account institution. An account institution may not be able to differentiate between the consumer and the aggregator logging on. If losses result, it may be difficult to tell where the security breach occurred. Did the consumer fail to protect his or her PIN, or was there a security breach at the bank or at the aggregator? Audit trails will be difficult to establish and maintain so as to ensure security throughout the chain of participants involved in the process.
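The audit-trail problem described in (c) can be narrowed from the institution's side by recording where each login originated. The following is an added example, not part of this fact sheet: it reads a constructed login log (the format, field names and addresses are assumed for illustration) and flags accounts whose logins come from more than one origin within a short window, which is the pattern an institution would see when a consumer and an aggregator both use the same PIN.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample login records (not real data). Each line is one
# successful login: timestamp, event, account, source address, user agent.
SAMPLE_LOG = """\
2002-03-01T08:02:11 login user=alice src=203.0.113.7 ua=Mozilla/4.0
2002-03-01T08:03:40 login user=alice src=198.51.100.20 ua=AggregatorBot/1.0
2002-03-01T12:00:05 login user=alice src=198.51.100.20 ua=AggregatorBot/1.0
2002-03-01T09:15:22 login user=bob src=203.0.113.42 ua=Mozilla/4.0
2002-03-01T18:30:00 login user=bob src=203.0.113.42 ua=Mozilla/4.0
"""


def parse_line(line):
    """Split one log line into a dict with a datetime and the key=value fields."""
    ts, _event, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": datetime.fromisoformat(ts), **fields}


def audit_logins(log_text, window_minutes=30):
    """Per account, list distinct (src, ua) origins and flag consecutive logins
    from different origins that fall within window_minutes of each other.

    A second origin on its own is not proof of credential sharing (home and
    office use look the same), so the result is an audit annotation, not a
    verdict: it tells the institution which entries to examine if a loss occurs.
    """
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_user[rec["user"]].append(rec)

    report = {}
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        origins = sorted({(r["src"], r["ua"]) for r in recs})
        overlapping = []
        for a, b in zip(recs, recs[1:]):
            same_origin = (a["src"], a["ua"]) == (b["src"], b["ua"])
            gap_minutes = (b["ts"] - a["ts"]).total_seconds() / 60
            if not same_origin and gap_minutes <= window_minutes:
                overlapping.append((a["ts"].isoformat(), b["ts"].isoformat()))
        report[user] = {"origins": origins, "overlapping": overlapping}
    return report
```

In the sample, alice's account shows two origins with logins 89 seconds apart, so her entries are flagged for review, while bob's single-origin logins are not.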

3. Managing legal risk (consumer guidelines)

Before registering for a service, a consumer should:

(a) Ensure the aggregation website will not:

* sell personal information;
* release financial details owing to bad internal security; or
* increase the risk of unauthorised transactions on online accounts.

(b) Check with his or her account institution to see whether there is a risk of breaching the institution's rules. The consumer should only register for a service where the handover of personal access codes has been approved by the relevant party.

(c) Check whether personal financial information is stored overseas or locked up securely in computer centres in Australian jurisdictions.

(d) Check the terms and conditions of the site to make sure the liability arrangements are acceptable and ask the aggregator whether it will assume liability in the case of a security breach or some other "unforeseen circumstance" at the aggregator end. Ensure the terms and conditions of the service clearly identify the point at which liability is assumed by the aggregator.

(e) Contact his or her account institution and find out the consequences of handing over a PIN to an account aggregation site. Request written consent from the institution to do so.

(f) When using the service the consumer should:

* not reveal a site access code to anyone. If a security breach is suspected, the consumer should change the access code and alert the provider;
* resist Windows password helpers that give direct access to a site without having to key in a password; and
* remember to log off when finished. Most sites automatically log out after five to 10 minutes of inactivity, but this should not be relied on.