Canberra mulls screen scraping ban over cyber crime concerns
The government seeks submissions on a “deeply disconcerting” data capture method widely used by the finance industry.
A “deeply disconcerting” method of capturing personal information routinely used by the finance sector - screen scraping - could be banned in the wake of a government review.
The widespread practice, currently unregulated, enables businesses to tailor offerings using customer data kept by banks and super funds.
The government will explore the feasibility of outlawing the practice through a discussion paper, following recommendations from a 2022 review of its data sharing program, the Consumer Data Right (CDR).
“The fintech industry can make a real, lasting difference in finding better ways for people to share and use their data.”
UNSW financial data expert Dr Natalia Jevglevskaja said screen scraping was widespread and “deeply disconcerting”.
“A mortgage broker will send you an email explaining what kind of information they need from you, including a link which will ask you to provide your online banking credentials. A third party used by the broker will ‘scrape’ data from the bank account and deliver it to the broker so that they could perform their job. It is that easy albeit also hard to believe,” she said.
“Businesses don’t talk about it much because it’s the same way you don’t talk about driving or taking a bus to work because it’s just what you do.”
The paucity of information meant consumers were often unaware of the consequences of consenting to sharing their information. “The way they present their request to share information is such that consumers may not even be aware they have shared their bank login details with someone other than their bank and, as a result, they aren’t aware of what will be happening,” she said.
She attributed the practice’s ubiquity to its being an easier data collection method than using APIs or individually negotiating with different institutions for consumers’ information.
While no data breaches had yet been reported by screen scraping providers, she said the risk of a breach was a “bomb that could explode” and would disproportionately affect vulnerable consumers.
“Those who suffer more are the most vulnerable consumers: those who cannot otherwise get credit or any financial support from established institutions and need to turn to alternative lending methods with much higher interest rates to pay,” she said.
Mr Jones said the government believed the CDR was a safer alternative to screen scraping but acknowledged “a lot of money has been spent on CDR for not a great amount of take-up, and not a great amount of use cases”.
The CDR was implemented in 2020 and allows consumers to see how their data is being used with registered businesses.
Dr Jevglevskaja expressed similar doubts about the CDR being a viable replacement in the short term.
“Much more needs to be done. CDR’s limited use cases is something that the government is still struggling with … I strongly hope for the CDR to succeed but it will still take a few years with businesses for various reasons turning to screen scraping in the meantime,” she said.
“I think we certainly will find much more information in submissions to the government.”