If the Australian government truly cares about privacy, then it’s time to ban screen scraping

- March 7, 2022
Legislation is never the fastest moving part of the technology sector, but when it does catch up, the industry should rethink the practices that have been addressed by a new law.

One such example is screen scraping, a data collection practice that has been banned overseas and needs to be banned in Australia for its security and privacy issues.


What is screen scraping?

Screen scraping is an automated process to collate content from a website or app by taking snapshots of data on a display for use somewhere else.

While it does initially require ‘permission’ from the user when they hand over their login details and password, the user has no control over the ongoing collection process.

It is essentially unregulated data sharing: the scraper can access it, download it, harvest it, sell it, do whatever they would like with it without the active consent or knowledge of the customer. 

Why agree to it?

The most benevolent use for screen-scraped content is to find out how a customer is using a website or app in order to make improvements to the organisation’s product, service or design.

A friend recently emailed to ask me about a service that helps with school fee loans; it had requested their online banking username and password.

They were confused about why they would hand over such sensitive information.

I explained that the payoff was being able to use the service digitally – without having to deal with PDF statements and paper – but that, until they changed their password, the service would continue to collect data at any time.

In banking, this practice means giving a third party your login credentials, allowing it to log into your account on your behalf without your knowledge to scrape your data.

You can see that this is problematic for several reasons: data security, breach liability, and a violation of your T&Cs for starters.

Screen scraping is problematic, and it’s unfortunate that some organisations are defending its limited legitimate uses instead of finding other, more secure and consumer-friendly, methods to collect the data they need.

Those methods now exist, and they hand the control back to the consumer.


Consumers have new data rights

In late 2017, the Federal Government introduced the Consumer Data Right (CDR), a regulated data sharing regime that requires the explicit and informed consent of consumers for sharing data. By mid-2020, major banks started using consumer data sharing; Open Banking is the result.

CDR means consumers control the specific use of their data: which type of data is shared, for how long, and who can use it. Compared to screen scraping, which gathers collateral information, has no set time limit, and has no regulation on who the data goes to, the difference is night and day: better transparency and control.

Screen scraping has been banned in the UK and Europe due to data privacy concerns. As a result, the European Commission mandated banks to create APIs, which are basically interfaces where consumers can control the use of their data in a regulated way.

Until the CDR came into play, Australia had no alternative to screen scraping for data sharing. If we’d banned it earlier, fintechs, other organisations and consumers would have been worse off. But now that there is an alternative, regulated method – with about 97 per cent of banks making data sharing available – we need to ban screen scraping and embrace the growing maturity of Open Banking.


Response inertia

Without an outright ban, we battle the inertia of organisations who see regulated data sharing as ‘too hard’ and continue to use screen scraping without regard for the consumer. But protecting the consumer is the cost of doing business: if you’re going to be handling people’s financial data, then you need to deal with the security protocols and regulation associated with it.

In fact, Open Banking makes it easier for organisations to participate in data sharing because it allows Accredited Data Recipients to act as a ‘principal’ to representatives – client companies – wanting to access data. The data is already there, and consumers have already consented to its use.

One example of a Representative is our client Sherlok, an automated refinancing tool with hundreds of mortgage broker clients, which monitors more than 35,000 home loans.

CDR enables Sherlok to access real-time transaction data to give brokers mortgage analytics and insights.

Sherlok compares rates against other lenders, identifies borrowers at risk of leaving for a better rate, then refinances their loans to a lower interest rate on behalf of the broker to improve customer retention. It is quick, transparent and promotes competition for the benefit of the consumer.

The law is constantly trying to bridge the gap with technology, and CDR is a step in the right direction for digital rights and consumer control.

It’s up to the tech sector now to see regulation as a chance to rethink practices such as screen scraping and use better, more ethical alternatives that put the consumer first.

  • Jill Berry is CEO and co-founder of Adatree.