'Account aggregation: key legal, privacy and regulatory issues' ([2001] CyberLRes 19) - [2001] PrivLRes 6
Lawrence (2001)
Account Aggregation:
A New Technological Challenge to the Law
Adrian Lawrence
Senior Associate,
Baker & McKenzie, Sydney
Abstract
This paper attempts a relatively brief outline of some of the legal issues and
questions raised by the relatively new phenomenon of online account aggregation.
These are split into two groups of issues:
(a) those arising from the disclosure by users of personal information, including
passwords, to the account aggregator; and
(b) those arising from the accessing by the account aggregator of the sites
at which the user has accounts.
In each case, there are some substantial challenges to traditional legal analyses
in ascertaining the appropriate position. Rather than attempt to provide a comprehensive
review of the legal doctrines in question, or provide detailed or categorical
answers to the problems raised, this paper aims simply to introduce some of
the key areas of legal concern in relation to the provision of account aggregation
services, and provide some direction on the possible solutions to such questions.
A. A Complex Question
Use of innovative software applications online continually tests the boundaries
of existing legal doctrine. Many of the most interesting questions posed of
ecommerce law relate to the variety of ways parties can interact online, and
the multi-party relationships established in certain types of online conduct.
Some early examples of such questions related to the legality of activities
such as deep-linking, framing and metatagging: uses of the new media of online
communications in ways not possible in the offline world.
It is rare, however, for an online activity to raise as many and as varied legal
questions as those raised by the new phenomenon of account aggregation. At the
core of legal difficulties in the analysis of account aggregation is an ongoing
tension between the rights of those who create material and make it available
online, and the rights of those that use such material. In framing the question
in such a way, the emphasis appears to be placed solely on intellectual property
concerns. Whilst these elements are undoubtedly important in the analysis, the
scope of legal inquiry goes well beyond a traditional intellectual property
focus, possibly into areas of the law in relation to which there has been little
need for analysis in an online context, including torts such as trespass and
conversion, criminal provisions and the law of restitution.
The concept of account aggregation itself is relatively simple: a service is
provided to users which allows them to aggregate data and information held in
multiple online locations. The classic example is an aggregation of bank accounts:
the aggregation service provides a single "entry point" to the user where
that user can view, in a combined form, all relevant details of his or her online
bank accounts, which may be held with a number of different financial institutions.
Most aggregation services operate through an initial disclosure by the user
to the service of all the necessary account information, including user passwords.
This information is then used by the aggregation software, which "scrapes"
or "harvests" the relevant data from the multiple databases operated
by the financial institution in which such data is held.
One reason for the need to expand the legal analysis beyond intellectual property
questions is the subject matter involved: the intellectual property protection
for databases is questionable at best, and certainly not consistent around the
world. There is, however, a deeper and perhaps more difficult threshold issue:
in most cases, the accessing of the institution's database, and the extraction
of information from it, would clearly be legal if it were undertaken by the
user. In fact, it is trite to say that it is this purpose, the dissemination
of data, that was the reason for the establishment of the database and associated
online service in the first place. It is also correct to say that the accessing
of the database is at the request of the user: the aggregation service
is clearly clothed with the authority of the person on whose behalf the relevant
information in the database is held.
It is tempting, when an aggregation service is described in this manner, to
simply reject all legal concerns on the basis of this "chain" of authority.
It is necessary, however, to examine the commercial effect of the service in
some more detail. Is there likely to be a "wronged" party in these circumstances,
one which would wish to seek redress from the law? The answer, potentially,
is yes. The institution which operates the "scraped" site and database
is in an interesting position in relation to aggregation services. Firstly,
it may well wish to provide such a service itself, making its complaint practically
unlikely.
Second, and more fundamentally, it may well obtain a commercial benefit from
the operation of the aggregation service: presumably a key reason for its provision
of services online is so that users will take advantage of the convenience and
speed of online banking. Generally speaking, accessing of customer accounts
online involves less incidental cost for the financial institution, and is therefore
to be encouraged from the point of view of the institution. The institution
may well consider that the aggregation service is simply another method by which
users can access its banking services, and on that basis take a positive view
of the service. On the other hand, the aggregation service is likely to reduce
"actual" traffic to the institution's site, and all the potential benefits of
such traffic, such as the ability to sell advertising on the site based on page
impressions and the branding and cross-selling opportunities to which such traffic
gives rise. This commercial tension provides an interesting context for the
complex and difficult legal position outlined below.
B. Legal aspects of account aggregation
1. Two Focal Points for Legal Discussion
There are two key areas of an account aggregation service which may give
rise to specific legal concerns. Not surprisingly, these areas of interest coincide
with points of interaction between the aggregation service and other parties,
as follows:
(a) the disclosure by the user of the aggregation service of identifiers and
passwords to the service provider; and
(b) the interface between the aggregation service and software and the third
party sites and databases from which the primary data and material for the service
is obtained.
Within each of these areas, there are a number of potential sources of liability
which need to be considered in establishing and operating an account aggregation
service which utilises scraping technology. In undertaking such consideration,
it is important to retain a view of the underlying commercial aspects of an
aggregation service, and also of the tension between increased usage and increased
traffic as discussed above. Some key legal considerations are the following:
(a) issues relating to disclosure of identifiers and passwords by users of the
aggregation service:
(i) breach of privacy provisions;
(ii) tortious conduct: inducing a breach of the contract between the user and
the "scraped" institution; and
(iii) breach of certain regulatory provisions in the presentation of the aggregation
service, including, for example, the Electronic Funds Transfer Code of Conduct
and, potentially, other consumer protection legislation; and
(b) issues relating to the accessing of the scraped institution's sites and
databases:
(i) breach of certain criminal laws;
(ii) infringement of the intellectual property rights of the owner of the scraped
site;
(iii) certain other torts, including, potentially:
(A) trespass and conversion; and
(B) interference with economic rights; and
(iv) an action in restitution based on the unjust enrichment of the aggregator.
Two additional points should be noted at this stage:
(a) each of the areas of potential liability can be categorised as either a
"structural" or an "operational" concern, with the key distinction here being
between concerns which arise as a result of:
(i) the structural basis of the service: the legal and technical relationships
created through the establishment of the aggregation service, which cannot easily
be altered. Examples of this might be the fact that users are required to disclose
passwords, or the technical means with which the aggregation software interacts
with the scraped site; and
(ii) the operational aspects of the service: elements of the service which
can be altered with relative ease, for example, details of the form in which
the service is presented to users or disclosure is made to users. An example
of a legal concern of this nature might be privacy compliance, which is likely
to depend on the information provided to and obtained from users, rather than
any inherent structural aspect of the service; and
(b) whilst there are some areas of potential liability which may be "objectively"
imposed on an aggregation service provider, such as a breach of the criminal
law, the majority of legal concerns would depend for their origination upon
the operators of the scraped sites. Whether or not a claim is likely to be brought
is therefore in many cases dependent upon the attitude of such operators to
the aggregation services, in particular whether they come to the view that the
aggregation service has a positive or negative overall effect upon their businesses.
Each of the areas of potential liability will be discussed in turn below. Rather
than a detailed examination of each area, this paper simply sets out the key
questions and some initial thoughts on their resolution.
2. Presentation of Aggregation Services: Disclosure and Consumer Protection Issues
2.1 Privacy
Any financial aggregation service is likely to involve the collection of
highly sensitive personal information. In addition, any failure by the aggregator
to meet user privacy expectations and the obligations of the recently enacted
private sector privacy legislation (the Privacy Amendment (Private Sector)
Act 2000) will create a high risk of negative publicity and
damage to its brand name.
As with the majority of privacy concerns, however, difficulties with privacy
regulation for an aggregation service will largely be overcome in obtaining
fully informed consent from users in relation to the activities to be carried
out by the aggregator, and the use of personal information for such activities.
In other words, aggregation services are intrinsically "capable" of
complying with relevant privacy laws, and such compliance becomes an "operational"
rather than a "structural" concern. Important details of privacy obligations
for aggregators will include the following.
(a) Collection of personal information
Collection must be necessary for an organisation's activities, and information
must be collected lawfully and fairly, and, as a general principle, with the
individual's consent. Clearly, it is crucial that consent in the clearest form
is obtained, and that the collection of the information is lawful. Consideration
should also be given to the ability of the service provider to comply with users'
requests to cease the service and have their personal information removed.
(b) Use and disclosure of personal information
As a general principle, information can only be used or disclosed for its
original purpose unless the person has consented to its use or disclosure for
another purpose. It is therefore essential that there is no unauthorised disclosure
of information by the aggregation service provider or any other party to whom
the information is provided.
(c) Security of personal information
Organisations must take reasonable steps to protect the personal information
which aggregation service providers hold from misuse, loss, unauthorised access,
modification or disclosure. A database of highly sensitive information such
as that collected by an aggregator may attract hackers, and the relevant parties
should be strongly assured of the security of personal information handled by
the aggregator.
(d) Access and correction rights
As a general principle, organisations must give individuals access to their
personal information and must allow them to correct it or explain something
with which they disagree, unless disclosing this would have an unreasonable
impact on someone else's privacy. Aggregators should ensure that they have the
technical capabilities to provide this access.
(e) Restrictions on transborder data flows
It is also worth noting that, as a general principle, organisations can only
transfer the personal information about an individual to a foreign country if
they believe that the information will be protected by a law or a contract which
upholds privacy principles similar to those in force in Australia.
2.2 Tort of inducing breach of contract
Another potential source of liability relates to the contract between the
user and the institution whose site or database is being scraped. The key issue
here is that the disclosure of the user's password to a third party (the aggregator)
may involve a breach by the user of a specific term in the user's agreement
with the financial institution prohibiting such disclosure. It should also be
noted that it appears that this area of potential liability is a "structural"
rather than an "operational" concern, meaning that if the concerns outlined
below are well-founded, there may not be a great deal an aggregator can do to
rectify this problem, short of either a radical restructuring of the aggregation
service (which may be unpalatable), or seeking consent from the financial institution
for the disclosure of the relevant password (which may not be forthcoming).
If a provision of the relevant agreement between the user and the financial
institution does indeed contain a prohibition on the disclosure of passwords,
it may well be that the aggregator tortiously induces a breach of that agreement
in requiring such disclosure. The key element in question here will be the knowledge
of the aggregator in respect of the agreement: to commit the tort, a relatively
high level of knowledge is required, namely knowledge "of the contract and
of sufficient of its terms to know that what the defendant induced or procured
the party to the contract to do would be in breach of the contract" (Fightvision
Pty Ltd v Onisforou (1999) 47 NSWLR 473). Given the fact that the question
of this restriction on disclosure is critical to the operation of the service,
and also that the agreements in question tend to be "pro-forma" contracts for
each individual institution, it may well be that an aggregator has the requisite
level of knowledge, and is therefore in danger of committing the tort.
2.3 Regulatory, Liability and Consumer Protection Issues
(a) Electronic Funds Transfer Code of Conduct
A key question related to the use of aggregation services is liability for loss
caused during such use. The cause of this loss could originate from outside
the aggregation service, such as an unauthorised use of the service leading
to a user's loss, or it may originate within the service, such as damage to
a user's computer systems through malfunctioning software, or loss due to reliance
on inaccurate information provided by the aggregator. Clause 5.6 of the revised
Electronic Funds Transfer Code of Conduct provides that an account holder may
only be held liable for an unauthorised transaction in particular circumstances,
including, as is here relevant, where the user's password has been disclosed.
Clause 5.7 clarifies this exemption, to specifically exclude circumstances where
the disclosure by the user was either expressly authorised by the relevant financial
institution, or where the institution "expressly or impliedly promotes, endorses
or authorises the use" of the aggregation service. In the absence of such
circumstances, however, a user will be considered to have lost the "protection"
against unauthorised transactions set out in the EFT Code.
A further issue is whether the EFT Code in fact applies to the aggregation
service providers themselves. On its face, the revised Code appears not to directly
apply to aggregators, meaning that aggregators are free to set the terms and
conditions on liability as between them and their users as they please, subject
to general law provisions such as the implied warranties in the Trade Practices
Act 1974. In such circumstances, users of aggregation services should be
aware that they do not necessarily have the same position and protection in
relation to liability as they might enjoy in direct dealings with the relevant
financial institution. Again, however, this is not a structural problem with
an aggregation service, but rather a question of operational standards and their
appropriate disclosure to users.
(b) Other Consumer Protection Issues
In addition to being a potential breach of copyright, the reproduction of the
layout and formatting of the institution's sites by the aggregator may be such
as to mislead users that the service it offers either is, or is endorsed, sponsored
or approved by, the institution. This may give rise to breach of sections 52
or 53(d) of the Trade Practices Act 1974.
Again, such concerns are operational rather than structural and whether this
cause of action will be available depends on the way in which the data is presented
to users, and its similarity to the institution's format or service. Realistically,
it is likely that an aggregation service will, with relative ease, remove the
identifying features of the data or scraped site and frame it within its own
site or other medium, lessening the risk of liability.
3. "Scraping" Material from Third Party Sites: Access by the Aggregator
3.1 Criminal liability
Part 6 of the Crimes Act 1900 (NSW) creates offences relating to unauthorised
use of data, including computer trespass or hacking. The provisions prohibit
persons from obtaining unauthorised access to data stored in computers and make
it an offence to damage data in a computer in certain circumstances.
Section 309 of the Crimes Act creates offences of intentionally obtaining
access to data stored in a computer "without authority or lawful excuse".
A person who does so knowingly, or in circumstances where they ought reasonably
to have known, that data relates to certain categories of information (including
the personal affairs of any person) or who continues to examine data after becoming
aware that it falls within one of the categories is liable to higher penalties
(imprisonment for two years and/or a fine of $55,000).
Section 309 has not been the subject of detailed judicial consideration.
However, the section has been used to bring charges against people who have
used their position to obtain access to computer databases for improper purposes,
for example a police officer obtaining access to the RTA motor vehicle database
(via a colleague) on behalf of an acquaintance.
The key issue in relation to the application of s 309 to the scraping of
an institution's databases is whether access to the site by the aggregator is "without
authority or lawful excuse". It is arguable that the authority of the end
user given to the scraper to access the end user's own information is sufficient
authority for the purpose of s 309. However, this argument may not succeed given
that the user's authority to access the information is likely to be limited
by their agreement with the institution and therefore that they may not have
authority to grant the right to access their data to the aggregator.
It is also worth noting that new legislation in relation to computer-based criminal
offences has been proposed in New South Wales. Whilst these provisions have
been proposed with a view to confirming offences in relation to hacking, denial
of service attacks, virus dissemination and other potentially harmful conduct,
it is possible that the provisions, if enacted, could impact on other online
activities involving interaction between computer systems, including account
aggregation. The proposals include:
(a) a new section 308D, relating to the unauthorised modification of data with
intent to cause impairment;
(b) a new section 308E, relating to the unauthorised impairment of electronic
communication; and
(c) a new section 308H, relating to the unauthorised access to or modification
of restricted data held in a computer.
3.2 Intellectual Property
The question of copyright infringement again squarely raises the "authorisation"
point. By making material available online, and providing tools for users to
access material stored in databases, a financial institution is granting a licence
to a user to exercise whatever copyright rights are necessary to utilise such
material, whether such licence be express, in the terms and conditions of use
of the relevant site, or implied, simply due to the nature of the service made
available. In these circumstances, can it be argued that such a licence, to
the extent it may be necessary, can allow an aggregator to use the information
and data on behalf of the user? In effect, there are three separate questions
in respect of a potential copyright infringement:
(a) is there a relevant "work" which will
attract copyright protection?;
(b) has there been a reproduction (or other infringing
use) of a substantial part of that work in the course of the operation of the
aggregation service by the aggregator?; and
(c) if there has been such a reproduction (or other
use), can it be argued that such use is authorised?
To provide a full analysis of these issues in any particular case, it would
be necessary to know:
- the nature of the database itself, in order to determine whether it is likely
to be afforded protection as a copyright work;
- the precise means by which the internet scraping service will obtain the
data from the institution's systems;
- the exact format in which the data and material is to be transmitted and
stored; and
- the layout of material on the aggregator's site as presented to the user.
In the case of each of these steps, it is possible that the operation of
an aggregation service could involve a breach of an institution's copyright.
For example:
(a) the interfacing between the service and the institution's systems could
involve:
- a copying of some part of the code in the institution's software by the
aggregation service to execute the retrieval of the relevant data, potentially
amounting to the reproduction of a substantial part of the relevant copyright
work, the software program; or
- a reproduction on the aggregator's systems of pages or files from the relevant
institution's site.
It would not be relevant that such copying might only be ephemeral, or that
such copying may never be viewed by the relevant user;
(b) the storage by the aggregation service of the user's information
could involve a breach of the copyright held by the institution in the layout
and formatting of its site. It is generally unlikely that an institution would
be able to successfully argue that copyright subsists in the "pure" data
itself, but in combination with the institution's own layout of that data, a
relevant copyright infringement may occur at this point (this may occur regardless
of whether the user actually views this material); and
(c) the presentation of the data to the user could also involve an infringement
on similar grounds to that set out in (b) above.
3.3 Tortious Actions
(a) Trespass
It may be possible to characterise the scraping or harvesting utilised
by an account aggregation service as a trespass or conversion. Whether either
of these actions can be made out is likely to depend on two key questions:
(i) the exact means by which the aggregation software accesses the scraped database;
and
(ii) whether a court will consider the concepts of trespass and conversion relevant
and applicable to activity in an online environment.
In order for a scraped institution to claim in trespass it must prove an intentional
and direct interference with its exclusive possessory rights, and a deprivation
of those rights by the aggregator.
The factors to be considered include:
- whether the scraped data can be considered "goods";
- whether the accessing of information by the aggregator constitutes a "direct
interference"; and
- whether it is necessary to establish damage or physical contact with the
good before the tort is actionable.
It may well be difficult to prove that the institution's information or data
is a "good" for present purposes. It has been held, often for
taxation or customs duties purposes, that computer equipment and software, in
combination, constitute "property" or "goods"; however,
this interpretation does not necessarily apply when the information or data
stored on a computer system is considered separately.
Recent events in the US may provide some guidance on this issue. In eBay
Inc v Bidder's Edge, Inc 100 F Supp 2d 1058 (2000), it was held, for the
purposes of a preliminary injunction, that a company's bandwidth and server
capacity can constitute "property" for the purposes of a claim in trespass
against an internet scraper using robots to crawl its sites for information
which it then aggregated on its own site. In that case, it was held that the
internet scraper's activities amounted to an "appropriation of the company's
personal property". The decision referred to an earlier case, Thrifty-Tel
v Bezenek 46 Cal App 4th 1559 (1996), in which it was held that
the electronic signals sent during an unauthorised use of a long-distance telephone
line were "sufficiently tangible to support a trespass cause of action".
It should be noted, however, that the eBay decision is now the subject
of an appeal supported by an amicus curiae brief filed by 28 leading US law
professors, who argue that the ruling endangers many fundamental activities
upon which Internet and electronic commerce are based, including price comparison
"spiders", search engines, and even linking.
On the second and third limbs of the test under Australian law, the meaning
of "direct" and "interference" implies that there should be a
physical interference, intermeddling or contact with the plaintiff's goods.
However, it should not be fatal to an institution's claim that there is no material
damage to, or physical contact with the goods in the course of the aggregator's
activities. It should be sufficient for the institution to show an impact
on its property resulting directly from an act of the internet scraper. It is
arguable that evidence of unauthorised use or manipulation of goods to extract
information will be sufficient to constitute a "direct interference".
(b) Conversion
Conversion involves dealing with goods or chattels in a manner contrary to
the immediate right of possession of the person who has the property in them.
An intent to deprive or impair the owner's immediate right to possession is
essential to the tort.
It is arguable that an aggregator's activities would fit within the following
examples of conversion:
- the unauthorised taking of a chattel out of another's possession with the
intent to exercise control over it constitutes conversion, even though the
dispossession is only temporary; and
- the intentional alteration of another's goods so as to change the physical
identity of the goods is also conversion as is the wrongful intermingling
of the plaintiff's chattel with another chattel so as to create a new chattel.
In contrast, it has also been held that temporary and harmless use of another's
goods, where there is no intention to deprive the plaintiff of his or her immediate
right to possession or impair that right is not conversion, unless made in bad
faith or in such a way as to expose the goods to the risk of damage or loss.
The difficulties for an institution in pursuing a cause of action in conversion
are similar to those of trespass. Firstly, it is uncertain whether information
or data could amount to "goods" for the purposes of the tort, and secondly,
it is arguable that there is no intent on the part of the aggregator to deprive
the institution of possession of its information. Further, it may well be correct
to say that the institution does not actually lose possession of the
data scraped from its site, but rather that an additional copy is made of such
information. Finally, it is arguable that the aggregator's temporary interference
with the institution's data and systems is not accompanied by the necessary
intent to assert proprietary rights over the goods, and therefore that the requisite
elements of the tort have not been satisfied.
(c) Tort of intentional interference with economic rights
The activities of an aggregator may also amount to tortious conduct with
respect to the institution's economic rights in its services. It is possible
that if the aggregator is intentionally or deliberately interfering with the
institution's trade or business by unlawful means to cause loss or injury, it
is engaging in tortious conduct remediable by injunctions or damages.
The Australian legal position on economic torts is unsettled and unsatisfactory.
Tortious remedies have been applied in situations where a person has interfered
with a commercial contract by "unlawful means" which has led to a loss
of sales and business reputation. It is enough that the interference "targets"
the plaintiff, even though its predominant purpose may be to advance the other
party's own interest rather than injure the plaintiff. "Unlawful means"
have been held to include common law crimes like battery and fraud and all torts.
There has also been authority to suggest that breach of a statutory prohibition
constitutes "unlawful means". Australian courts have repeatedly rejected
the notion that "unfair competition" or "unfair trading" can give
rise to an action where a plaintiff suffers loss as a result of the defendant's
impact on its business. Beyond this, no clear view has emerged about the circumstances
in which the tort may apply.
3.4 Restitution and unjust enrichment
An institution may have grounds to argue that it is entitled to restitutionary
remedies based on a claim that the aggregator has been unjustly enriched at
its expense. This argument could involve claiming that potential revenue which
an institution could have derived (for example, potential advertising revenue
from its sites) has been lost and instead diverted to the aggregator because
the page impressions in relation to the use of the scraped material which would
have been obtained by the institution are instead being derived by the aggregator.
Elements of an action in unjust enrichment are:
- the conduct must be "unjust" in the relevant sense;
- the defendant must be relevantly enriched;
- the enrichment must be at the expense of the plaintiff; and
- the defendant must not be able to rely on any defence in relation to the
particular conduct.
An advantage for an institution in bringing an action under unjust enrichment
is that it allows a party to make a claim where the item taken or converted
is intangible, such as a service or an informational product. It is often difficult
to establish "ownership" or title to intangibles (in particular, factual
material held in databases), but an action in unjust enrichment may avoid such
difficulties by focussing instead on the basis of the commercial "value"
of an item and determining whether there has been an unjust transfer of wealth
or benefit. In order to make a claim in relation to a valuable intangible, a
party must show that there is a causal link between the loss of value generated
by the plaintiff and the benefit or gain received by the defendant.
The courts have held that action in unjust enrichment must also be based on
a recognised category of case. The recognised categories include:
(a) mistake, where the plaintiff's intention to
transfer value to the defendant is vitiated; and
(b) total failure of consideration, whereby the
plaintiff's purpose for transferring value to the defendant has failed and therefore
his or her intent to transfer it has also failed.
Currently, there is no judicial consideration of whether the "unauthorised
taking" or "misappropriation" of the value of an intangible falls
into an existing category. There is academic commentary supporting an argument
that the "unauthorised taking" of a plaintiff's valuable intangible vitiates
any possible intention to transfer value to the defendant and should therefore
be treated as mistake for the purposes of applying the principles of unjust
enrichment. Conceptually, this is a plausible argument; however, it is uncertain
whether it will be adopted by the courts.
It is also necessary to determine whether there are any defences available.
Defences to a restitutionary claim generally require the defendant to either
disprove the plaintiff's claim and/or prove its good faith, knowledge and detrimental
reliance in respect of the gain or benefit it receives. In the normal course,
it appears unlikely that such defences would be available.
4. Further "Structural" Issues: Whose Conduct is in Question?
At a number of steps in the legal analysis set out above, it has been pointed
out that the conduct in question would be unlikely to cause any concern if it
were carried out by the user, rather than the aggregator, and indeed that the
sites and databases established by the financial institutions were created specifically
in order to be accessed by users.
A structuring possibility has been suggested to capitalise on this concept in
an attempt to reduce the potential liability on the part of the aggregator.
It relies on a particular characterisation of the relationship between the aggregator
and the user, and is likely to vary in potential value depending upon the technical
operation of the service:
The agency analysis depends upon a characterisation of the relationship between
the aggregator and the user as one of agency: in effect, the operations of the
aggregator in accessing the institution's sites and scraping information from
them are carried out simply in its capacity as an agent for the user. Therefore, so the argument
goes, the legal concerns are lessened or even removed, as the operations of
the aggregator are in effect those of the user, and the user is authorised to
undertake such activities (for example, the user is licensed to access a database
containing information relating to his or her bank accounts, and therefore there
can be no copyright infringement).
Whilst the argument casts an interesting light upon the principles examined
above, it is submitted that in many cases it will be difficult to rely wholly
upon it. For example, it may be true that a user would be entitled to access
the scraped sites, and in fact that the sites and databases were established
specifically for that to occur, but this may not mean that users would be entitled
to access sites using complex software programs as would be the case in a scraping
situation.
C. Conclusion
Overall, the legal position of aggregation services remains uncertain in Australia.
Although some of the actions outlined above such as the trespass argument may
be viewed as an attempt to "overstretch" the analogy between online and
offline conduct, there must be a possibility that structural elements of some
aggregation services leave the operators of such services exposed to legal liability.
It is another matter, however, as to whether the "targets" of the aggregation
services will be so minded to complain about these services, and, given the
uncertainties involved in the claims outlined above, will view legal remedies
as the most appropriate. Whilst I have not attempted to consider the possible
technical "defences" to site scraping software, it may well be possible
that a party which wishes to avoid the operation of aggregation services may
choose a technological, rather than a legal response.
Adrian Lawrence
Senior Associate
Baker & McKenzie, Sydney
adrian.lawrence@bakernet.com
URL: http://www.worldlii.org/int/other/PrivLRes/2001/6.html