1. Two Focal Points for Legal Discussion

There are two key areas of an account aggregation service which may give rise to specific legal concerns. Not surprisingly, these areas of interest coincide with points of interaction between the aggregation service and other parties, as follows:

(a) the disclosure by the user of the aggregation service of identifiers and passwords to the service provider; and

(b) the interface between the aggregation service and software and the third party sites and databases from which the primary data and material for the service is obtained.

Within each of these areas, there are a number of potential sources of liability which need to be considered in establishing and operating an account aggregation service which utilises scraping technology. In undertaking such consideration, it is important to retain a view of the underlying commercial aspects of an aggregation service, and also of the tension between increased usage and increased traffic as discussed above. Some key legal considerations are the following:

(a) issues relating to disclosure of identifiers and passwords by users of the aggregation service:
(i) breach of privacy provisions;
(ii) tortious conduct: inducing a breach of the contract between the user and the "scraped" institution; and
(iii) breach of certain regulatory provisions in the presentation of the aggregation service, including, for example, the Electronic Funds Transfer Code of Conduct and, potentially, other consumer protection legislation; and

(b) issues relating to the accessing of the scraped institution's sites and databases:
(i) breach of certain criminal laws;
(ii) infringement of the intellectual property rights of the owner of the scraped site;
(iii) certain other torts, including, potentially:
(A) trespass and conversion; and
(B) interference with economic rights; and
(iv) an action in restitution based on the unjust enrichment of the aggregator.
Two additional points should be noted at this stage:

(a) each of the areas of potential liability can be categorised as either a "structural" or an "operational" concern, with the key distinction here being between concerns which arise as a result of:
(i) the structural basis of the service: the legal and technical relationships created through the establishment of the aggregation service, which cannot easily be altered. Examples of this might be the fact that users are required to disclose passwords, or the technical means with which the aggregation software interacts with the scraped site; and
(ii) the operational aspects of the service: elements of the service which can be altered with relative ease, for example, details of the form in which the service is presented to users or disclosure is made to users. An example of a legal concern of this nature might be privacy compliance, which is likely to depend on the information provided to and obtained from users, rather than any inherent structural aspect of the service; and

(b) whilst there are some areas of potential liability which may be "objectively" imposed on an aggregation service provider, such as a breach of the criminal law, the majority of legal concerns would depend for their origination upon the operators of the scraped sites. Whether or not a claim is likely to be brought is therefore in many cases dependent upon the attitude of such operators to the aggregation services, in particular whether they come to the view that the aggregation service has a positive or negative overall effect upon their businesses.

Each of the areas of potential liability will be discussed in turn below. Rather than a detailed examination of each area, this paper simply sets out the key questions and some initial thoughts on their resolution.

2. Presentation of Aggregation Services: Disclosure and Consumer Protection Issues

2.1 Privacy

Any financial aggregation service is likely to involve the collection of highly sensitive personal information. In addition, any failure by the aggregator to meet user privacy expectations and the obligations of the recently enacted private sector privacy legislation (the Privacy Amendment (Private Sector) Act 2000) will create a high risk of negative publicity and damage to its brand name.

As with the majority of privacy concerns, however, difficulties with privacy regulation for an aggregation service will largely be overcome by obtaining fully informed consent from users in relation to the activities to be carried out by the aggregator, and the use of personal information for such activities. In other words, aggregation services are intrinsically "capable" of complying with relevant privacy laws, and such compliance becomes an "operational" rather than a "structural" concern. Important details of privacy obligations for aggregators will include the following.
(a) Collection of personal information

Collection must be necessary for an organisation's activities, and information must be collected lawfully and fairly, and, as a general principle, with the individual's consent. Clearly, it is crucial that consent in the clearest form is obtained, and that the collection of the information is lawful. Consideration should also be given to the ability of the service provider to comply with users' requests to cease the service and have their personal information removed.

(b) Use and disclosure of personal information

As a general principle, information can only be used or disclosed for its original purpose unless the person has consented to its use or disclosure for another purpose. It is therefore essential that there is no unauthorised disclosure of information by the aggregation service provider or any other party to whom the information is provided.

(c) Security of personal information

Organisations must take reasonable steps to protect the personal information which aggregation service providers hold from misuse, loss, unauthorised access, modification or disclosure. A database of highly sensitive information such as that collected by an aggregator may attract hackers, and the relevant parties should be strongly assured of the security of personal information handled by the aggregator.

(d) Access and correction rights

As a general principle, organisations must give individuals access to their personal information and must allow them to correct it or explain something with which they disagree, unless disclosing this would have an unreasonable impact on someone else's privacy. Aggregators should ensure that they have the technical capabilities to provide this access.

(e) Restrictions on transborder data flows

It is also worth noting that, as a general principle, organisations can only transfer the personal information about an individual to a foreign country if they believe that the information will be protected by a law or a contract which upholds privacy principles similar to those in force in Australia.
2.2 Tort of inducing breach of contract

Another potential source of liability relates to the contract between the user and the institution whose site or database is being scraped. The key issue here is that the disclosure of the user's password to a third party (the aggregator) may involve a breach by the user of a specific term in the user's agreement with the financial institution prohibiting such disclosure. It should also be noted that it appears that this area of potential liability is a "structural" rather than an "operational" concern, meaning that if the concerns outlined below are well-founded, there may not be a great deal an aggregator can do to rectify this problem, short of either a radical restructuring of the aggregation service (which may be unpalatable), or seeking consent from the financial institution for the disclosure of the relevant password (which may not be forthcoming).

If a provision of the relevant agreement between the user and the financial institution does indeed contain a prohibition on the disclosure of passwords, it may well be that the aggregator tortiously induces a breach of that agreement in requiring such disclosure. The key element in question here will be the knowledge of the aggregator in respect of the agreement: to commit the tort, a relatively high level of knowledge is required, namely knowledge "of the contract and of sufficient of its terms to know that what the defendant induced or procured the party to the contract to do would be in breach of the contract" (Fightvision Pty Ltd v Onisforou [1999] NSWCA 323; (1999) 47 NSWLR 473). Given the fact that the question of this restriction on disclosure is critical to the operation of the service, and also that the agreements in question tend to be "pro-forma" contracts for each individual institution, it may well be that an aggregator has the requisite level of knowledge, and is therefore in danger of committing the tort.

2.3 Regulatory, Liability and Consumer Protection Issues

(a) Electronic Funds Transfer Code of Conduct
A key question related to the use of aggregation services is liability for loss caused during such use. The cause of this loss could originate from outside the aggregation service, such as an unauthorised use of the service leading to a user's loss, or it may originate within the service, such as damage to a user's computer systems through malfunctioning software, or loss due to reliance on inaccurate information provided by the aggregator. Clause 5.6 of the revised Electronic Funds Transfer Code of Conduct provides that an account holder may only be held liable for an unauthorised transaction in particular circumstances, including, as is here relevant, where the user's password has been disclosed. Clause 5.7 clarifies this exemption, to specifically exclude circumstances where the disclosure by the user was either expressly authorised by the relevant financial institution, or where the institution "expressly or impliedly promotes, endorses or authorises the use" of the aggregation service. In the absence of such circumstances, however, a user will be considered to have lost the "protection" against unauthorised transactions set out in the EFT Code.

A further issue is whether the EFT Code in fact applies to the aggregation service providers themselves. On its face, the revised Code appears not to directly apply to aggregators, meaning that aggregators are free to set the terms and conditions on liability as between them and their users as they please, subject to general law provisions such as the implied warranties in the Trade Practices Act 1974. In such circumstances, users of aggregation services should be aware that they do not necessarily have the same position and protection in relation to liability as they might enjoy in direct dealings with the relevant financial institution. Again, however, this is not a structural problem with an aggregation service, but rather a question of operational standards and their appropriate disclosure to users.
(b) Other Consumer Protection Issues

In addition to being a potential breach of copyright, the reproduction of the layout and formatting of the institution's sites by the aggregator may be such as to mislead users that the service it offers either is, or is endorsed, sponsored or approved by, the institution. This may give rise to breach of sections 52 or 53(d) of the Trade Practices Act 1974. Again, such concerns are operational rather than structural and whether this cause of action will be available depends on the way in which the data is presented to users, and its similarity to the institution's format or service. Realistically, it is likely that an aggregation service will, with relative ease, remove the identifying features of the data or scraped site and frame it within its own site or other medium, lessening the risk of liability.

3. "Scraping" Material from Third Party Sites: Access by the Aggregator

3.1 Criminal liability

Part 6 of the Crimes Act 1900 (NSW) creates offences relating to unauthorised use of data, including computer trespass or hacking. The provisions prohibit persons from obtaining unauthorised access to data stored in computers and make it an offence to damage data in a computer in certain circumstances.
Section 309 of the Crimes Act creates offences of intentionally obtaining access to data stored in a computer "without authority or lawful excuse". A person who does so knowingly, or in circumstances where they ought reasonably to have known, that the data relates to certain categories of information (including the personal affairs of any person), or who continues to examine data after becoming aware that it falls within one of the categories, is liable to higher penalties (imprisonment for two years and/or a fine of $55,000).

Section 309 has not been the subject of detailed judicial consideration. However, the section has been used to bring charges against people who have used their position to obtain access to computer databases for improper purposes, for example a police officer obtaining access to the RTA motor vehicle database (via a colleague) on behalf of an acquaintance.

The key issue in relation to the application of s 309 to the scraping of an institution's databases is whether access to the site by the aggregator is "without authority or lawful excuse". It is arguable that the authority given by the end user to the scraper to access the end user's own information is sufficient authority for the purpose of s 309. However, this argument may not succeed given that the user's authority to access the information is likely to be limited by their agreement with the institution and therefore that they may not have authority to grant the right to access their data to the aggregator.
It is also worth noting that new legislation in relation to computer-based criminal offences has been proposed in New South Wales. Whilst these provisions have been proposed with a view to confirming offences in relation to hacking, denial of service attacks, virus dissemination and other potentially harmful conduct, it is possible that the provisions, if enacted, could impact on other online activities involving interaction between computer systems, including account aggregation. The proposals include:

(a) a new section 308D, relating to the unauthorised modification of data with intent to cause impairment;
(b) a new section 308E, relating to the unauthorised impairment of electronic communication; and
(c) a new section 308H, relating to the unauthorised access to or modification of restricted data held in a computer.

3.2 Intellectual Property

The question of copyright infringement again squarely raises the "authorisation" point. By making material available online, and providing tools for users to access material stored in databases, a financial institution is granting a licence to a user to exercise whatever copyright rights are necessary to utilise such material, whether such licence be express, in the terms and conditions of use of the relevant site, or implied, simply due to the nature of the service made available. In these circumstances, can it be argued that such a licence, to the extent it may be necessary, can allow an aggregator to use the information and data on behalf of the user? In effect, there are three separate questions in respect of a potential copyright infringement:

(a) is there a relevant "work" which will attract copyright protection?;
(b) has there been a reproduction (or other infringing use) of a substantial part of that work in the course of the operation of the aggregation service by the aggregator?; and
(c) if there has been such a reproduction (or other use), can it be argued that such use is authorised?

To provide a full analysis of these issues in any particular case, it would be necessary to know:
In the case of each of these steps, it is possible that the operation of an aggregation service could involve a breach of an institution's copyright. For example:

It would not be relevant that such copying might only be ephemeral, or that such copying may never be viewed by the relevant user;

(b) the storage by the aggregation service of the user's information could involve a breach of the copyright held by the institution in the layout and formatting of its site. It is generally unlikely that an institution would be able to successfully argue that copyright subsists in the "pure" data itself, but in combination with the institution's own layout of that data, a relevant copyright infringement may occur at this point (this may occur regardless of whether the user actually views this material); and

(c) the presentation of the data to the user could also involve an infringement on similar grounds to that set out in (b) above.

3.3 Tortious Actions

(a) Trespass

It may be possible to characterise the scraping or harvesting utilised by an account aggregation service as a trespass or conversion. Whether either of these actions can be made out is likely to depend on two key questions:

(i) the exact means by which the aggregation software accesses the scraped database; and
(ii) whether a court will consider the concepts of trespass and conversion relevant and applicable to activity in an online environment.

In order for a scraped institution to claim in trespass it must prove an intentional and direct interference with its exclusive possessory rights, and a deprivation of those rights by the aggregator. The factors to be considered include:
It may well be difficult to prove that the institution's information or data is a "good" for present purposes. It has been held, often for taxation or customs duties purposes, that computer equipment and software, in combination, constitute "property" or "goods"; however, this interpretation does not necessarily apply when the information or data stored on a computer system is considered separately.

Recent events in the US may provide some guidance on this issue. In eBay Inc v Bidder's Edge, Inc 100 F Supp 2d 1058 (2000), it was held, for the purposes of a preliminary injunction, that a company's bandwidth and server capacity can constitute "property" for the purposes of a claim in trespass against an internet scraper using robots to crawl its sites for information which it then aggregated on its own site. In that case, it was held that the internet scraper's activities amounted to an "appropriation of the company's personal property". The decision referred to an earlier case, Thrifty-Tel v Bezenek 46 Cal App 4th 1559 (1996), in which it was held that the electronic signals sent during an unauthorised use of a long-distance telephone line were "sufficiently tangible to support a trespass cause of action". It should be noted, however, that the eBay decision is now the subject of an appeal supported by an amicus curiae brief filed by 28 leading US law professors, who argue that the ruling endangers many fundamental activities upon which Internet and electronic commerce are based, including price comparison "spiders", search engines, and even linking.

On the second and third limbs of the test under Australian law, the meaning of "direct" and "interference" implies that there should be a physical interference, intermeddling or contact with the plaintiff's goods. However, it should not be fatal to an institution's claim that there is no material damage to, or physical contact with, the goods in the course of the aggregator's activities. It should be sufficient for the institution to show an impact on its property resulting directly from an act of the internet scraper. It is arguable that evidence of unauthorised use or manipulation of goods to extract information will be sufficient to constitute a "direct interference".

(b) Conversion

Conversion involves dealing with goods or chattels in a manner contrary to the immediate right of possession of the person who has the property in them. An intent to deprive or impair the owner's immediate right to possession is essential to the tort.

It is arguable that an aggregator's activities would fit within the following examples of conversion:
In contrast, it has also been held that temporary and harmless use of another's goods, where there is no intention to deprive the plaintiff of his or her immediate right to possession or impair that right, is not conversion, unless made in bad faith or in such a way as to expose the goods to the risk of damage or loss.

The difficulties for an institution in pursuing a cause of action in conversion are similar to those of trespass. Firstly, it is uncertain whether information or data could amount to "goods" for the purposes of the tort, and secondly, it is arguable that there is no intent on the part of the aggregator to deprive the institution of possession of its information. Further, it may well be correct to say that the institution does not actually lose possession of the data scraped from its site, but rather that an additional copy is made of such information. Finally, it is arguable that the aggregator's temporary interference with the institution's data and systems is not accompanied by the necessary intent to assert proprietary rights over the goods, and therefore that the requisite elements of the tort have not been satisfied.

(c) Tort of intentional interference with economic rights

The activities of an aggregator may also amount to tortious conduct with respect to the institution's economic rights in its services. It is possible that if the aggregator is intentionally or deliberately interfering with the institution's trade or business by unlawful means to cause loss or injury, it is engaging in tortious conduct remediable by injunctions or damages.

The Australian legal position on economic torts is unsettled and unsatisfactory. Tortious remedies have been applied in situations where a person has interfered with a commercial contract by "unlawful means" which has led to a loss of sales and business reputation. It is enough that the interference "targets" the plaintiff, even though its predominant purpose may be to advance the other party's own interest rather than injure the plaintiff. "Unlawful means" have been held to include common law crimes like battery and fraud and all torts. There has also been authority to suggest that breach of a statutory prohibition constitutes "unlawful means". Australian courts have repeatedly rejected the notion that "unfair competition" or "unfair trading" can give rise to an action where a plaintiff suffers loss as a result of the defendant's impact on its business. Beyond this, no clear view has emerged about the circumstances in which the tort may apply.

3.4 Restitution and unjust enrichment

An institution may have grounds to argue that it is entitled to restitutionary remedies based on a claim that the aggregator has been unjustly enriched at its expense. This argument could involve claiming that potential revenue which an institution could have derived (for example, potential advertising revenue from its sites) has been lost and instead diverted to the aggregator, because the page impressions in relation to the use of the scraped material which would have been obtained by the institution are instead being derived by the aggregator.

Elements of an action in unjust enrichment are:
An advantage for an institution in bringing an action under unjust enrichment is that it allows a party to make a claim where the item taken or converted is intangible, such as a service or an informational product. It is often difficult to establish "ownership" or title to intangibles (in particular, factual material held in databases), but an action in unjust enrichment may avoid such difficulties by focussing instead on the commercial "value" of an item and determining whether there has been an unjust transfer of wealth or benefit. In order to make a claim in relation to a valuable intangible, a party must show that there is a causal link between the loss of value generated by the plaintiff and the benefit or gain received by the defendant.
The courts have held that an action in unjust enrichment must also be based on a recognised category of case. The recognised categories include:

(a) mistake, where the plaintiff's intention to transfer value to the defendant is vitiated; and
(b) total failure of consideration, whereby the plaintiff's purpose for transferring value to the defendant has failed and therefore his or her intent to transfer it has also failed.

Currently, there is no judicial consideration of whether the "unauthorised taking" or "misappropriation" of the value of an intangible falls into an existing category. There is academic commentary supporting an argument that the "unauthorised taking" of a plaintiff's valuable intangible vitiates any possible intention to transfer value to the defendant and should therefore be treated as mistake for the purposes of applying the principles of unjust enrichment. Conceptually, this is a plausible argument; however, it is uncertain whether it will be adopted by the courts.

It is also necessary to determine whether there are any defences available. Defences to a restitutionary claim generally require the defendant to either disprove the plaintiff's claim and/or prove its good faith, knowledge and detrimental reliance in respect of the gain or benefit it receives. In the normal course, it appears unlikely that such defences would be available.

4. Further "Structural" Issues: Whose Conduct is in Question?

At a number of steps in the legal analysis set out above, it has been pointed out that the conduct in question would be unlikely to cause any concern if it were carried out by the user, rather than the aggregator, and indeed that the sites and databases established by the financial institutions were created specifically in order to be accessed by users. A structuring possibility has been suggested to capitalise on this concept in an attempt to reduce the potential liability on the part of the aggregator. It relies on a particular characterisation of the relationship between the aggregator and the user, and is likely to vary in potential value depending upon the technical operation of the service:

The agency analysis depends upon a characterisation of the relationship between the aggregator and the user as one of agency: in effect, the operations of the aggregator in accessing the institution's sites and scraping information from it is simply in its capacity as an agent for the user. Therefore, so the argument goes, the legal concerns are lessened or even removed, as the operations of the aggregator are in effect those of the user, and the user is authorised to undertake such activities (for example, the user is licensed to access a database containing information relating to his or her bank accounts, and therefore there can be no copyright infringement). Whilst the argument casts an interesting light upon the principles examined above, it is submitted that in many cases it will be difficult to rely wholly upon it.
For example, it may be true that a user would be entitled to access the scraped sites, and in fact that the sites and databases were established specifically for that to occur, but this may not mean that users would be entitled to access sites using complex software programs as would be the case in a scraping situation.

C. Conclusion

Overall, the legal position of aggregation services remains uncertain in Australia. Although some of the actions outlined above, such as the trespass argument, may be viewed as an attempt to "overstretch" the analogy between online and offline conduct, there must be a possibility that structural elements of some aggregation services leave the operators of such services exposed to legal liability. It is another matter, however, as to whether the "targets" of the aggregation services will be so minded to complain about these services, and, given the uncertainties involved in the claims outlined above, will view legal remedies as the most appropriate. Whilst I have not attempted to consider the possible technical "defences" to site scraping software, it may well be possible that a party which wishes to avoid the operation of aggregation services may choose a technological, rather than a legal, response.

Adrian Lawrence
Senior Associate
Baker & McKenzie, Sydney
adrian.lawrence@bakernet.com