While the question seems simple enough there’s plenty hidden implication in it that make it very difficult to answer.

If a bank has a TOS that allows its customers to aggregate their data from it, does that blanket permission constitute permission to Yodlee?

If the TOS is vague, like most, and says that customers have a right retrieve and use their data in third-party applications, without mentioning the means of getting that data, does that constitute permission to Yodlee?

If a financial institutions notices a high volume of traffic from the Yodlee servers, contacts Yodlee and accepts what is occurring and chooses not to block Yodlee traffic but doesn’t draft any official agreement to avoid lengthy legal processes, does that constitute permission?

I wish it were simple, but the complexity of law makes it a complex issue. People should weigh in their minds if they think it’s ethical to access their personal information through a service that might not have explicit legal agreements with all the financial institution that currently houses their data. If they feel it isn’t right, than they can choose not to use a Yodlee-powered service.

These types of discussions are always welcome on the Yodlee Forums:
http://forum.yodlee.com/

..Jordan, Yodlee Inc.

Here’s Bank of America’s TOS:
“Using other aggregation sites. If you provide information about your Bank of America accounts to an aggregator company, we will consider that you have authorized all transactions initiated by an aggregation site using access information you provide, whether or not you were aware of a specific transaction.”

That’s pretty friggin scary. Basically, that says that if you’re allowing people into your account, then you’re authorizing them all access. I wouldn’t allow anyone full access into my bank account.

On top of that, scraping dies with two-factor authentication. Just try pulling a scrape through E-Trade when it’s got RSA’s SecurID. All in all from what I’ve read… all these people want the convenience of Yodlee. That’s fine, but in the world where ID theft is more common through electronic means, I move towards hardier methods of protecting the data. That would mean that scraping itself is not allowed and even API access should be through a secure method.

Like I said before… having seen this done, this is not a safe measure for any end user and depending on how the scraping is done, you could actually introduce bogus data.

If it’s not being done via an API, scares the bejeebus outta me when you’re looking at banking and credit card information. Sounds like an ID theft disaster waiting to happen.

I agree. The problem is you use the word “many” not all in the next sentence. All institutions giving permission is different than some, many or most. I’m glad you are here to set the record straight on the specifics.

Are you saying that Yodlee has the permission of every institution it is scraping from, yes or no? It’s really that simple. If the answer is no with even one institution, then permission needs to be obtained or the practice stopped. If the answer is “don’t know” then go back and find somebody at Yodlee who can answer that question. If the answer is YES, then there is no problem and was covered conditionally in the bolded text in the post above that reads:

“scraping without permission is unethical behavior.”

Scraping with permission = no problem. So, please answer the question. All institutions giving Yodlee permission? Yes or no?

GB