Ask HN: How Is Plaid Legal?
8 points by TobyTheDog123 on Aug 28, 2022 | 8 comments
Hi HN,

While in the process of creating my own service, I've been doing a bit of research into the legality of web scraping. All the court cases I've seen around it seem to imply that it's a violation of the CFAA to scrape data that is behind authentication.

However, Plaid seems to be doing just fine in this regard, as none of this banking data is publicly accessible. Sure, users are only accessing data that they would otherwise have access to, and Plaid is only facilitating this data transmission through scraping, however I am unable to find anything in the court cases that makes such a distinction.

I guess what I'm asking is "is it legal for a service to scrape data behind an authentication wall if the user has granted permission for that service to access said data", and if it is illegal, "how is Plaid operating within the confines of the law?"

Obviously I'm not asking anyone to leave real legal advice, I'm only asking for people's personal interpretations or theories.
I asked this question 5 years ago in an AMA the CEO did once here, but they plainly ignored me and are a unicorn 5 years later. The trick here is to move so fast that the law has trouble keeping up (same with Uber/AirBNB).


I'm pretty sure they just were in a gray enough area that it was never worth suing when they were little. Once they were big enough for the banks to notice it was too late.

But I find the secondary effects to be the most fascinating bit. They created a security risk for the banks by collecting everyone's logins and then were like "Hey bank CISO, the way to mitigate this massive risk we've created for you is to make an API so we can do this safely and delete the creds. k thx byeeee!"


I assume this is done the same way products like YNAB and even QuickBooks Online access your banking info: through an API provided by the bank (or its website partner). Your act of logging in is enough to allow a partner (like Plaid) access to endpoints that contain your information, including transaction history, account info, etc. I don't think any of it is done through scraping; the chances of that information being wrong then become Plaid's problem, not the bank's, and there's no way in hell that would be acceptable to Plaid.


Hmm, things may have changed in the past four years, but I'm fairly confident they at least used to: https://news.ycombinator.com/item?id=18654880

I'm not sure how many banks have adopted real APIs since then, but given the size of Plaid's connection library, I probably wouldn't say all of them.


They are probably using private APIs to retrieve your data. Fintech is a federation of walled gardens that you need to have business relationships with before you even know they exist.


Plaid definitely did not start this way, but I suspect they have been at least trying to move in that direction.


Providing your full bank login for services like this is just crazy.

All banks need to be required to provide either a read only login or full read only API for tools like this.


> All banks need to be required to provide either a read only login or full read only API for tools like this.

They will be, soon enough. In the EU at least there are laws coming out promoting open banking.
