Bank of America shut down 3rd party access to consumer transaction data through their website. While it tightens security, it also hammers home the fact that user data does not belong to the user.
Bank of America recently shut down Intuit’s access to user data through BofA’s online banking system. Intuit owns Mint, a service which allows users to aggregate their financial information from bank accounts and credit card sites to have an overview of their financial information and spending in one place. Users logged into their online banking and credit card systems using their BofA user names and passwords, which allows Mint and other aggregators to collect their transaction and balance data.
BofA argued that they shut down 3rd party aggregator access because it weakened security by giving the aggregator access to the user’s password. In fact, many banks changed their terms of service to state that using Mint or another aggregator voided their identity theft coverage. While this sounds logical, shutting down access even with user consent drives home the point that users do not own, or even have access rights to their own financial transaction history. Some surmise that the real reason is because Mint provides users with deeper insight into the fee structures of their accounts, information that banks would prefer stay less explicit.
Almost every web service we use has a Terms and Conditions document that grants that service access to the data it generates. Most of those also grant the services ownership, or an “irrevocable lifetime license” to that data. That’s great as long as everything works as expected because there is no perceptible difference between us owning the data as opposed to the 3rd party service providers. The issue only comes to a head when users want their data back, and that request is denied, or access is granted but made difficult. What remains to be seen is how hard users will push back against institutional data silos to maintain access.
Aggregators such as Mint provide users with increased incentives to ask for access to their own data. Should these requests be denied, the issue of ownership of personal data may quickly come to a head. The technology exists to give safe read-only access to aggregators in the same way that Google and Facebook can give read-only access to your friends list in an app (OAuth), yet BofA chooses not to. Perhaps a little consumer outrage fueled by Mint’s PR machine will make a change.