Proposed “Screen Scraping” Ban Could Affect EV, Solar & Battery Owners
Over in the financial sector, there is a development with implications that we in the renewable energy space – particularly in the world of electric vehicles – should pay attention to.
It came in a speech by Assistant Treasurer Stephen Jones to the Intersekt conference, in which he foreshadowed a ban on what’s known as “screen scraping”.
The process has started with a consultation opened by Treasury.
What Is Screen Scraping?
Screen scraping is a very rough colloquialism that describes a practice used by third-party financial apps that sit between a user and their bank. Imagine, for example, an app that consolidates all your account information across different banks into one screen. The simplest way for an app to do this is to borrow your credentials for all your different bank accounts so it can log into CBA, ANZ, NAB, Westpac and so on to check your account balance.
It’s a terrible name for the practice because the login details are generally used to access an API, not scrape your screen. But even that’s a security risk, since if a hacker accesses the third-party app’s data, they get access to stored credentials.
Jones said:
“The practice of screen scraping … cuts against the work we as a Government and many parts of the fintech industry are trying to do to use data more safely, and to store it more safely.”
What’s that got to do with owners of electric vehicles?
A while back, a reader alerted us that the practice is used in apps that use customer credentials to access users’ accounts with their EV manufacturer – for example, a third-party charge management application that needs information from your Tesla app data.
Third-party apps “that use Tesla and any other unofficial API are a ticking security timebomb,” our reader said.
“Many of these apps capture user credentials to access third parties.”
He said one captures the EV owner’s username and password to control the charge rate.
“Those credentials give a party full access to the vehicle including unlocking it and making it driveable (and the location of the vehicle too). All it takes is a malicious actor to wait for an opportunity for someone to make a mistake and they will have access to a large set of assets.”
Change Is Coming
Banks have long opposed the practice of screen scraping for reasons very similar to our reader’s objections: user information is held by a third party whose data handling may not be as secure as the bank’s.
It’s also worth noting that while a bank’s data security is heavily regulated, the same can’t be said for an EV charge management app.
As Jones said in his speech, a screen scraping ban was raised last year in a review of the Consumer Data Right (CDR), which governs how consumer data is handled and shared in a handful of industries, including the financial sector.
“Last year’s Statutory Review into CDR … recommended that screen scraping be banned where CDR is a viable alternative”.
So, the government is launching an inquiry:
“Today, we are beginning that consultation process, with a discussion paper on the policy and regulatory implications of screen scraping.”
“I really don’t think that asking people to hand over their online banking passwords to lenders, mortgage brokers, and others is the best we can do. The world has moved on.
“It’s hard to see a big future for any business model that relies on people sending through their log in details.”
Solar, Storage And EV Sectors Take Note
Once this train gets in motion, it seems inevitable someone will notice the practice reaches far beyond the financial sector.
So it would at least be sensible for the EV industry – and, for that matter, inverter and battery manufacturers – to start changing their practices so consumer data is appropriately protected when shared.
And there are alternatives to screen scraping. As SolarQuotes Founder Finn Peacock pointed out, Tesla allows Powerwall users to share data without sharing their login:
“Tesla has a great feature with their Powerwall app – you go into the app and invite people to look at your data – then [you] can revoke at any time. We just need a similar built-in system for API access to EVs, battery and inverter data.”