by KingMachiavelli 1870 days ago
> https://www.eff.org/cases/facebook-v-power-ventures

While it is bad and unethical to encourage sharing credentials, I really hope we don't continue to criminalize intermediary services that act on the user's behalf. Users should be able to use whatever products and services they want. If you don't want consumers to use third-party tools then either improve your own tools or implement better security.

On the bright side it sounds like in the Power Ventures case they did a few other things to sort of 'impersonate' Facebook in order to encourage users to use their product. So maybe things haven't escalated too far yet... the outcome of this & Plaid will certainly be interesting.

3 comments

Financial institutions should all be required to provide APIs with various permissions so consumers can connect whatever 3rd-party tools they want. Coinbase has a good API where you can specify read-only access to whichever accounts and wallets you want.
Look up PSD2. Exactly that is required in the EU.
And it's a net negative for everyone not using any such service. The UX for my online banking has gone down significantly. Banks now require a lot of additional 2FA authorizations for various actions, even when you are already authenticated.
Not just EU. Also Australia, Brazil, Japan, Saudi Arabia, Mexico, Singapore, Hong Kong, India. Canada is rumoured to have this soon as well.
Many banking apps won't even run on a rooted phone 'for my own safety', yet not so long ago the same banks allowed aggregation services that store my login credentials to have access to my accounts?
The difference is liability. If something happens due to the bank's app, the bank is liable. If you give your account credentials to some third party and something happens, that's not the bank's problem.
Seems a bit counter-intuitive to brand Plaid's behavior as unethical and then argue that users should have agency to share their own passwords.

At a meta-level, using unethical as a qualifier seems like an attempt to bolster an argument without having to provide a logical argument. I think most discussions are cleaner without broaching the thorny topic of ethics. Such discussions usually devolve into ideological battles, which by HN guidelines, "trample curiosity".

The difference IMO is that Plaid is often used for e.g. tenant applications, where the person requiring the use of Plaid and the person forced to disclose credentials are not the same. That's bad.

If I choose to give my credentials to e.g. Mint to aggregate information for my own benefit, that's good because it was entirely my choice.

As I wrote the word 'unethical' I knew it was sort of the wrong choice. At best it is unclear and lacks substance. The logical argument explicitly phrased would have been:

> Plaid's behavior works against the social norms that the majority of the tech community supports; in this case it deviates from the norm of keeping login information private.

But actually after re-reading the article, everything seems perfectly fine. The number of participants was only 12 who were all related in some fashion to Plaid employees & everything was pretty well disclosed. So the updated logical argument would be:

> Plaid's actions were limited in scope such that it had little chance of undermining norms regarding account login security. The purpose behind their actions was to increase the interoperability of their software and other software which is seen as a legitimate and net-positive goal in the software community.

> At a meta-level, using unethical as a qualifier seems like an attempt to bolster an argument without having to provide a logical argument.

It seemed like more of a disclaimer to avoid such ideological battles and deliver a nuanced view. "I agree the practice is shady, but..."