In 2006, Aaron Patzer founded Mint. Patzer had grown up in the city of Evansville, Indiana—a place he described as “small, without much economic opportunity”—but had created a successful business building websites. He kept up the business through college and grad school and invested his profits in stocks and other assets, leading to a minor obsession with personal finance that saw him devoting hours every Saturday morning to manually tracking every penny he’d spent that week, transcribing his receipts into Microsoft Money and Quicken.
Patzer was frustrated with the amount of manual work it took to track his finances with these tools, which at the time weren’t smart enough to automatically categorize “Chevron” under fuel or “Safeway” under groceries. So he conceived of an ingenious hack: he wrote a program that would automatically look up every business name he entered into the online version of the Yellow Pages—constraining the search using the area code in the business’s phone number so it would only consider local merchants—and use the Yellow Pages’ own categories to populate the “category” field in his financial tracking tools.
It occurred to Patzer that he could do even better, which is where Mint came in. Patzer’s idea was to create a service that would take all your logins and passwords for all your bank, credit union, credit card, and brokerage accounts, and use these logins and passwords to automatically scrape your financial records, and categorize them to help you manage your personal finances. Mint would also analyze your spending in order to recommend credit cards whose benefits were best tailored to your usage, saving you money and earning the company commissions.
By international standards, the USA has a lot of banks: around 12,000 when Mint was getting started (in the US, each state gets to charter its own banks, leading to an incredible, diverse proliferation of financial institutions). That meant that for Mint to work, it would have to configure its scrapers to work with thousands of different websites, each of which was subject to change without notice.
If the banks had been willing to offer an API, Mint’s job would have been simpler. But despite a standard format for financial data interchange called OFX (Open Financial Exchange), few financial institutions were offering any way for their customers to extract their own financial data. The banks believed that locking in their users’ data could work to their benefit, as the value of having all your financial info in one place meant that once a bank locked in a customer for savings and checking, it could sell them credit cards and brokerage services. This was exactly the theory that powered Mint, with the difference that Mint wanted to bring your data together from any financial institution, so you could shop around for the best deals on cards, banking, and brokerage, and still merge and manage all your data.
At first, Mint contracted with Yodlee, a company that specialized in scraping websites of all kinds, combining multiple webmail accounts with data scraped from news sites and other services in a single unified inbox. When Mint outgrew Yodlee’s services, it founded a rival called Untangly, locking a separate team in a separate facility that never communicated with Mint directly, in order to head off any claims that Untangly had misappropriated Yodlee’s proprietary information and techniques—just as Phoenix computing had created a separate team to re-implement the IBM PC ROMs, creating an industry of “PC clones.”
Untangly created a browser plugin that Mint’s most dedicated users would use when they logged into their banks. The plugin would prompt them to identify elements of each page in the bank’s websites so that the scraper for that site could figure out how to parse the bank’s site and extract other users’ data on their behalf.
To head off the banks’ countermeasures, Untangly maintained a bank of cable modems and servers running “headless” versions of Internet Explorer (a headless browser is one that runs only in computer memory, without drawing the actual browser window onscreen). It throttled the rate at which the scripted interactions on these browsers ran, in order to make it harder for the banks to determine which of their users were Mint scrapers acting on behalf of the banks’ customers and which were flesh-and-blood customers running their own browsers on their own behalf.
As the above implies, not every bank was happy that Mint was allowing its customers to liberate their data, not least because the banks’ winner-take-all plan was for their walled gardens to serve as reasons for customers to use their banks for everything, in order to get the convenience of having all their financial data in one place.
Some banks sent Mint legal threats, demanding that it cease and desist from scraping customer data. When this happened, Mint would roll out its “nuclear option”—an error message displayed to every bank customer affected by these demands informing them that their bank was the reason they could no longer access their own financial data. These error messages would also include contact details for the relevant decision-makers and customer-service reps at the banks. Even the most belligerent bank’s resolve weakened in the face of calls from furious customers who wanted to use Mint to manage their own data.
In 2009, Mint became a division of Intuit, which already had a competing product with a much larger team. With the merged teams, they were able to tackle the difficult task of writing custom scrapers for the thousands of small banks they’d been forced to sideline for want of resources.
Adversarial interoperability is the technical term for a tool or service that works with (“interoperates” with) an existing tool or service—without permission from the existing tool’s maker (that’s the “adversarial” part).
Mint’s story is a powerful example of adversarial interoperability: rather than waiting for the banks to adopt standards for data-interchange—a potentially long wait, given the banks’ commitment to forcing their customers into treating them as one-stop-shops for credit cards, savings, checking, and brokerage accounts—Mint simply created the tools to take its users’ data out of the banks’ vaults and put it in vaults of the users’ choosing.
Adversarial interoperability was once commonplace. It’s a powerful way for new upstarts to unseat the dominant companies in a market—rather than trying to convince customers to give up an existing service they rely on, an adversarial interoperator can make a tool that lets users continue to lean on the existing services, even as they chart a path to independence from those services.
But stories like Mint are rare today, thanks to a sustained, successful campaign by the companies that owe their own existence to adversarial interoperability to shut it down, lest someone do unto them as they had done unto the others.
Thanks to decades of lobbying and lawsuits, we’ve seen a steady expansion of copyright rules, software patents (though these are thankfully in retreat today), enforceable terms-of-service and theories about “interference with contract” and “tortious interference.”
These have grown to such an imposing degree that big companies don’t necessarily need to send out legal threats or launch lawsuits anymore—the graveyard of new companies killed by these threats and suits is scary enough that neither investors nor founders have much appetite for risking it.
For Mint to have launched when it did, and done as well as it did, tells us that adversarial interoperability may be down, but it’s not out. With the right legal assurances, there are plenty of entrepreneurs and investors who’d happily provide users with the high-tech ladders they need to scale the walled gardens that Big Tech has imprisoned them within.
The Mint story also addresses an important open question about adversarial interoperability: if we give technologists the right to make these tools, will they work? After all, today’s tech giants have entire office-parks full of talented programmers. Can a new market entrant hope to best them in the battle of wits that plays out when they try to plug some new systems into Big Tech’s existing ones?
The Mint experience points out that attackers always have an advantage over defenders. For the banks to keep Mint out, they’d have to have perfect scraper-detection systems. For Mint to scrape the banks’ sites, they only need to find one flaw in the banks’ countermeasures.
Mint also shows how an incumbent company’s own size works against it when it comes to shutting out competitors. Recall that when a bank decided to send its lawyers after Mint, Mint was able to retaliate by recruiting the bank’s own customers to blast it for that decision. The more users Mint had, the more complaints it would generate—and the bigger a bank was, the more customers it had to become Mint users, and defenders of Mint’s right to scrape the bank’s site.
It’s a neat lesson about the difference between keeping out malicious hackers versus keeping out competitors. If a “bad guy” was attacking the bank’s site, it could pull out all the stops to shut the activity down: lawsuits, new procedures for users to follow, even name-and-shame campaigns against the bad actor.
But when a business attacks a rival that is doing its own customers’ bidding, its ability to do so has to be weighed against the ill will it will engender with those customers, and the negative publicity this kind of activity will generate. Consider that Big Tech platforms claim billions of users—that’s a huge pool of potential customers for adversarial interoperators who promise to protect those users from Big Tech’s poor choices and exploitative conduct!
This is also an example of how “adversarial interoperability” can peacefully co-exist with privacy protection: it’s not hard to see how a court could distinguish between a company that gets your data from a company’s walled garden at your request so that you can use it, and a company that gets your data without your consent and uses it to attack you.
Mint’s pro-competitive pressure made banks better, and gave users more control. But of course, today Mint is a division of Intuit, a company mired in scandal over its anticompetitive conduct and regulatory capture, which have allowed it to subvert the Free File program that should give millions of Americans access to free tax-preparation services.
Imagine if an adversarial interoperator were to enter the market today with a tool that auto-piloted its users through the big tax-prep companies’ sites to get them to Free File tools that would actually work for them (as opposed to tricking them into expensive upgrades, often by letting them get all the way to the end of the process before revealing that something about the user’s tax situation makes them ineligible for that specific Free File product).
Such a tool would be instantly smothered with legal threats, from “tortious interference” to hacking charges under the Computer Fraud and Abuse Act. And yet, these companies owe their size and their profits to exactly this kind of conduct.
Creating legal protections for adversarial interoperators won’t solve all our problems of market concentration, regulatory capture, and privacy violations—but giving users the right to control how they interact with the big services would certainly open a space where technologists, co-ops, entrepreneurs and investors could help erode the big companies’ dominance, while giving the public a better experience and a better deal.
The Electronic Frontier Foundation is the leading nonprofit organization defending civil liberties in the digital world. Founded in 1990, EFF champions user privacy, free expression, and innovation through impact litigation, policy analysis, grassroots activism, and technology development. We work to ensure that rights and freedoms are enhanced and protected as our use of technology grows. Visit https://www.eff.org