[LINK] Security, privacy and e-banking
richard@auscoms.com.au
Tue, 22 Feb 2000 15:29:29 +1100
Linkers,
In receipt of press fluff from a site called "The Money Shop":
>OneStopMoney is an easy concept working online at www.themoneyshop.com.au
>where users can conduct banking, share trading and paying bills all in the
>one place, negating the need to go via homepages to access frequently used
>log in pages every time they are used.
And so on. In checking out the site, I looked over the privacy policy, terms and
conditions, and security policy.
First, terms and conditions:
>USE OF INFORMATION
>themoneyshop may gather, process and use (and allow others to use): a) any
>information which you submit or otherwise provide when using the Site
>(including your name, physical address, email address and any other
>details you provide), b) information regarding the manner in which you use
>the Site (including, without limitation, all information gathered as a
>result of the use of "cookies"). From time to time, themoneyshop may offer
>and may allow others to offer products and services to you. If you wish to
>discontinue receiving such offers, please contact themoneyshop.
[snip]
And from the privacy statement:
>Who we share it with
>themoneyshop.com.au Pty Limited will not sell, rent,
>or lease your personally identifiable information to others. Unless we
>have your permission or are required by law, we will only share the
>personal data you provide online with other themoneyshop.com.au Pty
>Limited entities and/or business partners who are acting on our behalf to
>complete the activities described above. Such themoneyshop.com.au Pty
>Limited entities and/or business partners, including those located in
>other countries, are governed by our privacy policies with respect to the
>use of this data.
So we have a terms & conditions that says "We are allowed to share" and a privacy
statement which says "we won't share." They also have the same rather offensive
you-relinquish-copyright-over-your-name type of condition:
>If you participate in any interactive facility, you: - represent and
>warrant that any information provided by you is not owned by, or
>confidential to, any third party; - represent and warrant that your
>provision of such information will not expose themoneyshop to any
>liability, whether civil or criminal; - grant to themoneyshop a perpetual
>licence to use and disclose any such information provided by you to any
>person or entity for any purpose; waive any rights you have in relation to
>any information submitted through an interactive facility in favour of
>themoneyshop; - release and indemnify the themoneyshop from any claim in
>any way related to the information provided by you.
Now, the security statement. Remember, what they're adding to the site is a sort
of banking portal; come here and we'll hand you off to your bank. Yes,
redirection should mean that data never reaches themoneyshop BUT does the common
punter know how the Internet works? Of course not. So in the face of that sort
of concern, what does the site say about security?
>themoneyshop.com.au is committed to ensuring the security of your
>information. To prevent unauthorized access, maintain data accuracy, and
>ensure the appropriate use of information, we have put in place
>appropriate physical, electronic, and managerial procedures to safeguard
>and secure the information we collect online.
That's it. Encryption? Never heard of it.
It seems to me to be perilously close to intentionally trying to confuse the
customer. All this stuff exists on two different documents, it's presented in
unreadably small type, and it's buried among lots of nice motherhood stuff.
So we have a site from which *personal finance* activity may be visible; at
which such activity may be collected; a "your browser will remember your
preferred bank" capability which is NOT explained to the customers; and no
ironclad guarantee that highly sensitive information is protected.
Is this legal?
Richard Chirgwin