I understand the situation. Another of Plaid's investors is Goldman Sachs. I naively assumed that Plaid's ability to build their product was likely based on access to private APIs available to them based on their relationships and backing.

If someone came to me and asked me to build what Plaid has built, I would decline the work. I would assume that impersonating a bank would be illegal. I would assume that the banks I am impersonating would treat me as a malicious actor. I would assume that I would go to jail for building a system like this.

Absolutely unbelievable.

Plaid does have real integrations with some institutions, using OAuth and the works. The list is relatively miniscule compared to the vast majority of institutions that still consider customer data their asset and not their customers'.

On the other hand, Plaid’s behaviour means that your data is not yours either, but is up for grabs by a 3rd party for which you may not have given consent to. Plaid is no Robin Hood (the story not the app) here.

Plaid is equivalent to a carrier, right? They merely provide the data to their client (whatever service/app you're signing into) and it's up to that client to decide how to use it.

Back when I used to run a web scraping shop, we had this exact request. I didn't know it was illegal at the time but we ultimately didn't do it because lot of people just want to pay as little as possible for scraping without considering the amount of work that goes behind it.

Web scraping is not illegal per se. Though it may be against the specific terms of service of the site you are scraping.

that was before the 2018 ruling this was back in 2012, I remember Craigslist sued someone for scraping under CFAA.

Thanks to EFF, this scummy tactic used to kill Aaron Swartz is no more.

You are misremembering. CFAA defines criminal acts not civil, so Craigslist could not sue someone under the CFAA. The DA would have to bring charges first and then the civil suit by Craigslist would reference the criminal suit.

Even if it isn’t illegal it can be against the terms of service and void your warranty/insurance

fraudulently obtaining people's banking information can be described many ways. The prosecutors won't call it web scraping and the judge hasn't seen that although he has heard of people who steal users information to hack their banks.

Seems like a bad bet to me.

I've learned that when it comes to banks, assuming things like that is usually wrong.