banking and Free Software

Paul Boddie paul at boddie.org.uk
Tue Feb 27 15:34:42 UTC 2024


On Thursday, 22 February 2024 19:35:24 CET Florian Snow wrote:
> Hello everyone,
> 
> As part of my job at the FSFE, I have been working on the topic of
> Free Software in banking and I would like to share some of my findings
> and thoughts with you. This is part of the larger topic of
> appification/forcing users to use non-free apps to do certain
> interactions.

Thanks for raising this issue. Here are some observations from my interactions 
with Norwegian banks.

Following Nico's template, the evolution of authentication solutions for 
online banking in Norway over the last 25 years has mostly been as follows, in 
my experience:

1. Use of one-time codes issued on paper and sent to customers through the 
postal system.

2. The issuing to customers of code generation tokens which provide a code on 
screen when prompted. Although I believe that calculator-like devices have 
been issued by some banks, I have only used the very simple single-button 
devices. See the following for an example of the general form:

https://en.wikipedia.org/wiki/RSA_SecurID

3. The introduction of the BankID scheme, providing a single authentication 
mechanism for all participating institutions. This initially complemented the 
hardware authentication token approach but then broadened to encompass mobile-
based implementations. Banks offer a login through BankID as a kind of single 
sign-on, although some have retained their own code-based login path as well.

4. The proliferation of "apps" for banking and the discouragement of hardware 
tokens, potentially charging customers fees for the provision of such tokens.

You can imagine that things were a lot simpler before stage 3. And plenty 
could be written about how BankID was rolled out, perhaps even by myself on 
earlier occasions. There were several concerns about what it entailed and 
represented, some of which Lionel touches on:

* Since BankID introduced a "certificate" that could be used for digital 
authorisation (or document/agreement signing), does the user have actual 
control over their certificate or are they delegating this to an entity that 
may lose control over it or misuse it?

* BankID initially required Java and ran as an application, not an applet, and 
wanted to perform "checks" on the user's environment. (I ran the browser in a 
chroot for slightly improved isolation, since this is a classic way for 
companies to claim "unsupported system" and coerce people into buying "a 
normal computer".)

The BankID experience has since evolved along different directions. For Web 
users, it became a JavaScript-based implementation running in the user's 
browser, presumably because Java became a liability. It was then rolled out as 
"BankID on mobile" to mobile users where I believe that it involved some kind 
of "secure element", most likely delivered using traditional SIM technology, 
but I wouldn't rule out vendor-specific technology at least in the case of 
Apple products.

What has since happened is that "BankID on mobile" is being retired, 
presumably due to vendors seeking to banish things like physical SIM cards 
altogether, now replaced by the "BankID app". However, this distinction now 
needs to be repeatedly explained along with a distinction between that "app" 
and whatever "app" a bank may be providing. This kind of confusion may 
actually prove helpful to any cause seeking to prevent needless technological 
churn and the instability and uncertainty it brings.

== Some Reflection ==

When one bank had to verify all their customers' identities to comply with 
legislation, they strongly encouraged use of their "app". This "app" was meant 
to scan the customer's passport using near-field communication, and then the 
user was supposed to take a picture of the photo page. Evidently this didn't 
work for many people and wasn't likely to work for many phone users, anyway.

Their guidance for people who didn't have the "app" circled back to a video 
showing someone using the "app"! Their functionality in the online banking 
interface for attaching an image of the customer's passport or other 
identification document didn't work. Consequently, they had to get a bunch of 
contractors in to staff their remaining branch offices to handle queues of 
people showing up to do things the old way.

All of this was accompanied by news stories of people trying to use their own 
phone to help their very worried elderly parents retain access to their bank 
accounts [1], along with tales of such people not having passports because, as 
you can expect, they don't tend to travel much any more. It was a complete 
fiasco involving a million people in total [2]. The people responsible for 
planning the effort really should have been fired.

What this tells us is that those wishing genuine accessibility to services are 
our allies. It would be easy for a response to the above situation to be the 
usual, lazy, "old people need to get digital" exhortation, advocating classes 
and courses for retired people, but a lot of people who had to queue up to 
keep their bank account were far from retirement age. Also, retired people are 
not necessarily sitting around bored and wondering what social media is all 
about, which is how such encouragement is usually framed, usually by people 
who try and shoehorn inappropriate technology into everything.

Just today I read another story about "digital exclusion" in schools for 
children with disabilities in various forms [3]. This isn't exactly the same 
issue as the one with banking, but it says a lot about attitudes when there is 
an opportunity to roll out technology. We are actually seeing the active 
neglect and marginalisation of people who cannot help their personal situation 
and condition [4], and when this is questioned, those responsible will seek 
refuge in the usual arguments about cost or efficiency, or that new technology 
brings "new possibilities" or whatever.

There are plenty of people who are legitimately unhappy with the way 
technology is being deployed, that their children are being obliged to use 
Internet-connected devices at school [5], for example. A lot of that circles 
back round to issues of control, proprietary applications and services, and 
the predatory nature of swathes of the technology industry, incentivised by 
perverse economic models, facilitated by corruption, and enabled at the level 
of the individual decision-maker by classic signs of addiction.

In isolation, Free Software advocacy only gets us so far. But in a broader 
coalition, it becomes apparent that many people share the same concerns, 
demonstrating that Free Software is a valuable component in a larger ethical 
framework. Which I will have mentioned before.

Paul

[1] https://www.nrk.no/nordland/dnb-krever-re-legitimering-av-kunder-_-mange-sliter-med-appen-1.15964828
[2] https://www.nrk.no/nyheter/dnb-kan-fa-dagboter-pa-grunn-av-legitimasjonsmangler-1.16026163
[3] https://www.nrk.no/nyheter/alle-barn-kan-ikke-delta-pa-like-vilkar-i-den-digitale-skolen-1.16779967
[4] https://www.nrk.no/vestfoldogtelemark/mener-laereboker-for-svaksynte-ikke-fungerer-godt-nok-1.15717682
[5] https://www.nrk.no/norge/skole-nettbrett-regnes-ikke-som-laeremiddel-1.16713819

(Sorry that these are all in Norwegian! Please enquire if you wish to know 
more about any of these articles.)
