banking and Free Software
Paul Boddie
paul at boddie.org.uk
Tue Feb 27 15:34:42 UTC 2024
On Thursday, 22 February 2024 19:35:24 CET Florian Snow wrote:
> Hello everyone,
>
> As part of my job at the FSFE, I have been working on the topic of
> Free Software in banking and I would like to share some of my findings
> and thoughts with you. This is part of the larger topic of
> appification/forcing users to use non-free apps to do certain
> interactions.
Thanks for raising this issue. Here are some observations from my interactions
with Norwegian banks.
Following Nico's template, the evolution of authentication solutions for
online banking in Norway over the last 25 years has mostly been as follows, in
my experience:
1. Use of one-time codes issued on paper and sent to customers through the
postal system.
2. The issuing to customers of code generation tokens which provide a code on
screen when prompted. Although I believe that calculator-like devices have
been issued by some banks, I have only used the very simple single-button
devices. See the following for an example of the general form:
https://en.wikipedia.org/wiki/RSA_SecurID
3. The introduction of the BankID scheme, providing a single authentication
mechanism for all participating institutions. This initially complemented the
hardware authentication token approach but then broadened to encompass mobile-
based implementations. Banks offer a login through BankID as a kind of single
sign-on, although some have retained their own code-based login path as well.
4. The proliferation of "apps" for banking and the discouragement of hardware
tokens, potentially charging customers fees for the provision of such tokens.
You can imagine that things were a lot simpler before stage 3. And plenty
could be written about how BankID was rolled out, perhaps even by myself on
earlier occasions. There were several concerns about what it entailed and
represented, some of which Lionel touches on:
* Since BankID introduced a "certificate" that could be used for digital
authorisation (or document/agreement signing), does the user have actual
control over their certificate or are they delegating this to an entity that
may lose control over it or misuse it?
* BankID initially required Java and ran as an application, not an applet, and
wanted to perform "checks" on the user's environment. (I ran the browser in a
chroot for slightly improved isolation, since this is a classic way for
companies to claim "unsupported system" and coerce people into buying "a
normal computer".)
The BankID experience has since evolved along different directions. For Web
users, it became a JavaScript-based implementation running in the user's
browser, presumably because Java became a liability. It was then rolled out as
"BankID on mobile" to mobile users where I believe that it involved some kind
of "secure element", most likely delivered using traditional SIM technology,
but I wouldn't rule out vendor-specific technology at least in the case of
Apple products.
What has since happened is that "BankID on mobile" is being retired,
presumably due to vendors seeking to banish things like physical SIM cards
altogether, now replaced by the "BankID app". However, this distinction now
needs to be repeatedly explained along with a distinction between that "app"
and whatever "app" a bank may be providing. This kind of confusion may
actually prove helpful to any cause seeking to prevent needless technological
churn and the instability and uncertainty it brings.
== Some Reflection ==
When one bank had to verify all their customers' identities to comply with
legislation, they strongly encouraged use of their "app". This "app" was meant
to scan the customer's passport using near-field communication, and then the
user was supposed to take a picture of the photo page. Evidently this didn't
work for many people and wasn't likely to work for many phone users, anyway.
Their guidance for people who didn't have the "app" circled back to a video
showing someone using the "app"! Their functionality in the online banking
interface for attaching an image of the customer's passport or other
identification document didn't work. Consequently, they had to get a bunch of
contractors in to staff their remaining branch offices to handle queues of
people showing up to do things the old way.
All of this was accompanied by news stories of people trying to use their own
phone to help their very worried elderly parents retain access to their bank
accounts [1], along with tales of such people not having passports because, as
you can expect, they don't tend to travel much any more. It was a complete
fiasco involving a million people in total [2]. The people responsible for
planning the effort really should have been fired.
What this tells us is that those wishing genuine accessibility to services are
our allies. It would be easy for a response to the above situation to be the
usual, lazy, "old people need to get digital" exhortation, advocating classes
and courses for retired people, but a lot of people who had to queue up to
keep their bank account were far from retirement age. Also, retired people are
not necessarily sitting around bored and wondering what social media is all
about, which is how such encouragement is usually framed, usually by people
who try and shoehorn inappropriate technology into everything.
Just today I read another story about "digital exclusion" in schools for
children with disabilities in various forms [3]. This isn't exactly the same
issue as the one with banking, but it says a lot about attitudes when there is
an opportunity to roll out technology. We are actually seeing the active
neglect and marginalisation of people who cannot help their personal situation
and condition [4], and when this is questioned, those responsible will seek
refuge in the usual arguments about cost or efficiency, or that new technology
brings "new possibilities" or whatever.
There are plenty of people who are legitimately unhappy with the way
technology is being deployed, that their children are being obliged to use
Internet-connected devices at school [5], for example. A lot of that circles
back round to issues of control, proprietary applications and services, and
the predatory nature of swathes of the technology industry, incentivised by
perverse economic models, facilitated by corruption, and enabled at the level
of the individual decision-maker by classic signs of addiction.
In isolation, Free Software advocacy only gets us so far. But in a broader
coalition, it becomes apparent that many people share the same concerns,
demonstrating that Free Software is a valuable component in a larger ethical
framework. Which I will have mentioned before.
Paul
[1] https://www.nrk.no/nordland/dnb-krever-re-legitimering-av-kunder-_-mange-sliter-med-appen-1.15964828
[2] https://www.nrk.no/nyheter/dnb-kan-fa-dagboter-pa-grunn-av-legitimasjonsmangler-1.16026163
[3] https://www.nrk.no/nyheter/alle-barn-kan-ikke-delta-pa-like-vilkar-i-den-digitale-skolen-1.16779967
[4] https://www.nrk.no/vestfoldogtelemark/mener-laereboker-for-svaksynte-ikke-fungerer-godt-nok-1.15717682
[5] https://www.nrk.no/norge/skole-nettbrett-regnes-ikke-som-laeremiddel-1.16713819
(Sorry that these are all in Norwegian! Please enquire if you wish to know
more about any of these articles.)