On Thursday, 22 February 2024 19:35:24 CET Florian Snow wrote:
> Hello everyone,
>
> As part of my job at the FSFE, I have been working on the topic of
> Free Software in banking and I would like to share some of my findings
> and thoughts with you. This is part of the larger topic of
> appification/forcing users to use non-free apps to do certain
> interactions.
Thanks for raising this issue. Here are some observations from my interactions with Norwegian banks.

Following Nico's template, the evolution of authentication solutions for online banking in Norway over the last 25 years has mostly been as follows, in my experience:

1. Use of one-time codes issued on paper and sent to customers through the postal system.

2. The issuing to customers of code generation tokens which provide a code on screen when prompted. Although I believe that calculator-like devices have been issued by some banks, I have only used the very simple single-button devices. See the following for an example of the general form: https://en.wikipedia.org/wiki/RSA_SecurID

3. The introduction of the BankID scheme, providing a single authentication mechanism for all participating institutions. This initially complemented the hardware authentication token approach but then broadened to encompass mobile-based implementations. Banks offer a login through BankID as a kind of single sign-on, although some have retained their own code-based login path as well.

4. The proliferation of "apps" for banking and the discouragement of hardware tokens, potentially charging customers fees for the provision of such tokens.

You can imagine that things were a lot simpler before stage 3. And plenty could be written about how BankID was rolled out, perhaps even by myself on earlier occasions. There were several concerns about what it entailed and represented, some of which Lionel touches on:

* Since BankID introduced a "certificate" that could be used for digital authorisation (or document/agreement signing), does the user have actual control over their certificate or are they delegating this to an entity that may lose control over it or misuse it?

* BankID initially required Java and ran as an application, not an applet, and wanted to perform "checks" on the user's environment.
(I ran the browser in a chroot for slightly improved isolation, since this is a classic way for companies to claim "unsupported system" and coerce people into buying "a normal computer".)

The BankID experience has since evolved along different directions. For Web users, it became a JavaScript-based implementation running in the user's browser, presumably because Java became a liability. It was then rolled out as "BankID on mobile" to mobile users where I believe that it involved some kind of "secure element", most likely delivered using traditional SIM technology, but I wouldn't rule out vendor-specific technology at least in the case of Apple products.

What has since happened is that "BankID on mobile" is being retired, presumably due to vendors seeking to banish things like physical SIM cards altogether, now replaced by the "BankID app". However, this distinction now needs to be repeatedly explained along with a distinction between that "app" and whatever "app" a bank may be providing. This kind of confusion may actually prove helpful to any cause seeking to prevent needless technological churn and the instability and uncertainty it brings.

== Some Reflection ==

When one bank had to verify all their customers' identities to comply with legislation, they strongly encouraged use of their "app". This "app" was meant to scan the customer's passport using near-field communication, and then the user was supposed to take a picture of the photo page. Evidently this didn't work for many people and wasn't likely to work for many phone users, anyway. Their guidance for people who didn't have the "app" circled back to a video showing someone using the "app"! Their functionality in the online banking interface for attaching an image of the customer's passport or other identification document didn't work. Consequently, they had to get a bunch of contractors in to staff their remaining branch offices to handle queues of people showing up to do things the old way.
All of this was accompanied by news stories of people trying to use their own phone to help their very worried elderly parents retain access to their bank accounts [1], along with tales of such people not having passports because, as you can expect, they don't tend to travel much any more. It was a complete fiasco involving a million people in total [2]. The people responsible for planning the effort really should have been fired.

What this tells us is that those wishing genuine accessibility to services are our allies. It would be easy for a response to the above situation to be the usual, lazy, "old people need to get digital" exhortation, advocating classes and courses for retired people, but a lot of people who had to queue up to keep their bank account were far from retirement age. Also, retired people are not necessarily sitting around bored and wondering what social media is all about, which is how such encouragement is usually framed, usually by people who try and shoehorn inappropriate technology into everything.

Just today I read another story about "digital exclusion" in schools for children with disabilities in various forms [3]. This isn't exactly the same issue as the one with banking, but it says a lot about attitudes when there is an opportunity to roll out technology. We are actually seeing the active neglect and marginalisation of people who cannot help their personal situation and condition [4], and when this is questioned, those responsible will seek refuge in the usual arguments about cost or efficiency, or that new technology brings "new possibilities" or whatever. There are plenty of people who are legitimately unhappy with the way technology is being deployed, that their children are being obliged to use Internet-connected devices at school [5], for example.
A lot of that circles back round to issues of control, proprietary applications and services, and the predatory nature of swathes of the technology industry, incentivised by perverse economic models, facilitated by corruption, and enabled at the level of the individual decision-maker by classic signs of addiction.

In isolation, Free Software advocacy only gets us so far. But in a broader coalition, it becomes apparent that many people share the same concerns, demonstrating that Free Software is a valuable component in a larger ethical framework. Which I will have mentioned before.

Paul

[1] https://www.nrk.no/nordland/dnb-krever-re-legitimering-av-kunder-_-mange-sliter-med-appen-1.15964828
[2] https://www.nrk.no/nyheter/dnb-kan-fa-dagboter-pa-grunn-av-legitimasjonsmangler-1.16026163
[3] https://www.nrk.no/nyheter/alle-barn-kan-ikke-delta-pa-like-vilkar-i-den-digitale-skolen-1.16779967
[4] https://www.nrk.no/vestfoldogtelemark/mener-laereboker-for-svaksynte-ikke-fungerer-godt-nok-1.15717682
[5] https://www.nrk.no/norge/skole-nettbrett-regnes-ikke-som-laeremiddel-1.16713819

(Sorry that these are all in Norwegian! Please enquire if you wish to know more about any of these articles.)

_______________________________________________
Discussion mailing list
Discussion@lists.fsfe.org
https://lists.fsfe.org/mailman/listinfo/discussion

This mailing list is covered by the FSFE's Code of Conduct. All participants are kindly asked to be excellent to each other: https://fsfe.org/about/codeofconduct