Suitable Online Banking

Alexandre Oliva

For the past 20 years, I've entered various fights with Brazilian banks over their threats to my software freedom in their Internet banking services. Back in 2002, the main threats were web sites that required Internet Explorer, or the then-still-proprietary Java plugin, and there were plenty of alternatives without such abusive requirements. Now, in 2022, most banks require users to install security-theater malware and to use tracking devices, and those that make exceptions to the malware upon request are becoming very hard to find. Before running out of options, I've started legal action to defend my freedom using my consumer rights.

Java Trap

I was a happy customer of Banco do Brasil until around 2001, when it rolled out a Java applet for authentication. The Java VM only became free software years later, but even if the Java Trap had already been disarmed, the applet itself was a nonfree program I'd be required to run on my own computer, analogous to the Javascript Trap that became a grave problem later on. Both of these requirements were unacceptable to me, and I let the bank know in no uncertain terms. For some time, there was a workaroud: changing the browser-presented User agent identifier to pretend to be running some Java-incompatible system served as a workaround. When that was cut off and it became clear that there weren't going to be workarounds any more, I took my business to banks that did not impose such abusive requirements.

JavaScript virtual keyboards

Banespa and Real, both now part of Santander, at some point also started demanding a so-called "security" program on the customer's end, but both of them made exceptions upon request, so I didn't have to move on from them. Eventually, they also rolled out virtual keyboards for authentication in security theater, and at that, I blinked: without GNU LibreJS to warn me, I did not realize those were also nonfree programs running on my computer. When I learned that this was the case, I had already accepted these features for too long, and I rationalized them as layout silliness that was borderline acceptable, and so I kept on using them. I'm embarrassed and sorry that I did; resisting back then might have made things easier for everyone else later on.

Hostile take-over

In 2008, my then-employer started paying salaries at Citibank. I gave it a try and was happy with how little JavaScript it used, so it became my favorite banking platform, and it served me well for some 10 years, until Itaú-Unibanco (henceforth just Itaú) bought its retail operations in Brazil and switched all customers to its own Internet banking service. That brought me two major problems: in order to perform banking transactions, they demanded a piece of malware they deemed "Guardian" (Diebold's Warsaw, really) to be installed on the desktop or laptop computer, and the bank's own One-Time Password (OTP) app had to be installed on a portable tracking device (of the kind that usually can also make phone calls) for authentication purposes.

Workaround

Some colleagues mentioned that changing to FreeBSD the operating system name sent by the browser in the User-agent identifier would disable the malware requirement, but authentication remained a challenge. It was no use to argue that my phone ran GNU/Linux (my smartphone has been a Neo Freerunner for way over a decade) and they only had apps for other mobile operating systems; or that there were other OTP apps I could run, on it or elsewhere, that would serve the same purpose.

Backup plan

Santander still worked for me, but it's very uncomfortable to be tied to a single option, so I contacted a banking cooperative/credit union, Sicredi, explained that I was looking for a bank that would offer me Internet banking services without requiring me to install anything but a standards-compliant browser on any operating system of my choice, that this was the reason I had left Banco do Brasil before, and was leaving Itaú now, that I was very serious about not running nonfree software, to the point of mainntaining my own Free version of Brazilian income tax software to avoid depending on the government-provided nonfree version, and they told me that they could indeed meet my requirements, and they'd be happy to take my business.

Plot twist

So I signed up with Sicredi, went to a branch of Itaú to transfer the balance, and then, only then, did Itaú think of offering me a hardware OTP token for authentication, just like the one Sicredi had offered me. I figured I could give Itaú a try, so I didn't trasfer the whole balance. I'm glad I didn't. I went back to the Sicredi branch, confirmed the transfer that activated the account, got the hardware token, moved a significant chunk of the balance to a long-term investment fund, and went home. When I got there, I tried to access the Internet banking service and check everything out, just to find out that it demanded the installation of the same piece of "security" malware as Itaú. Unlike Itaú, I couldn't even see my balance without it, whereas Itaú worked beautifully once I had its hardware token and the User-agent workaround. For some time, I had FreeBSD as the operating system name in User-agent, but eventually I tried GNU instead of the misnomer Linux, and that worked too. Once again, GNU helped me keep my freedom!
https://gnu.org/gnu/linux-and-gnu.html

Seeking consumer protection

Still, I felt unsafe, because the User-agent workaround was not documented nor recommended. The bank even denied its existence. It also unilaterally decided to stop sending me monthly statements by mail, which was part of the service I'd hired and was quite important to me, since the viable alternative, namely getting the file with the Internet banking service, could be cut off at any time. So I filed complaints about both Itaú and Sicredi with the local consumer protection agency, Procon. Not that I expected much to come out of it: in my experience, Procon could only fine violators, that would be taken as cost of business, and even protect the violators from any further complaints from me over the same issue. In this case, I wasn't even sure Procon would recognize my rights; its agents were not familiar with the notion of software freedom, but once I explained that in terms that made sense to consumer protection agents, they seemed quite excited about it. Procon eventually found in my favor in both cases, fined both banks, and confirmed the fines on appeal.

Surprise!

I expected the banks wouldn't change their behavior over it, though. It turned out I was surprisigly wrong. Not long after the initial decision, Itaú started changing its Internet banking service. It wasn't for the better, though. Progressively, over several years, some kinds of transactions would no longer accept authentication with the secure and entirely offline hardware token, and instead insisted on a tracking device-based OTP instead. After some time, they'd start demanding the Guardian malware, or their own brand new app, now available for a small selection of operating systems, including GNU/Linux/x86_64, but nonfree software nevertheless. As I write this, relevant features I've noticed as blocked are payments of bills that aren't scheduled automatically, payments of some taxes, outgoing wire transfers, international wire transfers, credit card statements, activating new cards, and even updating contact and investor information and obtaining the consolidated information needed to fill in income tax returns, all in name of "security". At least the tax information is made available on another web site maintained by the bank, that clearly doesn't care so much about "security". That wasn't all at once. One day a feature worked, next day it didn't any more. Then another. And another... For some time, even redeeming from investment funds (to avoid a negative balance over automatically scheduled payments) stopped accepting confirmation with the hardware token, but at least on this one they seem to have retreated. Not on the others.

Not fine

Meanwhile, Sicredi accused me of dishonesty: they wouldn't believe I hadn't come across the very clear information about their software requirements, shown on a web page that's not even reachable without JavaScript, reason why I ended up contacting the branch to explain my requirements. That absurd accusation earned them a reprimand in the appeal decision, but not a higher fee.

Lawsuit

As Itaú tightened the knot, I talked to my lawyer about defending my rights with a lawsuit. He wasn't enthusiastic about it at first, apparently expecting the bank to take back on the impositions, not realizing at first how they were show-stoppers for me, while most people wouldn't even notice or realize that there was an injustice there. We couldn't count on a public uproar for the bank to retreat.

We had to demand the bank to live up to the obligations it acquired along with the Citibank retail business: it couldn't unilaterally change the terms, quality and requirements of the service I had so carefully selected because I wouldn't use a service that demanded nonfree software. So, in the middle of 2022, he filed a lawsuit against Itaú on my behalf, grounded mainly on consumer rights, asking the court to order the bank to offer the services I hired, under the conditions I had hired them, restoring the services that it was progressively discontinuing.

Picking battles

Ironically, because of COVID-19, I may have to attend conciliation sessions held through nonfree software. My lawyer was surprised that even that sort of online program would be objectionable for me, and invited me to attend along with him at his office. That's no way to get full justice, but... that's a fight we're going to have to have at a higher court. He's optimistic about the legal arguments, and though they're not quite founded on software freedom, we do mention freedom and dignity as constitutional rights that the bank's imposition violates.

Confirmed fine

On the week the lawsuit was filed, coincidentally, Procon published the appeal decision in the case against Sicredi, and I was contacted by its lawyers trying to find some way to reach an agreement and avoid the fine. I wrote and published a long open letter (in Portuguese) explaining, why I rejected that and any other piece of nonfree software over philosophical (defending my software freedom on principle), practical (defending my freedom to choose what computer and operating system to use) and security (the alleged need for obscurity denounces insecurity) concerns. I restated my wish for service delivered through a standards-compliant browser on any operating system, noting the possibility of removing the requirement for specific users, before or after authentication, and offering an alternative: getting documentation on the networked programming interfaces that their own apps rely on, for me to implement relevant features on Gnucash.

Coincidence?

A few days later, I was supposed to make a payment to my lawyer for his service in preparing the initial filing against Itaú. I went on to Santander's Internet banking web site, that had served me well while Itaú and Sicredi let me down, and I couldn't get in: it was demanding me to agree to a so-called "privacy policy" (in Portuguese) that, besides requiring JavaScript to be viewed and not allowing printing or saving as a whole, contains abusive terms unrelated to the notion of privacy policy, or even to the terms of use bundled with it. That policy had allegedly been in effect for nearly a whole year, so it seemed an unbelievable coincidence that they'd start demanding agreement to it right then. The next day, the requirement was gone, only to return a couple of weeks later. Meanwhile, I could make the payment, but my lawyer joked he could already tell the next bank we were going to sue. Some of the abusive terms were the power to choose computers and operating systems the customer would have to use to get service, and the power to discontinue the service unilaterally for any reason, including changes to the technological platform. My lawyer's guess is probably right, but I've started by filing a complaint with the consumer protection agency and agreeing only to the terms identifiable as privacy policy. The fight goes on.


Copyright 2022 Alexandre Oliva

This is a DRAFT, so permission is NOT YET granted to make and distribute verbatim copies of this entire document worldwide without royalty, provided the copyright notice, the document's official URL, and this permission notice are preserved.

https://www.fsfla.org/blogs/lxo/draft/suitable-online-banking