Bonum Certa Men Certa

Suitable Online Bank(rupt)ing

Reprinted with permission from Alexandre Oliva (FSFLA and FSF)

For the past couple of decades, I've entered various fights with Brazilian banks over their threats to my software freedom in their Internet banking services. Back in 2002, the main threats were websites that required Internet Explorer, or the then-still-proprietary Java plugin, and there were plenty of alternatives without such abusive requirements. Nowadays, in the early 2020's, most banks require users to install security-theater malware and to use tracking devices, and those that make exceptions to the malware upon request are becoming very hard to find. Before running out of alternatives to these morally bankrupt practices, I've started legal action to defend my freedom using my consumer rights.



Java Trap



I was a happy customer of Banco do Brasil until around 2001, when it rolled out a Java applet for authentication. The Java VM only became free software years later, but even if the Java Trap had already been disarmed, the applet itself was a nonfree program I'd be required to run on my own computer, analogous to the JavaScript Trap that became a grave problem later on.



Both of these requirements were unacceptable to me, and I let the bank know in no uncertain terms. For some time, changing the browser-presented User-Agent identifier to pretend to be running some Java-incompatible system served as a workaround. When that was cut off and it became clear that there weren't going to be workarounds any more, I took my business to banks that did not impose such abusive requirements.



JavaScript virtual keyboards



Banespa and Real, both now part of Santander, at some point also started demanding a so-called "security" program on the customer's end, but both of them made exceptions upon request, so I didn't have to move on from them. Eventually, they also rolled out virtual keyboards for authentication in security theater, and at that, I blinked: without GNU LibreJS to warn me, I did not realize those were also nonfree programs running on my computer after being automatically installed by the browser. When I learned that this was the case, I had already accepted these features for too long, and I rationalized them as layout silliness that was borderline acceptable, and so I kept on using them. I'm embarrassed and sorry that I did; resisting back then might have made things easier for everyone else later on.



Hostile take-over



In 2008, my then-employer started paying salaries at Citibank. I gave it a try and was happy with how little JavaScript it used, so it became my favorite banking platform, and it served me well for some 10 years, until Itaú-Unibanco (henceforth just Itaú) bought its retail operations in Brazil and switched all customers to its own Internet banking service. That brought me two major problems: in order to perform banking transactions, they demanded a piece of malware they deemed "Guardian" (Diebold's Warsaw, really) to be installed on the desktop or laptop computer, and the bank's own One-Time Password (OTP) TRApp had to be installed on a portable tracking device (of the kind that usually can also make phone calls) for authentication purposes.



Workaround



Some colleagues mentioned that changing to FreeBSD the operating system name sent by the browser in the User-Agent identifier would disable the malware requirement, but authentication remained a challenge. It was no use to argue that my phone ran GNU/Linux (my smartphone has been a Neo Freerunner for way over a decade) and they only had nonfree apps, for other also-nonfree mobile operating systems; or that there were other OTP apps I could run, on it or elsewhere, that would serve the same purpose.



Backup plan



Santander still worked for me, but it's very uncomfortable to be tied to a single option, so I contacted a banking cooperative/credit union, Sicredi, explained that I was looking for a bank that would offer me Internet banking services without requiring me to install anything but a standards-compliant browser on any operating system of my choice, that this was the reason I had left Banco do Brasil before, and was leaving Itaú now, that I was very serious about not running nonfree software, to the point of maintaining my own Free version of Brazilian income tax software to avoid the government-provided nonfree version. They told me that they could indeed meet my requirements, and they'd be happy to take my business.



Plot twist



So I signed up with Sicredi, went to a branch of Itaú to transfer the balance, and then, only then, did Itaú think of offering me a hardware OTP token for authentication, just like the one Sicredi had offered me. I figured I could give Itaú a try, so I didn't trasfer the whole balance. I'm glad I didn't! I went back to the Sicredi branch, confirmed the transfer that activated the account, got the hardware token, moved a significant chunk of the balance to a long-term investment fund, and went home.



When I got there, I tried to access the Internet banking service and check everything out, just to find out that it demanded the installation of the same piece of "security" malware as Itaú. Unlike Itaú, I couldn't even see my balance without it, whereas Itaú worked beautifully once I had its hardware token and the User-Agent workaround.



For some time, I had FreeBSD as the operating system name in User-Agent to authenticate with Itaú, but eventually I tried GNU instead of the misnomer Linux, and that worked too.

Once again, GNU helped me keep my freedom!



Seeking consumer protection



Still, I felt unsafe, because the User-Agent workaround was not documented nor recommended. The bank even denied its existence. It also unilaterally decided to stop sending me monthly statements by mail, which was part of the service I'd hired and was quite important to me, since the viable alternative, namely getting the file with the Internet banking service, could be cut off at any time. So I filed complaints about both Itaú and Sicredi with the local consumer protection agency, Procon.



Not that I expected much to come out of it: in my experience, Procon could only fine violators, that would be taken as cost of business, and even protect the violators from any further complaints from me over the same issue.



In this case, I wasn't even sure Procon would recognize my rights; its agents were not familiar with the notion of software freedom, but once I explained that in terms that made sense to consumer protection agents, they seemed quite excited about it. Procon eventually found in my favor in both cases, fined both banks, and confirmed the fines on appeal.



Surprise!



I expected the banks wouldn't change their behavior over it, though. It turned out I was surprisigly wrong. Not long after the initial Procon decision, Itaú started changing its Internet banking service. It wasn't for the better, though.



Progressively, over several years, some kinds of transactions would no longer accept authentication with the secure and entirely offline hardware token, and instead insisted on a tracking device-based OTP instead. After some time, they'd start demanding the Guardian malware, or their own brand new app, now available for a small selection of operating systems, including GNU/Linux/x86_64, but nonfree software nevertheless.



As I write this, relevant features I've noticed as blocked are payments of bills that aren't scheduled automatically, payments of some taxes, outgoing wire transfers, international wire transfers, credit card statements, activating new cards, and even updating contact and investor information and obtaining the consolidated information needed to fill in income tax returns, all in name of "security". At least the tax information is made available on another website maintained by the bank, that clearly doesn't care so much about "security".



That wasn't all at once. One day a feature worked, next day it didn't any more. Then another. And another... For some time, even redeeming from investment funds (to avoid a negative balance over automatically scheduled payments) stopped accepting confirmation with the hardware token, but at least on this one they seem to have retreated. Not on the others.



Not fine



Meanwhile, Sicredi accused me of dishonesty: they wouldn't believe I hadn't come across the very clear information about their software requirements, shown on a web page that's not even reachable without JavaScript, reason why I ended up contacting the branch to explain my requirements. That absurd accusation earned them a reprimand in the appeal decision, but not a higher fine.



Lawsuit



As Itaú tightened the knot, I talked to my lawyer about defending my rights with a lawsuit. He wasn't enthusiastic about it at first, apparently expecting the bank to take back on the impositions, not realizing back then how they were show-stoppers for me, while most people wouldn't even notice or realize that there was an injustice there. We couldn't count on a public uproar for the bank to retreat.



We had to demand the bank to live up to the obligations it acquired along with the Citibank retail business: it couldn't unilaterally change the terms, quality and requirements of the service I had so carefully selected because I wouldn't use a service that demanded nonfree software. So, in the middle of 2022, he filed a lawsuit against Itaú on my behalf, grounded mainly on consumer rights, asking the court to order the bank to offer the services I had hired, under the conditions I had hired them, restoring the services that it was progressively discontinuing.



Picking battles



Ironically, because of COVID-19, I had to attend a conciliation session held through nonfree software. My lawyer was surprised that even that sort of online program would be objectionable for me, and invited me to attend along with him at his office. That's no way to get full justice, but... that's another fight, that we're going to have to have at a higher court. He's optimistic about the legal arguments in the ongoing lawsuit, and though they're not quite founded on software freedom, we do mention freedom and dignity as constitutional rights that the bank's imposition violates.



2023-02 update



In February 2023, a sentence landed ordering Itaú to abide by our request, restoring services without demanding the installation of additional programs, with a small daily fine in case of noncompliance. It's a full victory in the first round, but my lawyer tells me theirs are likely to file an appeal, so we can celebrate some, but this is not over yet.



In other news, the month before Itaú emailed me about its renewed plans to phase out the hardware token: no new ones would be issued, though the ones in use would be usable as long as their batteries lasted. The lawsuit will hopefully enable us to come to an agreement so that I can start using oathtool or FreeOTP+.



2023-04 update



Surprisingly, there was no appeal. The sentence is final. It remains to be determined whether it will be obeyed.



Procon fines Sicredi



Back on the week the lawsuit had been filed, coincidentally, Procon published the appeal decision in the case against Sicredi, and I was contacted by its lawyers trying to find some way to reach an agreement and avoid the fine. I wrote and published a long open letter (in Portuguese) explaining why I rejected that and any other piece of nonfree software over philosophical (defending my software freedom on principle), practical (defending my freedom to choose what computer and operating system to use) and security (the alleged need for obscurity suggests insecurity) concerns.



I restated my wish for service delivered through a standards-compliant browser on any operating system, noting the possibility of removing the requirement for specific users, before or after authentication, and offering an alternative: getting documentation on the networked programming interfaces that their own apps rely on, for me to implement relevant features on Gnucash.



Coincidence?



A few days later, I was supposed to make a payment to my lawyer for his service in preparing the initial filing against Itaú. I went on to Santander's Internet banking website, that had served me well while Itaú and Sicredi let me down, and I couldn't get in: it was demanding me to agree to a so-called "privacy policy" (in Portuguese) that, besides requiring JavaScript to be viewed and not allowing printing or saving as a whole, contains abusive terms unrelated to the notion of privacy policy, or even to the terms of use bundled with it.



That policy had allegedly been in effect for nearly a whole year, so it seemed an unbelievable coincidence that they'd start demanding agreement to it right then. The next day, the requirement was gone, only to return a couple of weeks later. Meanwhile, I could make the payment, but my lawyer joked he could already tell the next bank we were going to sue.



Some of the abusive terms were the power to choose computers and operating systems the customer would have to use to get service, and the power to discontinue the service unilaterally for any reason, including changes to the technological platform. My lawyer's guess is probably right, but I've started by filing a complaint with the consumer protection agency and agreeing only to the terms identifiable as privacy policy. The bank did not dispute my understanding in its response, so the case got closed with the understanding that they agreed, but the fight goes on.






Copyright 2022-2023 Alexandre Oliva
Copyright 2023 FSFLA



Permission is granted to make and distribute verbatim copies of this entire document worldwide without royalty, provided the copyright notice, the document's official URL, and this permission notice are preserved.



https://www.fsfla.org/texto/bancarrota

Recent Techrights' Posts

Nobody is "Replaced by AI", It's Just a Smokescreen for Jobs Being Eliminated by Lack of Money (Too Much Debt) and Offshoring
It's also why many make the jokes about the "I" in "AI" being "India" or "Indians"
The US Government is Now in the Business (Literally!) of Saving Microsoft and Intel
This means that President TACO/Cheeto now has greater financial incentive to also prop up Microsoft and Windows
 
The UEFI Restricted Boot 'Time Bomb' is About to Go Off in a Few Weeks
Garrett was the first person to face sanctions (like muting) in our IRC channels because of his abuse; worse yet, he hijacked other people's names and then locked them out of their own accounts
Should Currys PCWorld Start Voiding Warranties of Users of Vista 11?
If a person's laptop has a mechanical issue, should this person replace GNU/Linux with Vista 11 for the repair shop? Only to damage the SSD?
Newer is Not Always Better, and It's Possible That 'Peak' is the Past
People creating their own platforms means progress, whereas centralisation (like moving from blogs to social control media) is the opposite of progress
LLM Hype is Sowing Destruction: It Contributes to DDoS Attacks and Makes the Web Less Accessible (JavaScript "R U Human?" Tests)
If it was googlebot, it would be possible to argue that you'd at least then get referral traffic from Google Search. With LLMs, all you get is plagiarised.
Links 24/08/2025: New York Times Talks About Hey Hi (AI) Bubble
Links for the day
Gemini Links 24/08/2025: Upgrading Debian and Mobile-indifferent Design
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Saturday, August 23, 2025
IRC logs for Saturday, August 23, 2025
Richard Stallman's Talk in Buenos Aires Scheduled for 16 November 2025 (a Month After FSF Turns 40)
they've just updated their site and Stallman is listed first
Men Who Abuse Women Should Never Spend Over 3 Years of the UK High Court's Time
This demonstrates that we need a reform in the UK
Slopwatch: Linux Journal, WebProNews, LinuxSecurity, and the Serial Slopper
The bubble needs to burst, but even then the Web will be left with residues of these slopfarms
Links 23/08/2025: Science, War, and Important Win for the British Media Against SLAPPers Who Abuse Women
Links for the day
Gemini Links 23/08/2025: BaseLibre Numerical System and Back to Oldschool
Links for the day
"Deserved Victory" for "Women That Suffered"
"GNM defended its reporting as being both true and in the public interest and in a judgment on Friday"
Links 23/08/2025: onmicrosoft.com as Spam Cannon, The Cheeto-Intel Deal Is Official
Links for the day
Wired Complained About LLM Slop Only Days Before It Got Caught Doing That Itself
Never throw stones in a glass house
IBM "Value" Down 14.16% in a Month, Red Hat Layoffs Allegedly Discussed 12 Days Ago
"IBM is a dinosaur. Dinosaurs get extinct when the don't keep up."
We're Seeing More Countries Where Windows Isn't Even in Second Place Anymore (Third or Worse)
In a way, Microsoft can barely even hold onto second place anymore
Microsoft Workers on Canonical's Payroll
If you want something that's sort of like Ubuntu but is not controlled by Canonical, then look into Linux Mint, Debian, or LMDE
GNU/Linux Climbs to 4% in Sierra Leone
Sierra Leone isn't a very rich country (to say the least), but it's better off than some of its neighbours
The SLAPPS Run Out of Oxygen Because They're Abuse of Process
At the end of the day we plan to publish over 1,000 articles explaining what happened
The Register MS Gets Paid by the Employer of the Previous Editor in Chief to Promote the "AI" Ponzi Scheme, Which Does Considerable Damage to the Web and to Online Journalists
The Register MS can 'badmouth' slop all it wants; it gets paid to inflate this bubble. It's actively participating in it.
Soon It'll be Autumn, Time to Repair Things
Where they don't charge an arm and a leg
Doing Our Best to Cover Software Patents When the Mainstream Media Does Not
Even the FSF has its limits
Gemini Links 23/08/2025: August Questions and Network Solutions
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Friday, August 22, 2025
IRC logs for Friday, August 22, 2025
Microsoft Has Issues in Guyana
It's not just Guyana
About 25% of the "Linux" News/Results in Google News Today Are LLM Slop, Almost 20% From the Same Rogue Operators of Slopfarms
Google, which tries to market itself as an LLM giant, apparently fails to understand what's wrong with it
Harassing People on Holiday
There are "no-go areas"; but that assumes all laws firms have ethical standards
The Great, Undeniable Value of Paper Trail, Not Purely Digital Systems
Suppose you have nothing but bits on someone else's computer and "word of mouth"...
The Company Behind Ars Technica, Reddit and Wired Caught Publishing LLM Slop (It Also Admits It Now)
Condé Nast busted
Links 22/08/2025: Lagrange 1.18.8, Wired Magazine and Business Insider Caught Resorting to LLM Slop
Links for the day
This Saturday It's Gonna be 3.5 Years* Since Russia Invaded Ukraine. No Microsoft Protests Against Microsoft Having Provided Russia With Services.
Companies do not have consistent policies and enforcement of "corporate values" is somewhat of an egg salad
Slopwatch: Sites Gone Rogue, Google Promoting Lies, and DDoS Attacks by Plagiarism Giants
Charlatans and frauds engage in a war against artistic industries, mislabeling plagiarism as "AI"
Links 22/08/2025: Cisco Layoffs, LA Times Says "AI Hype is Fading Fast"
Links for the day
Gemini Links 22/08/2025: K for Kentucky and Caddy Versus LLM Slopbots
Links for the day
The "End Software Patents" Initiative of the FSF Explains "WHY [to] ABOLISH SOFTWARE PATENTS"
We hope to cover patent-related issues more and more as the big anniversary of the FSF approaches
Freenode Sniffing
The grown-ups left the building
The Only Thing Worse Than Misinformation is Misinformation Sold to Everyone as "Intelligence"
Misplaced trust is worse than none at all
The Register MS Now Openly Admits LLM Hype Does Damage, But It's Also Being Paid to Participate in the LLM Hype (With Paid 'Articles' and 'Webcasts' for Paying Advertisers)
The Register MS gets paid to do this
End of the Smartphone Era? No.
Maybe the media should focus on producing accurate, factual news
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Thursday, August 21, 2025
IRC logs for Thursday, August 21, 2025
Enshittification of Airports, Airlines, and Airplanes
If people are willing to tolerate standard declines and enshittification (nowadays sold as "pivot to AI" or "replaced by AI" or "AI layoffs") they will pay for it some other way
Latest Is Not Greatest: The Case of "Foldable" Tech
don't be shamed into abandoning old things just because the "fashion industry" of Apple and Samsung tells you to
Airlines and Their Tricks That Only Work in the 'Digital Age'
People sceptical of the direction technology has taken are not "Luddites"
Open Source Initiative (OSI), Which Became a Propaganda Front of Microsoft and "Hey Hi" (Hype, Misnomer), Wants You to Forget These Scandals
A lot of these issues won't be set aside until there's a resolution