Bonum Certa Men Certa

Suitable Online Bank(rupt)ing

Reprinted with permission from Alexandre Oliva (FSFLA and FSF)

For the past couple of decades, I've entered various fights with Brazilian banks over their threats to my software freedom in their Internet banking services. Back in 2002, the main threats were websites that required Internet Explorer, or the then-still-proprietary Java plugin, and there were plenty of alternatives without such abusive requirements. Nowadays, in the early 2020's, most banks require users to install security-theater malware and to use tracking devices, and those that make exceptions to the malware upon request are becoming very hard to find. Before running out of alternatives to these morally bankrupt practices, I've started legal action to defend my freedom using my consumer rights.



Java Trap



I was a happy customer of Banco do Brasil until around 2001, when it rolled out a Java applet for authentication. The Java VM only became free software years later, but even if the Java Trap had already been disarmed, the applet itself was a nonfree program I'd be required to run on my own computer, analogous to the JavaScript Trap that became a grave problem later on.



Both of these requirements were unacceptable to me, and I let the bank know in no uncertain terms. For some time, changing the browser-presented User-Agent identifier to pretend to be running some Java-incompatible system served as a workaround. When that was cut off and it became clear that there weren't going to be workarounds any more, I took my business to banks that did not impose such abusive requirements.



JavaScript virtual keyboards



Banespa and Real, both now part of Santander, at some point also started demanding a so-called "security" program on the customer's end, but both of them made exceptions upon request, so I didn't have to move on from them. Eventually, they also rolled out virtual keyboards for authentication in security theater, and at that, I blinked: without GNU LibreJS to warn me, I did not realize those were also nonfree programs running on my computer after being automatically installed by the browser. When I learned that this was the case, I had already accepted these features for too long, and I rationalized them as layout silliness that was borderline acceptable, and so I kept on using them. I'm embarrassed and sorry that I did; resisting back then might have made things easier for everyone else later on.



Hostile take-over



In 2008, my then-employer started paying salaries at Citibank. I gave it a try and was happy with how little JavaScript it used, so it became my favorite banking platform, and it served me well for some 10 years, until Itaú-Unibanco (henceforth just Itaú) bought its retail operations in Brazil and switched all customers to its own Internet banking service. That brought me two major problems: in order to perform banking transactions, they demanded a piece of malware they deemed "Guardian" (Diebold's Warsaw, really) to be installed on the desktop or laptop computer, and the bank's own One-Time Password (OTP) TRApp had to be installed on a portable tracking device (of the kind that usually can also make phone calls) for authentication purposes.



Workaround



Some colleagues mentioned that changing to FreeBSD the operating system name sent by the browser in the User-Agent identifier would disable the malware requirement, but authentication remained a challenge. It was no use to argue that my phone ran GNU/Linux (my smartphone has been a Neo Freerunner for way over a decade) and they only had nonfree apps, for other also-nonfree mobile operating systems; or that there were other OTP apps I could run, on it or elsewhere, that would serve the same purpose.



Backup plan



Santander still worked for me, but it's very uncomfortable to be tied to a single option, so I contacted a banking cooperative/credit union, Sicredi, explained that I was looking for a bank that would offer me Internet banking services without requiring me to install anything but a standards-compliant browser on any operating system of my choice, that this was the reason I had left Banco do Brasil before, and was leaving Itaú now, that I was very serious about not running nonfree software, to the point of maintaining my own Free version of Brazilian income tax software to avoid the government-provided nonfree version. They told me that they could indeed meet my requirements, and they'd be happy to take my business.



Plot twist



So I signed up with Sicredi, went to a branch of Itaú to transfer the balance, and then, only then, did Itaú think of offering me a hardware OTP token for authentication, just like the one Sicredi had offered me. I figured I could give Itaú a try, so I didn't trasfer the whole balance. I'm glad I didn't! I went back to the Sicredi branch, confirmed the transfer that activated the account, got the hardware token, moved a significant chunk of the balance to a long-term investment fund, and went home.



When I got there, I tried to access the Internet banking service and check everything out, just to find out that it demanded the installation of the same piece of "security" malware as Itaú. Unlike Itaú, I couldn't even see my balance without it, whereas Itaú worked beautifully once I had its hardware token and the User-Agent workaround.



For some time, I had FreeBSD as the operating system name in User-Agent to authenticate with Itaú, but eventually I tried GNU instead of the misnomer Linux, and that worked too.

Once again, GNU helped me keep my freedom!



Seeking consumer protection



Still, I felt unsafe, because the User-Agent workaround was not documented nor recommended. The bank even denied its existence. It also unilaterally decided to stop sending me monthly statements by mail, which was part of the service I'd hired and was quite important to me, since the viable alternative, namely getting the file with the Internet banking service, could be cut off at any time. So I filed complaints about both Itaú and Sicredi with the local consumer protection agency, Procon.



Not that I expected much to come out of it: in my experience, Procon could only fine violators, that would be taken as cost of business, and even protect the violators from any further complaints from me over the same issue.



In this case, I wasn't even sure Procon would recognize my rights; its agents were not familiar with the notion of software freedom, but once I explained that in terms that made sense to consumer protection agents, they seemed quite excited about it. Procon eventually found in my favor in both cases, fined both banks, and confirmed the fines on appeal.



Surprise!



I expected the banks wouldn't change their behavior over it, though. It turned out I was surprisigly wrong. Not long after the initial Procon decision, Itaú started changing its Internet banking service. It wasn't for the better, though.



Progressively, over several years, some kinds of transactions would no longer accept authentication with the secure and entirely offline hardware token, and instead insisted on a tracking device-based OTP instead. After some time, they'd start demanding the Guardian malware, or their own brand new app, now available for a small selection of operating systems, including GNU/Linux/x86_64, but nonfree software nevertheless.



As I write this, relevant features I've noticed as blocked are payments of bills that aren't scheduled automatically, payments of some taxes, outgoing wire transfers, international wire transfers, credit card statements, activating new cards, and even updating contact and investor information and obtaining the consolidated information needed to fill in income tax returns, all in name of "security". At least the tax information is made available on another website maintained by the bank, that clearly doesn't care so much about "security".



That wasn't all at once. One day a feature worked, next day it didn't any more. Then another. And another... For some time, even redeeming from investment funds (to avoid a negative balance over automatically scheduled payments) stopped accepting confirmation with the hardware token, but at least on this one they seem to have retreated. Not on the others.



Not fine



Meanwhile, Sicredi accused me of dishonesty: they wouldn't believe I hadn't come across the very clear information about their software requirements, shown on a web page that's not even reachable without JavaScript, reason why I ended up contacting the branch to explain my requirements. That absurd accusation earned them a reprimand in the appeal decision, but not a higher fine.



Lawsuit



As Itaú tightened the knot, I talked to my lawyer about defending my rights with a lawsuit. He wasn't enthusiastic about it at first, apparently expecting the bank to take back on the impositions, not realizing back then how they were show-stoppers for me, while most people wouldn't even notice or realize that there was an injustice there. We couldn't count on a public uproar for the bank to retreat.



We had to demand the bank to live up to the obligations it acquired along with the Citibank retail business: it couldn't unilaterally change the terms, quality and requirements of the service I had so carefully selected because I wouldn't use a service that demanded nonfree software. So, in the middle of 2022, he filed a lawsuit against Itaú on my behalf, grounded mainly on consumer rights, asking the court to order the bank to offer the services I had hired, under the conditions I had hired them, restoring the services that it was progressively discontinuing.



Picking battles



Ironically, because of COVID-19, I had to attend a conciliation session held through nonfree software. My lawyer was surprised that even that sort of online program would be objectionable for me, and invited me to attend along with him at his office. That's no way to get full justice, but... that's another fight, that we're going to have to have at a higher court. He's optimistic about the legal arguments in the ongoing lawsuit, and though they're not quite founded on software freedom, we do mention freedom and dignity as constitutional rights that the bank's imposition violates.



2023-02 update



In February 2023, a sentence landed ordering Itaú to abide by our request, restoring services without demanding the installation of additional programs, with a small daily fine in case of noncompliance. It's a full victory in the first round, but my lawyer tells me theirs are likely to file an appeal, so we can celebrate some, but this is not over yet.



In other news, the month before Itaú emailed me about its renewed plans to phase out the hardware token: no new ones would be issued, though the ones in use would be usable as long as their batteries lasted. The lawsuit will hopefully enable us to come to an agreement so that I can start using oathtool or FreeOTP+.



2023-04 update



Surprisingly, there was no appeal. The sentence is final. It remains to be determined whether it will be obeyed.



Procon fines Sicredi



Back on the week the lawsuit had been filed, coincidentally, Procon published the appeal decision in the case against Sicredi, and I was contacted by its lawyers trying to find some way to reach an agreement and avoid the fine. I wrote and published a long open letter (in Portuguese) explaining why I rejected that and any other piece of nonfree software over philosophical (defending my software freedom on principle), practical (defending my freedom to choose what computer and operating system to use) and security (the alleged need for obscurity suggests insecurity) concerns.



I restated my wish for service delivered through a standards-compliant browser on any operating system, noting the possibility of removing the requirement for specific users, before or after authentication, and offering an alternative: getting documentation on the networked programming interfaces that their own apps rely on, for me to implement relevant features on Gnucash.



Coincidence?



A few days later, I was supposed to make a payment to my lawyer for his service in preparing the initial filing against Itaú. I went on to Santander's Internet banking website, that had served me well while Itaú and Sicredi let me down, and I couldn't get in: it was demanding me to agree to a so-called "privacy policy" (in Portuguese) that, besides requiring JavaScript to be viewed and not allowing printing or saving as a whole, contains abusive terms unrelated to the notion of privacy policy, or even to the terms of use bundled with it.



That policy had allegedly been in effect for nearly a whole year, so it seemed an unbelievable coincidence that they'd start demanding agreement to it right then. The next day, the requirement was gone, only to return a couple of weeks later. Meanwhile, I could make the payment, but my lawyer joked he could already tell the next bank we were going to sue.



Some of the abusive terms were the power to choose computers and operating systems the customer would have to use to get service, and the power to discontinue the service unilaterally for any reason, including changes to the technological platform. My lawyer's guess is probably right, but I've started by filing a complaint with the consumer protection agency and agreeing only to the terms identifiable as privacy policy. The bank did not dispute my understanding in its response, so the case got closed with the understanding that they agreed, but the fight goes on.






Copyright 2022-2023 Alexandre Oliva
Copyright 2023 FSFLA



Permission is granted to make and distribute verbatim copies of this entire document worldwide without royalty, provided the copyright notice, the document's official URL, and this permission notice are preserved.



https://www.fsfla.org/texto/bancarrota

Recent Techrights' Posts

IBM - Like Microsoft - is a Dying Company and Perishing Brand ("AI" is a Lie and Decoy)
"Arvind is cutting costs (layoffs, PIPs, forced RTO, etc...) like crazy. IBM offices are closing all over the place in the US."
"Code of Conduct" Invoked When Fedora and Red Hat Users (Since the 1990s) Don't Want to Use Wayland
That is IBM "DEI"
Microsoft Layoffs Next Week: About 10% to be Laid Off in Microsoft Gaming (2 Days Before Independence Day), About 20%+ of XBox Staff
Microsoft is rapidly collapsing
Why Techrights Cannot be Vilified (and Instead It Gets SLAPPed Repeatedly by Microsoft People)
Attack dogs are all "bark"; because they have no actual "bite"
Links 25/06/2025: Elon Musk’s Lawyers Caught Lying, WhatsApp Faces More Bans
Links for the day
Wayland Pushers Lose the Argument, Use LLM Slop and Chatbots to Make Up Arguments for IBM
Another new low and low blow
 
No, I Don't Want Your Latest XYZ, ThankYouVeryMuch...
Wayland is finally ready?
LWN is a Voice of GAFAM (Through Linux Foundation, Their Front Group or Occupying Force Inside Linux)
remember who the chief editor works for and who sponsors many of the articles
China Keeps Breaking Into Microsoft Systems, So for True Sovereignty, Nations Wary of China Need to Dump Microsoft
Looking at data from Taiwan (not China) and Maharlika (not Philippines, the king is dead and Spain is out), there are encouraging signs
Linux Journal Wants Ads on Its LLM Slop or Ads as 'Articles'
it's basically another BetaNews
How to Kill a Monopoly
in 10 simple steps
Mozambique: GNU/Linux Rose From 0.5% Last Year to 3% This Year
what (or how) statCounter is measuring
Next Month Marks 11 Years Since Our In-Depth EPO Coverage
The same is happening to Microsoft right now
Free Software Foundation (FSF) Campaigns Against Vista 11, Adds 4 New Associate Members Per Day
If more people understood the underlying principles, more of them would flock to Free software overnight
Canonical Seems to Have Culled Some Sources of LLM Slop From Planet Ubuntu
It's like "junk food", it's not information
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Wednesday, June 25, 2025
IRC logs for Wednesday, June 25, 2025
On "Weak Claims"
For the record, they sent me unjustified threats, repeatedly tried injunctions (censorship)
EPO Squeezing the Staff - Part I - Burnout and Family Health
more exceptional circumstances
This Month's Mail (MX) Server Survey Shows Microsoft at 0.20% "Market Share"
We need to remind people that desktops and laptops decline (in proportion to other client devices) and at the "back end" GNU/Linux is already dominant and has long been dominant
Links 26/06/2025: Filespooler Guide and Learning to Code
Links for the day
The 'Case' of the Serial Strangler From Microsoft is a Lot of Copypasta (Maybe Also LLM Slop) From the Matthew Garrett 'Case'
5RB deserves to know and the matter shall be properly reported in due course (when the time is right)
Austrian GNU/Linux Usage Up to About 5% as More of Europe Abandons Microsoft
Since inauguration day the Austrian people have adopted more and more of GNU/Linux
Why the "Wayland People" and "Rust People" Will Lose Hearts and Minds (Same Reasons)
Wayland pushers are fast becoming like "Rust People"
5,600 Pages/Articles Per Year
So far this year we've kept all the promises
BetaNews Beginning to Show What Its True Goals Are
The 'new' BetaNews won't be about journalism. It's trying to sell things.
Microsoft Has Lost "The War"
We'll soon see the 9th or 10th wave of Microsoft layoffs in 2025 alone
Slopwatch: A Wreck and a Dreck, "Flooding the Zone With Dreck" or Flooding the Web With Junk
"Slopwatch" continues today because we have many new examples
Links 25/06/2025: Thwarting More Software Patents, Overlap Grows Between EPO Corruption and Illegal Kangaroo Patent Courts in EU
Links for the day
Brian Fagioli Created Another Slopfarm Targeting "Linux" After BetaNews Became a Slopfarm of Phantom Accounts and Pseudonyms
Mr. Fagioli even had slop about a dead Torvalds (hypothetical) as clickbait
Wayland is Perfect, Nobody Can Escape Its Perfection! (Or Not)
Do not form on opinion on Wayland based on politics
What is "MATA"?
Think of it as GAFAM or "Meta"
Moral Duty for "Linux Sites" to Speak Out Against LLM Slop
My wife has long complained about "Linux bloggers" keeping quiet and thus passive about a growing problem: slop
In Recent Hours Google News Promoted at Least 3 Slopfarms That Relayed Linux Foundation Propaganda Made by Bots or LLM "Bullshit Generators" (as Dr. Stallman Dubbed Them)
Google is circling down the drain and Google News too is hopeless
Linux Journal is a Slopfarm, It's Experimenting With LLM 'Authors'
Is Slashdot next?
WebProNews is a Slopfarm
Please avoid linking to WebProNews
Microsoft LinkedIn is Dying and Many More Layoffs Are on the Way
LinkedIn is just a failed acquisition of Microsoft. It causes losses and debt.
Gemini Links 25/06/2025: Combinatorial Music and Self Hosting
Links for the day
Richard Stallman Coming Back to Europe This Autumn to Give More Talks
His last talk in Europe attracted about 400-450 people
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Tuesday, June 24, 2025
IRC logs for Tuesday, June 24, 2025
Social Control Media, Technology & Catholicism: Synod on Synodality review and feedback
Reprinted with permission from Daniel Pocock
How Many More Women Will Managers at Microsoft Strangle and Tell to Kill Themselves (or Try to Kill)?
The world needs to know what happened
The New BetaNews: 7 New 'Articles', All of Them LLM Slop
BetaNews is basically defunct. Nobody writes there anymore.
Another "Told You So!": XBox Mass Layoffs at Microsoft (Many Recent Reports Were Chaff and Spin), Many Other Divisions Affected
With mass layoffs at Microsoft the world would be much better
statCounter Estimates Only 1 in 300 Iranians Would Use Microsoft for Search
Iranians don't quite trust Microsoft
Gemini Links 24/06/2025: ftpd on FreeBSD and Online Small Web Magazine
Links for the day
Google News Does Great Harm by Promoting Slopfarms as Legitimate News Sites
Slopfarms are sites which are 100% LLM slop
Links 24/06/2025: Trouble at "Open" "AI" and ‘Siarhei is Free’
Links for the day
Gemini Links 24/06/2025: Stimulants and Subscription Costs for DRM
Links for the day
When the Microsoft Aggressors Rely on Several Law Firms ('Attack Dogs', 'Guns for Hire'), Not Just One, Lawyering Up Against Techrights (Acting on Behalf of Americans Against UK Publishers)
From serving customers at some restaurant he has moved on to bullying people with demand letters
Links 24/06/2025: OpenAI [sic] May Soon Die (Too Much Debt) and Social Control Media Accused of Being Misinformation/Disinformation/Propaganda Amplifier
Links for the day
Nirbheek Chauhan in Planet GNOME Explains Why Wayland Pushers Are Losing
"A strange game. The only winning move is not to play."
Polygamy, from Catholic Synod on Synodality to Social Control Media & Debian CyberPolygamy
Reprinted with permission from Daniel Pocock
Only a Third of or 1 in 3 Web-Connected Devices is a Desktop or Laptop, According to statCounter
we can expect Android to widen its lead
The Days Are Getting Shorter, the First Half of 2025 is Almost Over
We're gratified to see significant increase in traffic and also positive feedback on the work we do
Turning GNU/Linux Into a Political Football
X (not the site) is Free software
X Server Still Works for Many People
A lot of people will grow suspicious of Wayland boosters/pushers if they persist and insist on using these tactics
Exactly a Week Ago "BetaNews Staff" Said "Betanews Is Growing Alongside You". Since Then Every Article (All by "Camila Nogueira") Has Been LLM Slop.
BetaNews is basically a slopfarm
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Monday, June 23, 2025
IRC logs for Monday, June 23, 2025
The "Tarzan Effect" in Compilers and Software
What happens when you forcibly make things 'work', either by hacks or by disregarding warnings (like those that compilers tend to issue)?
Gemini Links 23/06/2025: Mass Tourism, Hair Love, and Google Gemini as a Googlebomb
Links for the day