Bonum Certa Men Certa

Suitable Online Bank(rupt)ing

Reprinted with permission from Alexandre Oliva (FSFLA and FSF)

For the past couple of decades, I've entered various fights with Brazilian banks over their threats to my software freedom in their Internet banking services. Back in 2002, the main threats were websites that required Internet Explorer, or the then-still-proprietary Java plugin, and there were plenty of alternatives without such abusive requirements. Nowadays, in the early 2020's, most banks require users to install security-theater malware and to use tracking devices, and those that make exceptions to the malware upon request are becoming very hard to find. Before running out of alternatives to these morally bankrupt practices, I've started legal action to defend my freedom using my consumer rights.



Java Trap



I was a happy customer of Banco do Brasil until around 2001, when it rolled out a Java applet for authentication. The Java VM only became free software years later, but even if the Java Trap had already been disarmed, the applet itself was a nonfree program I'd be required to run on my own computer, analogous to the JavaScript Trap that became a grave problem later on.



Both of these requirements were unacceptable to me, and I let the bank know in no uncertain terms. For some time, changing the browser-presented User-Agent identifier to pretend to be running some Java-incompatible system served as a workaround. When that was cut off and it became clear that there weren't going to be workarounds any more, I took my business to banks that did not impose such abusive requirements.



JavaScript virtual keyboards



Banespa and Real, both now part of Santander, at some point also started demanding a so-called "security" program on the customer's end, but both of them made exceptions upon request, so I didn't have to move on from them. Eventually, they also rolled out virtual keyboards for authentication in security theater, and at that, I blinked: without GNU LibreJS to warn me, I did not realize those were also nonfree programs running on my computer after being automatically installed by the browser. When I learned that this was the case, I had already accepted these features for too long, and I rationalized them as layout silliness that was borderline acceptable, and so I kept on using them. I'm embarrassed and sorry that I did; resisting back then might have made things easier for everyone else later on.



Hostile take-over



In 2008, my then-employer started paying salaries at Citibank. I gave it a try and was happy with how little JavaScript it used, so it became my favorite banking platform, and it served me well for some 10 years, until Itaú-Unibanco (henceforth just Itaú) bought its retail operations in Brazil and switched all customers to its own Internet banking service. That brought me two major problems: in order to perform banking transactions, they demanded a piece of malware they deemed "Guardian" (Diebold's Warsaw, really) to be installed on the desktop or laptop computer, and the bank's own One-Time Password (OTP) TRApp had to be installed on a portable tracking device (of the kind that usually can also make phone calls) for authentication purposes.



Workaround



Some colleagues mentioned that changing to FreeBSD the operating system name sent by the browser in the User-Agent identifier would disable the malware requirement, but authentication remained a challenge. It was no use to argue that my phone ran GNU/Linux (my smartphone has been a Neo Freerunner for way over a decade) and they only had nonfree apps, for other also-nonfree mobile operating systems; or that there were other OTP apps I could run, on it or elsewhere, that would serve the same purpose.



Backup plan



Santander still worked for me, but it's very uncomfortable to be tied to a single option, so I contacted a banking cooperative/credit union, Sicredi, explained that I was looking for a bank that would offer me Internet banking services without requiring me to install anything but a standards-compliant browser on any operating system of my choice, that this was the reason I had left Banco do Brasil before, and was leaving Itaú now, that I was very serious about not running nonfree software, to the point of maintaining my own Free version of Brazilian income tax software to avoid the government-provided nonfree version. They told me that they could indeed meet my requirements, and they'd be happy to take my business.



Plot twist



So I signed up with Sicredi, went to a branch of Itaú to transfer the balance, and then, only then, did Itaú think of offering me a hardware OTP token for authentication, just like the one Sicredi had offered me. I figured I could give Itaú a try, so I didn't trasfer the whole balance. I'm glad I didn't! I went back to the Sicredi branch, confirmed the transfer that activated the account, got the hardware token, moved a significant chunk of the balance to a long-term investment fund, and went home.



When I got there, I tried to access the Internet banking service and check everything out, just to find out that it demanded the installation of the same piece of "security" malware as Itaú. Unlike Itaú, I couldn't even see my balance without it, whereas Itaú worked beautifully once I had its hardware token and the User-Agent workaround.



For some time, I had FreeBSD as the operating system name in User-Agent to authenticate with Itaú, but eventually I tried GNU instead of the misnomer Linux, and that worked too.

Once again, GNU helped me keep my freedom!



Seeking consumer protection



Still, I felt unsafe, because the User-Agent workaround was not documented nor recommended. The bank even denied its existence. It also unilaterally decided to stop sending me monthly statements by mail, which was part of the service I'd hired and was quite important to me, since the viable alternative, namely getting the file with the Internet banking service, could be cut off at any time. So I filed complaints about both Itaú and Sicredi with the local consumer protection agency, Procon.



Not that I expected much to come out of it: in my experience, Procon could only fine violators, that would be taken as cost of business, and even protect the violators from any further complaints from me over the same issue.



In this case, I wasn't even sure Procon would recognize my rights; its agents were not familiar with the notion of software freedom, but once I explained that in terms that made sense to consumer protection agents, they seemed quite excited about it. Procon eventually found in my favor in both cases, fined both banks, and confirmed the fines on appeal.



Surprise!



I expected the banks wouldn't change their behavior over it, though. It turned out I was surprisigly wrong. Not long after the initial Procon decision, Itaú started changing its Internet banking service. It wasn't for the better, though.



Progressively, over several years, some kinds of transactions would no longer accept authentication with the secure and entirely offline hardware token, and instead insisted on a tracking device-based OTP instead. After some time, they'd start demanding the Guardian malware, or their own brand new app, now available for a small selection of operating systems, including GNU/Linux/x86_64, but nonfree software nevertheless.



As I write this, relevant features I've noticed as blocked are payments of bills that aren't scheduled automatically, payments of some taxes, outgoing wire transfers, international wire transfers, credit card statements, activating new cards, and even updating contact and investor information and obtaining the consolidated information needed to fill in income tax returns, all in name of "security". At least the tax information is made available on another website maintained by the bank, that clearly doesn't care so much about "security".



That wasn't all at once. One day a feature worked, next day it didn't any more. Then another. And another... For some time, even redeeming from investment funds (to avoid a negative balance over automatically scheduled payments) stopped accepting confirmation with the hardware token, but at least on this one they seem to have retreated. Not on the others.



Not fine



Meanwhile, Sicredi accused me of dishonesty: they wouldn't believe I hadn't come across the very clear information about their software requirements, shown on a web page that's not even reachable without JavaScript, reason why I ended up contacting the branch to explain my requirements. That absurd accusation earned them a reprimand in the appeal decision, but not a higher fine.



Lawsuit



As Itaú tightened the knot, I talked to my lawyer about defending my rights with a lawsuit. He wasn't enthusiastic about it at first, apparently expecting the bank to take back on the impositions, not realizing back then how they were show-stoppers for me, while most people wouldn't even notice or realize that there was an injustice there. We couldn't count on a public uproar for the bank to retreat.



We had to demand the bank to live up to the obligations it acquired along with the Citibank retail business: it couldn't unilaterally change the terms, quality and requirements of the service I had so carefully selected because I wouldn't use a service that demanded nonfree software. So, in the middle of 2022, he filed a lawsuit against Itaú on my behalf, grounded mainly on consumer rights, asking the court to order the bank to offer the services I had hired, under the conditions I had hired them, restoring the services that it was progressively discontinuing.



Picking battles



Ironically, because of COVID-19, I had to attend a conciliation session held through nonfree software. My lawyer was surprised that even that sort of online program would be objectionable for me, and invited me to attend along with him at his office. That's no way to get full justice, but... that's another fight, that we're going to have to have at a higher court. He's optimistic about the legal arguments in the ongoing lawsuit, and though they're not quite founded on software freedom, we do mention freedom and dignity as constitutional rights that the bank's imposition violates.



2023-02 update



In February 2023, a sentence landed ordering Itaú to abide by our request, restoring services without demanding the installation of additional programs, with a small daily fine in case of noncompliance. It's a full victory in the first round, but my lawyer tells me theirs are likely to file an appeal, so we can celebrate some, but this is not over yet.



In other news, the month before Itaú emailed me about its renewed plans to phase out the hardware token: no new ones would be issued, though the ones in use would be usable as long as their batteries lasted. The lawsuit will hopefully enable us to come to an agreement so that I can start using oathtool or FreeOTP+.



2023-04 update



Surprisingly, there was no appeal. The sentence is final. It remains to be determined whether it will be obeyed.



Procon fines Sicredi



Back on the week the lawsuit had been filed, coincidentally, Procon published the appeal decision in the case against Sicredi, and I was contacted by its lawyers trying to find some way to reach an agreement and avoid the fine. I wrote and published a long open letter (in Portuguese) explaining why I rejected that and any other piece of nonfree software over philosophical (defending my software freedom on principle), practical (defending my freedom to choose what computer and operating system to use) and security (the alleged need for obscurity suggests insecurity) concerns.



I restated my wish for service delivered through a standards-compliant browser on any operating system, noting the possibility of removing the requirement for specific users, before or after authentication, and offering an alternative: getting documentation on the networked programming interfaces that their own apps rely on, for me to implement relevant features on Gnucash.



Coincidence?



A few days later, I was supposed to make a payment to my lawyer for his service in preparing the initial filing against Itaú. I went on to Santander's Internet banking website, that had served me well while Itaú and Sicredi let me down, and I couldn't get in: it was demanding me to agree to a so-called "privacy policy" (in Portuguese) that, besides requiring JavaScript to be viewed and not allowing printing or saving as a whole, contains abusive terms unrelated to the notion of privacy policy, or even to the terms of use bundled with it.



That policy had allegedly been in effect for nearly a whole year, so it seemed an unbelievable coincidence that they'd start demanding agreement to it right then. The next day, the requirement was gone, only to return a couple of weeks later. Meanwhile, I could make the payment, but my lawyer joked he could already tell the next bank we were going to sue.



Some of the abusive terms were the power to choose computers and operating systems the customer would have to use to get service, and the power to discontinue the service unilaterally for any reason, including changes to the technological platform. My lawyer's guess is probably right, but I've started by filing a complaint with the consumer protection agency and agreeing only to the terms identifiable as privacy policy. The bank did not dispute my understanding in its response, so the case got closed with the understanding that they agreed, but the fight goes on.






Copyright 2022-2023 Alexandre Oliva
Copyright 2023 FSFLA



Permission is granted to make and distribute verbatim copies of this entire document worldwide without royalty, provided the copyright notice, the document's official URL, and this permission notice are preserved.



https://www.fsfla.org/texto/bancarrota

Recent Techrights' Posts

[Video] Time to Acknowledge Debian Has a Real Problem and This Problem Needs to be Solved
it would make sense to try to resolve conflicts and issues, not exacerbate these
Daniel Pocock elected on ANZAC Day and anniversary of Easter Rising (FSFE Fellowship)
Reprinted with permission from Daniel Pocock
Ulrike Uhlig & Debian, the $200,000 woman who quit
Reprinted with permission from disguised.work
Girlfriends, Sex, Prostitution & Debian at DebConf22, Prizren, Kosovo
Reprinted with permission from disguised.work
 
[Video] Debian's Newfound Love of Censorship Has Become a Threat to the Entire Internet
SPI/Debian might end up with rotten tomatoes in the face
Joerg (Ganneff) Jaspert, Dalbergschule Fulda & Debian Death threats
Reprinted with permission from disguised.work
Amber Heard, Junior Female Developers & Debian Embezzlement
Reprinted with permission from disguised.work
[Video] IBM's Poor Results Reinforce the Idea of Mass Layoffs on the Way (Just Like at Microsoft)
it seems likely Red Hat layoffs are in the making
IRC Proceedings: Wednesday, April 24, 2024
IRC logs for Wednesday, April 24, 2024
Over at Tux Machines...
GNU/Linux news for the past day
Links 24/04/2024: Layoffs and Shutdowns at Microsoft, Apple Sales in China Have Collapsed
Links for the day
Sexism processing travel reimbursement
Reprinted with permission from disguised.work
Microsoft is Shutting Down Offices and Studios (Microsoft Layoffs Every Month This Year, Media Barely Mentions These)
Microsoft shutting down more offices (there have been layoffs every month this year)
Balkan women & Debian sexism, WeBoob leaks
Reprinted with permission from disguised.work
Martina Ferrari & Debian, DebConf room list: who sleeps with who?
Reprinted with permission from Daniel Pocock
Links 24/04/2024: Advances in TikTok Ban, Microsoft Lacks Security Incentives (It Profits From Breaches)
Links for the day
Gemini Links 24/04/2024: People Returning to Gemlogs, Stateless Workstations
Links for the day
Meike Reichle & Debian Dating
Reprinted with permission from disguised.work
Europe Won't be Safe From Russia Until the Last Windows PC is Turned Off (or Switched to BSDs and GNU/Linux)
Lives are at stake
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Tuesday, April 23, 2024
IRC logs for Tuesday, April 23, 2024
[Meme] EPO: Breaking the Law as a Business Model
Total disregard for the EPO to sell more monopolies in Europe (to companies that are seldom European and in need of monopoly)
The EPO's Central Staff Committee (CSC) on New Ways of Working (NWoW) and “Bringing Teams Together” (BTT)
The latest publication from the Central Staff Committee (CSC)
Volunteers wanted: Unknown Suspects team
Reprinted with permission from Daniel Pocock
Debian trademark: where does the value come from?
Reprinted with permission from Daniel Pocock
Detecting suspicious transactions in the Wikimedia grants process
Reprinted with permission from Daniel Pocock
Links 23/04/2024: US Doubles Down on Patent Obviousness, North Korea Practices Nuclear Conflict
Links for the day
Stardust Nightclub Tragedy, Unlawful killing, Censorship & Debian Scapegoating
Reprinted with permission from Daniel Pocock
Gunnar Wolf & Debian Modern Slavery punishments
Reprinted with permission from Daniel Pocock
On DebConf and Debian 'Bedroom Nepotism' (Connected to Canonical, Red Hat, and Google)
Why the public must know suppressed facts (which women themselves are voicing concerns about; some men muzzle them to save face)
Several Years After Vista 11 Came Out Few People in Africa Use It, Its Relative Share Declines (People Delete It and Move to BSD/GNU/Linux?)
These trends are worth discussing
Canonical, Ubuntu & Debian DebConf19 Diversity Girls email
Reprinted with permission from disguised.work
Links 23/04/2024: Escalations Around Poland, Microsoft Shares Dumped
Links for the day
Gemini Links 23/04/2024: Offline PSP Media Player and OpenBSD on ThinkPad
Links for the day
Amaya Rodrigo Sastre, Holger Levsen & Debian DebConf6 fight
Reprinted with permission from disguised.work
DebConf8: who slept with who? Rooming list leaked
Reprinted with permission from disguised.work
Bruce Perens & Debian: swiping the Open Source trademark
Reprinted with permission from disguised.work
Ean Schuessler & Debian SPI OSI trademark disputes
Reprinted with permission from disguised.work
Windows in Sudan: From 99.15% to 2.12%
With conflict in Sudan, plus the occasional escalation/s, buying a laptop with Vista 11 isn't a high priority
Anatomy of a Cancel Mob Campaign
how they go about
[Meme] The 'Cancel Culture' and Its 'Hit List'
organisers are being contacted by the 'cancel mob'
Richard Stallman's Next Public Talk is on Friday, 17:30 in Córdoba (Spain), FSF Cannot Mention It
Any attempt to marginalise founders isn't unprecedented as a strategy
IRC Proceedings: Monday, April 22, 2024
IRC logs for Monday, April 22, 2024
Over at Tux Machines...
GNU/Linux news for the past day
Don't trust me. Trust the voters.
Reprinted with permission from Daniel Pocock
Chris Lamb & Debian demanded Ubuntu censor my blog
Reprinted with permission from disguised.work
Ean Schuessler, Branden Robinson & Debian SPI accounting crisis
Reprinted with permission from disguised.work
William Lee Irwin III, Michael Schultheiss & Debian, Oracle, Russian kernel scandal
Reprinted with permission from disguised.work