Sunday, July 01, 2007

Making customers responsible for security

Maybe you saw this? New Zealand banks have adopted a new Code of Practice which, among other things, makes customers using online banking responsible for losses that occur if they did not take appropriate precautions to secure the computer they used to do their banking.

The New Zealand Bankers’ Association’s Code of Banking Practice [“CBP”] (4th ed. 2007) begins by advising online banking customers that “[y]our computer . . . is not part of our system therefore we cannot control and are not responsible for, its security.” CBP page 33. It follows this disavowal of institutional responsibility with reassurances that “we will inform you . . . how best to safeguard your online information and the steps you should take to protect yourself and your own computer from fraud, scams or unauthorized banking transactions.” CBP page 33.

As to the latter, the CBP says the financial institution will have available online “information and advice” on “the benefits of installing and maintaining protection, in respect of, for example” anti-virus software, firewalls, anti-spyware and operating system security updates. CBP page 33. It also says the financial institution will tell you where to find this information “[w]hen we first give you access to our Internet Banking services.” CBP page 33. And the CBP goes on in that vein for another page or two, mostly telling customers what it will and will not do (such as sending emails asking for personal or account data). CBP pages 33-34.

The next page or so explains that customers will not be held liable for “Unauthorised Transactions” under various circumstances, such as that you promptly inform the bank that your password or other access information has been compromised. CBP pages 36-37. Nothing unusual so far.

But then we get to the section entitled “Your Liability (Responsibility).” CBP page 35. This section advises online bank customers that “[y]ou may be liable if an Unauthorised Transaction occurs” under any of the following circumstances:
  • You have a PIN or a password “of a type you have been warned not to choose” (this goes back to earlier advice about not using family names, birthdates, pet names, etc.).
  • You either voluntarily disclosed your PIN or password to someone else or you wrote it down or recorded it electronically.
  • You used computer equipment “that does not have appropriate protective software and operating system installed and up to date.”
CBP page 37. There are several other circumstances that trigger customer liability for an unauthorized transaction, including leaving “your computer unattended when logged on to the Internet Banking service”. CBP page 37. (I wonder how they can tell when that happened?)

If any of the circumstances listed in this section of the CBP existed when your account was compromised, then your “maximum liability will be the lesser of” (i) the actual loss at the time you notified the bank of the problem or (ii) the amount that would have been available from withdrawal from your account “between the time any unauthorised access was made and the time you notified” your bank. CBP page 37. If you used or allowed your account to be used to access fraudulent or unauthorized transactions, then you “may be liable for some or all of the loss suffered by the party who has been defrauded, regardless of the balance available in your account.” CBP page 37.

And, finally, we come to the section of the CBP that has been creating quite a lot of discussion:
We reserve the right to request access to your computer . . . in order to verify that you have taken all reasonable steps to protect your computer . . . and safeguard your secure information in accordance with this Code. If you refuse our request for access then we may refuse your claim.

CBP page 37.

I want to comment briefly on two aspects of the CBP.

The first is the idea of imposing some responsibility on civilians – regular people – to secure their computers and be cautious when online. I have written about why I think this is a good idea elsewhere, and so won’t belabor the point here.

In the articles I have written on this topic, I explain in detail that the traditional system of crime control – law enforcement’s reacting to completed crimes by apprehending the criminals, who are then convicted and punished – neither is nor will be an adequate strategy for keeping online crime under control. As I explain elsewhere, the traditional model, which works adequately for real-world crime, is based on the premise that if you find and convict someone who committed a crime, you control the commission of future crimes by (i) taking that offender out of circulation for some period of time (or permanently, if the death penalty applies) and/or (ii) discouraging others from following her example, because they see that the costs of committing crimes outweigh the benefits.

Implicit in this strategy, however, are the premises that (i) you can find the perpetrators of enough crime to have the desired effect and (ii) having found them, you can get custody of them for prosecution, conviction and sentencing. As I demonstrate in detail elsewhere, criminals’ ability to use cyberspace frustrates law enforcement’s ability to apprehend cybercriminals because it becomes difficult, if not impossible, to identify them. And even if law enforcement can identify certain perpetrators, it may not be possible to extradite them for prosecution where the crimes (or some of them) were committed. These difficulties are further exacerbated by the tremendous resource costs entailed by online investigations, costs that must be added to the costs needed to pursue real-world criminals because, after all, people will continue to “harm” each other in various ways in the real, physical world.

Okay, so I think we – the “users” of cyberspace – need to learn that we must assume some level of responsibility for protecting ourselves while online. And elsewhere, I’ve outlined some ideas as to how we go about changing societal norms (which currently tend to assume that crime is the police’s problem and that they will always catch the criminals) to make this one of the endemic, implicit assumptions we all share. So I really don’t have any problem with that aspect of the CBP.

My problem lies with the other aspect of the CBP provisions on “user” responsibilities. The articles I’ve seen about the CBP all focus on what they see as an invasion of privacy that results from the bank’s reserving the right to check the security on your system, apparently after an unauthorized transaction has taken place and you are seeking reimbursement for the losses.

The invasion of privacy concern doesn’t bother me all that much. It seems to me to fall in what the law calls “assumption of risk.” I get what I contract for, in other words. We see this in air travel. I may find airport screening of me and my bags very intrusive, a real invasion of privacy, but the law’s response to that is, simply, that I have a choice. I can submit to those procedures, I can travel by other means or I can choose not to travel.

I’m sure some will point out that if all banking institutions start using codes of this type (as is apparently now true in New Zealand), I won’t have a choice. I wonder. I tend to suspect that a market would grow up for financial institutions that would give their customers alternatives, in the same way bank secrecy became a marketable item in Switzerland and, later, in other countries.

But I don’t want to talk about what doesn’t interest me that much about the CBP. What I find interesting, and flawed, about it is that they seem to be relying on bank inspection of people’s computers as the incentive for customers’ beefing up security on their computers. As I’ve written elsewhere, I don’t think this kind of enforcement system is the way to go to achieve the result I noted above, i.e., to change our culture so that we all begin to assume a level of responsibility for protecting ourselves online.

I don’t think it’s the way to go for several reasons. One is that customers may conclude (as the authors of articles about the CBP already seem to have concluded) that the tactic is high-handed and overreaching. As we all know, when people (me, included) perceive they’re being treated like that, their response is either to abandon ship (head for another bank) or be passive-aggressive, comply at some minimal level and then argue about it if and when a problem occurs.

The other problem I have with this tactic is the one I’ve written about before in analyzing somewhat comparable schemes (online driver’s license, security checks generally) that would seek to achieve the same thing. Some have argued that we should approach online security the way U.S. states dealt with seatbelts: Seatbelts have apparently been available in cars since the 1960s, but no one really started to use them till roughly twenty years later, when states started adopting “click it or ticket” laws, i.e., laws that made it a very minor offense (like a speeding violation) not to wear a seatbelt. That approach worked for seatbelts, but I don’t think it could ever work for citizen computer security.

Seatbelt laws are easy to enforce because it’s easy for a police officer to tell if you’re wearing one. And seatbelts are easy to use; citizens don’t have to keep adding patches to their seatbelts or upgrade to better seatbelts or any of that.

Why is that important? It goes to the efficacy of enforcement. If people don’t understand WHY they’re supposed to do something, something that isn’t easy for most people today, then they’ll be resistant. Resistance requires pouring more resources into enforcement (think alcohol prohibition in the 1920s and the war on drugs more recently), which, in and of itself, is not ever likely to be effective in getting people to do that “something” you want them to do.

So, I applaud the New Zealand bankers for trying to do something to encourage people to secure their computers and themselves when online. I just don’t think they’ve chosen a very good approach to the task.
