[LINK] Assault on Consumer Protection on the Net

[Alastair Rankine]

On 12/04/2007, at 10:35 AM, Roger Clarke wrote:

>              The Feasibility of Consumer Device Security
>                   Roger Clarke and Alana Maurushat
>
>     http://www.anu.edu.au/people/Roger.Clarke/II/ConsDevSecy.html

Roger,

I was reminded of your submission the other day when I came across  
the T&Cs for "My 3", the online account manager for the Three mobile  
phone carrier.

It struck me that Three were trying to indemnify themselves against  
the possibility that they would (inadvertently or otherwise) infect  
their customers with a virus. Here is the exact wording (emphasis  
added):

"This website contains information derived from customer databases  
and computer systems. There may be technical inaccuracies,  
typographical errors, programming bugs or **computer viruses** in  
this website or its contents. The information is provided "as is"  
without express or implied warranty. Use the information and links at  
your own risk."

This is a fairly standard clause I imagine. But it prompts the  
question: do any of the financial institutions who are pushing for  
reform for the EFT Code have any similar conditions in their own  
T&Cs? I didn't notice anything like this when I last read those from  
my own bank, but maybe I just missed it.

Anyway it seems only fair that if your bank wants to make you liable  
for malware infections on your own PC, then there should at least be  
an exception if they infect you. In other words, such a clause as  
written above should be incompatible with the idea of consumer  
responsibility for their own devices.

Apologies if you already addressed this in your paper, I confess I  
didn't read it all :).