[LINK] Assault on Consumer Protection on the Net

Roger Clarke Roger.Clarke at xamax.com.au
Thu Apr 12 10:35:02 AEST 2007


The Australian Securities and Investments Commission (ASIC) is 
undertaking a Review of the Electronic Funds Transfer Code of Conduct:
http://www.asic.gov.au/asic/asic.nsf/byheadline/Review+of+the+Electronic+Funds+Transfer+Code+of+Conduct+2007?openDocument

Business interests are seeking to significantly reduce the consumer 
protections that the Code provides.  The following submission has 
been sent to ASIC to counter that manoeuvre.

The submission argues that consumer devices are inherently insecure, 
and incapable of being made secure, and that it is therefore not 
appropriate to impose liabilities on people who use them to conduct 
financial transactions.

It would be valuable if consumers and consumer advocacy groups voiced 
to ASIC their concern about this.

Feel free to re-post this email to interested lists, organisations 
and individuals.


              The Feasibility of Consumer Device Security
                   Roger Clarke and Alana Maurushat

     http://www.anu.edu.au/people/Roger.Clarke/II/ConsDevSecy.html

Consumers have available to them a wide array of Internet-connected 
devices. A great many of the uses that consumers are putting these 
devices to involve transactions with organisations and other 
individuals. Many of these transactions are financially risky, 
particularly those that involve payment.

The Australian Electronic Funds Transfer Code of Conduct (EFT Code) 
provides consumer protection in relation to most electronic funds 
transfers. This includes payment transactions conducted on ATMs, at 
EFT/POS devices, through Internet banking, and using credit-card 
details over the Internet.

The EFT Code is currently under review. As part of that process, 
corporations are seeking to significantly reduce the consumer 
protections that the Code currently affords. In particular, 
corporations want to shift liability for financial loss from the 
corporation to the consumer where devices are insufficiently secure. 
The proposal uses vague terms, and is not accompanied by an adequate 
analysis of its practical and legal implications.

The corporations' argument is predicated on the assumption that 
consumers are capable of taking responsibility for the security of 
the devices that they use. This paper surveys the security threats, 
and the vulnerabilities of consumer devices. It assesses the 
effectiveness of available safeguards and the practicability of 
imposing responsibilities on consumers to understand the risks 
involved, to install relevant software, to configure it 
appropriately, and to manage it on an ongoing basis.

The nature of consumer devices is such that it is entirely infeasible 
to impose responsibility on consumers in the manner that corporations 
desire.  Indeed, many eCommerce and even eBanking services only work 
because they exploit vulnerabilities on consumer devices.  More 
practicable approaches are identified, to enable the increasing risk 
of error and fraud to be addressed.


-- 
Roger Clarke                  http://www.anu.edu.au/people/Roger.Clarke/
Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
                    Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/

Visiting Professor in Info Science & Eng  Australian National University
Visiting Professor in the eCommerce Program      University of Hong Kong
Visiting Professor in the Cyberspace Law & Policy Centre      Uni of NSW
