Like many other countries, The Netherlands uses a chip card for paying and using public transport, and while there’s been a number of issues regarding its security, privacy, and stability, it won’t be going anywhere any time soon. Just today, the various companies announced a new initiative where Android users can use their smartphones instead of their chip cards to pay for and use public transport.
The new initiative, jointly developed by the various companies operating our public transport system and our carriers, is Android-only, because Apple “does not allow it to work, on a technical level”, and even then, it’s only available on two of our three major carriers for now.
This got me thinking about something we rarely talk about: the increasing reliance on external platforms for vital societal infrastructure. While this is a test for now, it’s easy to see how the eventual phasing out of the chip cards – already labelled as “outdated” by the companies involved – will mean we have to rely on platforms beyond society’s control for vital societal infrastructure. Chip cards for public transport or banks or whatever are a major expense, and there’s a clear economic incentive to eliminate them and rely on e.g. smartphones instead.
As we increasingly outsource access to vital societal infrastructure to foreign, external corporations, we have to start asking ourselves what this actually means. Things like public transport, payments, taxes, and so on, are absolutely critical to the functioning of our society, and to me, it seems like a terrible idea to restrict access to them to platforms beyond our own control.
Can you imagine what happens if an update to an application required to access public transport gets denied by Apple? What if the tool for paying your taxes gets banned from the Play Store days before the tax deadline? What if a crucial payment application is removed from the App Store? Imagine the immense, irreparable damage this could do to a society in mere hours.
If these systems – for whatever reason – break down today, we can hold our politicians accountable, because they bear the responsibility for these systems. During the introduction of our current public transport chip card and its early growing pains, our parliament demanded swift action from the responsible minister (secretary in American parlance). Since the private companies responsible for the chip card system took part in a tender process with strict demands, guidelines, rules, and possible consequences for failure to deliver, said companies could and can be held accountable by the government. This covers the entire technological stack, from the cards themselves up to the control systems that run everything.
If we move to a world where applications for iOS and Android are the only way to access crucial government-provided services, this system of accountability breaks down, because while the application itself would be part of the tender process, meaning its creator would be accountable, the platforms it runs on would not – i.e., only a part of the stack is covered. In other words, if Google or Apple decides to reject an update or remove an application – they are not accountable for the consequences in the same way a party to a government tender would be. The system of accountability breaks down.
Of course, even today this system of accountability isn’t perfect, but it is a vital path for recourse in case private companies fail to deliver. I’m sure not every one of you even agrees the above is a problem at all – especially Americans have a more positive view of corporate services compared to government services (not entirely unreasonable if you look at the state of US government services today). In countries like The Netherlands, though, despite our constant whining about every one of these services, they actually rank among the very best in the world.
I am genuinely worried about the increasing reliance on – especially – technology companies without them actually being part of the system of accountability. The fact that we might, one day, be required to rely on black boxes like iOS devices, Microsoft computers, or Google Play Services-enabled Android phones to access vital government services is a threat to our society and the functioning of our democracy. With access to things like public transport, money, and all that come with those, locked to closed-source platforms, we, the people, will have zero control over the pillars of our own societies.
What can we do to address this? I believe we need to take aggressive steps – at the EU-level – to demand full public access to the source code that underpins the platforms that are vital to the functioning of our society. We, the people, have the right to know how these systems work, what they do, and how secure they really are. As computers and phones become the only way to access and use crucial government services, they must be fully 100% open source.
We as The Netherlands are irrelevant and would never be able to make such demands stick, but the EU is one of the most powerful economic blocs in the world. If you want access to the wealthy 450 million customers in the European Union (figure excludes the UK), your software must be open source so that we can ensure the security and stability of our infrastructure. If you do not comply, you will be denied access to this huge economic bloc. Most of you will probably balk at this suggestion, but I truly believe it is the only way to guarantee the security and stability of the vital government services we rely on every single day.
We should not rely on closed-source, foreign code for our government services. It’s time the European Union starts thinking about how to address this threat.
I generally agree that this kind of dependency should and could be avoided by open source.
But I seriously wonder how independent our government and administration is today, by using Microsoft Windows and Office nearly everywhere…
Even without access to Windows or Office, the documents they create and edit would still be accessible. You can’t really call that dependence when operations can still continue even without them. It’s a reasonable case for complacency though.
While most 0-days are found by mistake, manipulation error, hacking for a completely different purpose, etc., having the source code of the target increases the productivity of bug discovery dramatically. Ask experts: there is no such thing as a 100% secured system.
Society has been led by unsecured systems from the beginning of the digital era. It has Everest been
The speed with which bug are found in open source is generally a good thing though. With limited exceptions (mostly stuff in libc or the kernel itself), I usually have my Linux system secure again within 24 hours after a new CVE affecting it comes out. My Windows systems on the other hand often take at least a week to get updates, and there’s nothing I can do to accelerate that myself. Notably, public disclosure embargoes are usually shorter on open source projects too, so there is generally more incentive for users to get their systems fixed ASAP.
My heart bleed.
Which while not noticed for so long, involved a feature most people didn’t use (which is part of why it wasn’t noticed), and was trivial to harden against once discovered (rebuild OpenSSL with one changed configure option).
It also works as a counter-example too by the way, the code was out there and almost nobody noticed it. If OpenSSL wasn’t open source, it might have never been found at all, and even if it was, it probably wouldn’t have been fixed as fast.
Yes you probably should ask the experts.
Edited 2017-05-23 10:33 UTC
I’m no expert and neither am I going to ask one, but I think it’s kind of a no-brainer to claim no system can be 100% secure.
quackalist,
It really depends how you want to look at it.
Systems built on discrete mathematics can be proven to be 100% correct. That’s not hard to do in principle, and for small systems it’s quite achievable: you just need to prove that every possible outcome is correct for every possible input. Given that computers are strictly finite computation machines, proving the correctness of arbitrarily large algorithms is theoretically possible. However, large algorithms quickly exceed our human ability to prove them. Even small and medium code bases can have edge cases that are very difficult to prove. And then even if the software is proven to be 100% correct, the hardware and toolchains may not be.
On top of that physics itself is inherently probabilistic, so we can’t rely on real machines to execute our code 100% reliably – there will always be the possibility for error.
We try and mitigate hardware errors with ECC RAM and disk data, but those are also probabilistic and will eventually experience an error. An attacker might try to exploit this by irradiating the target’s CPU, or manipulating power to derail the correct code execution.
So mathematically speaking, a system could be 100% secure, but when we allow for physical attacks, no machine can be “100% secure”.
Rather than forcing an entity to do something they don’t wish to do and would otherwise legally be allowed to not do, and have possibly specifically decided not to do regardless of their rationale for it, how about just not putting all eggs in one basket?
Certainly alternative systems could exist, could they not? Isn’t an easier approach simply practicing what any cautious entity should? That is, not to conquer some other entity (or ban it if conquering isn’t possible), but to ensure that reliance doesn’t exist solely on it.
I’m no expert, but surely a chip system and a smartphone app could coexist, even if companies may desire a monopoly.
Sure, it would be great if more companies had truly open source code for their major products, products which millions of people rely on for their everyday lives. However an approach in which you force it out of their hands by threatening to remove it from the very people who rely on it to begin with, due to being unable to sneak a peek at what it looks like inside, is rather unpleasantly extreme regardless of whether you’re the company, the consumer, or the perpetrator.
If a system is relied upon too heavily, then come up with alternatives. Reduce your dependencies, don’t focus on them more. The problem isn’t monochrome.
That said, this is just my initial impression of the post. Perhaps I didn’t properly understand the proposed policy. Though I disagree with the conclusion, I think it’s a great write up and a good point of discussion.
See, I’m all for open source software. My own computers all run a flavor of Linux (openSUSE), I push to install servers with open source software whenever possible and I try to get customers to land on two feet in open source land.
Besides all that, I cannot really see obligatory use of open source software as the only reasonable solution to the problem of access to public services.
For almost forty years we have been hammering on the importance of open interfaces and protocols to guarantee accessibility and interoperability, and in my eyes that has not changed, and it does not matter if the code is public or not.
Of course, if the development of the system is backed-up by public funds it is more than reasonable to ask for open source implementation.
What we really should ask for is guarantees and accountability. Do you want to participate? Fine, here are the interfaces/protocols to use, but keep in mind: if we find an exploit on your side of things, you will be singled out as responsible for the possible losses of the people affected.
In all the years I have watched, making people responsible for their acts (and failures) has been the best method to keep them careful about what they spill out.
The current EULA(s) and agreements are almost an offense and a free pass to make poorly implemented software float around.
There’s a foundation for that: http://fsfe.org
Congrats on all of your own contribution, Thom.
Thom, first off: Thanks for this kind of content!
I suspect this has to do with Apple’s decision to monopolize NFC functions on iOS. Apple has a lot of incentives to ban 3rd party NFC applications to kill off the competition, but it’s absolutely devastating for independent innovation.
I understand why people don’t want government stepping in to force changes, but leaving corporations to their own vices consistently produces the worst outcomes for the public good: technology that takes away owner control, banking practices that trigger financial calamities, manufacturers that deceive, predatory practices to kill competition, manufacturers contractually banning component repairs, etc.
The Netherlands may have very little influence on apple, but at the very least there could be a campaign to name and shame the corporations like apple that are actively taking away our rights. Imagine if your public transport system could put up large billboards showing how apple holds back technology, that would get the public’s attention very quickly – even beyond the Netherlands. It would perhaps spark the public debate we need to have about technology designed to take away our rights.
Edited 2017-05-22 14:09 UTC
If the main concern is problems with the app update, then perhaps having the application also available via fdroid or amazon might be a good fall back.
Lots of security implications here that would take a while to figure out. You want everything to be open, but not so open that its easy for fraudulent implementations to exist. Smart cards seem to be a rather smart solution, when viewed in this light.
Quite an interesting view, Bill. Is Fully Open easy to defraud? Which one more so: Fully Open, or Fully Closed?
What about Closed Silicon Hardware [which still is default]? Remembering those Electronics Cards embedded on black resin.
Remembering those repair shops passing the shop to the back. Or bakeries becoming just front stores. We don’t know anymore, Bill. My Coke drink declaring content: Coke concentrate, édulcorant, carbonated water.
We’re self abandoning to a continuous exercise of FAITH.
Coming back to an OPEN culture, an OPEN society with adopted, open technologies is now an URGENT, survival request.
No longer able to sleep tight, Bill. A symptom of faith overdose.
Sorry, maybe I shouldn’t have commented without time to explain. The risk is similar having Firefox or Chrome trust any and all cert authorities. Which would allow craziness like anyone pretending to be your bank.
There needs to be some central authority to vet options even in an open environment, to prevent fraud.
Bill Shooter of Bul,
One approach that could be interesting is to have a standard app signing protocol where applications are directly signed by website owners.
A website could host the public key, and the app could be signed with the private key, thereby proving the app came from the owners of the website regardless of how it got installed (bittorrent, http, app store, etc).
Well, ok. Do you really want any/all websites to be used to process payments? Even if they aren’t fraud, are they themselves protected against attacks by fraudsters? Should every commuter have to choose a provider in a list of thousands? Which ones have good security and privacy practices?
Bill Shooter of Bul,
I was really referring to ways to solve the problems you brought up in the original post. In particular, solving fraud in app distribution. Cryptographic signatures solve this problem very nicely.
What you’re asking here seems to be a bit different: how do you trust a website to process payments and how do you choose good providers from a list of thousands? I’m not really able to answer that, but regardless of how people choose their services, cryptography can be used to eliminate fraud.
Cryptographic technology is way ahead of the industry, and personally I blame visa/mastercard for not doing more to embrace 1990’s era crypto for payment processing.
With PKI:
1) Each individual transaction could be signed.
2) the merchant couldn’t just claim the customer authorized a payment, it would have to be cryptographically signed by the customer.
3) even if the merchant account was 100% breached, no one would be able to issue new fraudulent transactions using the information since the merchant never sees the private signing key.
4) we could even require the banks themselves to use PKI such that even employees of the bank couldn’t transfer your funds without your cryptographic signature.
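An added example (not code from the original post or from any of the commenters) that shows both mechanisms Alfman describes with working code: the app-signing case, where a public key published on a website verifies a package however it was downloaded, and the per-transaction PKI case, where the customer signs each transaction and the verifying bank holds only public keys. It assumes Ed25519 from Go's standard library, a constructed transaction field set with a per-transaction nonce, and a toy Bank type; the customer name, merchant name and amounts are made up.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Transaction holds the fields a customer commits to by signing. The field
// set and encoding are constructed for this example, not any real scheme.
type Transaction struct {
	Customer string
	Merchant string
	Amount   int64  // minor units (cents)
	Currency string
	Nonce    string // unique per transaction so a captured signature cannot be replayed
}

// canonical produces the exact bytes that are signed. Signer and verifier
// must agree on this encoding or genuine signatures will fail to verify.
func (t Transaction) canonical() []byte {
	return []byte(strings.Join([]string{
		t.Customer, t.Merchant, fmt.Sprint(t.Amount), t.Currency, t.Nonce,
	}, "|"))
}

// SignTransaction runs on the customer's device; the private key never leaves it.
func SignTransaction(priv ed25519.PrivateKey, t Transaction) []byte {
	return ed25519.Sign(priv, t.canonical())
}

// Bank models the verifying party (hypothetical). It stores only public keys
// and spent nonces, so a breach of it yields nothing that can sign.
type Bank struct {
	keys map[string]ed25519.PublicKey
	seen map[string]bool
}

func NewBank() *Bank {
	return &Bank{keys: map[string]ed25519.PublicKey{}, seen: map[string]bool{}}
}

// Enroll records a customer's public key, the only key material the bank holds.
func (b *Bank) Enroll(customer string, pub ed25519.PublicKey) { b.keys[customer] = pub }

// Accept rejects anything not freshly signed by the named customer: unknown
// customer, malformed or mismatching signature, altered fields, or reused nonce.
func (b *Bank) Accept(t Transaction, sig []byte) error {
	pub, ok := b.keys[t.Customer]
	if !ok {
		return errors.New("unknown customer")
	}
	if len(sig) != ed25519.SignatureSize || !ed25519.Verify(pub, t.canonical(), sig) {
		return errors.New("signature does not match transaction")
	}
	key := t.Customer + "/" + t.Nonce
	if b.seen[key] {
		return errors.New("replayed transaction")
	}
	b.seen[key] = true
	return nil
}

// VerifyArtifact is the app-signing case: pubHex is what the website would
// publish, so the check works regardless of how the package was obtained.
func VerifyArtifact(pubHex string, artifact, sig []byte) bool {
	pub, err := hex.DecodeString(pubHex)
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return false
	}
	return ed25519.Verify(ed25519.PublicKey(pub), artifact, sig)
}

// Demo walks through the scenarios from the discussion and reports which
// submissions the bank accepts. Keys are generated and values constructed here.
func Demo() (genuine, altered, replayed, forgedAfterBreach bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	bank := NewBank()
	bank.Enroll("alice", pub)

	tx := Transaction{Customer: "alice", Merchant: "transit-co", Amount: 250, Currency: "EUR", Nonce: "n-0001"}
	sig := SignTransaction(priv, tx)
	genuine = bank.Accept(tx, sig) == nil

	// The merchant submits the same signed transaction a second time.
	replayed = bank.Accept(tx, sig) == nil

	// The merchant edits the amount after the customer signed.
	big := tx
	big.Amount, big.Nonce = 25000, "n-0002"
	altered = bank.Accept(big, sig) == nil

	// Merchant database breached: the attacker has tx, sig and pub but not priv,
	// so the best it can do is attach an old signature to a new transaction.
	forgedTx := Transaction{Customer: "alice", Merchant: "transit-co", Amount: 999, Currency: "EUR", Nonce: "n-0003"}
	forgedAfterBreach = bank.Accept(forgedTx, sig) == nil
	return
}

func main() {
	g, a, r, f := Demo()
	fmt.Printf("genuine=%v altered=%v replayed=%v forgedAfterBreach=%v\n", g, a, r, f)
}
```

The nonce and the seen-nonce map are what turn "the merchant cannot claim the customer authorized a payment" into "the merchant cannot resubmit a payment the customer did authorize"; without them a valid signature is replayable. The design deliberately leaves the question of how the bank learns the customer's public key (enrollment) out of scope, as it is the same trust-bootstrapping problem raised in the thread about website-hosted keys.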
Alfman,
I totally agree with you about security of operations using cryptography being stronger, though, it does not dispel the worries about security and who is going to bear the consequences of breaches.
When I think about security I imagine an elder citizen using her/his smart phone on every interaction she/he may need. Now, suppose her/his phone is hacked and his/her cryptography signature stolen.
Now, who is going to bear the consequences? The elder citizen, the OS seller, the producer of the software that was unlucky enough to have its software used in fraudulent transactions?
I think banks and credit card companies will be more than happy to share the burden with the OS sellers and the other software vendors on the stack, but till now all we have is an offensive indemnity on EULAs and agreements over use.
You probably know that if you want a bigger slice of the pie you must take more responsibility for failures. I have said here many times that my main customers are small businesses. Some of them would like to lower the cost of credit card operations. It is possible to have a contract so that an internal system pre-processes the payment and so lowers the cost of the operation; it does, though, shift part of the responsibility for fraudulent operations to whoever is pre-processing them. Big business can afford the costs because they can spread the risk over a large base of customers and it has an (almost) fixed cost to develop and secure the system. It does not work well on a small scale. When I explain this to them, the many points of failure in the chain, they usually let me know that they want to keep what is “working”.
Now, I know that my business is not to cast fear on my friends, and that is what they all are, hearts, but I don’t want them to incur costs that can hurt their source of income. If we really want a better system, guarantees and accountability must be very well established.
acobar,
See my post on the other thread about cards with EMV chips.
Public transport depends on lot of technologies; winner above all electric grid -reliability issues related.
Countries with 99.99% Uptime at their critical lines. [Admiration to Electrical Engineering civilized view of duty ].
Nowadays, another energy options at place to back-up failures.
Lack of LOCAL options, is a clear sign of Administrations missing Security scientists, engineers and technicians.
Not going to talk this time of another, “pooping baby” technologies.
Being that I am a US citizen, I am still amazed that so many countries rely on closed source software from the US. I would think that countries that don’t have a large software presence would invest in its people to support something like FreeBSD or Debian which in turn could be used within the country to eliminate the exodus of money.
That closed software is not perceived as coming from USA, it is perceived as coming from global megacorporations. Which is not better, but a different nuance.
As for those countries pushing for alternate OSes, it is all about apps and compatibility. And those other OSes also come from global entities.
Getting in step with tech is good and all; however, relying on consumer devices to enable the services Thom speaks of is the wrong approach.
I rarely use my “smartphone”. The only time I bring it with me is when I’m expecting a non-social call, which equals about 2-3 times a month. Heck, I haven’t carried physical currency (cash) in almost 15 years. My debit cards replaced cash.
If government services or whatnot want to force you to use tech to utilize their services, they need a more general approach. Facial recognition perhaps, not reliance on an Android/iOS or whatever consumer device.
Good point, Ibrahim: as in the NHS case, relying on “consumer grade” technology.
Have no doubt that eventually Alphabet will release stronger products.
But is this excessive reliance on such a HUGE pile, or stack, which I find of little sense, to begin with.
Remembering an old American Express campaign: “Your key to the World” or something like that. It is stupid to have ONE key to the World. Such a big and fragile one, also. [Sorry about the term, but absolutely appropriate].
Many toll systems at highways use “pass-by” remote tech which stand on small [private] stacks.
Again, it is RELIEF tech, to reduce the length of waiting lines. All other options remain present.
ibrahim,
That may be fine for you, but it’s not to say they’re not useful for many other people. Having choice is the important factor here. The free market can only work when everyone can decide for themselves what works without being coerced. We need to recognize that whenever the industry becomes dominated by a few giants, independent competition becomes nonviable and innovation gets stifled.
Visa and Mastercard are examples of a stifled industry at great cost to both consumers and merchants in terms of noncompetitive transaction fees and notoriously regressive security practices. If we could somehow displace the incumbents and give alternatives some breathing room, it could do wonders for innovation and competition.
Even though I agree with your assertion, there is a reason they are in their positions, and it is accountability: if something goes wrong in the transfer of funds in a transaction, they are the ones you will be calling (usually). It is like a mafia sale of protection, but one most of us have, somehow, consented to paying for. Society is still a wild west when money is at stake; accountability is a must.
acobar,
Well, as a consumer, you deal with your bank. Even store credit/debit cards are backed by a bank. Try calling the phone number on the back of your cards: you’ll find it reaches the bank and not Visa/Mastercard. They are strictly middlemen, and if we had widely deployed open source transaction processing networks, then Visa/Mastercard would be entirely unnecessary.
I understand they initially filled an important purpose, but these days they’d be easily replaceable if it weren’t for their widespread market control.
Edit: I’m not particularly promoting bitcoins, but they are noteworthy for bringing about P2P technology to the point where all middle men, and even the banks can be eliminated.
Edited 2017-05-22 20:04 UTC
You don’t travel abroad a lot, do you? If you did you would have the displeasure of discovering that your bank may not have a presence in many countries but your credit card company does. They fill a niche, they are a middleman, but until we have a better system we have no option but to deal with them. Your bank likes them because it allows your bank to cover a wider area without a lot of investment. Business owners count on them to lower the risks and try to compensate for their own costs by inserting any loss into product prices. To them, after all, it is you who are going to pay the expenses.
Like you, I would very much like to have lower fees on transactions but, unless there is a large intervention in the way the system works today, I don’t see it going through a huge change. The incentives are not there for banks, even though they may be there for other businesses, especially big ones, and, from what I have seen, they all want their cut without changing the costs that much (actually, I suspect that Apple’s cut would be worse).
Again, if such an open source system is to be created, who is going to bear the cost of fraudulent operations? You know, they are not going to disappear.
For almost the same reason, lower risks, we buy insurance policies for burglary and whatnot. In an ideal world we should drop them, but we don’t live in such a world yet (perhaps we never will).
acobar,
This is where having a competitive market would help. Unfortunately once the market is controlled by a few incumbents, new competition tends to be non-viable. Even counting on a government fix is unlikely since the lobbying power of credit card companies is too great.
OK, I think I should better explain my point.
It is not about whether, technically, a better solution is possible or not; it clearly is.
My worries are about guarantees and accountability. Now we have a system where there is a minimum of them established. Now, do you think that hardware producers, OS sellers and software vendors will change their mind about, “use at your own risk, no guarantees!” clause they have about possible malfunctions? If the software is open source, who will bear the consequences of poor implementations?
We need a better system but responsibilities must be established along the chain.
acobar,
I understand your point, but I don’t understand why it’s any worse than today?
If a merchant installs an ecommerce platform like osCommerce or Magento, those are popular open source platforms that can accept payments, but they come with no guarantees whatsoever today. Responsibility for these lies with the merchant. If the merchant buys an ecommerce service, that may or may not come with a guarantee. I don’t understand why any of today’s responsibilities would need to change?
Edited 2017-05-23 01:46 UTC
My bad, I was thinking more about face-to-face sales where a machine reads data from a card with an EMV chip and a password must be entered on certified terminals. For Internet sales it is true that the seller ends up almost invariably paying for losses, be it by paying extra expenses such as insurance or by absorbing the losses involved in the fraudulent transaction.
Anyway, things are not like they used to be and it is not true anymore that all liability ends up with merchants. Cards with EMV chips were created to address two things: increase security and improve the unbalanced relation that existed before over liability. Any new implementation must address both things.
acobar,
I am curious though, do you know if this is just a US thing? Are consumers liable for unauthorized chip&pin transactions in other countries as well?
In my country the laws usually side with consumer but, yes, when using a modern card with an EMV chip, which is fast becoming the norm (I think it already is), you may be pressed to prove you were not present on a face-to-face transaction. For Internet sales, things are, from buyer perspective, easier to sort out and the burden is shifted to merchants. Pretty same as USA.
I think I need to clarify my point.
1) I did “not” read the article.
A) I was going on my interpretation of Thom’s interpretation of the article.
i) which I understood to be, that some government services, were switching from RFID to strictly Android App. [ I don’t know how to insert preformatted text. So please don’t mind the bullets. i is a subsections of A and of 1. ]
If my interpretation on Thom’s interpretation, was correct. I felt relying solely on a consumer phone app, segregated me and possibly others like me from using that service. Hence the suggestion for a more general tech, such as facial recognition or something else. If the RFID card or a general ID card for said service, was being abandoned. I shouldn’t need to carry around my cellphone, just to use that service.
The money bit, was me pointing out, that I support tech for improvements. Such as digital currency. For me currently, that’s through two services.
“…it’s easy to see how the eventual phasing out of the chip cards – already labelled as “outdated” by the companies involved -“.
Eight thousand years and NOTHING has replaced a knife and a table, at the kitchen. Open tech -by the way.
Open tech doesn’t “outdate”, mature.
Specific to the concern of transportation payment cards: The British Government has developed an open payment standard called ITSO. Details here: https://www.itso.org.uk/
Munchkinguy,
That’s a concern, but aside from that I really like the principles of inter-operable standards that many independent vendors/service providers are free to implement and use. That’s the kind of thing that makes technology better at serving our needs!
It’s because most public transport services in Britain are privately run, so I think the idea is that the standard allows each private company to have their own proprietary implementation.
Yeah, from an Australian perspective (well, the Sydney region, including Newcastle, Wollongong etc), Thom’s real-life example seems to be missing an obvious option. Our transport payment system’s backend is being augmented to (eventually) allow payment with bank cards as well as the current Opal cards. It’s all just NFC, so the physical carrier doesn’t really matter – you can already load a bank “card” onto a phone app, just as a transport payment app would be doing with a transport payment card.
Realistically, do you expect those cards to be replaced completely by smartphone apps for the foreseeable future? Around here it won’t fly, since an entire older generation does not reliably use smartphones; if the government gave them free ones, a lot of those people wouldn’t know what to do with them. Yes, this generation will have mostly vanished 10-20 years from now, but who can predict where technology will be in 10-20 years?
I would not worry much about denied updates or banned apps. Can you imagine public transport in a big European city blocked, hundreds of thousands (at least) people angry and a corporation “guilty” of that? It would be commercial suicide.
In the not too distant future the software industry will most likely undergo the same massive changes that physical engineering underwent in the late 19th and early 20th century.
Software engineers will need to be formally qualified, licenced and insured. Companies will be liable for severe civil and criminal punishments. Software will need to be fully documented and all source code held on public registers. Mandatory international standard testing and design protocols will also need to be instigated. The whole hack, release and patch mentality must be replaced by a formal design and engineering process.
No government would ever allow a) an unqualified person to design or build a bridge or building, b) a project to be built without submitting formal plans and documents, c) an engineer to create his own arbitrary testing standards or d) fail to investigate or prosecute an engineering company if a building collapsed. Yet the equivalents are completely normal in the world of software.
If MS (and virtually every other software company) was in the civil construction business they would have been bankrupted decades ago by negligence lawsuits and fines.
Amen. The software industry and its practitioners have had it too easy for far too long. They should be subject to the same rigour and expectations (e.g., lemon laws) to which physical products are subject. Time to grow up and put on their big-person trousers like every other industry has had to at a certain point.
Edited 2017-05-26 09:26 UTC
Thanks Thom for the post! This is something I’ve been worrying about for several years.
In Sweden we have something called BankID. It’s a form of electronic ID, meaning it’s not only used to log into one’s bank account but can also be used to file taxes, manage medicine prescriptions and much more. It’s owned by a private company that has been quite diligent in dropping support for older mobile and desktop OSes because it no longer made “economic sense”.
That’s not how you manage a vital piece of infrastructure!
Linux support was dropped completely in 2014 because “only about 5000 people were using it”. [1]
There was a news article recently about a few thousand Android and Windows Phone users being locked out of BankID because their phones were deemed too old. [2]
I was contacted a while ago by a neighbour because BankID had stopped working on his computer. The problem was that he was running an older OS. To be able to upgrade it he first had to buy and install more RAM. Even after doing all that he probably only bought himself one more year.
I myself had the opposite problem once. I had installed an OS update and couldn’t access my online bank for about two weeks because the new version wasn’t supported yet.
All of this from a company with the goal that “in the future almost all Swedes will be using our product”. (Good thing they included the “almost”.)
Then there was the time when Apple started declining apps relying on BankID since it was against the rules for an app to depend on another app for its functionality. BankID managed to get a formal exception from this rule. [3]
[1] https://www.bankid.com/om-oss/nyheter/bankid-linux-fasas-ut
[2] https://www.svt.se/nyheter/ekonomi/tusentals-blockerade-fran-bank-id
[3] https://www.bankid.com/om-oss/nyheter/apple-godkanner-beroende-till-…