Soapbox

Sessions must die

Many e-commerce sites have session timeouts. Dawdle too long between the moment you enter the site and the moment you actually want to buy something, and you will be presented with an unpleasant message. The words “session timeout” will be there, drowned in a sea of technobabble, and you will have to restart from scratch. Using a bookmark will often have the same effect.

At this point, you may well be tempted to go shop elsewhere; indeed, it is the only principled response to such blatant contempt for customers. You will notice that successful sites like Amazon.com do not make their customers suffer such hassles – once you’re in, you are in, whether you have to take a lunch break or not. I don’t buy the security argument either – there is nothing sensitive about the contents of a cart, security belongs at checkout time, not browse time.

The reason why such crimes against usability are perpetrated is that business requirements too often take a back seat to technical expediency, paradoxically most often due to lack of technical competence. Many web development environments keep track of what you do on a website, the contents of your cart, and so on, in “sessions”, portions of memory that are set aside for this book-keeping purpose. They cannot be set aside forever, and must be purged to make room for new customers.

The tyro programmer will leave the default policy in place, which is to dump the session altogether and place the burden of recovering state on the customer. More experienced programmers will implement the session mechanism in a database so it can be kept almost indefinitely. In an era where disk space costs a dollar or two per gigabyte, and a desktop computer has enough processing power to crunch tens of thousands of transactions per minute, there is no justification for not doing so.
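A database-backed cart store of the kind described above, added here as an example rather than code from the original post: carts outlive idle time and restarts under an opaque cookie token, only truly abandoned ones are purged, and the authentication check sits at checkout, not browse time. The class, table layout and the two timeout constants are assumptions.

```python
import secrets
import sqlite3
import time

# Constructed example with hypothetical names; not code from the original post.
CART_TTL_SECONDS = 90 * 24 * 3600        # purge a cart after 90 idle days, not 20 idle minutes
CHECKOUT_AUTH_WINDOW_SECONDS = 15 * 60   # checkout needs a login within the last 15 minutes

class CartStore:
    """Database-backed carts: browsing state survives lunch breaks and server restarts."""

    def __init__(self, path=":memory:", clock=time.time):
        self.clock = clock                     # injectable for tests
        self.db = sqlite3.connect(path)
        self.db.execute("CREATE TABLE IF NOT EXISTS carts (token TEXT PRIMARY KEY, "
                        "items TEXT NOT NULL, last_seen INTEGER NOT NULL)")

    def new_cart(self):
        # Only an opaque, unguessable token lives in the cookie; the cart itself stays server-side.
        token = secrets.token_urlsafe(32)
        self.db.execute("INSERT INTO carts VALUES (?, ?, ?)", (token, "", int(self.clock())))
        return token

    def add_item(self, token, sku):
        row = self.db.execute("SELECT items FROM carts WHERE token = ?", (token,)).fetchone()
        if row is None:
            return False                       # unknown or already purged token
        items = [i for i in row[0].split(",") if i] + [sku]
        self.db.execute("UPDATE carts SET items = ?, last_seen = ? WHERE token = ?",
                        (",".join(items), int(self.clock()), token))
        return True

    def get_items(self, token, now=None):
        now = int(self.clock()) if now is None else now
        row = self.db.execute("SELECT items, last_seen FROM carts WHERE token = ?",
                              (token,)).fetchone()
        if row is None or now - row[1] > CART_TTL_SECONDS:
            return None                        # only a genuinely abandoned cart is gone
        return [i for i in row[0].split(",") if i]

    def purge_expired(self, now=None):
        now = int(self.clock()) if now is None else now
        cur = self.db.execute("DELETE FROM carts WHERE last_seen < ?", (now - CART_TTL_SECONDS,))
        return cur.rowcount


def checkout_allowed(last_login_at, now):
    """Security belongs at checkout time: demand a recent authentication there, not a fresh cart."""
    return last_login_at is not None and now - last_login_at <= CHECKOUT_AUTH_WINDOW_SECONDS
```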

Homo trium literarum

Homo trium literarum (man of three letters) is a synonym for thief in the 1922 edition of Roget’s thesaurus. The Latin word for thief is fur, hence the pedantic periphrasis. The only record I find of it ever being used was by Wedderburn, the British Solicitor-General, against Benjamin Franklin, in front of the Privy Council:

I hope, my Lords, he exclaimed, with thundering voice and vehement beating of his fist on the cushion before him – I hope, my Lords, you will mark and brand the man, for the honour of this country, of Europe, and of mankind… He has forfeited all the respect of societies and of men. Into what companies will he hereafter go with an unembarrassed face, or the honest intrepidity of virtue? Men will watch him with a jealous eye; they will hide their papers from him, and lock up their escritoirs. He will henceforth esteem it a libel to be called a man of letters; homo trium literarum (i.e., fur, thief!).

Franklin had made public letters from the governor of Massachusetts, where the latter urged the British government to take draconian measures against the colonists.

That said, with so many CEOs and CFOs implicated in corporate embezzlement, this quaint expression might be overdue for a revival…

Escape from TiVo

I cancelled my TiVo service today, after more than two years with it. I upgraded to a Panasonic DMR-E80H, which offers more capacity than my old Sony SVR-2000, but the main reason for the upgrade was the fact I have for some time lost any vestigial trust for TiVo (the company). They spam you with advertising in the user interface (one of the items in the PVR main menu is a rotating ad), expropriate a portion of your precious hard drive space for the said spam, track your usage patterns behind your back, and have a nasty habit of disabling features in software releases.

The Panasonic is pretty much a hard-drive VCR with a DVD recorder (well, at least it can automagically determine the time and time zone to avoid the dreaded blinking “00:00”; let’s see how well it copes with Daylight Saving Time). The user interface is not as streamlined as TiVo’s (among other things, it is annoyingly modal and does not have an online program guide or the permanent 30-minute buffer that allows TiVo to “pause” live TV), but it is capable of editing recorded programs (i.e. excising advertisements). Its chief redeeming feature is that it is not a networked device, and as such cannot be remotely disabled whenever the manufacturer feels like stooping lower to appease advertisers and copyright pigopolists that seem to matter more than paying customers. It is also unable to send back detailed activity data to be analyzed by advertisers riding roughshod over privacy.

The true cost of externalities

Economists use the term “externality” to describe a situation where economic agents’ decisions are distorted by the fact they do not have to pay for some of the costs of their actions. This is usually addressed by regulation. The textbook example is pollution, but I find security to be at least as interesting.

In the US, the level of security associated with credit cards and credit reporting is abysmal. Most of Europe switched to smart cards for their credit cards over a decade ago, leading to a much more secure system for offline purchases (which must be authenticated by the smart card and a PIN), rather than easy-to-tamper magnetic stripes (which are kept, to allow visiting US tourists to make purchases). As the PIN code must be entered by the cardholder, a waiter in a restaurant verifies the card at the dining table and does not have the opportunity to engage in skimming.

There is usually no national credit bureau equivalent to Experian, Equifax or Trans Union in most European countries, because these would fall afoul of privacy laws. For this reason, credit card fraud is much rarer in Europe than in the US, and identity theft is almost unheard of.

In both cases, the externality is lax security, leading to lost time for consumers, whether simply an annoyance (credit card fraud) or a serious nightmare (identity theft). Credit reporting services do not bear most of the cost of identity theft, the hapless victims do. For online purchases, merchants are liable for fraud they have limited means to detect, and to add injury to insult, they also have to pay fees for the chargeback. Credit card companies figure the cost of processing claims and absorbing what little fraud they are liable for is less than the cost of upgrading the whole card reader infrastructure to use smart cards. They also think keeping perfunctory verification procedures will reduce barriers to impulse spending and thus increase profits.

They can do this, of course, because industry lobbying groups have been very effective at defeating consumer-friendly legislation in Congress or state legislatures. The time for action has come, however, because credit card fraud is now a primary source of funds for terrorists, whether abroad or in the US. To quote an interesting article in The Economist, it seems Al-Qaeda sometimes acts as a kind of venture capitalist for terror:

Units of his organisation are believed to raise money through financial and other sorts of crime. For example, Ahmed Ressam, an Algerian who plotted to bomb Los Angeles airport but later co-operated with American authorities, says he was given $12,000 of seed-money to set up his operation. When he asked for more cash, he was advised to finance himself by credit-card fraud.

For the sake of all, the credit industry cannot be allowed to continue in its complacent ways any more.

Updated 2003-06-02 following comments from “Saffiyya” regarding merchant liability

Geeks are not immune to racism

Eric S. Raymond is a celebrity of sorts in the open source world. He is mostly self-aggrandizing, having to his credit a couple of books and two minor email utilities.

A side of him not many geeks are aware of is his frothing-at-the-mouth diatribes such as this one. As a person of Indian ancestry, I was tickled by one of the more laughable assertions in this collection of racist and bigoted remarks, that the British somehow “civilized” India, which had highly evolved cities with refinements like sewers in a civilization that dwarfed Egypt 5000 years ago.

British colonialism had everything to do with the extraction of resources through the sheer application of violence (as in their invention of concentration/extermination camps during the Boer war, their ruthlessly efficient genocide in Tasmania, the Opium wars or the Amritsar massacre), not any Kiplingian post-facto rationalizations of a supposed civilizing mission.

I won’t dignify the rest of his viscerally anti-Muslim prejudice with comment, but this raises an interesting point. Raymond is a techno-anarchist libertarian, and a neo-pagan. As such, his profile looks very similar to that of the Dutch fascist Pim Fortuyn. There was certainly too much indulgence for Fortuyn’s racist rhetoric and proposed policies simply because he was homosexual, a perfect illustration of what Bertrand Russell called the “fallacy of the moral superiority of the oppressed”.