US banks that can send PGP/MIME e-mail

Anonymous Remailer (austria) mixmaster at
Mon Feb 25 21:20:37 CET 2013

>> Why does the business case work in Germany?

>It doesn't.  It works for one particular bank.  It doesn't work for
>Germany as a whole.

Where does this idea come from that a business case must be recognized
by all suppliers for an entire industry in a whole country before it
"works"?

A business case can be viable if there are *zero* implementations,
substantiated purely by analysis.  And having just one working case
goes as far as testing and proving that it works.

>Different banks have different clienteles and different incentives
>for how they deal with their clientele.

My point exactly.  One bank may offer a free t-shirt to get customers,
while another may offer more security and more convenience in statement
delivery.  Just because one bank can survive on the t-shirt promo
doesn't make the GPG feature unviable.

>And as soon as a customer is on the phone with tech support for two
>hours trying to get GnuPG to work on their system, that's about $100
>the bank has now spent trying to retain this customer.  That's a lot.

You're making several errors in that one statement.

  1) First of all, you're assuming that the feature is
     officially supported.  A bank need not support anything.

  2) You're assuming that official support implies unlimited resources
     must be allocated to every call.  Nothing the bank does includes
     unlimited support.  If they choose to give any support at all,
     they can pick and choose the extent to which they offer support.
     And indeed, this is what happens.  Try just getting basic browser
     support if you're running Debian and Iceweasel, when it fails to
     handle all the javascript and flash that many banks (foolishly)
     use.  You'll exhaust the tech support in no time, and will never
     be given the opportunity to talk to the engineers.  And if you
     could, they aren't going to fix what's broken on their server to
     make the service work for you.

  3) An hour of tech support costs the bank about $5-10 for the cheap
     labor they've outsourced it to India.  Perhaps another $10 if the
     Indian call center has operators who have been trained to lose
     their accent and sound American.

  4) A bank can (and does) limit the configuration for which they will
     support, officially.  E.g. they might say they only support the
     latest MS Explorer.  Or they might say they only officially
     support PGP statements to customers who have hushmail accounts
     (so the dummies can get fool-proof service that needs no
     technical support) - while unofficially giving the nerds a means
     to submit their public keys.

>The only way to make the user profitable in such a case is to raise
>service fees, in which case that bank will hemorrhage business to
>their competitors.

IB has figured out that this is not true.  Their VIP customers pay
through the nose for their "premium" service, but they're the only
game in town, so nothing threatens their market share.

>If I were a banker and I had a choice between SSL-secured HTTPS that
>99% of my internet banking customers would approve of, which requires
>no special training or experience on their part, which requires no
>additional special training on the part of my tech support staff, or
>adding OpenPGP-secured statement delivery that would appeal to 1% of
>my userbase and each one of those users would have tech support costs
>orders of magnitude greater than the users as a whole, the presence
>of that 1% would require expensive training and retraining on the
>part of my tech support staff...

Then you would choose to be a dime-a-dozen bank, and compete with tens
of thousands of banks for 1/10000th of 99% of the market, which is
obviously not as profitable as taking the other 1% in whole.

>Honestly, if I was advising a consumer bank about this, I'd tell them to
>avoid OpenPGP.  I don't see the business case for it.  And until you can
>show me either (a) radical improvements in ease-of-use,

Partner with hushmail.

>(b) radical reductions in technical support costs,

Don't offer unlimited support.

>(c) explosive demand from the users, 

The demand need not be "explosive" if you're the only one (or one of
very few) supplying the demand.

>you really can't show me the business case for it, either.

You've failed to make a convincing case for why a business case
already proven to work in Germany would fail in the US.
