The Policy Hack

I've found a delightfully exploitable social hack which I presented at UK GovCamp.
It applies to any uncooperative bureaucracy.

Here's how it works. You ask someone to do something and they reply with "I'm sorry sir, that's against our policy."

You should say "I'm sorry to hear that. Please can you send me a copy of the policy?"

Turns out, most times, there is no policy!

Clip from the film "The Matrix" - a young bald boy is saying "There is no spoon."

Shocking, I know. So much of modern life rests on the whim of whichever call-centre worker you happen to get. If they can't be bothered to do something, they can hide behind a non-existent policy.

Here are a few examples where it has worked for me.

A supplier refused to issue documentation via email and insisted on posting it out. Why? "It's our security policy."

I asked for a copy of the policy - so I could understand why I was allowed to send them documentation via "insecure" email, but they couldn't reciprocate. Of course, there was no policy. They just didn't know how to do email attachments.

A previous employer had an internal system which insisted that password could only be 8 alphabetic characters. No number, no special characters. Oh, and it had to change every 28 days. Again, asking for the policy showed that it was one person's "overenthusiastic" interpretation of the IT department's actual policy.

This happens repeatedly.


This isn't a foolproof technique. Sometimes there is a genuine and well thought out policy in place.

A few examples of where it hasn't worked.

  • "My manager won't let us share it." (So I escalate to the manager and we repeat the process.)
  • "Sorry sir, that's an internal policy and we can't share it." (At which point you can apply for a Subject Access Request under the Data Protection Act to see how the decision was made.)
  • "Certainly sir. Here is the policy which has been thoroughly reviewed by our lawyers." (Fair enough, I guess!)

Anyway, this technique is now yours to try. See what works and report back.


Two important points to consider.

  1. This works for me. Of course, I have the confidence of a mediocre white man - your success may vary depending on your level of privilege.
  2. It's rarely the fault of the person blocking your way. They're stuck in a dystopian system which rewards them for denying you access. Don't get angry with them - fix the system instead.

Share and Enjoy

One thought on “The Policy Hack

  1. Dave says:

    “(At which point you can apply for a Subject Access Request under the Data Protection Act to see how the decision was made.)”

    Really not sure that’ll get you very far. An internal policy won’t (I hope!) have any personal details it it so a subject access request wouldn’t reveal the policy. It would only reveal how the decision was made if that information was recorded against one of your records which would seem unlikely to go much further than “advised was against policy”.

    Good news with GDPR is that the subject access request will be free though so worth giving it a go!

Leave a Reply

Your email address will not be published. Required fields are marked *