It's always fun keeping your network inspector tab open. While looking around the O2 UK website, I found this page all about eSIMs. For some reason, it wants to know the user's phone number. I put in a random number, and it refused to let me in. Putting in a genuine O2 number let me through. So what is it doing to validate numbers? It is making an API call to this URL: https://www.o2.co.uk/o/customer/mods/lookup/447700900123 After a bit of testing, this is how I think it works. If you …
Continue reading →
Privacy is a funny concept, isn't it? Very few people want the whole world to know what medical complaints they have. But most hospitals are open-access buildings, where the waiting rooms have large monitors to tell patients that their doctor is running late. A few years ago I was sat in the proctology waiting room. Anyone who knew me would have seen I was waiting for a bum doctor. They may not have known my specific complaint, but the laser-display board announced that my appointment was…
Continue reading →
I used to work in a call centre for a Very Big Company. Every week, without exception, we'd get a bunch of new starters to train. And every week, without exception, a newbie would be fired after looking up a famous person's data. This was in the days before GDPR. There was a lot less general awareness of data protection issues. It didn't matter how often we drilled it into trainees' heads - someone would breach privacy within 5 minutes of getting on the system. It seemed to be an almost…
Continue reading →
I returned home from holiday to a pile of letters. Mostly junk, a few Christmas cards, and something from the NHS. This is what the envelope looked like: As it happens, I'm not particularly concerned about who knows I had a fairly normal medical procedure. I've blogged a bit about it and Tweeted about the experience in an attempt to de-stigmatise it. Terence Eden is on Mastodon (@edent), replying to @edent: Morning folks! I survived the night, and now have a couple of hours to wait until someone…
Continue reading →
Welcome to acronym city! The Court of Appeal of Brussels has made an interesting ruling. A customer complained that their bank was spelling the customer's name incorrectly. The bank didn't have support for diacritical marks. Things like á, è, ô, ü, ç etc. Those accents are common in many languages. So it was a little surprising that the bank didn't support them. The bank refused to spell their customer's name correctly, so the customer raised a GDPR complaint under Article 16. The data subj…
Continue reading →
tl;dr: you have to keep complaining to Virgin for several months and then take them to the Communication & Internet Services Adjudication Scheme then complain to their Data Protection team by contacting them on LinkedIn. Background: Virgin have a spammy DNS hijacking service. If you accidentally misspell a domain - for example example.coom - Virgin will pretend that the domain exists and serve you up an advertising page. Yahoo powered! Yeuch! This means my data is sent to these advertisers…
Continue reading →
Back in 2011, I sold all of my shares in my former employer and used the money to buy solar panels. I closed my account at the same time. Or so I thought. Fast-forward 9 years, and I was surprised to receive an unwanted email from the corporate shareholding service. It was some nonsense about their corporate rebranding. I dropped them a note saying that I hadn't been a customer for many years and that I was pretty sure they were breaching GDPR. They did not agree: We can confirm your…
Continue reading →
It has been over a year since I cancelled my Cloudflare account. They keep emailing me and haven't taken me off their marketing lists despite repeated requests. Their CTO told me he would investigate, but nothing changed. Their Data Protection Office hasn't responded to my requests. Cloudflare do not appear to respect the GDPR. I've escalated this to the highest levels of Cloudflare, but they just don't seem to be able to take any action. This is concerning. Terence Eden is on…
Continue reading →
Every so often, I get a glimpse into the thought processes of someone who has a very different view of the world to me. I don't deal with people's personal information often. So I was surprised to receive an email with a multi-megabyte spreadsheet called "Pay and Bonuses 2020". The email contained this doozy of a sentence: “Due to GDPR the attached file is password protected, I will send the password in a separate email” I shit you not. I checked the sender. They didn't work for my org…
Continue reading →
I'm increasingly concerned with the power that CDNs wield - and CloudFlare in particular. So I decided to delete my CloudFlare account. While they claim to have removed my account, they still seem to count me as an active customer. I wonder how many people bought shares in their IPO based on inaccurate customer numbers? Timeline: 2019-08-04: I raised a support ticket to close my account. 2019-08-05: CloudFlare sent me confirmation that they'd removed my account. 2019-10-02: I received an…
Continue reading →
A quick report into a nasty privacy vulnerability I found with the CAB. Unusually for me, this has no Internet component. Regular readers will know about my recent court visit. As part of that, I had to telephone the CAB Volunteers at the court who look after witnesses. I called, and was put on hold, then asked to leave a message. There's a popular myth that you can trick phone systems into sending your call to the operator if you hold down the zero button. So I rang back... "Please hold…
Continue reading →
Hello, it's me - the idiot who helped inspire the HTTP 451 status code. I graciously allowed Tim Bray to do the hard work of getting it through the IETF process, and now it is an official RFC. Recently, I've seen lots of people getting het up about its "misuse" - so I want to clarify a few things. The GDPR (General Data Protection Regulation) gives people in the EU strong data protection rights. Some companies do not wish to comply with these laws. Those companies block content to people…
Continue reading →