How do you stop people accessing data they shouldn't?

A padlock engraved into a circuit board.

I used to work in a call centre for a Very Big Company. Every week, without exception, we'd get a bunch of new starters to train. And every week, without exception, a newbie would be fired after looking up a famous person's data. This was in the days before GDPR. There was a lot less […]


Poorly folded letters lead to exposure of medical data

A letter addressed to me. Just inside the plastic window you can see the word "colonoscopies".

I returned home from holiday to a pile of letters. Mostly junk, a few Christmas cards, and something from the NHS. This is what the envelope looked like: As it happens, I'm not particularly concerned about who knows I had a fairly normal medical procedure. I've blogged a bit about it and Tweeted about the […]


EBCDIC is incompatible with GDPR

Dutch text and a diagram.

Welcome to acronym city! The Court of Appeal of Brussels has made an interesting ruling. A customer complained that their bank was spelling the customer's name incorrectly. The bank didn't have support for diacritical marks. Things like á, è, ô, ü, ç etc. Those accents are common in many languages. So it was a little […]


"Advanced Network Error Search" - how to turn off Virgin's least helpful service

Screenshots showing adverts next to my misspelled domain.

tl;dr: you have to keep complaining to Virgin for several months and then take them to the Communication & Internet Services Adjudication Scheme then complain to their Data Protection team by contacting them on LinkedIn. Background: Virgin have a spammy DNS hijacking service. If you accidentally misspell a domain - for example example.coom - Virgin […]


£25 GDPR Compensation - why it's always worth complaining

A tiny lego Storm Trooper eats a chocolate coin.

Back in 2011, I sold all of my shares in my former employer and used the money to buy solar panels. I closed my account at the same time. Or so I thought. Fast-forward 9 years, and I was surprised to receive an unwanted email from the corporate shareholding service. It was some nonsense about […]


Don't trust Cloudflare with your personal data

It has been over a year since I cancelled my Cloudflare account. They keep emailing me and haven't taken me off their marketing lists despite repeated requests. Their CTO told me he would investigate, but nothing changed. Their Data Protection Office hasn't responded to my requests. Cloudflare do not appear to respect the GDPR. I've […]


GDPR and common sense

Some giant question marks standing in a field.

Every so often, I get a glimpse into the thought processes of someone who has a very different view of the world to me. I don't deal with people's personal information often. So I was surprised to receive an email with a multi-megabyte spreadsheet called "Pay and Bonuses 2020". The email contained this doozy of […]


Can you trust CloudFlare with your personal data?

Email with CloudFlare's new privacy policy.

I'm increasingly concerned with the power that CDNs wield - and CloudFlare in particular. So I decided to delete my CloudFlare account. While they claim to have removed my account, they still seem to count me as an active customer. I wonder how many people bought shares in their IPO based on inaccurate customer numbers? […]


Responsible Disclosure - Citizens Advice Bureaux

A quick report into a nasty privacy vulnerability I found with the CAB. Unusually for me, this has no Internet component. Regular readers will know about my recent court visit. As part of that, I had to telephone the CAB Volunteers at the court who look after witnesses. I called, and was put on hold, […]


Is HTTP 451 suitable for GDPR blocking?

451: Unavailable for legal reasons We recognise you are attempting to access this website from a country belonging to the European Economic Area (EEA) including the EU which enforces the General Data Protection Regulation (GDPR) and therefore cannot grant you access at this time. For any issues, e-mail us at or call us at 888-460-8725.

Hello, it's me - the idiot who helped inspire the HTTP 451 status code. I graciously allowed Tim Bray to do the hard work of getting it through the IETF process, and now it is an official RFC. Recently, I've seen lots of people getting het up about its "misuse" - so I want to […]
