O2 UK's Weird MSISDN Lookup API


Sorry, we don’t recognise this number. Please try again.

It's always fun keeping your network inspector tab open. While looking around the O2 UK website, I found this page all about eSIMs. For some reason, it wants to know the user's phone number. I put in a random number, and it refused to let me in. Putting in a genuine O2 number let me through. So what is it doing to validate numbers? It is making an API call to this URl: https://www.o2.co.uk/o/customer/mods/lookup/447700900123 After a bit of testing, this is how I think it works. If you …

Continue reading →

Envelopes and GDPR


A letter addressed to me. Just inside the plastic window you can see the word "colonoscopies".

Privacy is a funny concept, isn't it? Very few people want the whole world to know what medical complaints they have. But most hospitals are open-access buildings, where the waiting rooms have large monitors to tell patients that their doctor is running late. A few years ago I was sat in the proctology waiting room. Anyone who knew me would have seen I was waiting for an bum doctor. They may not have known my specific complaint, but the laser-display board announced that my appointment was…

Continue reading →

How do you stop people accessing data they shouldn't?


A padlock engraved into a circuit board.

I used to work in a call centre for a Very Big Company. Every week, without exception, we'd get a bunch of new starters to train. And every week, without exception, a newbie would be fired after looking up a famous person's data. This was in the days before GDPR. There was a lot less general awareness of data protection issues. It didn't matter how often will drilled it into trainees' heads - someone would breach privacy within 5 minutes of getting on the system. It seemed to be an almost…

Continue reading →

Poorly folded letters lead to exposure of medical data


A letter addressed to me. Just inside the plastic window you can see the word "colonoscopies".

I returned home from holiday to a pile of letters. Mostly junk, a few Christmas cards, and something from the NHS. This is what the envelope looked like: As it happens, I'm not particularly concerned about who knows I had a fairly normal medical procedure. I've blogged a bit about it and Tweeted about the experience in an attempt to de-stigmatise it. Terence Eden is on Mastodon@edentReplying to @edentMorning folks!I survived the night, and now have a couple of hours to wait until someone…

Continue reading →

EBCDIC is incompatible with GDPR


Dutch text and a diagram.

Welcome to acronym city! The Court of Appeal of Brussels has made an interesting ruling. A customer complained that their bank was spelling the customer's name incorrectly. The bank didn't have support for diacritical marks. Things like á, è, ô, ü, ç etc. Those accents are common in many languages. So it was a little surprising that the bank didn't support them. The bank refused to spell their customer's name correctly, so the customer raised a GDPR complaint under Article 16. The data subj…

Continue reading →

"Advanced Network Error Search" - how to turn off Virgin's least helpful service


Screenshots showing adverts next to my mispelled domain.

tl;dr you have to keep complaining to Virgin for several months and then take them to the Communication & Internet Services Adjudication Scheme then complain to their Data Protection team by contacting them on LinkedIn. Background Virgin have a spammy DNS hijacking service. If you accidentally misspell a domain - for example example.coom - Virgin will pretend that the domain exists and serve you up an advertising page. Yahoo powered! Yeuch! This means my data is sent to these advertisers…

Continue reading →

£25 GDPR Compensation - why it's always worth complaining


A tiny lego Storm Trooper eats a chocolate coin.

Back in 2011, I sold all of my shares in my former employer and used the money to buy solar panels. I closed my account at the same time. Or so I thought Fast-forward 9 years, and I was surprised to receive an unwanted email from the corporate shareholding service. It was some nonsense about their corporate rebranding. I dropped them a note saying that I hadn't been a customer for many years and that I was pretty sure they were breaching GDPR. They did not agree: We can confirm your…

Continue reading →

Don't trust Cloudflare with your personal data


It has been over a year since I cancelled my Cloudflare account. They keep emailing me and haven't taken me off their marketing lists despite repeated requests. Their CTO told me he would investigate, but nothing changed. Their Data Protection Office hasn't respond to my requests. Cloudflare do not appear to respect the GDPR. I've escalated this to the highest levels of Cloudflare, but they just don't seem to be able to take any action. This is concerning. Terence Eden is on…

Continue reading →

GDPR and common sense


Some giant question marks standing in a field. Photo by https://www.flickr.com/photos/dbrekke/181939582/

Every so often, I get a glimpse into the thought processes of someone who has a very different view of the world to me. I don't deal with people's personal information often. So I was surprised to receive an email with a multi-megabyte spreadsheet called "Pay and Bonuses 2020". The email contained this doozy of a sentence: “Due to GDPR the attached file is password protected, I will send the password in a separate email” I shit you not. I checked the sender. They didn't work for my org…

Continue reading →

Can you trust CloudFlare with your personal data?


Email with CloudFlare's new privacy policy.

I'm increasingly concerned with the power that CDNs wield - and CloudFlare in particular. So I decided to delete my CloudFlare account. While they claim to have removed my account, they still seem to count me as an active customer. I wonder how many people bought shares in their IPO based on inaccurate customer numbers? Timeline 2019-08-04 I raised a support ticket to close my account. 2019-08-05 CloudFlare sent me confirmation that they'd removed my account. 2019-10-02 I received an…

Continue reading →

Responsible Disclosure - Citizens Advice Bureaux


Logo for citizens advice bureau.

A quick report into a nasty privacy vulnerability I found with the CAB. Unusually for me, this has no Internet component. Regular readers will know about my recent court visit. As part of that, I had to telephone the CAB Volunteers at the court who look after witnesses. I called, and was put on hold, then asked to leave a message. There's a popular myth that you can trick phone systems to sending your call to the operator if you hold down the zero button. So I rang back... "Please hold…

Continue reading →

Is HTTP 451 suitable for GDPR blocking?


451: Unavailable for legal reasons We recognise you are attempting to access this website from a country belonging to the European Economic Area (EEA) including the EU which enforces the General Data Protection Regulation (GDPR) and therefore cannot grant you access at this time. For any issues, e-mail us at techguy@journaltimes.com or call us at 888-460-8725.

Hello, it's me - the idiot who helped inspire the HTTP 451 status code. I graciously allowed Tim Bray to do the hard work of getting it through the IETF process, and now it is an official RFC. Recently, I've seen lots of people getting het up about its "misuse" - so I want to clarify a few things. The GDPR (General Data Protection Regulation) gives people in the EU strong data protection rights. Some companies do not wish to comply with these laws. Those companies block content to people…

Continue reading →