Not only did they have my email address, they also had a copy of one of my phone numbers. I asked them where they got it from and they said:

Your phone number came from Parsely, Inc (wpvip.com) one of our customers who participates in our customer contributor network by sharing their business contacts with the Apollo platform.

I've never done any business with Parsely. They have no reason to have my phone number and absolutely no permission to share it with other organisations.

Back in 2021, Parsely became part of WordPress VIP. Ah yes, our old "friends" at Automattic with their somewhat lax attitude to privacy.

I took advantage of WordPress VIP's GDPR policy and sent a terse but polite "Hey, WTAF?" to them. Their response was quick:

Thanks for reaching out. We are currently investigating our systems to locate any personal data regarding your request. We appreciate your patience.

After a bit of prodding, they eventually replied with:

It appears that we obtained your contact information as a result of a meeting you had with a representative for the WPScan service around August 5, 2022. WPScan is owned by our parent company Automattic.

We have no record of Parsely, Inc. (which is no longer in existence) or WPVIP Inc. (the owner of the Parse.ly service) having any relationship with Apollo.io.

We also have no record of Parsely, Inc. or WPVIP Inc. having sold or otherwise provided your information to any third party.

I have no memory and no record of meeting anyone from WPScan - although I concede it is possible I did as part of a previous job.

But even if it was in an email signature when I contacted them that still doesn't explain how it made its way to Apollo for them to give to spammers everywhere. Was it a hack? A data leak? A treacherous employee? A deliberate sale? A sneaky app update? Or maybe just Apollo lying to me.

I don't care any more. I'm just so tired of shitty companies treating personal data as a commodity to be traded, sold, repackaged, and abused.

A few weeks ago I signed up for BrowserStack as I wanted to join their Open Source programme. I had a few emails back-and-forth with their support team and finally got set up.

A couple of days later I received an email to that email address from someone other than BrowserStack. After a brief discussion, the emailer told me they got my details from Apollo.io.

Naturally, I reached out to Apollo to ask them where they got my details from.

They replied:

Your email address was derived using our proprietary algorithm that leverages publicly accessible information combined with typical corporate email structures (e.g., firstname.lastname@companydomain.com).

Wow! A proprietary algorithm, eh? I wonder how much AI it takes to work out "firstname.lastname"????

Obviously, their response was inaccurate. There's no way their magical if-else statement could have derived the specific email I'd used with BrowserStack. I called them out on their bullshit and they replied with:

Your email address came from BrowserStack (browserstack.com) one of our customers who participates in our customer contributor network by sharing their business contacts with the Apollo platform.

The date of collection is 2026-02-25.

So I emailed BrowserStack a simple "Hey guys, what the fuck?"

I love their cheery little "No spam, we promise!"

Despite multiple attempts to contact them, BrowserStack never replied.

Given that this email address was only used with one company, I think there are a few likely possibilities for how Apollo got it.

• BrowserStack routinely sell or give away their users' data.
• A third-party service used by BrowserStack siphons off information to send to others.
• An employee or contractor at BrowserStack is exfiltrating user data and transferring it elsewhere.

There are other, more nefarious, explanations - but I consider that to be unlikely. I suspect it is just the normalisation of the shabby trade in personal information undertaken by entities with no respect for privacy.

But, it turns out, it gets worse. My next blog post reveals how Apollo got my phone number from from a very big company.

Be seeing you 👌

I'll start by saying that I'm moderately positive on Online Safety. If services don't want to provide moderation then they shouldn't let their younger users be exposed to harm.

The social network BlueSky has taken a pragmatic approach to this. If you don't want to verify your age, you can still use its services - but it won't serve you porn or let people send you non-public messages.

I think that's pretty reasonable. I don't use BSky to look at naked mole rats people, and I already have plenty of other messaging accounts. So I haven't verified my age.

There are two slight wrinkles with BSky's implementation. Firstly, there's no way to retrieve DMs which were sent before this restriction came into force. Oh, you can one-click export your data - but it only includes public data. So no DMs.

Secondly, you can't turn off DM from people who have previously messaged you. I asked people to message me to see if they got an error - but it looks like the messages just get silently accepted. I probably look a bit rude if I don't answer them.

Worse still, the DM notification keeps incrementing!

It is possible to turn off DMs - but only if you can access your DM settings. Which you can't if you haven't passed age assurance.

Well, what about GDPR?

BlueSky's privacy policy has this to say about DMs:

Your Direct Messages. We store and process your direct messages in order to enable you to communicate directly and privately with other users on the Bluesky App. These are unencrypted and can be accessed for Trust and Safety purposes.

They go on to say that I may have the right to:

Request Access to and Portability of Your Personal Information, including: (i) obtaining access to or a copy of your personal information; and (ii) receiving an electronic copy of personal information that you have provided to us, or asking us to send that information to another company in a structured, commonly used, and machine-readable format (also known as the “right of data portability”);

So I sent off a Subject Access Request asking specifically for the Direct Messages sent to/from my account.

I was 100% sure that the messages I had sent were my personal data and should be returned to me. I wasn't sure if messages other people had sent to me could be considered personal data. But I figured that the OSA hadn't invalidated GDPR.

Here's what happened:

Timeline

• 2025-07-24 - Sent request to their support desk and received an acknowledgement.
  • Response: "I've gone ahead and shared your request with our team and will follow up with you if any additional information or verification is needed."
• 2025-07-31 - Sent a reminder to them.
  • Response: "We've escalated your concern to our developers and are still waiting for their response and confirmation. We'll get back as soon as we get this information."
• 2025-08-25 - One month later sent an escalation to their legal team reminding them of their obligations.
  • Response: Asked to provide my country of residence and to prove my account ownership by send an email from the address associated with my BSky account.
• 2025-09-05 - Sent yet another chaser.
• 2025-09-13 - Over seven weeks since the initial request. Told them that I wanted to know which data protection authority they were registered with so I could make a formal complaint.
  • Response: "Please be aware that we are currently in the process of making your data available for download. We will notify you as soon as it is ready."
• 2025-09-22 - 8 weeks since the complaint was raised. Sent another chaser asking how long until my data would be ready to download.
• 2025-09-25 - After 64 days they sent me a CSV with my data!

Result

Here's an extract of the CSV. I've lightly redacted the data, but you can see how JSON embedding works.

convoId,sentAt,sender,contents
3kt6f7a2,2025-07-24 05:50:09.339+00,did:plc:pxy4cjqfu5aa6eadtx5,"{""text"": ""Testing testing""}"
3ku4lvbh,2024-06-04 18:17:52.414+00,did:plc:i6misxex577k4q6o7gl,"{""text"": ""Thought this might be up your alley. I've been to a few of them - pretty good crowd. thegeomob.com/post/july-3r..."", ""facets"": [{""index"": {""byteEnd"": 114, ""byteStart"": 85}, ""features"": [{""uri"": ""https://thegeomob.com/post/july-3rd-2024-geomoblon-details"", ""$type"": ""app.bsky.richtext.facet#link""}]}]}"

Thoughts

I didn't have to prove my age. I just proved account ownership and then politely but insistently asked for my data. Frankly, it is baffling that such a well-funded company takes this long to answer a simple request.

Does this expose a gaping whole in the idea of online safety?

No. Not really. I suppose that a theoretical abuser could send messages to a minor and then that minor could go through a Subject Access Request process to try and access them. But that all feels a bit far-fetched and is likely to draw attention to both parties.

But why didn't you just…

This was definitely "playing on hard mode". There were other ways to get my DMs. Here are some alternatives which I didn't try and why I didn't try them.

• Use a VPN to circumvent the geoblock.
  • Why should I have to pay for a VPN, or trust my browsing data to a dodgy 3rd party? I shouldn't have to install and configure software just to work around a crappy design decision.
• Go through age verification.
  • I don't browse BlueSky for the "gentlemen's special interest" section. I already have lots of ways people can contact me. I'm not against a KYC process - but I simply don't need it.
• Use a 3rd party client to download the data.
  • I don't trust my data with 3rd party apps, and neither should you!
• Use the API to read DMs.
  • I wasn't sure if the API required age verification. And, frankly, I couldn't be faffed learning a brand new API.
• Escalate straight to the CEO or via a friend who works there.
  • I like doing things the official way. Not everyone has a friend who works at BSky (thanks <REDACTED>!) and I feel it is better if legal teams get direct feedback from users; not management.
• Ignore this and use a better social network.
  • I go where my friends are. I have lots of friends on Mastodon and other services. BSky is OK, but I'm only there for my friends. But, while they are there, I didn't want an obnoxious DM notification taunting me.

Next Steps

I've emailed BlueSky to ask them to completely disable my inbox and clear my notifications. We'll see how long that takes them!

The best thing about QR codes is that they're free. It doesn't cost any money to generate one. They're an open standard with no middle-men. Users can go direct to your site!

Except… Some people want to insert themselves into your conversation. Sometimes it is for malicious reasons, sometimes it is greed for user data, and sometimes it is just incompetence.

Let's take this example - a health centre wants people to register. Scan the QR and get started. Fab!

Photo shamelessly stolen from a LinkedIn contact.

But what happens when you scan the QR code? Rather than taking you directly to an authoritative and trusted NHS.UK domain name, it sends you through https://register-with-gp.ht1.uk/.

Who on earth are HT1.UK?

According to their website, they're an automation company who are "on a mission to make the NHS the most advanced healthcare system in the world."

Good for them. But what information are they collecting about users who traverse through their QR codes? If you take a look at their privacy policy you won't find anything specific. Never mind, let's email their friendly privacy team. What's their email address?

Of course, emailing that gets you back this error:

Emoji! How fun!!

So I emailed the new address to see what information they were collecting. Their response wasn't particularly informative.

because Healthtech-1 is a processor of information and the GP practice is the data controller any requests about how your data is handled should be made to the GP practice who can inform you of the information you requested.

…

I can confirm that there is no information stored about users who scan the QR codes and no cookies placed.

But, of course, users have no way of verifying what this company is storing about them. There's simply no reason to use an untrusted 3rd party like this to provide either a QR code or an intermediary website.

Why this is a problem

Trust is everything. People are constantly being scammed. One of the great things that GOV.UK did was to say "This here is our trusted brand. If you don't see GOV.UK in the URl bar - don't trust it!"

The NHS should be doing the same. Every hospital, surgery, and clinic should have an NHS.UK domain name. When a user sees a link to a healthcare service which doesn't go through NHS.UK, they should feel suspicious and not click on it.

There is no way as a regular user to know that HT1.UK is a trusted domain. What about HT1.biz? HT2.UK? NHS.info.ly? What happens if HT1 go bust or have their domain name hijacked?

The NHS must stop the proliferation of these 3rd party domain names. They need to reinforce users' understanding that NHS.UK is the only trusted domain name for official NHS services.

I'm sure HT1.UK aren't doing anything nefarious with the data of people who visit their QR codes. I'm sure they're not inserting tracking cookies or selling my data. But I shouldn't have to be sure. All users should be pointed directly to an NHS.UK domain without having to risk whether their details are going via a dodgy site.

Here endeth the rant.

I put in a random number, and it refused to let me in.

Putting in a genuine O2 number let me through. So what is it doing to validate numbers?

It is making an API call to this URl:

https://www.o2.co.uk/o/customer/mods/lookup/447700900123

After a bit of testing, this is how I think it works.

If you give it an O2 phone number, it replies with:

{"type":"ONE"}

If you give it a number which isn't on O2, it gives:

{"type":"ZERO"}

A number it doesn't recognise gives:

{"message":"Unable to find the requested resource."}

A malformed or incomplete phone number gives:

{"message":"Something's wrong. Please try again later."}

Responsible Disclosure?

As far as I can tell, O2 no longer have a Bug Bounty or Responsible Disclosure offering. So I'm publishing it here to let people know.

It is possible that someone could use this API to disclose a (minor) piece of personal information about you - namely whether your phone number is on O2 or not. I don't think that's particularly sensitive, but it is probably worth knowing.

A few years ago I was sat in the proctology waiting room. Anyone who knew me would have seen I was waiting for an bum doctor. They may not have known my specific complaint, but the laser-display board announced that my appointment was with Doctor X. Anyone can look up Doctor X online and see that they specialise in removing foreign objects which have mysteriously found their way inside a person. Whither privacy?

But that's the kind of trade-off we make. It would be expensive to have individual waiting cubicles. And most people aren't famous enough to be recognised in public. And the chances of your neighbour also being in hospital are slim. Any you might just be waiting for a friend. So we sort of hand-wave it away because it is a small but difficult problem to solve.

Anyway, a few months later, I received a letter from the hospital. It was delivered in a plain envelope with no hospital markings. The return address was a suitably anonymous bulk mailing service. There were no warning markings to say this was a medical letter. There is no way that my postman, my housemate, or my cleaner would have known what the letter was about.

But see if you can spot the incredibly subtle mistake that was made:

Printing a physical letter on paper and then folding it in such a way that both the address is displayed and the paper cannot slip is a surprisingly hard problem. I get letters from lots of organisations where this has happened.

But, before lighting up the pitchforks, what's the real harm that has occurred here and how could it be prevented?

My postie now knows some of my medical info. That's assuming they bothered reading past the address, and that they remember anything specific from the 500 letters they had that day. My postie seems nice enough - but I don't doubt that a postal worker somewhere could use this to blackmail or intimidate a vulnerable person.

Anyone with access to my letterbox, and who gets there before me, also has sight of my information. Again, I tend to trust the people I let in. But not everyone is so lucky. A sufficiently abusive person would have opened the letter regardless of what they saw.

A fully paper envelope with no plastic window reduces one specific class of error - but may be too expensive to implement at scale. And, of course, if there's no window then there is the chance that the wrong letter might go into an envelope addressed to someone else.

Would going digital solve this? Email is mostly end-to-end encrypted between the big providers, so it would be unlikely that anyone saw it as it was being delivered.

Most email clients show the first few lines of a message - and some of them will show that preview as a pop-up on a locked phone. So anyone with access to your device could see something untoward. A sender name and subject have to be useful to the receiver - but is "FROM: Proctology. RE: The object we pulled out of you" too revealing?

An email could be fairly anonymous and link to a download portal of the real message. But that's quite a lot of work for a user to do. And an abuser could still have access to your device.

An email encrypted with your public key and send with a cryptic subject line is the sort of theoretical magic that geeks love, while forgetting that most people reuse their passwords and leave their laptops unlocked in the coffee shop.

What I'm getting at is that there's no perfect solution. Only incremental changes which may introduce a new class of problem.

This was in the days before GDPR. There was a lot less general awareness of data protection issues. It didn't matter how often will drilled it into trainees' heads - someone would breach privacy within 5 minutes of getting on the system.

It seemed to be an almost irresistible honey-pot. Imagine being able to look up the REDACTED bill of a pop-star. Or your neighbour. Or your no-good cheating ex. Or... you get the idea. It's no wonder that countless people felt compelled to risk their own jobs.

Training had some effect. We repeatedly warned what would happen if you were caught. We patiently explained how every interaction was logged. But that wasn't enough. Some people forgot. Or thought they could outsmart us. Or had a human moment of fragility and slipped.

Warning messages helped for a little while. Forcing people to read a dire warning of the consequence of a policy breach. But, after about the 2nd time of seeing them, people's eyes glazed over. Forcing them to type "I understand and agree" didn't seem to help. And, of course, anything which led to longer call times meant lower customer satisfaction.

For the same reason, two-person approval was also a non-starter. Before accessing an account, a manager had to approve the request. It isn't hard to distract an over-worked supervisor and, in some cases, it didn't take much to bribe them.

We tried tying access to an incoming phone call. Only present the account if the call came from the caller's registered phone number. But people have multiple numbers. Or are at the office. Or withheld their number. So that didn't help much.

One suggestion was to only allow viewing an account during a phone call. It was a good idea, with one minor flaw. Customers would quite often finish one transaction and then say "Can you please help me with my other account". Telling them to call back was a non-starter, so users had to be able to access multiple accounts per call. A simple "please hold" and a ne'er-do-well could spoof access to a different account.

Passwords nearly worked. "Please can I have the 3rd, 7th, and 19th character from your password?" The system presented a box for the call centre worker to type in the characters. But most callers hadn't set up a password. And those that had couldn't remember it. And, as call times increased, we were forced to scrap it.

Two-factor authentication was supposed to be the saviour. We'd text or email a code to a caller and that would unlock access to their account. But people don't always have access to their mobile, or have a good signal, or - in those days - have their email in front of them. Even if they did, callers got increasingly frustrated at the baroque security barriers.

Sure, we recorded every call for "training and monitoring purposes" but there was such a huge volume of calls that the chances of finding a transgression was vanishingly low - and post-hoc processes don't stop data from leaking.

As a stop-gap measure we put a flag on the account of famous people. Access to their accounts was forbidden unless authorised by two managers. They were a small proportion of callers, so that process didn't overwhelm staff. But... How do you know if someone is famous? There are lots of Maurice Micklewhites - only one of which is Michael Caine. And, of course, it's unlikely that your ex-wife's new boyfriend is on that list.

Every single measure that we put in place to protect people ended up alienating customers and/or slowing down workers. Every roadblock needed an exception. And those exceptions could be abused.

Of course, some people didn't care about being fired once they had acquired their target's details.

So, what did we do in the end?

I'd love to tell you that we found some magic technological solution which fixed all our problems. Some really cool cryptographic key exchange where customers kept their data in self-hosted pods and access was written to an append-only P2P Merkle-Tree. Perhaps infallible AI which noticed suspicious access patterns?

Instead, we went with a slightly dystopian set of posters and Post-It notes with a glowing pair of eyes printed on them. There's some science to this - people tend to behave more honestly when they think they are being watched.

It wasn't foolproof and, eventually, the eyes lost their power.

Nowadays customers are a lot more accepting of data protection needs. Being asked for a password is a necessary chore. But every so often there's a story about the family of someone with dementia being locked out of an account or a bereaved widow losing access because she forgot her PIN.

There's no right answer here. We either accept that people will occasionally be locked out of their accounts, or we accept that nefarious actors might have access to our information. Tracking access and punishing wrongdoers acts as a deterrent - but won't stop someone sufficiently reckless or determined.

How would you solve this problem?

This is what the envelope looked like:

As it happens, I'm not particularly concerned about who knows I had a fairly normal medical procedure. I've blogged a bit about it and Tweeted about the experience in an attempt to de-stigmatise it.

Terence Eden is on Mastodon

@edent

Replying to @edentMorning folks!
I survived the night, and now have a couple of hours to wait until someone shoves a camera up me.
Not going to live stream it.

Probably.

---

Terence Eden is on Mastodon

@edent

Replying to @edentAll done, and pretty uneventful.
Lovely NHS staff (as always) & complimentary biscuits afterwards.

Didn't get a copy of the colonoscopy video, but have some lovely colour photos which I'll be glad to show you when you pop round.

Still a bit 🥴 from the drugs. Staying offline.

---

But there will be plenty of people who are mortified that their postie knows that someone shoved a camera up their bum. Or that other people living in their home know that their guts are playing up. I'm sure you can imagine a worst-case scenario.

There are several ways to prevent this - each with potential drawbacks:

• Use a cover sheet which only has the address on. Will this double the cost?
• Print the address on one side of the paper and the letter on the other side. How does that test with users though?
• Don't use a windowed envelope and print the address separately. Are there cost implications?
• Ensure that the first few lines don't contain any sensitive information. How can that be enforced?
• Manually check outgoing letters to ensure they're compliant. Again, what's the cost of that?

I'm sure you can think of a few more. Some people have even tried to standardise this:

Thankfully, the letter told me that I didn't need an additional screening. Which was something of a relief.

Now, if you'll excuse me, I need to find the Data Protection Officer and become a pain in their arse!

The Court of Appeal of Brussels has made an interesting ruling. A customer complained that their bank was spelling the customer's name incorrectly. The bank didn't have support for diacritical marks. Things like á, è, ô, ü, ç etc. Those accents are common in many languages. So it was a little surprising that the bank didn't support them.

The bank refused to spell their customer's name correctly, so the customer raised a GDPR complaint under Article 16.

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.

Cue much legal back and forth. The bank argued that they simply couldn't support diacritics due to their technology stack. Here's their argument (in Dutch - my translation follows)

Bank X also explained that the current customer data management application was launched in 1995 and is still running on a US manufactured mainframe system. This system only supported EBCDIC ("extended binary-coded decimal interchange code"). This is an 8-bit standard for storing letters and punctuation marks, developed in 1963-1964 by IBM for their mainframes and AS/400 computers. The code comes from of the use of punch cards and only contains the following characters…

(Emphasis added.)

EBCDIC is an ancient (and much hated) "standard" which should have been fired into the sun a long time ago. It baffles me that it was still being used in 1995 - let alone today.

Look, I'm not a lawyer (sorry mum!) so I've no idea whether this sort of ruling has any impact outside of this specific case. But, a decade after the seminal Falsehoods Programmers Believe About Names essay - we shouldn't tolerate these sorts of flaws.

Unicode - encoded as UTF-8 - just works. Yes, I'm sure there are some edge-cases. But if you can't properly store human names in their native language, you're opening yourself up to a lawsuit.

Source

GDPRhub - 2019/AR/1006

Dance

Reactions

Marie ʕʘᴥʘʔ Julien

@mariejulien

Très intéressant !

Terence Eden is on Mastodon

@edent

This is interesting.
A bank claimed it couldn't use diacritics in a customer's name due to technical limitations.
Customer sued… and won!
Your name is personal data, and GDPR says it should be recorded accurately.

---

---

Grumpy Nat 🇨🇭🇧🇷🇲🇫

@Nat_Keely

Hâte de mettre en justice tous les sites et autres compagnies qui ont décidé que le fait que j'ai un accent dans mon nom de famille soit source de bug (avec évidemment un message d'erreur qui n'a rien à voir. Histoire de bien pas comprendre pourquoi ça marche pas)

Terence Eden is on Mastodon

@edent

This is interesting.
A bank claimed it couldn't use diacritics in a customer's name due to technical limitations.
Customer sued… and won!
Your name is personal data, and GDPR says it should be recorded accurately.

---

---

Lays Y. M. Farra

@LYMFHSR

La France va sortir de l'UE juste pour que leur état-civil et autres administrations puissent continuer à ruiner la vie de quelqu'un parce qu'il a un tilde dans son nom

Terence Eden is on Mastodon

@edent

This is interesting.
A bank claimed it couldn't use diacritics in a customer's name due to technical limitations.
Customer sued… and won!
Your name is personal data, and GDPR says it should be recorded accurately.

---

---

KristoferA 🌏

@KristoferA

Does this mean that Z̷̡̧̢̰͓̪͖̭͙̰̣̱̬̹̙̜̪̣̏̿̏̋͑́̒͑́̒̿̇̈̍̇̌͝͝a̵̡̧͍̘̮̤̙̹͙̦̙͙͖͓̥̟̦͔͒̇̊̊̔̓́͒́̌̈́̑͋̏̏̏̚͘͝͠͝l̶͉̯̱͇̭̭̉̉̈́̿͐̽̒̎̽͌̚͜ģ̸̧̛͙̩̹̰̤̱̖̘̻̪̻̮̫̟̙̲͍̰̻͕̗̫̿̆̃́͗̽̊̽̌̔̂͂̈͊̐̈́̈̈́̈̓̆͌̑́̕͜ǫ̶̢̹̥̮̟͍̔̑̔̽ can finally open a bank account?

Terence Eden is on Mastodon

@edent

This is interesting.
A bank claimed it couldn't use diacritics in a customer's name due to technical limitations.
Customer sued… and won!
Your name is personal data, and GDPR says it should be recorded accurately.

---

---

Bastien Nocera

@hadessuk

Next up, I’m suing La Poste for still using ISO-8859-1 when printing labels. Poor “Frédéric” I recently sent a game to…

Terence Eden is on Mastodon

@edent

This is interesting.
A bank claimed it couldn't use diacritics in a customer's name due to technical limitations.
Customer sued… and won!
Your name is personal data, and GDPR says it should be recorded accurately.

---

---

Michael Büker 🇺🇦

@emtiu

Eine Erschütterung der Macht, als würden Millionen Banken-ITler in panischer Angst aufschreien und dann verstummen.

Terence Eden is on Mastodon

@edent

This is interesting.
A bank claimed it couldn't use diacritics in a customer's name due to technical limitations.
Customer sued… and won!
Your name is personal data, and GDPR says it should be recorded accurately.

---

---

Background

Virgin have a spammy DNS hijacking service. If you accidentally misspell a domain - for example example.coom - Virgin will pretend that the domain exists and serve you up an advertising page.

Yahoo powered! Yeuch! This means my data is sent to these advertisers without consent.

For the technically minded, the Virgin Media DNS should return NXDOMAIN instead it fraudulently returns NOERROR and redirects the user to the spam site.

Don't worry, there's a link to switch off the service.

But it is broken. It always says "the advanced network error search is already switched off."

Lots of people report having this problem but Virgin don't have an official fix for it. It is possible to change your devices' DNS servers - but it is impossible to change the DNS on the SuperHub. But, frankly, you shouldn't have to. Virgin should provide a proper DNS service.

So, here's how I got them to fix it. I hope this works for you too.

Raise a complaint

I raised an issue in the community forums. That's generally the best way to get in touch with the UK-based support team.

Eventually someone contacted me there and I was able to explain the issue. They started raising it with their IT team. But were unable to fix it.

I also raised a complaint directly with Virgin's complaints team.

After two months of being ignored, lied to, and misdirected - I asked for a Deadlock Letter. That allows you to make a complaint to the dispute resolution service.

Sadly, Virgin refused to issue a Deadlock. But as it had been longer than eight weeks, I was able to complain directly vis https://www.cedr.com/consumer/cisas/.

A couple of weeks later, I got a notification that my complaint had been accepted by CISAS. By complete coincidence I received a phone call from Virgin the exact same day offering me a solution!

Apparently the only way to change this setting was for Virgin to delete my customer account and rebuild it from scratch. Yup, their solution was to literally turn my account off then on again. Their only other option was to release me from my contract without penalty. As they're the only fibre provider near me, I let them switch me off for a couple of hours.

It didn't work.

The Data Protection Angle

I reckoned that if Virgin were sending my browsing data to a 3rd party without my consent, that was a GDPR issue. So I emailed Virgin's Data Protection team saying:

Virgin Media have forcibly enrolled my account into their "Advanced Network Error Search" service.

When I mistype a domain name, Virgin redirects me to an advertising service powered by Yahoo.

I would like to understand on what legal basis are you sharing my data with Yahoo and the advertising partners on the service. I see no mention of it in https://www.virginmedia.com/shop/the-legal-stuff/privacy-policy

As per your policy, I wish to assert the following rights:

5. The right to restrict processing

I have repeatedly asked your technical team to remove me from the Advanced Network Error Search service. They have refused. I am therefore instructing you to restrict the processing of my data for the purposes of this service.

Please let me know your response by 1st March.

I didn't hear back.

So I found their Head of Data Protection on LinkedIn and politely asked him to take a look into it for me. He told me to email a generic address. I explained that I had already done so but received no reply, so he gave me his direct address. I forwarded him the above, and got a swift reply saying they'd look into it.

A week later, I got a weird email saying my Web Safe Parental Controls had been changed.

I hadn't changed them. But, obviously someone at Virgin had monkeyed around with my account - because the accursed Advanced Network Error Search had gone!!

They phoned me shortly afterwards and confirmed that the issue had finally been resolved.

And all it took was three-months of complaining...

Compensation

Virgin offered a one month bill refund - £48 - by way of an apology.

In light of the months of arguing back-and-forth and the amount of time I wasted trying to get this fixed, I asked for £300 of compensation. Which they paid. (!!!!!!)

They separately also gave me bill credit for the delay in processing the case.

What Have We Learned?

Virgin media have shitty customer service. Their backend systems are antiquated and unreliable. But they have fastest speeds in my area and low(ish) prices, so I'm stuck with them.

But, more importantly, the threat of GDPR is an excellent way to force companies to behave!

Join Virgin Media and get £50 bill credit

If you fancy putting up with this sort of nonsense, join Virgin Media and we both get £50.

Fast-forward 9 years, and I was surprised to receive an unwanted email from the corporate shareholding service. It was some nonsense about their corporate rebranding.

I dropped them a note saying that I hadn't been a customer for many years and that I was pretty sure they were breaching GDPR. They did not agree:

We can confirm your account will be retained for a period of six years, dated from when the holding drops to zero. This is in line with record keeping requirements under General Data Protection Regulation. Please note, should you contact us within that time or access your account online, the six year period will reset.

I told them that it had been longer than 6 year since my balance dropped to zero, and I hadn't logged in since. They replied bluntly:

We can confirm that we are currently unable to delete your account.

My reply was equally blunt "Please escalate this to your Data Protection Officer".

A week later, they capitulated:

Following a review of Computershare’s records, I confirm that you have not accessed your online account or contacted Computershare regarding your shareholding since the above mentioned date. Therefore, Computershare should have processed your request to delete your account. Please be advised that the information provided in Computershare’s email of 26 October 2020 was incorrect and your account is available for deletion in accordance with GDPR.

Please accept my apologies for the poor level of service that was provided to you on this occasion. I am sorry to say that this has fallen well short of the normal high standards we expect and I assure you that the appropriate action will be taken to prevent any instances of this nature from occurring in the future.

In light of the above, I have upheld your complaint and arranged for a £25.00 ex-gratia payment to be issued you your registered bank account as a gesture of goodwill.

Of course, they sent the money to an account I've not had for over 5 years...

£25 is a small amount of money to them - and in truth only gets me a bonus takeaway. But if enough people start pushing back, complaining, and demanding compensations - perhaps these incompetent companies will start taking data protection seriously?

Perhaps I should have asked for more? But what loss or harm have I suffered? The main problem is that it has increased the attack surface against me. There's yet another database containing my data. That means one more target for those who are trying to scam me. I want my data on as few systems as possible and, ideally, under my control.

Always complain.

Cloudflare do not appear to respect the GDPR.

I've escalated this to the highest levels of Cloudflare, but they just don't seem to be able to take any action. This is concerning.

Terence Eden is on Mastodon

@edent

@jgrahamc @Cloudflare Done. It was the email apologising for your most recent outage.

---

Sadly, John Graham-Cumming - the CTO - deleted his Tweet saying that he'd look into it. I assume that JGC doesn't like his personal data being misused. If only I were able to delete my personal data from Cloudflare, eh?

Luckily, the Internet Archive has a backup

Despite promising an investigation and a response from their Data Protection Office - I've received no assurance that they have respected my rights.

Timeline

At the start of August last year, I cancelled my Cloudflare account. I received confirmation from them that I was no longer a customer. My login was disabled. That should have been the last I heard from them.

Two months later, I received an email update about their privacy policy.

I complained on Twitter, and their CTO promised he'd look into it:

(Again, tweet deleted, but saved in the Internet Archive)

I never heard back from John. But one of his minions sent me this:

When we receive a request for account deletion, we may retain the email address on the account up to a year to ensure that we comply with internal policies and legal obligations.

*Pffft* Whatever. No mention of that is made in their privacy policy.

At the end of August this year - well over 12 months after I unsubscribed - I received another email from Cloudflare. This time apologising for their downtime!

Terence Eden is on Mastodon

@edent

Replying to @edentJust received more spam from @Cloudflare. With no unsubscribe link.
It has been more than a year since I asked them to delete my account.

You cannot trust Cloudflare with your personal data. pic.x.com/y3qkyagm81

---

There was no option to unsubscribe. I'm not a customer - but apparently I still have to receive emails from them.

I got a message from someone at Cloudflare who said that they have multiple customer mailing lists and they are rarely in sync with each other. They don't have a good idea of who they are sending emails to, or whether people have consented. I think this is unacceptable for a company of this size to be so lax about their GDPR obligations.

I asked Cloudflare to report this breach to the Information Commissioners Office, and I suggested that they may need to notify the SEC if they are expecting a large fine. They may also need to let investors know if they have misrepresented their customer numbers.

I asked JGC and Cloudflare PR for a comment - but they were not inclined to provide one. They said their DPO would get back to me last week, but I heard nothing.

At this point, I can only conclude that Cloudflare do not respect their users' privacy. Cloudflare has no idea who its customers are, nor how many they have. Cloudflare doesn't care about your data rights.

CLOUDFLARE’S PROMISE

Our mission to help build a better Internet is rooted in the importance we place on establishing trust with our Customers, users, and the Internet community globally. To earn and maintain that trust, we commit to communicating transparently, providing security, and protecting the privacy of data on our systems. Cloudflare's privacy policy

*bitter laugh*

I don't deal with people's personal information often. So I was surprised to receive an email with a multi-megabyte spreadsheet called "Pay and Bonuses 2020". The email contained this doozy of a sentence:

“Due to GDPR the attached file is password protected, I will send the password in a separate email”

I shit you not.

I checked the sender. They didn't work for my organisation, or any related organisation. We had exchanged emails before, so I suspect email autocomplete had got a bit confused and autofilled "Terence Eden" rather than "Tegan Jovanka" or something.

Two minutes after receiving the email - and before I'd had a chance to inform the sender of their mistake - I received another email.

The password is "03022020" - no quotes

Yup, today's date. Fiendishly difficult to crack...

What are you trying to prevent?

I'm trying to understand the thought process going on here. I think it's based on some faulty comparison to the regular post service. If someone randomly snatches an email, they are unlikely to also randomly get the password.

But that's not the threat we're facing here. If someone is listening to the network - they'll have both emails. If someone gets access to my inbox - they'll have both emails. If you've sent the email to the wrong person - they'll have both emails.

The only thing this prevents is someone accidentally forwarding a single email.

How to solve this?

Sending an encrypted document through email is fine.

But the password should be sent through an independent channel - preferably one you can authenticate.

In this case, here's the process I would recommend:

1. Send the document via email
2. Call the intended recipient
3. Verify you're speaking to the right person
4. Confirm that they have received the email
5. Tell them the password

Hopefully they'll store it somewhere secure, rather than write it on a Post-It note.

There are alternatives, of course.

• Send a link and have someone sign in with the correct credentials.
• Call the recipient and tell them how to access the document.
• Text them the password
• I'm sure you can think of more.

But, please, whatever you do - think about the threats you are trying to defend against.

I wonder how many people bought shares in their IPO based on inaccurate customer numbers?

Timeline

• 2019-08-04 I raised a support ticket to close my account.
• 2019-08-05 CloudFlare sent me confirmation that they'd removed my account.
• 2019-10-02 I received an email from CloudFlare "because I am a customer"

The ironic thing? It was an update to their privacy policy!

I can't log in to CloudFlare, and I can't reset my password. So they appear to have disabled my account. But, somewhere in their labyrinthine data warehouse, they still retain my email address and other information. They seem to think it's acceptable to call me their customer and continue to contact me.

Does it really take over 2 months to remove someone's data? If this message had been a physical bit of post, I'd get it - they're often prepared months in advance. But this is the Internet. We expect global giants with no legacy infrastructure to be able to instantly manipulate data.

I emailed their privacy team to find out exactly why they're still emailing ex-customers. After a month, I hadn't heard back from them. But a bit of public Twitter prompting got the CTO to respond.

A few hours later, I got this:

Sorry for the late reply about your issue. When we receive a request for account deletion, we may retain the email address on the account up to a year to ensure that we comply with internal policies and legal obligations. Per your account deletion request, we scheduled your account for deletion and it has not yet been purged. This is why you received the email about our updated privacy policy. Your account is scheduled to be purged from our systems and when that happens, you should no longer receive communications from us unless that email address is used to sign up for a new account.

Politely, I think that's bunkum. Their new privacy policy doesn't make any mention of retaining data for a year. I can't comment on the legal aspects, but I've never had another company continue to email me after they've "deleted" my account. Or are they saying I am still beholden to their policies even after I'm no longer a customer?

I can't help but wonder what other data are they holding hostage. How many of their "active" customers have "deleted" their accounts?

Regular readers will know about my recent court visit. As part of that, I had to telephone the CAB Volunteers at the court who look after witnesses.

I called, and was put on hold, then asked to leave a message. There's a popular myth that you can trick phone systems to sending your call to the operator if you hold down the zero button.

So I rang back...

"Please hold while we try to connect you..."

*presses the 0 key*

"You have... two... unread messages. To listen to your messages, press 1. To change your mailbox greeting, press 2...."

I hung up quickly. This was a service which deals with potentially vulnerable witnesses. An attacker could ring the CAB Court Volunteers, and listen to the voicemails.

This is not a theoretical attack. This is exactly how the Phone Hacking Scandal worked. Playing back voicemails without permission - thanks to a lack of PIN protection.

I eventually got through to someone at CAB to report the problem - they also gave me details of someone I could email.

2018-07-12 - I send a detailed report.

2018-08-02 - I received confirmation that it had been fixed.

On receiving your email from my colleague, I contacted [the] Operations Manager for the Witness Service, who immediately escalated this. I also called the Uxbridge Witness Service contact number and confirmed that it also allowed me to follow options and access voicemails, however I noted that the 2 voicemails did not include any actual messages, there was some background noise and at the end of the messages the phone receiver is heard clicking indicating the call had been ended, on both messages.

On the 13/07/2018, we had a nationwide action for all Team Leaders to check voicemails for the Court contact number mailboxes, to confirm that they are secure with a pin code access. This action enabled us to be sure that each mailbox was secure and accessible only via a pin code, this was recorded and shared with Management so that we could ensure that each court had been verified. Our IT team was also involved in helping check some sites remotely and assist Team Leaders where they were experiencing difficulties.

Action was taken immediately to firstly check other Court mailboxes to ensure they too were not accessible, and where it was found that the voicemails were not secure, pin codes were immediately requested from IT or set up where this was possible.

I would like to thank you for taking the time to inform us of your experience as it enabled us to take swift action and ensure that the phone mailboxes were checked and secured.

An impressively quick response. Great to know that they were able to rapidly respond and fix. I've previously reported problems to the CAB and they take this stuff seriously.

If you have a voicemail system - whether personal or for a business - please make sure that it is adequately secured.

Recently, I've seen lots of people getting het up about its "misuse" - so I want to clarify a few things.

The GDPR (General Data Protection Regulation) gives people in the EU strong data protection rights.

Some companies do not wish to comply with these laws. Those companies block content to people within the EU.

Here's the kicker - they use HTTP 451 "Unavailable for Legal Reasons".

Sven Slootweg 🏳️‍🌈 (@joepie91@pixie.town)

@joepie91

Well, this is the first time I've seen a website use the "451: Unavailable For Legal Reasons" HTTP status code. Who would've thought that it would be a result of the GDPR... pic.x.com/nzv7obo9a0

---

Is this the correct use of the status code? Some people are quite sure that it is not right.

I've had extended discussion with people on social media who are convinced that 451 should only be used in the case of government censorship. Those people are wrong.

Here's what I reckon

The RFC which specifies HTTP 451 does not mention censorship once. Similarly, there are no mentions of governments whatsoever.

From the introduction:

This document specifies a Hypertext Transfer Protocol (HTTP) status code for use when a server operator has received a legal demand to deny access to a resource or to a set of resources that includes the requested resource.

What is a legal demand? And what does it mean to receive one? (I don't want this to go all "It depends upon what the meaning of the word 'is' is" - but I think this is important).

If a court orders you to remove an illicit photo of me wearing a mankini, you would have received a legal demand. 451 would be appropriate.

What about if my lawyer sends you an email which says "Take down that photo of Terence wearing a mankini or we'll sue you for a million quid"? I think 451 would be appropriate.

Let's read further. The actual specification is (emphasis added):

This status code indicates that the server is denying access to the resource as a consequence of a legal demand.

• One does not have to have specifically received a demand. I've never personally been instructed by the courts not to deface money - it's just what UK law demands.
• The specification says nothing about the validity of the demand. Perhaps the demand is mistaken, or wrong, or legally deficient - you can still use 451 while attempting to clarify.
• The RFC doesn't mention specificity. Perhaps the law bans a single page on your site - using 451 on the whole site may make sense for you.

These companies have seen a legal demand from EU countries that their citizens' rights must be protected. If they want to continue to abuse their users' privacy without legal consequence, they should block users who could successfully sue them. 451 is appropriate.

If the only way to access a resource would involve serving content which breaks the law, then 451 is appropriate.

We can take another theoretical example. UK law bans the sale of pistols and some other weaponry. A US site may choose to use 451 to refuse service to users in the UK - even if the site believes in the right to arm bears. They may not have specifically received a legal demand, but UK law does demand that they don't sell to people in its territory.

The easiest fix would be for these companies to comply with the law and respect their users' privacy. That's what the law demands of them.

Media comprehension

I suspect that lots of people get hung up on the number 451 being a direct reference to Ray Bradbury's famous novel about censorship. Except, like in this case, Fahrenheit 451 is not about censorship.

Luckily, the Internet works due to rough consensus and running code. No one gets damaged if an http code is used incorrectly. And if the majority of sites use 451 to protect users from endless data mining, well that's just fine with me.

Anyway, that's what I reckon. Feel free to disagree with me - I promise I won't sue you. This does not confer any legally binding protection against lawsuits brought by me. All rights reserved. See back of packet for full terms and conditions. Errors and Omissions Excluded. Not valid in the state of Kentucky. Nil illegitimi carborundum.

In the early half of the twentieth century, certain physicists made breakthroughs in relativity, quantum mechanics, and nuclear energy. Many of these scientists were Jewish. The Nazis called these heretical ideas "Jewish Science" and suppressed their teaching.

Jewish physicists based in Germany fled the oncoming war. Many ended up in the USA where they worked on the Manhattan Project to develop nuclear weapons. The Nazis had caused such a "brain-drain" of expertise that it critically hampered their ability to wage atomic warfare.

It has long fascinated me that a culture expelled the set of people which could have saved it.

I'm going to tell you an anecdote which is a gross oversimplification, and is an unfair comparison.

In the early part of the twenty-first century, many people working in the fledgeling Internet industry started making noise about privacy, security, and ethics. The mainstream technologists called them fearmongers, idealists, and anti-business. Their ideas were unwelcome and they were thrown out of both the cathedral and the bazaar.

Many retreated to academia, some stayed and tried to cultivate a sense of responsibility in the industry, a few started lobbying governments around the world. By the time trust in the existing structures had begun to collapse, there were too few privacy-focused employees left to reverse the damage.

By expelling the boring and pessimistic doomsayers, the Internet behemoths had sowed the seeds of their own destruction.

All analogies break down eventually, and all simplifications obscure the truth. But there is an undeniable fact - Internet companies could have prevented their current difficulties if they had baked in privacy from the start. If they cared about their users' security. If they acted in an ethical manner.

But programmers want to concentrate on fun and exciting things, they don't want to be depressed by "experts" telling them they are acting irresponsibly.

In 1907, seventy-five people died when the Quebec Bridge collapsed. Ever since that day, Canadian engineers have worn an iron ring on their finger. Forged from the remnants of that bridge, it serves as a constant reminder that an engineer holds life in their hands. Mistakes can be deadly.

The computer industry has nothing like that. We have voluntary codes, which are mostly ignored. Programmers who commit blunders can shrug off responsibility. They face no professional sanctions and are sometimes lauded for their recklessness.

Indeed, one of our most sacred text proudly disclaims the very notion of a programmer being responsible for anything their code does:

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE

Everyone who loudly and publicly complained about the lack of privacy on the modern web was eventually proven right. Those who were initially dismissed as tinfoil-hat-wearing paranoid freaks, now have the grim satisfaction of being able to say "I told you so!"

The security experts who screamed their heads off about the gaping holes in consumer devices are modern day Cassandras.

I doubt that "Web 2.0" is facing irreversible collapse. But I also doubt that people who raise issues of ethics will be dismissed quite so casually in the future.