Thursday, September 28, 2017

Mash Me A Spammer

Match Me A Job directors Irfan and Tahir

One thing my friends and family know for certain is that when they have issues with spam, data breaches or dodgy looking emails, they can always come to me for advice.

In some ways it's like being that member of the family who can "fix laptops" - something I've worked hard to disassociate myself from over the years. However, when I get spam myself I'm often a little puzzled, having taken numerous steps to avoid subscribing to, being implicitly opted in to, or otherwise engaging with spammers.

This particular case involves my use of Jobsite.co.uk - an online jobs board which seems to have struggled in the past with data protection (in comparison to platforms like Monster). I added my details as a contractor looking for work and regularly poke through the job listings for suitable contracts.

What I can reasonably expect from this - and according to the general terms and conditions of such boards - is that recruiters advertising live roles might grab my details and notify me of roles they have. They might store my details so that, if that role doesn't suit, a future role they have might. That's all above board as far as I'm concerned.

This is important - these roles are live roles offered by the agencies on behalf of organisations. The distinction is that a jobs board provides the interface between candidate and agency (or hiring organisations directly).

The standard (happy path) use of jobs boards looks something like this:

Normal jobs board process

The Washing Machine


Match Me A Job however - and apparently the directors' other companies - do not fit into this paradigm. They scrape candidates' details from Jobsite.co.uk and then absorb them into their "client" database. This may include the entire set of organisations related to the MMAJ directors. MMAJ are not yet approaching the same league as other idiots such as My Job Matcher - but they appear to be trying to make a quick buck in similar ways.

Interesting business model: Instead of marketing, getting exposure of your brand and working at improving the corporate identity through direct engagement... they're essentially scraping Jobsite's candidate database and using it to create a new jobs board / platform as a competitor. Easier to get private equity partners to buy your company with a much bigger candidate database...

Jobsite seemingly take little interest when companies like MMAJ and MJM stealing their candidate DB are reported to them. Normally they tell me that "they have no control over what the recruiters might do with your data", apparently unconcerned about someone creating a competitor to them from their own data. Monster, however, take a much dimmer view and have sanctioned people in the past for the same. As do the ICO.

Back to MMAJ.

They then use other jobs platforms - like jobg8.com - to mesh the candidate keywords with the jobs on those platforms. Any results are then sent to the candidate. Note: These are not live roles offered by MMAJ or jobg8.com - they are offered by other recruitment agencies, and I'm not convinced that some of the agencies know their job ads are on jobg8.com a lot of the time. MMAJ don't actually have live roles nor are they allowed to do this given the specific consent provided when I subscribed to Jobsite.co.uk.

The diagram below shows the flow of actual consent (c.f. data protection and marketing consent from a data subject - from people like us) in this situation:
The reality - everything outside of the primary Jobsite.co.uk platform in this case is unlawful
These emails are sent from fictitious MMAJ recruiters whose names are manufactured from a list. None of the replies I ever sent back to them ever received a response, and none of the filed accounts for the company reflect employing so many people (even on a contract basis).

In fact, when I sent various requests and notices to them via email I selected around 10 recipients plus their info@ and Irfan's email address - all but the info@ and Irfan's address returned "Recipient unknown" messages.

One might have expected that these unsolicited messages would actually be useful had all the roles actually been live - in fact all of them had expired by the time the links were sent. The example below shows a totally unrelated job role (I'm a Solutions / Enterprise / Business / Data Architect working mostly in the financial industry), from an agency I've actually worked with in the past.

The URL shows Jobg8.com and the mailshot shows MMAJ's logo. The link was clicked within 10 minutes of receiving the email.

Example "job" link from MMAJ gets you something like this
If it's a bug, no-one could have reported it as all the MMAJ 'staff' email addresses return "recipient unknown". I suspect no-one reported it and no-one wanted it.

By this time though, your name, address, DoB, entire employment history and possibly other details (depending what you decide to share on your resume) are now in the hands of a string of organisations monetising said data. In fact, if I were being more cynical I might suggest that this is one of many data laundry enterprises, churning out data to be monetised.

When I was caught in this particular machine cycle I received over 100 emails in the space of a few weeks, all for roles that were almost completely unrelated and all unavailable.

After being the recipient of attempts to breach systems and data stores over the years I'm more inquisitive about emails from strangers that seem to know a lot about me.

Data Protection


MMAJ essentially refused to answer my SAR - the only time they actually attempted to fulfil it was after I lodged a case in the small claims court. That lack of response was a breach of the requirements of a DPA section 7 request / notice. 

PECR paragraph 22 requires that an entity acquiring personal data for the purposes of direct email marketing must first acquire the explicit consent of the subject, prior to the sending of any unsolicited marketing messages (which a job alert is). Because I subscribed to a specific jobs board with the expectation of receiving messages from recruiters about their own live vacancies, no consent was in place for MMAJ.

Even the DPA requires explicit consent to acquire, store and process personal data (many sections in the Act to refer to) and MMAJ failed to acquire this consent for the purposes they actually enacted.

The regulator, the ICO, also enforces against non-compliance with registration as a data controller - two of the companies operated by the MMAJ directors are registered (ZA110541, ZA110536) but not MMAJ itself. One of my companies is a registered DC because of the personal data that is sometimes acquired during the course of investigation - I know from experience that regular information and update mailshots are available directly from the ICO, and you have an option to sign up when you first register as a controller.

A company who routinely scrapes, stores and shares personal data should certainly be registered. MMAJ's directors operate companies which had been registered for some time.

Any which way you want to spin that, the directors are responsible and aware of their obligations.

MMAJ's Position


Only in their filed defence did MMAJ reveal their process and essentially answer the SAR I sent:
  • They admitted scraping the personal data from jobsite.co.uk - although they claim it was for the purpose of "recruitment", not offering live job roles themselves; and despite effectively entering me into a subscription process which I had no say in until some time after the fact
  • They claimed I did not avail myself of the unsubscribe link; however they didn't have consent as per PECR in the first place to send the emails with the links in them, nor is it best practice to click links in emails you've received from persons unknown
  • They claimed I'm not a genuine job seeker - which was amusing. In fact they claimed I'm a sadistic opportunist. As a contractor of nearly 20 years' experience I suppose some would consider me mercenary; I'm quite an aggressive racer when I compete in a kart too, but MMAJ clearly wanted to avoid the actual issues and enter into a mud-slinging competition
  • They ignored my emailed SARs and NBA for months but replied when the paperwork was served; yet claimed to be essentially pro-active in their response
There's always a case for reasonable exception - that's the whole point of a legitimate jobs board. What we should not have to stand for is being subscribed to services (and spammed as a result) which we do not want, nor were consulted about.

The entire defence seemed to be based around a total lack of the accountability which a company handling personal data should have. The law apparently doesn't apply to them - they're special.

B2C-style recruiters are the more typical business model, but the most concerning development of late is B2B recruiters. They're outsourced agency staff who may not even work inside the EU (therefore breaking the stringent data protection laws of the EU and UK). Agencies outsource their searches to other agencies, who presumably take a small percentage for candidates that eventually get a contract or role.

Corporate Entities


The companies related to the two directors of MMAJ, Irfan Lohiya and Tahir Islam, seem to exchange recommendations for each other and share infrastructure. Not unusual, and a good cost mitigation option.

Tahir's LinkedIn profile lists him as a case handler for Lloyds Bank, although he may just be a silent / investment partner. All correspondence relating to the litigation was signed by Irfan who seems thick with links to recruitment - working for agencies as per his LinkedIn profile whilst running his own. Nothing really wrong with that though.

Astoria Green Executive Search, Jobm8 (not jobg8.com), Total Jobs, Green Recruitment Solutions, Top Resourcing, Proficient Outsourcing Ltd and MMAJ are the companies one or both directors own / operate - only Jobm8 and MMAJ are nominally shared.

That's a lot of very small companies - the question for me is: if MMAJ has my data, who else does? With idiots like MMAJ you shouldn't rule anything out.

Summary


In the end I had an issue with the postal deliveries, meaning I missed a lot of paperwork relating to the case. I couldn't therefore press the claim home, and the last I'd heard MMAJ had refused to engage in mediation pre-trial. It's a shame because I'd created a retrospective data consent agreement and wanted to see it enforced at district level. Of course, there's no guarantee, but I could easily disprove each statement of the defence - some of them using their own evidence.

The amount of time you have to spend on these things is immense - unless you're a lawyer being paid to write and argue the case there's virtually no financial benefit to it. I do it partly because investigation (in other fields) is what I do for a living - that's where the commonality is for me - and partly because the regulator is often swamped with other cases from local government.

But also because there are so few - if any - people actually raising awareness of the growing problem in data protection.

It took direct legal action to force MMAJ just to answer my SAR, and even then it was without any acceptance that they'd actually broken the law. If someone holds their hands up and says, "Ok - yeah. We were wrong - really sorry and it won't happen again", it's generally a reasonable situation which needs no further prodding.

In May 2018 the British equivalent of GDPR comes into force, with additional weighting in favour of explicit, data-subject-enacted consent; the types of activity MMAJ admitted to (or were observed enacting in cases where they denied it) would net them massive fines and potentially criminal convictions. Had I engaged the ICO over the matter they could have invoked their powers within the law to consider criminal prosecution against MMAJ (if they'd had the time amongst their already mountainous case loads).

I've worked with a lot of recruiters over the last 20 years and there are some real diamonds out there. Recalling past conversations with recruiters I've known for years, as well as with new firms who made a silly mistake with their data handling - all it takes is a five-minute phone call to resolve. However, there are also some real used-car salesmen holding the reputation of the industry back.

There's so many of them though.

Thursday, September 07, 2017

Très Européen


(Before anyone says / thinks anything - I'm Pro-EU. Post title not a dig at Brexit insanity)

Europcar sit within an industry which makes its money by getting people to pay more than the cost of a car for borrowing it. It's a good business model, even with the shadier parts of its industry. They're relentless spammers too - they provide no option to explicitly opt in to marketing messages when you purchase or sign up for their services (not even an explicit opt-out until after the fact). We'll come back to PECR in a moment.

Background


Back in 2015 I rented a car from Europcar - there was no issue with payment, no problem picking up the car, nor returning it at the end of the rental.

All well and good it seems? We've used them since on holidays in Cornwall too. Again... all seemed fine.

Last year I needed the same service whilst my own car was in the shop - booked the rental online, paid upfront, scheduled the pick up date for the Sunday afternoon before I travelled and thought nothing more of it.

When I arrived on the Sunday afternoon expecting to pick up the Merc E-class (*or similar) I was told that the vehicle was no longer available. Which was interesting, because I could see the receipt on my phone, and could see the set of vehicles out back that matched the description.

I asked "Do you not have the vehicle class available?".

"Yes", the member of staff said, "but we cannot provide it to you".

Well, that was always going to pique my curiosity. After various attempts at rewording the question "Why the hell not?" to try and get an answer, they offered me a vehicle the size of my shoe.

Nope.

Drive to and from Norwich in a hand basket? No thanks. 322 miles of tall-person-comedically-cramped-into-a-hatstand? Double nope.

So I cancelled the rental and got a refund ... but no-one could tell me why. I know from past experience in that same office that they were happy to explain to me why another customer was not able to rent one of their vehicles - their staff explained why that argument had started, in an attempt to keep my business I guess.

But they couldn't tell me - to my face - what the problem was.

I sent them a SAR later that week (oh come on, what else did you expect from me, eh?). No reply. Sent a follow-up over 40 days later. This wasn't to some obscure email address incidentally; this was to the email address advertised on their own support, contact and T's and C's pages.

No response. Now I'm irked, and have had to explain to a client why I couldn't travel to the client site for the week in question. So in went an NBA... again, no response. Nothing at all. Normally that gets a "Oh sorry, we lost your email in all the spam, let us sort your SAR out now". But not this time.

The Case


So I filed a claim in the small claims court for failure to respond to a SAR - because:
  1. my website booking completed - they accepted my money and my details and we entered into a deal
  2. they failed to notify me of a problem until after I'd travelled by train to their pick-up office
  3. they refused to tell me why they were no longer honouring my booking
  4. they spammed me every time I bought something without actually acquiring express / explicit consent. Even after telling them to piss off directly
  5. they had ignored my subject access request
  6. they continued to spam me after rejecting my custom, and without asking me whether I wanted it or not
All reasonable so far - so I alleged that they'd failed to respond to SAR, added the breaches of PECR for the spam and filed it. About 4 pages of particulars / witness statements on essentially a very simple claim.

This is their filed defence:

That's the whole defence btw
As there's almost nothing to it I'll explain why this is a strange defence to file.

Paragraph 1 & 2: In terms of the consent for marketing, I agree with the more general legal opinion that "Consent by definition requires some sort of positive action on behalf of the recipient." - PECR section 22 also implies a direct and explicit action on the part of the potential recipient of unsolicited marketing in order to opt in to it. There was also no consent statement on the page when I hired any cars - so there's no reasonable effort from Europcar at all.

Europcar's approach of burying this consent and then relying on the "purchase of goods or services" exception doesn't really wash - if the explicit opt-in was available as it should be, and the customer does nothing they are indicating they have no desire to get spammed. GDPR levels the playing field and requires explicitly activated opt-in for spam (amongst other things). Roll on May 2018.

Paragraph 3 & 4: I use a different email address for each purchase so that - when a company inevitably gets hacked or stupidly decides to sell its customer database - I can tell who the idiot was. To say there was "no information to suggest that [I] the claimant has requested ... not be used for [spam]" is a massive lie - they'd failed to acquire consent at all.
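The one-address-per-vendor technique above, as an added example that is not code from the original post: it assumes a register of issued aliases (with each vendor's own sending domain and the date the alias was handed over) and a constructed sample of inbound mail, both embedded below, and attributes each message to the vendor that was given the address, counting mail from anyone other than that vendor as the sign the address was shared or sold, while addresses that were never issued are reported separately as guessing rather than a leak.

```python
"""Per-vendor e-mail aliases: working out who leaked an address.

Added example, not code from the original post. The alias register and the
inbound sample are constructed here and are not real data.
"""
from collections import defaultdict
from datetime import date

# Constructed register: address handed over -> (vendor, vendor's mail domain, date issued)
ALIAS_REGISTER = {
    "carhire-2015@example.org": ("Car hire firm", "carhire.example", date(2015, 6, 1)),
    "energy-2016@example.org": ("Energy supplier", "energy.example", date(2016, 2, 10)),
    "jobs-2017@example.org": ("Jobs board", "jobsboard.example", date(2017, 1, 5)),
}


def canonical(address: str) -> str:
    """Lower-case an address and drop any +tag, so that
    'JOBS-2017+alert@example.org' maps back to the issued alias."""
    local, _, domain = address.strip().lower().rpartition("@")
    local = local.split("+", 1)[0]
    return f"{local}@{domain}"


def sender_domain(address: str) -> str:
    """Domain part of a (normalised) sender address."""
    return canonical(address).rpartition("@")[2]


def attribute(messages):
    """Group inbound messages by the vendor whose alias they were sent to.

    messages: iterable of (envelope recipient, From: address, date received).
    Returns (report, unissued): report maps vendor -> message count, count of
    messages from a third party (a domain other than the vendor's own) and the
    set of sender domains seen; unissued lists recipients that were never
    handed to any vendor, which points at address guessing, not a leak.
    """
    report = defaultdict(lambda: {"messages": 0, "third_party": 0, "senders": set()})
    unissued = []
    for rcpt, sender, received in messages:
        entry = ALIAS_REGISTER.get(canonical(rcpt))
        if entry is None:
            unissued.append(rcpt)
            continue
        vendor, vendor_domain, issued = entry
        if received < issued:
            # Mail dated before the alias existed cannot have come via this vendor.
            unissued.append(rcpt)
            continue
        rec = report[vendor]
        rec["messages"] += 1
        dom = sender_domain(sender)
        rec["senders"].add(dom)
        if dom != vendor_domain and not dom.endswith("." + vendor_domain):
            rec["third_party"] += 1
    return dict(report), unissued


def leaked_by(report):
    """Vendors whose private alias has been mailed by someone other than them."""
    return sorted(v for v, r in report.items() if r["third_party"] > 0)


# Constructed sample of inbound mail: (recipient, sender, date received).
SAMPLE = [
    ("carhire-2015@example.org", "news@carhire.example", date(2016, 1, 3)),
    ("carhire-2015@example.org", "offers@insurance-deals.example", date(2017, 3, 14)),
    ("JOBS-2017+alert@example.org", "alerts@jobsboard.example", date(2017, 2, 1)),
    ("jobs-2017@example.org", "matches@jobmatcher.example", date(2017, 5, 20)),
    ("jobs-2017@example.org", "matches@jobmatcher.example", date(2017, 5, 22)),
    ("sales@example.org", "promo@randomco.example", date(2017, 6, 1)),
]

if __name__ == "__main__":
    report, unissued = attribute(SAMPLE)
    for vendor, rec in report.items():
        print(f"{vendor}: {rec['messages']} messages, "
              f"{rec['third_party']} from third parties {sorted(rec['senders'])}")
    print("address shared by:", leaked_by(report))
    print("never-issued recipients:", unissued)
```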

Paragraph 5: By post?! I'd sent a number of messages (including serving the particulars of the claim) via email and they try to reply by post? Surely that's just trying to hide away from making the simple effort of sending an email? Unfortunately whoever actually received this letter must have rejected it on the basis that delivery was attempted at the wrong address. I regretfully never had the opportunity to reject it.

The Result


The defendant claimed never to have received any of the documents - the same documents they were reading in order to file a defence incidentally.

The defendant also claimed that they never received the emailed SAR or NBA.

That changed the moment I produced their own auto-responders for each message I'd sent; and they subsequently settled for a menial amount. I've still not received a response to my SAR but they agreed to cease spamming me. I just wanted to know why they went back on their word.

Because no-one apparently reads the emails from their customer service inbox, if you have similar issues with Europcar in future I'd recommend contacting their relations officer, John Cooper, directly. This ensures there are no misunderstandings in communication - it is 2017 after all. Email john.cooper@europcar.com or phone 0116 217 3422.


Don't expect a welcoming conversation or any admission of wrongdoing - even when their error is as plain as the nose on their faces.

Friday, September 01, 2017

Current Events

This is what it took to get a correct final bill

Some significant time ago, I wrote about our experiences between Scottish Power and Spark Energy. It's taken a lot to get resolved including small claims court, regulator action and a lot of wasted paperwork. Whilst it's difficult to put an exact value on their financial throughput they're certainly able to invest in customer service.

Background


After moving to a 3rd supplier earlier last year and letting the dust settle, we discovered how little honesty had been involved.

Spark essentially refused to relinquish control of one of the supplies, claiming that there was an unpaid bill - actually they had failed to complete their own data entry procedures during the original transfer to them. Because they delayed the transfer one of our energy supplies was put onto the "default" tariff - the more expensive one they're legally obliged to move you off.

To compound the situation they then claimed that they'd never told us the supply was incomplete; so I sent them a subject access request to include all call recordings to prove them wrong. After the usual to-and-fro regarding the £10 access fee - an obstruction that disappears with GDPR - they relented when I suggested they simply add the fee to the outstanding bill.

Any organisation that sees the £10 SAR fee as a realistic way of recouping the cost of answering a SAR has a seriously ineffective accounting approach. This fee was originally instituted in the last century when email was not readily or normally available - so would cover the cost of print & post.

During this process - and without even sending us a final bill - Spark sent two separate debt collection firms after us at the same time. Each was told that there were legal issues relating to the case, that the matter was with Spark and that they were not to contact us again (i.e. any assumed rights of entry revoked). Some small part of me wished that one of them had attempted to get a CCJ, because I could then raise a counter-claim directly against Spark which included compensation for distress.

Spark made no attempt to reply to the messages above, even though they were included in the CC line.

As a side note, during the final stages of conversation with the supplier Spark noted that they had supplied the final bill to a portal - which they had neither told us about, nor notified us of the arrival of any document on. Despite our standard opt-out of marketing messages this would be considered a "service message" and therefore be exempt from PECR section 22. There's simply no excuse for that level of communication in 2017.

I suggested that Spark use the same document sharing portal that they use for their bills and statements, or upload to a file sharing service I would make available to them with credentials I would supply. No - it would have to be via post.

£10 barely covers postage of a bunch of CDs - even though I pointed out that I don't own a computer that still has a CD / DVD drive - never mind the FTE cost of fulfilling the SAR request. Essentially the £10 fee has become largely meaningless - a business adhering to the law (the DPA in this case) must absorb this as a cost of doing business, based on the risk of how many SARs they expect to receive vs. the frequency at which it is reasonable to respond per customer. Most organisations I even feel the need to SAR often realise something is amiss and waive the fee - SMEs usually get some free DPO advice as a reward if there are actually any issues.

After about two months they'd failed to send anything at all - frankly I half expected them to tell me they'd delivered it to a previous address. I wish I'd checked as this is a far more serious breach of the DPA.

However I didn't - and raised a claim in the courts for SAR failure as well as raising the issue with the energy ombudsman. None of this is a quick process, and you can expect the company you're dealing with to spin it out as long as possible to try and make you lose interest. Involve the regulator and they start charging the company for every day the complaint is active.

The EO charges roughly £250 per complaint per day back to the supplier for each case, which means that they'll start taking it [slightly] more seriously.

During this process, and at regular intervals, Spark continued to send more debt collection firms our way. In total five different firms were involved and each was told to jog on. Yet not one direct message from Spark attempting to resolve the issue directly.

The Result


Unsurprisingly, in 2017 Spark were told to compensate us for the trouble and to adjust the bill to correct the charge (to the tariff we actually signed up for). Spark labelled this in their post-regulator letter as a "goodwill gesture", but they were simply told to compensate us and then correct the bill - which then reduced the cost further.

The only admission of failure on Spark's part is highlighted

The EO refused to tell Spark to enhance their customer processes to prevent this happening again, saying that it "wasn't within the scope of their powers". I would imagine that the number of complaints swept under the rug by providers and then emerging with the EO is roughly 85% of complaints lodged with providers; of those (according to the EO 2016 stats PDF), 63% (of nearly 85k complaints) were upheld or settled, with another 30% listed as 'maintained'. Only 7% of complaints lodged with the EO were rejected.

Surely something is wrong where the BAU failure-demand rate is 85% of customer complaints being dealt with by a 3rd party?

It cost Spark £250 pd x 3 months for the EO case, plus their lawyers' retainer to answer the small claims case (which was eventually struck out when I failed to receive the DQ request from the courts) - I've no idea what their defence was for refusing to fulfil a SAR without grounds to withhold, nor for most of their claim to the supply liability. Peanuts in comparison to their bottom line - which is why they simply continue not to care at all.

The final bill was around £15 - which still included the £10 SAR fee they had taken last year. At the time of writing Spark have never responded to the SAR. They never admitted fault for the switches in either direction, even though our current supplier, Scottish Power, and the regulator all conclusively identified them as the cause of the problems.

Friday, April 07, 2017

20 Years Later....

In the heady days of the mid-to-late nineties, the web was fresh and so was the spam. It was the era of Lycos, Napster and MetaCrawler - Google had barely been incorporated, Palm was making smart phones and Apple were making blue plastic TV paperweights.

During such heady days of technological marvel I signed up for a hotmail.co.uk email address - one I've been using ever since. Of course, in the [web] medieval days spam was of a different order to today: the economies surrounding ads and direct marketing were dramatically smaller, and simple junk mail rules were sufficient.

Today though things are different. Data slurping fisheries such as TeraData scrape personal data from jobs boards, people still believe online surveys and prize giveaways are actually rewarding, and companies bitter at receiving SARs and ICO complaints never used to sell your data on.

As a result the majority of traffic on my Microsoft accounts is ads, phishing attempts or newsletters I didn't subscribe to. Thanks to Microsoft - since getting shot of Ballmer they've come such a long way - it's easy to get shot of all this spam in one go.

Last month I added a new alias to use for my core MS services and set it as the primary alias. Aside from a couple of complications with the Xbox Insider Program and Amazon's Xbox app authentication it was smooth sailing. I had to notify one organisation of an email address change - that's it. Android apps related to the account all seem to have switched themselves over.

This is no mean feat considering that the authentication model, security and architecture involved across multiple devices (phones, consoles, laptops, desktops) all switched over seamlessly and without support intervention.

So today, with little or no incident logged as a result - an achievement in itself - I'm deleting the now unused hotmail.co.uk alias. Perhaps that will trigger an avalanche of account issues, but if there are no more posts from me on the subject over the next few weeks, assume all went well.

[Updated August 2017 - All went well, the rate of spam to my Hotmail Outlook.com addresses dropped like a stone]

From a humanist perspective I feel like departing from the Hotmail domain and fully accepting the Outlook.com moniker is saying goodbye to the old family home in a lot of ways. The email address, for me at least, dates back to essentially the beginning of the web (which evokes nostalgic thoughts of AOL, university HP-UX lab time, Half-Life and Team Fortress LAN parties). I've no doubt there are probably still hundreds of thousands of people - perhaps millions - still using hotmail email addresses via Outlook.com; however, it does feel like the personal loss of a battle in the war on spam.

I still get around 400 spam emails per month on the personal email addresses (excluding this hotmail address) I regularly use - a substantial increase from non-EEA countries of origin - so the problem is far from over. But this set of spam arrives on domains and servers I control, which means the senders cannot hide. Basically, the usual jokers who begrudgingly respond to SARs and then add that email address to whatever spam subscriptions they can find.

I've been designing a filtering, tracking and reporting system - known only as project RingoDingo for the time being - which I hope to use to map the flow of personal data. It might just make some nice diagrams but could be useful for everyone - based on all the spam I get I'm trying to recycle it for good purpose by using it as test data. One of the primary goals is to deal with spam actors before they get to your door step. At the moment I'm looking to open-source the majority of the modules.

GDPR can't come fast enough and I just don't have time for legal action against spammers at the moment (in the last few years this has been the only effective way to force spammers into respecting the law itself); this is measured against the more recent actions from ICO, which are extremely promising. Recent direct communication I've had with ICO's dedicated anti-spam team also looks very promising and this apparently renewed sense of vigour in their approach is most welcome.

Retaining a more optimistic perspective, we could infer that the data trading and spamming industry will have to remap their entire business model, or face massive financial penalty. I've already seen tweets from DMA-affiliated accounts signal as much. So giving up my hotmail.co.uk email address is a small price to pay.

Last one to leave the domain, please turn off the lights.

Monday, April 03, 2017

Side Effect: Snoopers Charter [Part 4]

It's been a wholly unsurprising journey to the Room of Truth with my CSP, only to be locked out of the final door.

After an online chat I finally got my request through to the legal department, only to be told that because it was a corporate account the DPA does not apply, and also that under Part 4 Section 93 of the IPA the CSP is not allowed to release the ICR data to me.

So I replied and reiterated that the moment my SAR arrived identifying me, and linking me directly to the ICR data in question - also providing my authority as the account holder's director - the DPA does apply, as my name is linked to the internet usage [and, as my internet usage may contain specific records, to] sensitive personal data.

Section 93 also refers to ensuring that the CSP puts adequate controls in place to retain the data in a secure manner. Nothing to do with disclosure. I can find no provision of the IPA which prevents the disclosure of ICR to the data subject(s) in question.

I'm in the middle of designing and developing an anti-spam security solution so frankly just don't have the time to focus on this at the moment. Whilst legal opinion appears to be that the IPA is not legal, I doubt the Prime Minister or Home Secretary are willing to have that "grown-up conversation". However, the ICO has enough of a fight ahead convincing the cabinet that it needs to keep parallel laws to keep trading with Europe.

Time to draw another spidergram and send the details to ICO - I can't imagine that the government regulator will do anything other than side with the government communications provider in this case.

I am Jack's total lack of surprise.

Tuesday, March 07, 2017

Side Effect: Snoopers Charter [Part 3]

Last month I was curious about the effects of recent legislation on my internet usage. Since then I've had some conversation tennis with support teams at my ISP but no traction or movement.

Up until this morning I'd suspected that nothing was being done - I'd send an email from an account I use with tracking systems, get a response back within a few hours telling me that email address wasn't authorised for the support ticket, then I'd send a reply from the original email address authorising the second email address with the ISP... and then get nothing in reply.

Twice.

I know the emails were opened in India and read twice each time within a few hours of sending. All other responses or communications were simply being swallowed up into a black hole.

This morning I tried using the live chat on the ISP's website and got a far better response (even if it wasn't what I wanted to hear).

Despite repeated requests to get status or answer any outstanding queries I've had nothing. The live chat support person, Linda, was able to tell me that the original recipient of the request fobbed me off onto the wrong department then closed the support ticket. And it's been that way ever since the 19th of January. 

Not really surprised but I pushed Linda to forward the request onto either their legal or compliance team. A bit of confusion - it sounds like their usual section 7 requests are for case notes, not ICR data - easily clarified. Now although Linda refused to re-open the support ticket she did promise to forward the request onto legal after I explained that the ISP's legal team would have had to review & sign off the Snoopers Charter implications. This would involve them understanding the request and its terms.

However we're now over the 40 day limit for a SAR and there is no response other than acknowledgements that the ISP have received the request - it's going to be interesting to see how they respond from this point. Recent legal updates have included a major setback to the Investigatory Powers Act at ECJ level and some inevitable challenges to its implementation; especially relating to the requirement to implement 'back doors' in all CSP platforms. Note the emphasis there on CSP platforms, not anti-virus software or encryption software.

Whether or not this will really affect people's daily lives is another matter, but I'd be concerned that local councils, HMRC, the Dept. for Education and other similar level government departments will inevitably use this type of information for purposes other than 'detection of a crime'.

'Detection' will easily slip into 'Prevention', and then we're in the tin-foil hat territory akin to Minority Report. I don't have government-level actors trying to hack my devices but if there is a method of access available, criminals will find it - and that's enough of a cause for concern for me. Just a quick glance at how busy ICO are with government departments and you begin to understand the scale of the data-protection problem: Here's a list of decision notices - when this article went live they were all councils on the receiving end of complaints.


Monday, February 06, 2017

Side Effect: Snoopers Charter [Part 2]

Last month I sent a rather well-known international internet provider a subject access request (SAR) - since that post (which you can recap on here) I've had some rather less entertaining communiques with them.

I'm not going to name the ISP just yet for security reasons but suffice to say that the following are true:

  1. They ask that a cheque is sent in the post to them for £10 as part of the SAR process; yet do not accept cheques as a form of payment for any of their services
  2. They do not advertise the email details for any legal department inbox, nor do they extend their current online issue registration capabilities to include SAR or similar filings
  3. This is a company who sell themselves on high technological value (and do so on multiple continents) yet fail to provide a simple means for lodging a SAR - which is an individual's right under the law here in the UK [and EU]

After the last post I had received an assurance from the member of staff that she would contact the original member of staff to find out why it was [erroneously] passed to her department, and that she would call me back within 2 hours.

I've heard nothing since the 19th and 20th of January.

I've sent two follow-up emails to the ISP to which they have failed to reply within 48 hours - which is their SLA for business customers. I sent another further update request from an email address embedded within a tracking system.

This email got a response within 3 hours saying that the update request was "...not sent from the email address you used in your initial enquiry", and that "...for security reasons, we cannot provide an update unless you use the same email address that you originally used to contact us".

Actually I'm happy with that response as it's a verification of identity - the tracking system uses a completely separate domain and I'd be asking for the same verification from any of my customers too. So I sent back a message from the original email address used to the effect that yes - it was me, and that they should enact this second email address with the appropriate authorisation to deal with this issue.

That was the 2nd of February and there's been no further communication since.

So I repeated the latter part of the exercise and got the same response today - also read and responded to within 3 hours of being sent.

So what is clear is that the ISP are receiving the requests for update and essentially refusing to provide an update. As I've had adequate responses directly from the ISP staff they have received and acknowledged the request, and I've asked specifically how I can pay the £10 SAR fee without a cheque book.

As they're refusing to respond does that mean they're waiving it? Forgetting the fact that the fee was designed in the 1980s to cover the cost of postage of the potentially large printed documents to answer the SAR, I'm not sure how relevant that price is versus the cost of doing business - which all businesses must acknowledge if they conform to the Data Protection Act.

I can show that each of the requests for information has been received, opened and read (all in India), yet have little to show in terms of meaningful response. I found another part of the same ISP - well, it's a law firm that says it's part of this ISP - and I'm going to send them a copy of these posts as well as the original request.

Expect another post in coming weeks as the time limit on the SAR (40 days) means the statutory limit expires on the 28th of February. At that point the ISP will be in breach of the DPA.

Friday, January 20, 2017

Disaster Recovery (Updated)

It had so much potential


Updated 12th March 2016. Newly added notes at the end of the post.

Back in 2014 I needed to choose a robust backup / DR solution that would help me prevent loss-of-hair & brown trouser moments - e.g. ransomware or user stupidity (my own mostly). All sorted, and I was fortunate enough to choose one that still covers my needs.

However since then I flirted with a couple of alternatives and ended up settling on a selection of cloudy storage options.

For the personal stuff I tend to use the big names (Google, Microsoft & Apple) which are linked into device accounts. These are really low-risk, low-value data items which business adversaries or other intruding agents [hackers] would find worthless.

However there's a lot of information which is business-focused - or which is protected under one of my businesses' ICO Data Controller registrations - which needs more attention.

The reason I'm writing about it now is because since evaluating options I've moved away from Windows, so the requirements are now vastly different. So because I'm primarily focused on multi-platform solutions a lot of the offerings get defenestrated immediately.

Over the last few months I've been prodding and cajoling Tresorit to fix problems with their Linux client and have now officially given up. No responses from their support desk about quite critical issues in some time. One of the issues is that - whilst I had Visual Studio Code running, and doing some project work on a Python module - Tresorit started to sync one of the tresors which houses project work.

I watched in horror as the file list started reducing in number in VSC - it was like an unstoppable terror of code deletion. Anyone who's just discovered that code they've spent days or weeks applying themselves to is lost forever will know that feeling.

At first I hadn't made the connection between Tresorit and the file emigration but then I did a sudo find / -name <scriptname> only to see it right there. In a .tresorit/Trash/.. folder!!

Nope.

Not having that. Recovered all files - and a bunch of others I hadn't spotted were missing yet. Immediately closed Tresorit and fired up my previous DR solution. It took all night to get everything back up to sync and this morning to verify everything before ditching Tresorit completely.

Crisis averted. Still no response from Tresorit despite what now appear to be increasingly arrogant claims vs. its competitors in the market. The Linux client came out of beta mid-2016 so should have been rigorously tested.

It's a real shame and I'm extremely disappointed - I really like that they have 2FA across a choice of mechanisms, and claim zero-knowledge across the entire platform (including via the web client - although this is unconfirmed). I'm not concerned with state actors as I've done nothing wrong but I need something that keeps competitors or their agents out - Tresorit's Swiss & EU base fits this ideology too. I like the tresor mechanism of sharing and I'm now trying to frig something similar with my DR solution.

Perhaps their Windows and Mac clients are far better at this than their Linux offering so it might be unfair to tarnish their entire platform, but the lack of support (and wasted subscription fees) eroded my trust and after all, what is DR without faith?

Updates

I noticed that Tresorit tweeted a marketing message about feature enhancement, which - to me at least - seemed to confirm that they were essentially ignoring my bug notifications and support requests. I replied to the tweet and the account owner asked me for some details via DM.

After hearing nothing for a few weeks I prompted the Tresorit Twitter account again - this time they promised a response from their support & dev team. Five months to get a response from the vendor on a critical issue (and only after complaining on social media).

The explanation given via email was more unsettling than the problem itself - they could not replicate the issue and that some fixes applied since November 2016 'may' have resolved some of the problems. What I take from that is that although none of the fixes were specifically aimed at resolving the problems I reported, they want me to see if they fix it.

In the same email the support member tried to tell me that I must have deleted the files from the tresor on a different machine, which triggered the removal on the machine in question. The problem with that is that I hadn't deleted any of the files on any other machine. The files in question were / are live code files related to an anti-spam module & reporting system I've been designing and writing - there's no way I would delete these files - I've put so much effort in. The other files I found after checking other tresors for mysteriously deleted files were legal documents I would never delete under any circumstances. I rechecked the other machine and I hadn't deleted either set of files there.

Tresorit's support suggested I check the logs - which I did - to see if any files were listed as deleted by user(s). They weren't. Essentially it was just the DR system wrongly flagging files as deleted and that removes all confidence I had using the platform in the first place.

I've since replicated what I liked about the tresor repository system within Spideroak One.

Overall, it's vindication that I made the right decision in abandoning Tresorit altogether, although I'm still wondering what was deleted that I haven't noticed yet.
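The failure mode in this post - a sync client quietly moving live files into its own trash folder with nothing in the logs showing a user deletion - is exactly the kind of thing a backup you cannot verify will not catch. What follows is an added example, not code from this post and not anything from Tresorit or SpiderOak: a small Python script that records a SHA-256 manifest of a synced folder, compares a later snapshot against it to list missing, added and changed files, and then tries to locate each missing file by content hash inside an assumed client trash directory (the `.sync/Trash` path and the sample project files are constructed for the demo) so it can be copied back.

```python
"""Backup / sync integrity check (added example, not the post's own code).

Builds a hash manifest of a folder, diffs it against a later snapshot, and
looks for vanished files inside a sync client's trash by matching content
hashes, which survives whatever renaming the client applies on the way in.
The trash location used in the demo is an assumption for illustration.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need loading whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each regular file under root (relative POSIX path) to its hash."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            manifest[p.relative_to(root).as_posix()] = sha256_of(p)
    return manifest


def save_manifest(manifest: Dict[str, str], path: Path) -> None:
    path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path: Path) -> Dict[str, str]:
    return json.loads(path.read_text())


def compare(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, List[str]]:
    """Diff two manifests: 'missing' is the list that matters for silent deletion."""
    return {
        "missing": sorted(set(old) - set(new)),
        "added": sorted(set(new) - set(old)),
        "changed": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


def locate_in_trash(missing: List[str], old: Dict[str, str], trash: Path) -> Dict[str, Path]:
    """Find each missing file in the trash by hash, ignoring whatever name it now has."""
    trash_by_hash: Dict[str, Path] = {}
    if trash.is_dir():
        for p in trash.rglob("*"):
            if p.is_file():
                trash_by_hash.setdefault(sha256_of(p), p)
    return {rel: trash_by_hash[old[rel]] for rel in missing if old[rel] in trash_by_hash}


def restore_from_trash(found: Dict[str, Path], root: Path) -> None:
    """Copy (not move) recovered files back, leaving the trash copy as evidence."""
    for rel, src in found.items():
        dest = root / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dest)


def demo() -> dict:
    """Walk through the scenario on constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "project"
        trash = Path(tmp) / ".sync" / "Trash"  # assumed client trash location
        (root / "src").mkdir(parents=True)
        (root / "src" / "spamfilter.py").write_bytes(b"def score(msg):\n    return 0\n")
        (root / "README").write_bytes(b"notes\n")
        manifest_file = Path(tmp) / "manifest.json"
        save_manifest(build_manifest(root), manifest_file)

        # Simulate the client moving a live file into its trash under a new name,
        # plus one legitimate edit so the diff shows the difference between the two.
        trash.mkdir(parents=True)
        (root / "src" / "spamfilter.py").rename(trash / "spamfilter.py.1")
        (root / "README").write_bytes(b"notes v2\n")

        baseline = load_manifest(manifest_file)
        report = compare(baseline, build_manifest(root))
        found = locate_in_trash(report["missing"], baseline, trash)
        restore_from_trash(found, root)
        report["restored"] = sorted(found)
        report["missing_after_restore"] = compare(baseline, build_manifest(root))["missing"]
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the manifest step on a schedule from the machine that owns the files, not from inside the synced folder, and diff before trusting any snapshot; a `changed` entry is normal editing, a non-empty `missing` list with nothing in your own shell history is the signal this post describes.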

Thursday, January 19, 2017

Side Effect: Snoopers Charter [Part 1]

On the 6th of January 2017 the Investigatory Powers Bill came into effect. At this point all CSPs (ISPs such as TalkTalk, Vodafone and BT) must start collecting internet connection records - or ICRs.

I'm not going to get into the morality or the whys and wherefores but, according to the IPB these must contain the details of websites each internet connection connects to, but not the full URL or details of every page visited.

So how are they intending to collect that information? There are several ways to do that. Perhaps a form of DNS caching silo-ed to each household and business; perhaps packet inspection?

Whichever way this will be achieved the focus now shifts to the ICRs themselves - which of course are chunks of information stored about a person.

Wait... *sound of rustling paper* ...that means that under the Data Protection Act these ICRs come under the definition of personal data (section 1 I think states that but it is also referenced in schedule 2). But surely that would mean we could see what's being collected then? We each have the right to see all our data and meta-data to ensure that it is correct and being processed correctly.

Time for an exploration into some of these grey areas to see what will happen if I SAR my ISP for ICRs. The complication here is that I use a business account wired to my home address; but that isn't so much of a complication when you consider that when you inform someone that a Thing is personal data, you are associating your name with that Thing ... and therefore it becomes personal data (assuming it is about you). So... The ISP doesn't have an open email inbox although this makes sense - they'd just get spam.

Instead I have to log a request via the support system or send a *shudders* letter. My ISP also mandates that I should send them a cheque for £10 in the post before they'll deal with the SAR... but a) that's *shudders* basically a letter and b) I don't have a cheque book any more and and and and c) my ISP themselves don't accept cheques in payment for their services.

So I call cow poo on that one.

So this morning I logged the following support ticket - please feel free to take this and shape it to your own personal needs if you wish:

"Please pass this request to your legal department. It has been logged as a support request for tracking purposes.

This is a subject access (a section 7) request under the Data Protection Act.

As the internet services provided by this business account are also used for personal / home reasons, this SAR essentially ties the internet connection records (ICR) to my name, and therefore expands the scope of "personal data" to include the ICR themselves by association.

I am also the authorised person on the business account and am happy to be verified as such.

With that in mind, please provide copies of all data - in electronic format - and associated meta-data for the ICRs collected as required by the Investigatory Powers Bill - related to me.

As I do not have a cheque book it is impossible to follow your privacy guidelines about how to pay the £10 DPA-mandated fee, so ask that you contact me directly to provide alternative payment details."


Updates to follow (although bearing in mind the ISP involved, it won't be any time soon). I'm expecting some attempt to wiggle out of it either by admitting that they're not up-and-running with it yet, or that they try and claim a DPA exemption.

Update 1: Jan 19th, 2pm

Expected this sort of thing.

So the ISP has called a couple of times; the foreign call centre handler then immediately passed me through to their billings complaints department. After 10 mins of me telling them the reference number from their own email (and them claiming it wasn't a valid reference number), they agreed to speak to the call handler who had passed my call to them. They're now speaking to him and will call me back later.

I'm still a little surprised that this ISP (a large multinational), which has live chat on the website, a ticketing system for non-standard queries and a web portal for account management, still requires postal methods for a SAR. It seems an overly obstructive approach, making it almost dissuasive for most people.

The next few updates deserved a post of their own, check for new posts in coming days...