Thursday, September 28, 2017

Mash Me A Spammer

Match Me A Job directors Irfan and Tahir

One thing my friends and family know for certain is that when they have issues with spam, data breaches or dodgy looking emails, they can always come to me for advice.

In some ways it's like being that member of the family who can "fix laptops" - something I've worked hard to disassociate myself from over the years. However when I get spam myself I'm often a little puzzled, having taken numerous steps to avoid subscribing to, being implicitly opted in to, or otherwise engaging with spammers.

This particular case involves my use of Jobsite.co.uk - an online jobs board which seems to have struggled in the past with data protection (in comparison to platforms like Monster). I added my details as a contractor looking for work and regularly poke through the job listings for suitable contracts.

What I can reasonably expect from this - and according to the general terms and conditions of such boards - is that recruiters advertising live roles might grab my details and notify me of roles they have. They might store my details so that if that role doesn't suit, a future role they might have will. That's all above board as far as I'm concerned.

This is important - these roles are live roles offered by the agencies on behalf of organisations. The distinction is that a jobs board provides the interface between candidate and agency (or directly from hiring organisations).

The standard (happy path) use of jobs boards looks something like this:

Normal jobs board process

The Washing Machine


Match Me A Job however - and apparently the directors' other companies - do not fit into this paradigm. They scrape candidates' details from Jobsite.co.uk and then absorb them into their "client" database. This may include the entire set of organisations related to the MMAJ directors. MMAJ are not yet approaching the same league as other idiots such as My Job Matcher - but they appear to be trying to make a quick buck in similar ways.

Interesting business model: Instead of marketing, getting exposure of your brand and working at improving the corporate identity through direct engagement... they're essentially scraping Jobsite's candidate database and using it to create a new jobs board / platform as a competitor. Easier to get private equity partners to buy your company with a much bigger candidate database...

Jobsite seemingly take little interest when companies like MMAJ and MJM that steal their candidate DB are reported to them. Normally they tell me that "they have no control over what the recruiters might do with your data", apparently unconcerned about someone creating a competitor to them from their own data. Monster, however, take a much dimmer view and have sanctioned people in the past for the same. As do the ICO.

Back to MMAJ.

They then use other jobs platforms - like jobg8.com - to mesh the candidate keywords with the jobs on those platforms. Any results are then sent to the candidate. Note: These are not live roles offered by MMAJ or jobg8.com - they are offered by other recruitment agencies, and I'm not convinced that some of the agencies know their job ads are on jobg8.com a lot of the time. MMAJ don't actually have live roles nor are they allowed to do this given the specific consent provided when I subscribed to Jobsite.co.uk.

The diagram below shows the flow of actual consent (c.f. data protection and marketing consent from a data subject - from people like us) in this situation:

The reality - everything outside of the primary Jobsite.co.uk platform in this case is unlawful

These emails are sent from fictitious MMAJ recruiters whose names are manufactured from a list. None of the replies I ever sent back to them ever received a response and none of the filed accounts for the company reflect employing so many people (even on a contract basis).

In fact, when I sent various requests and notices to them via email I selected around 10 recipients plus their info@ and Irfan's email address - all but the info@ and Irfan's address returned "Recipient unknown" messages.

One might have expected that these unsolicited messages would actually be useful had all the roles actually been live - in fact all of them were expired by the time the links were sent. An example below shows a totally unrelated job role (I'm a Solutions / Enterprise / Business / Data Architect working mostly in the financial industry), from an agency who I've actually worked with in the past.

URL shows Jobg8.com and the mailshot shows MMAJ's logo. Link clicked within 10 minutes of receiving the email.

Example "job" link from MMAJ gets you something like this

If it's a bug, no-one could have reported it as all the MMAJ 'staff' email addresses return "recipient unknown". I suspect no-one reported it and no-one wanted it.

By this time though, your name, address, DoB, entire employment history and possibly other details (depending what you decide to share on your resume) are now in the hands of a string of organisations monetising said data. In fact if I were being more cynical I might suggest that this is one of many data laundry enterprises, churning out data to be monetised.

When I was caught in this particular machine cycle I received over 100 emails in the space of a few weeks, all for roles that were almost completely unrelated and all unavailable.

After being the recipient of attempts to breach systems and data stores over the years I'm more inquisitive about emails from strangers that seem to know a lot about me.

Data Protection


MMAJ essentially refused to answer my SAR - the only time they actually attempted to fulfil it was after I lodged a case in the small claims court. That lack of response was a breach of the requirements of a DPA section 7 request / notice.

PECR paragraph 22 requires that an entity acquiring personal data for the purposes of direct email marketing must first acquire the explicit consent of the subject, prior to the sending of any unsolicited marketing messages (which a job alert is). Because I subscribed to a specific jobs board with the expectation of receiving messages from recruiters about their own live vacancies, no consent was in place for MMAJ.

Even the DPA requires explicit consent to acquire, store and process personal data (many sections in the Act to refer to) and MMAJ failed to acquire this consent for the purposes they actually enacted.

The regulator, ICO, also enforces non-compliance with registration as a data controller - two of the companies operated by the MMAJ directors are registered (ZA110541, ZA110536) but not MMAJ itself. One of my companies is a registered DC because of the personal data that is sometimes acquired during the course of investigation - I know from experience that regular information and update mail shots are available directly from ICO, and you have an option to sign up when you first register as a controller.

A company who routinely scrapes, stores and shares personal data should certainly be registered. MMAJ's directors operate companies which had been registered for some time.

Any which way you want to spin that, the directors are responsible and aware of their obligations.

MMAJ's Position


Only in their filed defence did MMAJ reveal their process and essentially answer the SAR I sent:
  • They admitted scraping the personal data from jobsite.co.uk - although they claim it was for the purpose of "recruitment", not offering live job roles themselves; and despite effectively entering me into a subscription process which I had no say in until some time after the fact
  • They claimed I did not avail myself of the unsubscribe link; however they didn't have consent as per PECR in the first place to send the emails with the links in them, nor is it best practice to click links in emails you've received from persons unknown
  • They claimed I'm not a genuine job seeker - which was amusing. In fact they claimed I'm a sadistic opportunist. As a contractor of nearly 20 years experience I suppose some would consider me mercenary; I'm quite an aggressive racer when I compete in a kart too, but MMAJ clearly wanted to avoid the actual issues and enter into a mud slinging competition
  • They ignored my emailed SARs and NBA for months but replied when the paperwork was served; yet claimed to be essentially pro-active in their response
There's always a case for reasonable exception - that's the whole point of a legitimate jobs board. What we should not have to stand for is being subscribed to services (and spammed as a result) which we do not want, nor were consulted about.

The entire defence seemed to be based around a total lack of the accountability which a company handling personal data should have. The law apparently doesn't apply to them - they're special.

B2C-style recruiters are the more typical business model, but the most concerning development of late is B2B recruiters. They're outsourced agency staff who may not even work inside the EU (therefore breaking the stringent data protection laws of the EU and UK). Agencies outsource their searches to other agencies, who presumably take a small percentage for candidates that eventually get a contract or role.

Corporate Entities


The companies related to the two directors of MMAJ, Irfan Lohiya and Tahir Islam, seem to exchange recommendations for each other and share infrastructure. Not unusual and a good cost mitigation option.

Tahir's LinkedIn profile lists him as a case handler for Lloyds Bank, although he may just be a silent / investment partner. All correspondence relating to the litigation was signed by Irfan who seems thick with links to recruitment - working for agencies as per his LinkedIn profile whilst running his own. Nothing really wrong with that though.

Astoria Green Executive Search, Jobm8 (not jobg8.com), Total Jobs, Green Recruitment Solutions, Top Resourcing, Proficient Outsourcing Ltd and MMAJ are the companies one or both directors own / operate - only Jobm8 and MMAJ are nominally shared.

That's a lot of very small companies - and question marks arise for me: if MMAJ has my data, who else does? With idiots like MMAJ you shouldn't rule anything out.

Summary


In the end I had an issue with the postal deliveries, meaning I missed a lot of paperwork relating to the case. I couldn't therefore press the claim home and the last I'd heard MMAJ refused to engage in mediation pre-trial. It's a shame because I'd created a retrospective data consent agreement and wanted to see it enforced at district level. Of course, there's no guarantee but I could easily disprove each statement of the defence - some of which by using their own evidence.

The amount of time you have to spend on these things is immense - unless you're a lawyer being paid to write and argue the case there's virtually no financial benefit to it. What I do for a living is investigate (in other fields) - and that's where the commonality is for me, and that the regulator is often swamped with other cases from local government.

But also because there are so few - if any - people actually raising awareness of the growing problem in data protection.

It took direct legal action to force MMAJ just to answer my SAR, and even then it was without any acceptance that they'd actually broken the law. If someone holds their hands up and says, "Ok - yeah. We were wrong - really sorry and it won't happen again" it's generally a reasonable situation which needs no further prodding.

In May 2018 the British equivalent of GDPR comes into force, with additional weighting in favour of explicit consent enacted by the data subject; the types of activity MMAJ admitted to (or were observed enacting in cases where they denied it) would net them massive fines and potentially criminal convictions. Had I engaged the ICO over the matter they could have invoked their powers within the law to review criminal prosecution against MMAJ (if they'd had the time amongst their already mountainous case loads).

I've worked with a lot of recruiters over the last 20 years and there are some real diamonds out there. Recalling past conversations with recruiters I've known for years as well as new firms who made a silly mistake with their data handling - all it takes is a five minute phone call to resolve. However there are also some real used car salesmen holding the reputation of the industry back.

There's so many of them though.

Thursday, September 07, 2017

Très Européen


(Before anyone says / thinks anything - I'm Pro-EU. Post title not a dig at Brexit insanity)

Europcar sit within an industry which makes its money by getting people to pay more than the cost of a car for borrowing it. It's a good business model even with the shadier parts of its industry. They're relentless spammers too - they provide no option to explicitly opt in to marketing messages when you purchase or sign up for their services (not even an explicit opt-out until after the fact). We'll come back to PECR in a moment.

Background


Back in 2015 I rented a car from Europcar - there was no issue with payment, no problem picking up the car, nor returning it at the end of the rental.

All well and good it seems? We've used them since on holidays in Cornwall too. Again... all seemed fine.

Last year I needed the same service whilst my own car was in the shop - booked the rental online, paid upfront, scheduled the pick up date for the Sunday afternoon before I travelled and thought nothing more of it.

When I arrived on the Sunday afternoon expecting to pick up the Merc E-class (*or similar) I was told that the vehicle was no longer available. Which was interesting because I could see the receipt on my phone, and could see the set of vehicles out back that matched the description.

I asked "Do you not have the vehicle class available?".

"Yes", the member of staff said, "but we cannot provide it to you".

Well that was always going to pique my curiosity. After various attempts at rewording the question "Why the hell not?" in different ways to try and get an answer, they offered me a vehicle the size of my shoe.

Nope.

Drive to and from Norwich in a hand basket? No thanks. 322 miles of tall-person-comedically-cramped-into-a-hatstand? Double nope.

So I cancelled the rental and got a refund ... but no-one could tell me why. I know from past experience in that same office that they were happy to explain to me why another customer was not able to rent one of their vehicles - their staff explained why that argument had started, to try to keep my business I guess.

But they couldn't tell me - to my face - what the problem was.

I sent them a SAR later that week (oh come on, what else did you expect from me eh?). No reply. Sent a follow up over 40 days later. This isn't to some obscure email address incidentally, this is to the email address advertised on their own support, contact and T's and C's pages.

No response. Now I'm irked and have had to explain to a client why I couldn't travel to the client site for the week in question. So in went an NBA... again, no response. Nothing at all. Normally that gets a "Oh sorry we lost your email in all the spam, let us sort your SAR out now". But not this time.

The Case


So I tried a claim in the small claims court for failure to respond to a SAR - because:
  1. my website booking completed - they accepted my money and my details and we entered into a deal
  2. they failed to notify me of a problem until after I'd travelled by train to their pick-up office
  3. they refused to tell me why they were no longer honouring my booking
  4. they spammed me every time I buy something without actually acquiring express / explicit consent. Even after telling them to piss off directly
  5. they had ignored my subject access request
  6. they continued to spam me after rejecting my custom, and without asking me whether I wanted it or not
All reasonable so far - so I alleged that they'd failed to respond to SAR, added the breaches of PECR for the spam and filed it. About 4 pages of particulars / witness statements on essentially a very simple claim.

This is their filed defence:

That's the whole defence btw

As there's almost nothing to it I'll explain why this is a strange defence to file.

Paragraph 1 & 2: In terms of the consent for marketing; I agree with a more general legal opinion that "Consent by definition requires some sort of positive action on behalf of the recipient." - PECR section 22 also implies a direct and explicit action on the part of the potential recipient of unsolicited marketing in order to opt in to it. There was also no consent statement on the page when I hired any cars - so there's no reasonable effort from Europcar at all.

Europcar's approach of burying this consent and then relying on the "purchase of goods or services" exception doesn't really wash - if the explicit opt-in was available as it should be, and the customer does nothing they are indicating they have no desire to get spammed. GDPR levels the playing field and requires explicitly activated opt-in for spam (amongst other things). Roll on May 2018.

Paragraph 3 & 4: I use a different email address for each purchase so that - when a company inevitably gets hacked or stupidly decides to sell its customer database - I can tell who the idiot was. To say there was "no information to suggest that [I] the claimant has requested ... not be used for [spam]" is a massive lie - they'd failed to acquire consent at all.
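The per-purchase address trick above is easy to automate. The script below is an added example, not code from the original post: it assumes one plus-addressed alias per vendor (me+vendor@example.com), a register of which alias was handed to whom, and constructed sample messages; it attributes each incoming message to the vendor that received the alias and flags a leak when the sender's domain is not that vendor's.

```python
"""Attribute inbound mail to the vendor that was given the recipient alias.

Added example, not from the original post. Assumes plus-addressing on a
single domain (MY_DOMAIN) and a hand-maintained ALIAS_REGISTER. All values
below are constructed for illustration.
"""
import email
from email import policy
from email.utils import getaddresses, parseaddr

MY_DOMAIN = "example.com"  # constructed: the domain the aliases live on

# Constructed register: alias tag -> vendor it was issued to and the domains
# that vendor is expected to send from. Anything else hitting the alias
# means the address has travelled beyond the vendor it was given to.
ALIAS_REGISTER = {
    "europcar": {"vendor": "Europcar", "domains": {"europcar.com"}},
    "jobsite": {"vendor": "Jobsite", "domains": {"jobsite.co.uk"}},
}


def alias_tag(address):
    """Return the plus-tag of an address on MY_DOMAIN, or None if absent."""
    local, _, domain = address.strip().lower().partition("@")
    if domain != MY_DOMAIN or "+" not in local:
        return None
    return local.split("+", 1)[1]


def attribute(raw_message):
    """Classify one RFC 5322 message.

    Returns None if no registered alias is among the recipients, otherwise
    a dict naming the alias, the vendor it was issued to, the sender's
    domain and whether the sender is a third party (i.e. the alias leaked).
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    sender = parseaddr(msg.get("From", ""))[1].lower()
    sender_domain = sender.rpartition("@")[2]
    for _, addr in recipients:
        tag = alias_tag(addr)
        if tag is None or tag not in ALIAS_REGISTER:
            continue
        entry = ALIAS_REGISTER[tag]
        return {
            "alias": tag,
            "issued_to": entry["vendor"],
            "sender_domain": sender_domain,
            "leaked": sender_domain not in entry["domains"],
        }
    return None


def leak_report(messages):
    """Return the attribution records for messages that indicate a leak."""
    return [r for r in map(attribute, messages) if r and r["leaked"]]


# Constructed sample messages: one from the vendor that owns the alias,
# one from an unrelated mailshot sender using an alias only Jobsite was given.
SAMPLE_MESSAGES = [
    "From: Europcar <noreply@europcar.com>\n"
    "To: me+europcar@example.com\nSubject: Your booking\n\nThanks.\n",
    "From: Recruiter <jobs@mailshot.example.net>\n"
    "To: me+jobsite@example.com\nSubject: New role for you\n\nHi.\n",
]

if __name__ == "__main__":
    for record in leak_report(SAMPLE_MESSAGES):
        print(f"alias '{record['alias']}' issued to {record['issued_to']} "
              f"was used by {record['sender_domain']}")
```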

Paragraph 5: By post?! I'd sent a number of messages (including serving the particulars of the claim) via email and they try to reply by post? Surely that's just trying to hide away from making the simple effort of sending an email? Unfortunately whoever actually received this letter must have rejected it on the basis that delivery was attempted at the wrong address. I regretfully never had the opportunity to reject it.

The Result


The defendant claimed never to have received any of the documents - the same documents they were reading in order to file a defence incidentally.

The defendant also claimed that they never received the emailed SAR or NBA.

That changed the moment I produced their own auto-responders for each message I'd sent; and they subsequently settled for a menial amount. I've still not received a response to my SAR but they agreed to cease spamming me. I just wanted to know why they went back on their word.

Because no-one apparently reads the emails in their customer service inbox; if you have similar issues with Europcar in future I'd recommend contacting their relations officer, John Cooper, directly. This ensures there are no misunderstandings in communication - it is 2017 after all. Email john.cooper@europcar.com or via phone on 0116 217 3422.


Don't expect a welcoming conversation or any admission of wrongdoing - even when their error is as plain as the nose on their faces.

Friday, September 01, 2017

Current Events

This is what it took to get a correct final bill

Some significant time ago, I wrote about our experiences between Scottish Power and Spark Energy. It's taken a lot to get resolved including small claims court, regulator action and a lot of wasted paperwork. Whilst it's difficult to put an exact value on their financial throughput they're certainly able to invest in customer service.

Background


After moving to a 3rd supplier earlier last year and letting the dust settle, we discovered how little honesty had been involved.

Spark essentially refused to relinquish control of one of the supplies, claiming that there was an unpaid bill - actually they had failed to complete their own data entry procedures during the original transfer to them. Because they delayed the transfer one of our energy supplies was put onto the "default" tariff - the more expensive one they're legally obliged to move you off.

To compound the situation they then claimed that they'd never told us the supply was incomplete; so I sent them a subject access request to include all call recordings to prove them wrong. After the usual to-and-fro regarding the £10 access fee - an obstruction that disappears with GDPR - they relented when I suggested they simply add the fee to the outstanding bill.

Any organisation that sees the £10 SAR fee as a realistic way of recouping the cost of answering a SAR has a seriously ineffective accounting approach. This fee was originally instituted in the last century when email was not readily or normally available - so would cover the cost of print & post.

During this process - and without even sending us a final bill - Spark sent two separate debt collection firms after us at the same time. Each was told that there were legal issues relating to the case; that the matter was with Spark and that they were not to contact us again (i.e. assumed rights of entry revoked). Some small part of me wished that one of them had attempted to get a CCJ, because I could then raise a counter-claim directly against Spark which included compensation for distress.

Spark made no attempt to reply to the messages above, even though they were included in the CC line.

As a side note, and during the final stages of conversation with the supplier; Spark noted that they had supplied the final bill to a portal - which they had neither told us about, nor notified us of the arrival of any document on it. Despite our standard opt-out of marketing messages this would be considered a "service message" and therefore be exempt from PECR section 22. There's simply no excuse for that level of communication in 2017.

I suggested that Spark use the same document sharing portal that they use for their bills and statements; I suggested that they upload to a file sharing service I would make available to them with credentials I would supply them. No - it would have to be via post.

£10 barely covers postage of a bunch of CDs - even though I pointed out that I don't own a computer that still has a CD / DVD drive - never mind the FTE cost of fulfilling the SAR request. Essentially the £10 fee has become largely meaningless - a business adhering to the law (the DPA in this case) must absorb this as a cost of doing business, based on the risk of how many SARs they expect to receive vs. the frequency which is reasonable to respond to per customer. Most organisations I even feel the need to SAR often realise something is amiss and waive the fee - SMEs usually get some free DPO advice as a reward if there are actually any issues.

After about two months they'd failed to send anything at all - frankly I half expected them to tell me they'd delivered it to a previous address. I wish I'd checked as this is a far more serious breach of the DPA.

However I didn't - and raised a claim in the courts for SAR failure as well as raising the issue with the energy ombudsman. None of this is a quick process and you can expect the company you're dealing with to spin it out as long as possible to try and make you lose interest. Involve the regulator and they start charging the company for every day the complaint is active.

The EO charges roughly £250 per complaint per day back to the supplier for each case, which means that they'll start taking it [slightly] more seriously.

During this process and at regular intervals Spark continued to send more debt collection firms our way. In total five different firms were involved and each was told to jog on. Yet not one direct message from Spark attempting to resolve the issue directly.

The Result


Unsurprisingly, in 2017 Spark were told to compensate us for the trouble and adjust the bill to correct the charge (to the tariff we actually signed up for). Spark labelled this in their post-regulator letter as a "goodwill gesture", but they were simply told to compensate us then correct the bill - which then reduced the cost further.

The only admission of failure on Sparks part is highlighted

The EO refused to tell Spark to enhance their customer processes to prevent this happening again, saying that it "wasn't within the scope of their powers". I would imagine that the number of complaints being swept under the rug and emerging with the EO is roughly 85% of complaints lodged with providers, and of those (according to the EO 2016 stats PDF): 63% (of nearly 85k complaints) were upheld or settled, with another 30% listed as 'maintained'. Only 7% of complaints lodged with the EO were rejected.

Surely something is wrong where a BAU failure demand rate is at 85% of customer complaints being dealt with by a 3rd party?

It cost Spark £250 pd x 3 months for the EO case, plus their lawyers' retainer to answer the small claims case (which was eventually struck out when I failed to receive the DQ request from the courts) - I've no idea what their defence was for refusing to fulfil a SAR without grounds to withhold, and most of their claim to the supply liability. Peanuts in comparison to their bottom line - which is why they simply continue not to care at all.

The final bill was around £15 - which still included the £10 SAR fee they had taken last year. At the time of writing Spark have never responded to the SAR. They never admitted fault for the switches in either direction; even though both our current supplier, Scottish Power, and the regulator conclusively identified them as the cause of the problems.