Category Archives: Legal

The Clokie Project

In December 2018 Katherina Clokie, a known speaker, announced that she would look more outside the tester community.

My reaction

Amazement, grief.

After a few months I realised that it was not a bad idea.

My change of heart

My wife has some really tough questions I have to answer. The biggest one is:
“What did you learn?”
Right after each test conference.

So I reduced my number of test conferences and number of hours at the conferences. There are still some really good conferences like TestBash, Agile Testing Days, and European Testing Conference with plenty of awesome few insights.

I attended a lot of other conferences and after a while I would be just happy to pick up something new.

There is more to gain at a conference if you only know the basics. With more than 20 years of experience it is way less.

It was time for my Clokie project.


Time for a small flashback to October and November 2018. I already had looked outside the Test Community.

Here are some notes from Infosecurity 2018:
In case of doubt treat data as personal data. Zip code and house number are personal data.

In the EU there are several government privacy organisations, but they have a different focus on privacy issues.

Steps in case of data breach:

  • Secure proof
  • Look in the logging
  • Determine scope
  • Communicate
  • Remediate
  • Learn

A change of behaviour can indicate an identity theft.

The way of accessing data in the cloud is the weakest link.

In GDPR, the European Privacy Law, a penalty is used to let the company feel the pain instead of putting a company out of business.

GDPR is not applicable for dead persons. But there can be other laws which are applicable for dead persons.

Meet the expos

How to attract people to an expo? Goodies, free access, and talks.

Some of my Healthcare and ICT notes in random order
Anonymize pictures, determine objects of interest, and annotate them using smart software.

First step is vision and then involve stakeholders like care providers, health insurers, and suppliers.

A patient panel discovered that 60 % of the patients want a personal health environment.

Care providers like hospitals and doctors are stimulated. They get money on basis of results and not on actions taken.

Law of customer’s rights. E.g. a care provider should only get information which is needed for the care to be provided.

Misconfiguration is becoming the weakest point in defense.

Meet the meetups

010dev is a small meetup in Rotterdam. It has Dutch characteristics like gezellig (cosy) and Buy Own Drink. It is in a pub after all. Once in a while it is in a company.

During my meetups there are no lectures, but I still listened a lot. As a tester, was I able to follow the small talk and tech talk?

In a few hours a lot of subjects passed. Programming languages, projects, and new trends were discussed. Somehow I could understand bits and pieces.

Developers.nl had a more traditional format for the meetup: free drinks, free meals, and free lectures.

I went to two meetups. The first one was abstract. It was about architecture. What are good guiding principles to set up a complex environment?

The second meetup was about vue.js. This was a challenging one. I had only basic knowledge about JavaScript and HTML. So I read some ebooks about vue.js which are based on these languages.

This talk was more understandable for me. The speaker shared some tips about vue.js.

How to speed up the performance by loading the needed content in 2 stages? First the necessary stuff was loaded for the web page. The rest followed while the user had a first impression of the page.

Looking under the hood

My blog has been made with WordPress. One day I was blogging and a conference in Rotterdam was announced in the dashboard.

There were some particular benefits: 25 Euro for a ticket including lunch, an environment friendly environment, meeting other WordPress users, short traveling distance.

As a tester I had not had a chance to attend a talk about accessibility. I honestly don’t understand this.

This conference offered more talks about this subject than I could process. I skipped the last ones.

Another interesting subject was security headers. It is possible to make WordPress secure. I was thinking that a header only contained some information.

For the interested reader have a look at my conference digest mind map.

Finishing thoughts

Retro: did I learn more than previous years?
Yes.

But what did I pick up in those previous years?
Mostly subjects related to programming and law. Less about testing.

Just made me think.


On Twitter Trish Koo placed a thought-provoking tweet. In order to become better in software development you have to learn both testing and programming.

A Bit More Responsive

Years ago some websites looked terrible on my smartphone. They looked like websites viewed from 6 meters distance.

The first time I visited my blog with my smartphone, I was really anxious: “Does it look right?”

5 seconds later “What did I worry about?”

Disclaimer

I am not a legal expert. So please have a look at my used sources. Or contact a legal expert.

I am just a tester finding test ideas about accessibility. Thanks for joining in advance.

Some test responsiveness stories

My first tablet app to be tested was intended for an iPad. I had a Windows PC instead of the tablet. This was not right.

My solution was to install Safari and let it emulate an iPad. In other words: “I know you are a Windows machine. Now you function like an iPad.”
It sounds like a hypnosis act.
“What did I worry about?”

This workaround did not stop me from demanding an iPad. There is nothing like the real thing.

Responsive web design is basically about creating the best possible user experience in the assigned space on the screen.

This blog looks good on a mobile device and a laptop. The same features are shown only in a different order and in a different way, but it feels the same. Really responsive.

The last years I learned CSS or Cascading Style Sheets. CSS determines how a website looks. It is even possible to change the locations of web elements.

If I look at this website in a browser on a laptop, I can make the window smaller by resizing the window. The effect is that elements of the web page are resized or relocated or not shown any more.

During a debriefing a developer showed me this resizing trick.
Resize and look for bad things like hidden buttons or partially shown texts.
It is a fast way for the first impression.

Can not install on my machine

All that resizing stuff is not an exact science and Safari … cannot simply be installed on a company laptop because of a company policy. So I did a bit of research. If you don’t mind.

Firefox has a special feature Dev Tools. It can be accessed using the F12 key. In the upper right corner of this sub window there is a button with two rectangles, which look like a smartphone and a tablet.
[Image: a green ellipse marking a button with a smartphone and a tablet in the menu bar of Dev Tools!]

This opens a lot of options to test smartphones and tablets.

It also supports screen orientations like portrait and landscape.

Just look at this website on a mobile phone while holding it in portrait mode. Then change it to landscape. In portrait mode only the headers of my last blog posts are shown, in the landscape mode the last complete blog posts are shown. Courtesy of my website software.

Chrome and Edge also have Dev Tools which can be accessed using the F12 key. Both Dev Tools windows have an emulator tab for mobile devices.

Concerning responsiveness

One of the biggest search engines decided to give a higher ranking to mobile friendly websites. So support for small screens can give a positive boost to let a user find a website.

Most people have a PC or laptop with 1 screen. It is sometimes tedious to switch applications. So I tend to resize the applications to fit more of them on my screen. My preference is squeezed and usable.

Another thing for responsiveness is language. Some customers prefer to use a website or application in their own language. OK is translated to OK, but Cancel to Annuleren or Annullieren. So the button should be resized after translation.

Responsiveness is not only about reshuffling web page elements. It is also about resizing the web page elements in case of bigger fonts.

Suppose I have bad eyes, then I need to make fonts bigger so that I can actually read the text. Pressing the Ctrl key and the + key at the same time will enlarge the text in browsers and Windows applications.

Problem solved?
No, I am so sorry.

As a user I have to scroll a lot. It is like watching a picture which is split over three different screens. I have to change my seat to get the whole picture.

In 2024 this could have some legal consequences in Europe.
In Annex 1 of the European Accessibility Act “flexible magnification” is mandatory for specific commercial websites.

In case of American customers for an e-commerce website there is a law already in place at this very moment. The Americans with Disabilities Act (ADA) explicitly points to the WCAG or Web Content Accessibility Guidelines on page 196 of Americans with Disabilities Act Title III Regulations.

In WCAG attention must also be paid to screen size and orientation.

One more chat

“How would you like your website?”
“Responsive please.”
“No problem.”
“Thank you, my dear.”
“You are welcome, grandma.”

Link Missing In Action

“Know the ways of all professions”
– Miyamoto Musashi

UX designer

A few blog posts ago I told about my attempts to make this very blog more accessible. I just walked my talk.

For people who need a story:
As a user with no or bad eyesight I want headers tagged as headers, so that the screen reader can read the headers aloud differently.

Web master

I changed the look of the headers in a lot of blog posts. I went in a flow and gained more speed in the process, until …

A small square disappeared. I just did an undo and continued editing.

The next time I let the square disappear, I had already updated the blog post on the web.

Hit the OK, Jack.
[on the melody of “Hit the road, Jack”]

This was not good for my user journey. I did not want to lose a user by a missing link. Just stick around.

Tester

There was an easy trick for finding missing links. On the internet there were free websites and add ons for browsers available.

Marketeer

As a marketeer I had some problems with broken link reporters. A reporter had to hit every page and every link in it. So the number of hits would increase significantly.

Even worse there are web pages referring to other web pages. So some pages are counted double. Then there are categories and months referring to pages. So some pages are counted more than twice.

This would hide the real traffic in my daily reports. But this is not a company web site. Otherwise I should have to add a note about a maintenance period. For an auditor. So I could skip this role.

Tester again

First pick of a broken link service stopped half way. The second looked promising, but it had terms and conditions.

Legal expert

Now I was curious. I clicked on the link and landed on a page with lots of legal sentences. Must be an American thing.

I tried to distil the information. The most important message was that the service was provided as is. There were no financial consequences for the service providers.

I have a website which does not provide me any income.
So what was I waiting for?

Enter my website and show my broken links you can find.

Author

Now it was the turn for the author to have a fix.
Yeah. Sure.

The first broken link was ejc2008.de. This is short for European Juggling Convention 2008 in Germany. More than 10 years ago. This must be an old-timer.

I entered the URL in the browser and got an error message. After 10 years the website was taken offline. But I needed a link.

Then I looked for internet archive wayback machine in my search engine. This website stores all versions of visited websites. I entered ejc2008.de and found my website.

I picked a link to a 2019 copy and replaced the link in the blog posts. This way people can still read about a convention which was visited by more than 3,000 people sharing the fun of juggling.

In my list of broken links I found a link to a Let’s Test conference in 2015. I had a better link available, so I just updated the link. A similar situation for the first TestBash conference in the Netherlands.

It was a simple test tool. No need to switch to tester mode.

Another run of broken link test revealed that I had not changed the About me page. Why did they show up now? No idea.
Anyways. Fixed.

3rd test run revealed no more missing links. But something was wrong. I missed the comeback of the square. Popping back in view.

Web master again

In my memory I tried to locate the square. It was during header 6 handling. Then I remembered the use of anchors.

An anchor is a fast way to get a reader at the right place in a blog post instead of the top of the post. This saves the reader some scrolling. Example time.

In my blog post about a test exercise the following code is shown in my code editor:

My last upload before my workshop was for me <a href="http://mindfultester.com/a-look-behind-the-scenes/#disaster">another exercise in exploration</a>.

In my blog post “A look behind the scenes – in Runö” the following code is shown in my code editor:

<h1><strong><a id="disaster"></a>Flirting with disaster</strong></h1>

A broken link checker only checks whether the link exists and ignores the presence of an anchor. So it was an anchor missing in action.

Now I had to check the 90ish blog posts for anchors. Preferably automatically and not clicking all links myself. Please.

If I could only find them. I got a flash of insight. It was possible to find blog posts with a search engine in my Content Management System or website authoring program.

I looked for #. And yes, all blog posts with anchors and links with anchors were listed. Now it was easy to add missing anchors.
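The check that the broken link checker skipped can be automated. The following is an added example, not code from this blog or from any link-checking service: it follows each link with a `#fragment` and verifies that the target page still contains a matching `id` (or legacy `name`). The two HTML snippets are the ones quoted above; the source post URL and the version of the page with the lost anchor are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urldefrag, urljoin, urlsplit, unquote


class PageScan(HTMLParser):
    """Collect every href and every possible anchor target on one page."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.anchors = set()

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if attrs.get("id"):              # an id on any element is a valid target
            self.anchors.add(attrs["id"])
        if tag == "a":
            if attrs.get("name"):        # legacy <a name="..."> anchors
                self.anchors.add(attrs["name"])
            if attrs.get("href"):
                self.links.append(attrs["href"])


def scan(html):
    parser = PageScan()
    parser.feed(html)
    parser.close()
    return parser.links, parser.anchors


def page_key(url):
    """Compare pages by host and path, ignoring scheme and trailing slash."""
    parts = urlsplit(url)
    return parts.netloc.lower() + (parts.path.rstrip("/") or "/")


def missing_anchors(pages):
    """pages maps URL -> HTML. Returns (source_url, href) for each dead fragment."""
    scanned = {page_key(url): scan(html) for url, html in pages.items()}
    problems = []
    for source in pages:
        for href in scanned[page_key(source)][0]:
            # Resolve relative links such as "#disaster" against the source page.
            target, fragment = urldefrag(urljoin(source, href))
            fragment = unquote(fragment)
            if not fragment or fragment.lower() == "top":
                continue                 # "#top" always resolves to the page top
            key = page_key(target)
            if key not in scanned:
                continue                 # page not supplied: ordinary link check
            if fragment not in scanned[key][1]:
                problems.append((source, href))
    return problems


# Constructed URL for the linking post; the markup is the snippet quoted above.
SOURCE_URL = "http://mindfultester.com/constructed-source-post/"
SOURCE_HTML = (
    'My last upload before my workshop was for me '
    '<a href="http://mindfultester.com/a-look-behind-the-scenes/#disaster">'
    'another exercise in exploration</a>.'
)
TARGET_URL = "http://mindfultester.com/a-look-behind-the-scenes/"
TARGET_OK = '<h1><strong><a id="disaster"></a>Flirting with disaster</strong></h1>'
# Constructed: the same header after the anchor was deleted by accident.
TARGET_LOST = '<h1><strong>Flirting with disaster</strong></h1>'

if __name__ == "__main__":
    for label, target in (("anchor present", TARGET_OK), ("anchor lost", TARGET_LOST)):
        found = missing_anchors({SOURCE_URL: SOURCE_HTML, TARGET_URL: target})
        print(label, "->", found)
```

Fed with the exported HTML of all posts, `missing_anchors` lists every link whose page exists but whose anchor does not.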

Professions

So I was

  • Tester
  • Marketeer
  • Legal expert
  • UX designer
  • Author
  • Web master

I skipped the auditor though.

2024 Testing

This year I wrote some blog posts about legal and certification stuff, like January Testing and May 2018 Testing. So it would be appropriate to shed some light on accessibility and laws.

Disclaimer

I am not a legal expert. So please have a look at my used sources. Or contact a legal expert.

I am just a tester finding test ideas about accessibility. Thanks for joining in advance.

What?

During #30DaysOfTesting I recommended to follow Karl Groves and Albert Gareev on Twitter for accessibility. Karl had interesting news for European software suppliers. Some law for accessibility was coming.

Accessibility is coming to EU.
[On the melody of “Santa Claus is coming to town.”]

I started my search engine and found the European Accessibility Act or EAA.
Great, a new abbreviation for upsetting the PO.

On November 8 the EU wrote a proposal to improve accessibility. Section 3.5 “The proposal” of Annex 1 states that the implementation should take place within 6 years.

A lot of readers might think:
“No worries, mate.
2024 is beyond the horizon.”

So what?

A lot of companies would think, that this is a rehearsal of the GDPR situation. A lot of companies still think, that everything is under control. Just have a read over a forgotten test.

Okay, a typical reaction about accessibility is:
“There is no law in place.”

Let me give several comments to this statement.

  • It is not ethical. People are dependent on the internet. There are online shops, online bank portals, online government points of access, and so on. People with limitations have a right to use them.
  • There are human rights and right no 9 states, that things must be accessible. Basically the EU bought companies some time.
  • The global organisation World Wide Web Consortium or W3C created Web Content Accessibility Guidelines to help people and companies to make applications accessible. WCAG or Web Content Accessibility Guidelines is mentioned in EAA. So it is a set of practical information to make websites accessible.
  • Actually there are American laws for accessibility.
    These laws are based on WCAG.

    Accessibility is coming from the States.
    [On the melody of “Santa Claus is coming to town.”]

    Companies are being sued because of these laws at this very moment. So watch out with shipping your software to the States.

  • Websites for European institutions must be accessible.
  • Maybe at the end of this blog post I have some other comments.
    : )
    Just scroll down and up.
    I can wait.

What now?

As a reader you have the right to ask for test ideas.
OK, let’s have a look at an OK button.

  • Is it possible to navigate to this button using the keyboard?
  • Is the contrast of the text “OK” and the background big enough?
  • Is OK written in clear font?
  • Are symbols and colours used to indicate, that a press of the button is a confirmation?
  • Is OK not offensive in this context?
  • Does the screen reader recognise the OK button?
  • Etc.

Imagine the dialog with the “OK” button.
Roll up your sleeves.

  • Are the consequences of pressing the OK button clear?
  • Is a pop up dialog really necessary?
  • And so on. And so forth.

What are we waiting for?

It takes time to find the right combination for accessibility.

Did I already mention, that American companies have a clear advantage?
Or the fact, that government websites in the Netherlands must be accessible to a certain degree.

Accessibility on Dutch government websites.
[On the melody of “Santa Claus is coming to town.”]

GDPR – The forgotten tests – Test 3

[Update July 30th 2019] The last weeks I did some research and discovered that my advice was wrong. So I removed it.

My initial take was to describe a situation that was not GDPR compliant. But I was wrong, so I wrote down the latest status.

This blog post is about the mysterious status code 451. It still contains some really interesting information.

[End update July 30th 2019]

Disclaimer

I am not a legal expert. So please have a look at my used sources. Or contact a GDPR expert.

I am just a tester finding test ideas about GDPR. Thanks for joining in advance.

Experience report

This is my way to reflect on my research in GDPR of the last months. It took me lots of hours.

If I missed a legal or W3C link, you can always contact me. I am happy to update this blog post.

This spring I prepared a workshop about blogging. I tweeted about the use of sketch notes to find fieldstones. It got attention from @ConstanceHermit and Mike Rohde.

Mike had a familiar name. I bought his book about sketch noting.
He asked me for a sketch note for testing. OK. Wow. WOW.
Sure no problem.

I only had to wait for a good opportunity to put his request in practice. After a few months I saw a tweet about code on a web page:
“451: the website cannot be shown because of legal reasons.”

I visualised some scenarios and found some problems in the chosen solution. In case of impatience you can skip to the end of the article for the sketch notes. Be my guest.

Numbers are fast to communicate. If people want a pizza and call numbers, then I can go to the website and just enter the called numbers.

A pizza menu was used to abbreviate the pizza names: 16 is pizza Salami, etc. This way a protocol was set up.

The internet Hypertext Transfer Protocol is used for web sites. Status codes like 451 provide information to the user.

The problem with being a tester is to make an understandable message. This is quite hard. It is like telling how a car works without using names of car parts. I wanted to put 451 in the sketch note, but that was intimidating. I also skipped flow diagrams.

I also wanted to show off with test techniques. This was again: Not done. This is only nice for testers, but this is no good for people unfamiliar with testing. I can guarantee you that their number is way bigger than the number of testers.

Several drafts later.
One sketch note became 2 sketch notes. First I drew with a dark marker, then I used other markers for more details.

Then I set a new deadline for myself. I would use the sketch notes in a presentation. If a speaker could not make it at the test conference a week later, then I would volunteer. GDPR is still interesting stuff for testers. In legal terms it is good for the public interest.

Now I had to check my picture. And I hit the wall. It hurt.
[Sketch note: Access is denied to the website because of tracking without consent]

451 was used for legal demands. I clicked on the link to the official request to add an extra code to the HTTP protocol.
This looked pretty official.

In this case the ministry of justice contacted the internet service provider, which in turn shows a 451 to the user. Sorry access denied.

So this was not about web sites silencing themselves.
So all the hours spent were for nothing. I lost hours of work. I felt miserable. This is part of research.

The weekend before the test conference I looked on the internet. This time I searched on 451 and GDPR. The blog post ‘Is http 451 suitable for GDPR blocking?’ popped up.

So I started my due diligence.

Is it right
What I write?

The author is Terence Eden. That was the guy who had the idea for 451. I looked again in the official proposal for 451. Terence was mentioned. So my sketch note was almost good.

So I only had to change the picture. And I was all set.
[Sketch note: Access is sometimes denied to the website because of tracking without consent]
I shared my deadline with my kids and they talked about it the next days.

The evening before the conference I checked my sketch note about citizenship. GDPR was quite vague:
“Data subjects who are in the EU” [Article 2]

I could not find something about nationality. So a Dutchman in his own country is a data subject in EU. But a Dutchman in the US is not a data subject in the EU. Did I miss something?

So again I was facing a legal problem in my sketch note.

I used my search engine and found several answers to my question: is it possible to track EU citizens outside the EU?
On Quora there was a majority in favour of not tracking. One legal looking website had a complex advice with lots of conditions.

Law is not about democracy, but about sticking to the rules.
Basically I hit the wall again.

Now I am a Dutchman. The big advantage is that the number of Dutch web pages is lower than the number of English web pages.

I entered several Dutch words in my search engine and I found an official web page
“Bedrijven buiten de EU die gegevens van EU-burgers verwerken, moeten een vertegenwoordiger in de EU aanwijzen.”

Please allow me to translate this into English by using the language button on the page:
“Non-EU based businesses processing EU citizen’s data have to appoint a representative in the EU.”

These are the first 2 times I found “EU citizen” on the official EU website pointing to GDPR.
“Is this legal stuff for the court?”
“Sorry no.”
“Really?”

There is a legal notice in the footnote containing a disclaimer. So I am quoting from an interpretation of the EU of GDPR. GDPR is leading and not the interpretation.

The day before first publication date I read article 2 again:
“This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

  • (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
  • (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.”

The location of the home of the user was not enough. Again I was attempting to tweak this blog post.

Wait. In 2 (a) I found an interesting exception clause. What if an American shop offers products in the EU?
So I drew a shop in the EU.

Okay, here are the promised sketch notes. Sorry for the lengthy introduction.

In the first sketch note I point out that the web site uses the location of the laptop to identify an EU citizen. But this is different from GDPR. The nationality of the user and the location of the shop should be used instead.

Sketch note showing that a web site is denying access based on location instead of nationality and location shop because of tracking.

In the second sketch note there are two situations, which were not intended by the web site owner.

An American cannot access a website in the office in the EU. But GDPR is not applicable.

Suppose your American colleague comes to Germany to give you a hand. Then he wants to go to a website with an expensive subscription. It is not possible: 451. The web site owner will probably state something about GDPR. Hopefully a disclaimer was added for this case.

Looking at GDPR there is no violation. So no privacy penalties are involved.

The second sketch note is really worrying, because an EU citizen is tracked during her or his holidays in the US.

[Update July 30th 2019]

My interpretation of GDPR was that this was not allowed.

This spring I heard that it was possible to track the behaviour of European citizens outside the European Union. I filed it for later research. Last month I did some research for my workshop about GDPR. In a blog post it was again stated that behaviour outside the EU could be tracked.

Use the source, Luke

So I searched in the original law text in English. Then I switched over to Dutch and I found an article stating the tracking possibility.

As a tester I immediately started to look for other loop holes.

What about a European tourist in a European embassy in the US? If I would go to an embassy, then I need some help. As a Dutch citizen I would go to the Dutch embassy which is based on Dutch territory.

In this paragraph I made a lot of assumptions, which I had to verify one by one.

I am Dutch. I have a passport, so this is true. The same for a Dutch embassy in the USA.

The 451 status code is given based on an IP address. In plain language every internet device has an address on the internet. If I ask for some information, this info should be sent to my phone and not to a laptop 3 towns away. According to me using 451 status code based on location is highly plausible.

It is not possible to determine whether the smartphone is in an embassy. For an internet provider it is possible to determine the longitude and latitude of a smartphone. I have some doubts whether this is exact enough.

The IP address of my smartphone does not change. This assumption is wrong. The set of IP addresses for a region of the world is fixed. If I go to the US, then I get another IP address. So a fixed IP address for a smartphone all over the world is not true.

The final assumption was that the Dutch embassy is based on Dutch territory. This is not true. It is more important to determine which law applies. It is the law of the host as stated in article 21 of the Vienna Convention on Diplomatic Relations.

[End update July 30th 2019]
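The location-based 451 behaviour from the sketch notes can be written down as a small test table. This is an added example, not code from any real website: the address ranges are documentation-only ranges used as a constructed geolocation table, the visitors are constructed, and `shop.example` is a placeholder. The server only ever sees the IP address, so nationality is recorded in the table but never reaches `respond`.

```python
import ipaddress
from http import HTTPStatus

# Constructed geolocation table. The ranges are reserved for documentation
# (RFC 5737) and stand in for "addresses handed out in this region".
GEO_TABLE = {
    ipaddress.ip_network("192.0.2.0/24"): "EU",
    ipaddress.ip_network("198.51.100.0/24"): "US",
}


def region_of(client_ip):
    """Map an IP address to a region; addresses not in the table are UNKNOWN."""
    addr = ipaddress.ip_address(client_ip)
    for network, region in GEO_TABLE.items():
        if addr in network:
            return region
    return "UNKNOWN"


def respond(client_ip):
    """Location-only policy as described in the post: 451 for EU addresses.

    Letting UNKNOWN addresses through is an assumption of this sketch.
    RFC 7725 lets the blocking party identify itself with a Link header
    carrying rel="blocked-by"; the URL here is a placeholder.
    """
    if region_of(client_ip) == "EU":
        headers = {"Link": '<https://shop.example/legal>; rel="blocked-by"'}
        return HTTPStatus.UNAVAILABLE_FOR_LEGAL_REASONS, headers
    return HTTPStatus.OK, {}


# Constructed visitors: (who, nationality, IP address at the time of the request).
# The same person gets a different address after travelling to another region.
VISITORS = [
    ("Dutch user at home", "NL", "192.0.2.10"),
    ("American colleague in the German office", "US", "192.0.2.77"),
    ("Dutch user on holiday in the US", "NL", "198.51.100.7"),
    ("American user at home", "US", "198.51.100.8"),
]


def run_scenarios(visitors=VISITORS):
    """Return (who, nationality, region seen by the server, status code)."""
    rows = []
    for who, nationality, client_ip in visitors:
        status, _headers = respond(client_ip)
        rows.append((who, nationality, region_of(client_ip), int(status)))
    return rows


if __name__ == "__main__":
    for row in run_scenarios():
        print(row)
```

The second and third rows are the two situations from the second sketch note: the American in the EU office receives 451, and the Dutch user on holiday receives 200.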

Tips for testing

  • Go as close to the source as possible.
    Read GDPR or find interpretation of the law given by the legislator or representative.
  • Check and double check information and sources.
  • Gamify testing by using different tools.
    I used sketch notes, mind maps, and the internet.
  • Get used to hitting the wall.

Note about experience report

This is my experience report about GDPR testing. I ran into some problems, but I was able to resolve them. I could just skip the problems encountered, but you, the reader, could get a false impression. Learning is stumbling and standing up. And walking again.