Category Archives: Privacy

My Workshop At Agile Testing Days 2019

Preparation costs energy

After all the last weeks’ changes I could finally start my actual workshop.

I felt an energy drop and watched an expectant audience from a far distance. I used my automatic pilot for the intro.

While nobody moved, my distance to the audience became smaller while I was talking.

I was back in the room.

First test session

For me the most elementary things of Exploratory Testing are:

  • Charter
  • Test idea
  • Explore
  • Debrief

For this I created a heuristic. CTED is pronounced as See TED. If I need some inspirational talks, then I go to

A charter is a short instruction for a test session.

Explore <target>
with <resources>
to discover <information>

This template by Elisabeth Hendrickson is compact and informative. It is mentioned in Explore It!

For those interested: "test charter" is not found in the index, "charter" is.

In my workshop the Target was a website. But it is still quite big. Resources is often a web browser.

Information was focused on privacy. General Data Protection Regulation or GDPR, a European privacy law, is still quite huge, so the next step was to select some articles of GDPR.

I picked 2. One led to the following question:
Does the website ask consent to gather information?

A charter can be quite abstract. A test idea can be used to focus on a feature, window, or term used in the website to explore.

Consent is not frequently used, but which words are used in a web site?
Privacy, cookies, permission, private data, etcetera.

Using the charter and test ideas it is possible to explore the website and find out whether consent is actually asked from the user.
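One way to turn the test idea above into a first pass over a saved page, as an added example that is not part of the original post: it reports which of the terms sit on controls a visitor can act on, which appear only in plain text, and which are absent. The names `TermFinder`, `find_terms` and `exploration_notes` and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser

# Terms from the test idea above, plus "consent" itself.
TERMS = ("consent", "privacy", "cookies", "permission", "private data")
ACTIONABLE = {"a", "button", "label"}  # controls a visitor can act on
HIDDEN = {"script", "style"}           # never shown to the visitor
# Constructed sample page, not taken from any real site.
SAMPLE = """<style>.cookies{}</style><script>var privacy = "tracking";</script>
<p>We never sell your private data.</p>
<div>This site uses cookies. <button>Accept cookies</button>
<a href="/privacy">Privacy statement</a></div><form>
<label>I give permission to receive mail</label><input type="submit" value="Send"></form>"""

class TermFinder(HTMLParser):
    """Collect (term, context, text) hits from the visible text of a page."""
    def __init__(self):
        super().__init__()
        self.stack, self.hits = [], []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("type") in ("submit", "button"):
            self.scan(a.get("value") or "", "input")  # visible button label
        elif tag != "input":
            self.stack.append(tag)
    def handle_endtag(self, tag):
        # Pop through any unclosed tags down to the matching open tag.
        while tag in self.stack and self.stack.pop() != tag:
            pass
    def handle_data(self, data):
        if not HIDDEN.intersection(self.stack):
            ctx = next((t for t in reversed(self.stack) if t in ACTIONABLE), "text")
            self.scan(data, ctx)
    def scan(self, text, context):
        clean = " ".join(text.split())
        self.hits += [(t, context, clean) for t in TERMS if t in clean.lower()]

def find_terms(html):
    finder = TermFinder()
    finder.feed(html)
    finder.close()  # flush text still buffered by the parser
    return finder.hits

def exploration_notes(html):
    """Split terms into: on a control, in plain text only, or absent."""
    hits = find_terms(html)
    controls = {t for t, ctx, _ in hits if ctx != "text"}
    text_only = {t for t, _, _ in hits} - controls
    return {"controls": controls, "text_only": text_only,
            "absent": set(TERMS) - controls - text_only}
```

Terms found on controls point to the places where the site may be asking for consent; terms found only in plain text, or not at all, are leads for the Explore phase.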

During the debrief the attendees shared their information, which could be used for the following test session.

Background information first test session

For the basic structure of the test session I used the heuristic DiSSS from Tim Ferriss. This stands for Deconstruction Selection Sequence Stakes.
I assume that the "i" was added for pronunciation reasons.

I looked at all the steps I took during Exploratory Testing.
Are detailed test cases needed? Not in every case. Most of the time a good description of the precondition is good enough.

What I noticed during Deconstruction was that certain steps always came back. These steps I used for the Selection for CTED. This also led to a logical Sequence. The Stakes were twofold: people had to tell whether the workshop is worthwhile. Also the fines for privacy could be quite high.

Second test session

One test session done.
Another one to do.

At the beginning of the session I enhanced the resources with personas. For me a persona is a person with a need, who interacts with the system.

Examples of a need are: acceptance, cooperation, safety, purpose, learning, support, inclusion, etc.

E.g. a known persona is a marketeer. The more she or he knows about a website visitor, the more she or he will sell.
For this purpose I had made a set of persona cards.

I also handed out a one-pager to the attendees with articles and test techniques which could be used for testing websites on GDPR compliance.

The test techniques were selected using DiSSS.

After the Explore phase more issues were mentioned during the Debrief phase.

Background information second test session

Once again I used a heuristic of Tim Ferriss, CaFE. This is an abbreviation for Compression Frequency Encryption. Once again I assume that ‘a’ was added for pronunciation.

Was it possible to compress information for testing GDPR? Yes, by making a one-pager.

I tried to make the Frequency high, so attendees had to go through the Charter – Test idea – Explore – Debrief cycle multiple times.
I used Encryption by using CTED.

In case you need more background information, please have a mind map.

What went wrong

The time to explore was quite short. I did this on purpose. For beginners it can be terrible to click through a site for 10 minutes on your own without finding anything.

In hindsight a group activity was better suited to explore the website.

While I tried to keep the introverts involved, it was a challenge to give them enough speaking time. I really liked the sticky notes for found bugs in the workshop of Lisa Crispin and Lena Pejgan.

My prerequisite of a laptop for the workshop was not needed. I could demo certain tools using my own laptop. Luckily there was an Open Space to demonstrate GDPR and Exploratory Testing.

What went right

The demo was a great way to change the pace of the workshop. I had good feedback during the repetitions.

My impression was that most attendees were hesitant to test their own websites or websites of their employers. My test website provided a safe environment to explore.

During the preparations I learned a lot about websites and tools.

Thank you José Diaz and your team for this wonderful journey.

Warning: Code of Conduct ahead

On November 5th I gave a workshop about Exploratory Testing and General Data Protection Regulation. GDPR is a European privacy law.


In the past I wrote about the Code of Conduct. A good set of rules will ensure the safety of the delegates, the speakers, and the organisers of a conference. When enforced.

Therefore I was keen to adhere to this Code. The more diverse people at a conference, the more perspectives are shared. A new perspective is not always out of the box thinking, but natural for some people.

A woman looks differently at privacy than a man.

Now I had a dilemma: I had a workshop about privacy. If a name and address would become public, then unpleasant things could happen to certain people.

I remembered a conversation with a white man not realising the consequences of a data breach. So I shared a story with him. It had some impact on him.

But this same trick would have a bad impact on women present in my workshop. So I would not stick to the Code of Conduct.

Imagine being removed from the conference as a speaker. Not good. At all.


It was time for me to mail Uwe Gelfrich, my contact at the conference. I made a brutally honest warning like:
the workshop contains situations about violence and harassment.

In this way I could still talk about certain situations. Because people were warned in advance.

Uwe replied thoughtfully: violence and harassment would not be used in the workshop. And he proposed a warning along the following lines:
the workshop may contain situations about violence and harassment.

I agreed.
The warning was set on my abstract on the website.

And I would not use a rant.


During the preparation of my workshop I read a tweet about an anxiety attack of a delegate at a conference. According to me this person was angered about the vague content warning.

I reacted with the following tweet:
“During Global Diversity CFP Day this year I heard about trigger warnings for the first time.

So I did my homework.

I contacted the conference about a suitable and specific warning. It is on my abstract. It will be shown before and right after the start. I will tell it.”


On the day of my workshop I tweeted about the warning. It was retweeted by Agile Testing Days.

During the arrival of the delegates I regularly switched between the workshop title slide and the warning slide.

After the opening I gave a warning and an explicit permission to leave the room. I would not be offended. Then I waited about 20 seconds before continuing.

So this looked like an inclusive opening of my workshop.

Actually no.
I missed some accessibility items which will be covered in the next blog post. Reads like a pretty cliff-hanger.


On the Women and Allies evening a delegate told about a talk with HR. If colleagues would not behave themselves, then they would probably be removed from conferences because of the Code of Conduct.

The Clokie Project

In December 2018 Katrina Clokie, a known speaker, announced that she would look more outside the Tester community.

My reaction

Amazement, grief.

After a few months I realised that it was not a bad idea.

My change of heart

My wife has some really tough questions I have to answer. The biggest one is:
“What did you learn?”
Right after each test conference.

So I reduced my number of test conferences and number of hours at the conferences. There are still some really good conferences like TestBash, Agile Testing Days, and European Testing Conference with plenty of awesome few insights.

I attended a lot of other conferences and after a while I would be just happy to pick up something new.

There is more to gain at a conference if you only know the basics. With more than 20 years of experience it is way less.

It was time for my Clokie project.

Time for a small flashback to October and November 2018. I already had looked outside the Test Community.

Here are some notes from Infosecurity 2018:
In case of doubt treat data as personal data. Zip code and house number are personal data.

In the EU there are several government privacy organisations, but they have a different focus on privacy issues.

Steps in case of data breach:

  • Secure proof
  • Look in the logging
  • Determine scope

A change of behaviour can indicate an identity theft.

The way of accessing data in the cloud is the weakest link.

In GDPR, the European Privacy Law, a penalty is used to let the company feel the pain instead of putting a company out of business.

GDPR is not applicable for dead persons. But there can be other laws which are applicable for dead persons.

Meet the expos

How to attract people to an expo? Goodies, free access, and talks.

Some of my Healthcare and ICT notes, in random order:
Anonymize pictures, determine objects of interest, and annotate them using smart software.

First step is vision and then involve stakeholders like care providers, health insurers, and suppliers.

Patient panel discovered that 60 % of the patients want a personal health environment.

Care providers like hospitals and doctors are stimulated. They get money on basis of results and not on actions taken.

Law of customer’s rights. E.g. A care provider should only get information which is needed for the care to be provided.

Misconfiguration is becoming the weakest point in defense.

Meet the meetups

010dev is a small meetup in Rotterdam. It has Dutch characteristics like gezellig (cosy) and Buy Own Drink. It is in a pub after all. Once in a while it is in a company.

During my meetups there are no lectures, but I still listened a lot. As a tester, was I able to follow the small talk and tech talk?

In a few hours a lot of subjects passed. Programming languages, projects, and new trends were discussed. Somehow I could understand bits and pieces. had a more traditional format for the meetup: free drinks, free meals, and free lectures.

I went to two meetups. The first one was abstract. It was about architecture. What are good guiding principles to set up a complex environment?

The second meetup was about vue.js. This was a challenging one. I had only basic knowledge about JavaScript and HTML. So I read some ebooks about vue.js which are based on these languages.

This talk was more understandable for me. The speaker shared some tips about vue.js.

How to speed up the performance by loading the needed content in 2 stages? First the necessary stuff was loaded for the web page. The rest followed while the user had a first impression of the page.

Looking under the hood

My blog has been made with WordPress. One day I was blogging and a conference in Rotterdam was announced in the dashboard.

There were some particular benefits: 25 Euro for a ticket including lunch, an environment-friendly environment, meeting other WordPress users, short travelling distance.

As a tester I had not had a chance to attend a talk about accessibility. I honestly don’t understand this.

This conference offered more talks about this subject than I could process. I skipped the last ones.

Another interesting subject was security headers. It is possible to make WordPress secure. I was thinking that a header only contained some information.

Interested readers can have a look at my conference digest mind map.

Finishing thoughts

Retro: did I learn more than previous years?

But what did I pick up in those previous years?
Mostly subjects related to programming and law. Less about testing.

Just made me think.

On Twitter Trish Koo placed a thought-provoking tweet. In order to become better at software development you have to learn both testing and programming.