Category Archives: Privacy

GDPR – The forgotten tests – Test 3

[Update July 30th 2019] In the last weeks I did some research and discovered that my advice was wrong. So I removed it.

My initial take was to describe a situation that was not GDPR compliant. But I was wrong, so I wrote down the latest status.

This blog post is about the mysterious status code 451. It still contains some really interesting information.

[End update July 30th 2019]

Disclaimer

I am not a legal expert. So please have a look at the sources I used. Or contact a GDPR expert.

I am just a tester finding test ideas about GDPR. Thanks for joining in advance.

Experience report

This is my way to reflect on my research in GDPR of the last months. It took me lots of hours.

If I missed a legal or W3C link, you can always contact me. I am happy to update this blog post.

This spring I prepared a workshop about blogging. I tweeted about the use of sketch notes to find fieldstones. It got attention from @ConstanceHermit and Mike Rohde.

Mike had a familiar name. I bought his book about sketch noting.
He asked me for a sketch note for testing. OK. Wow. WOW.
Sure no problem.

I only had to wait for a good opportunity to put his request in practice. After a few months I saw a tweet about code on a web page:
“451: the website cannot be shown because of legal reasons.”

I visualised some scenarios and found some problems in the chosen solution. In case of impatience you can skip to the end of the article for the sketch notes. Be my guest.

Numbers are fast to communicate. If people want a pizza and call out numbers, then I can go to the website and just enter the numbers they called out.

A pizza menu was used to abbreviate the pizza names: 16 is pizza Salami, etc. This way a protocol was set up.

On the internet the Hypertext Transfer Protocol is used for web sites. Status codes like 451 provide information to the user.

The problem for a tester is making an understandable message. This is quite hard. It is like telling how a car works without using the names of car parts. I wanted to put 451 in the sketch note, but that was intimidating. I also skipped flow diagrams.

I also wanted to show off with test techniques. This was again: Not done. This is only nice for testers, but this is no good for people unfamiliar with testing. I can guarantee you that their number is way bigger than the number of testers.

Several drafts later.
One sketch note became 2 sketch notes. First I drew with a dark marker, then I used other markers for more details.

Then I set a new deadline for myself. I would use the sketch notes in a presentation. If a speaker could not make it at the test conference a week later, then I would volunteer. GDPR is still interesting stuff for testers. In legal terms it is good for the public interest.

Now I had to check my picture. And I hit the wall. It hurt.
Access is denied to the website because of tracking without consent

451 was used for legal demands. I clicked on the link to the official request to add an extra code to the HTTP protocol.
This looked pretty official.

In this case the ministry of justice contacted the internet service provider, which in turn shows a 451 to the user. Sorry access denied.

So this was not about web sites silencing themselves.
So all the hours spent were for nothing. I lost hours of work. I felt miserable. This is part of research.

The weekend before the test conference I looked on the internet. This time I searched on 451 and GDPR. The blog post ‘Is http 451 suitable for GDPR blocking?’ popped up.

So I started my due diligence.

Is it right
What I write?

The author is Terence Eden. That was the guy who had the idea for 451. I looked again in the official proposal for 451. Terence was mentioned. So my sketch note was almost good.

So I only had to change the picture. And I was all set.
Access is sometimes denied to the website because of tracking without consent
I shared my deadline with my kids and they talked about it the next days.

The evening before the conference I checked my sketch note about citizenship. GDPR was quite vague:
“Data subjects who are in the EU” [Article 2]

I could not find something about nationality. So a Dutchman in his own country is a data subject in EU. But a Dutchman in the US is not a data subject in the EU. Did I miss something?

So again I was facing a legal problem in my sketch note.

I used my search engine and found several answers on my question: is it possible to track EU citizens outside the EU?
On Quora there was a majority in favour of not tracking. One legal looking website had complex advice with lots of conditions.

Law is not about democracy, but about sticking to the rules.
Basically I hit the wall again.

Now I am a Dutchman. The big advantage is that the number of Dutch web pages is lower than the number of English web pages.

I entered several Dutch words in my search engine and I found an official web page
“Bedrijven buiten de EU die gegevens van EU-burgers verwerken, moeten een vertegenwoordiger in de EU aanwijzen.”

Please allow me to translate this in English by using the language button on the page:
“Non-EU based businesses processing EU citizen’s data have to appoint a representative in the EU.”

These are the first 2 times I found “EU citizen” on the official EU website pointing to GDPR.
“Is this legal stuff for the court?”
“Sorry no.”
“Really?”

There is a legal notice in the footnote containing a disclaimer. So I am quoting from an interpretation of the EU of GDPR. GDPR is leading and not the interpretation.

The day before the first publication date I read article 2 again:
“This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

  • (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
  • (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.”

The location of the home of the user was not enough. Again I was attempting to tweak this blog post.

Wait. In 2 (a) I found an interesting exception clause. What if an American shop offers products in the EU?
So I drew a shop in the EU.

Okay, here are the promised sketch notes. Sorry for the lengthy introduction.

In the first sketch note I point out that the web site uses the location of the laptop to identify an EU citizen. But this is different from GDPR. The nationality of the user and the location of the shop should be used instead.

Sketch note showing that a web site is denying access based on location instead of nationality and location shop because of tracking.

In the second sketch note there are two situations, which were not intended by the web site owner.

An American cannot access a website in the office in the EU. But GDPR is not applicable.

Suppose your American colleague comes to Germany to lend you a hand. Then he wants to go to a website with an expensive subscription. It is not possible: 451. The web site owner will probably state something about GDPR. Hopefully a disclaimer was added for this case.

Looking at GDPR there is no violation. So no privacy penalties are involved.

The second sketch note is really worrying, because an EU citizen is tracked during her or his holidays in the US.

[Update July 30th 2019]

My interpretation of GDPR was that this was not allowed.

This spring I heard that it was possible to track the behaviour of European citizens outside the European Union. I filed it for later research. Last month I did some research for my workshop about GDPR. In a blog post it was again stated that behaviour outside the EU could be tracked.

Use the source, Luke

So I searched in the original law text in English. Then I switched over to Dutch and I found an article stating the tracking possibility.

As a tester I immediately started to look for other loopholes.

What about a European tourist in a European embassy in the US? If I went to an embassy, then I would need some help. As a Dutch citizen I would go to the Dutch embassy, which is based on Dutch territory.

In this paragraph I made a lot of assumptions, which I had to verify one by one.

I am Dutch. I have a passport, so this is true. The same for a Dutch embassy in the USA.

The 451 status code is given based on an IP address. In plain language every internet device has an address on the internet. If I ask for some information, this info should be sent to my phone and not to a laptop 3 towns away. In my opinion using the 451 status code based on location is highly plausible.

It is not possible to determine whether the smartphone is in an embassy. For an internet provider it is possible to determine the longitude and latitude of a smartphone. Whether this is exact enough, I have some doubts.

The IP address of my smartphone does not change. This assumption is wrong. The set of IP addresses for a region of the world is fixed. If I go to the US, then I get another IP address. So a fixed IP address for a smartphone all over the world is not true.
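The blocking mechanism described above, as an added example that is not part of the original post: a small Python model of an IP-based 451 decision, run against the two visitors from the second sketch note. The address ranges, the visitor list and the legal URL are constructed, and the fail-closed default for unknown addresses is my choice, not something the post states.

```python
"""Added example (not from the original post): an HTTP 451 decision taken
from the device's IP address follows the network the device is on, not the
nationality or home of the person using it.

The address ranges, the visitors and the legal URL are constructed; a real
service would consult a geolocation database instead of the small table."""
import ipaddress

# Constructed IP-to-region table. Addresses are handed out per region of the
# world, which is why a phone gets a different address after a flight to the US.
REGION_BY_NETWORK = {
    ipaddress.ip_network("203.0.113.0/24"): "EU",   # constructed "EU office" range
    ipaddress.ip_network("198.51.100.0/24"): "US",  # constructed "US hotel" range
}

def region_of(ip: str) -> str:
    """Region of an address. Unknown addresses count as EU so that the
    decision fails closed: when in doubt, block rather than track."""
    addr = ipaddress.ip_address(ip)
    for network, region in REGION_BY_NETWORK.items():
        if addr in network:
            return region
    return "EU"

def decide(ip: str) -> dict:
    """The rule the post describes: an address located in the EU gets a 451
    with the RFC 7725 Link header that names the blocking entity; any other
    address is served together with the tracking script."""
    if region_of(ip) == "EU":
        return {"status": 451,
                "headers": {"Link": '<https://example.com/legal>; rel="blocked-by"'},
                "tracked": False}
    return {"status": 200, "headers": {}, "tracked": True}

def scenarios() -> dict:
    """The two unintended situations from the second sketch note."""
    visitors = [
        # who, where the device is, constructed address on that network
        ("US citizen", "EU office", "203.0.113.7"),
        ("EU citizen", "US holiday", "198.51.100.9"),
    ]
    result = {}
    for who, where, ip in visitors:
        outcome = decide(ip)
        result[who] = (where, outcome["status"], outcome["tracked"])
    return result

if __name__ == "__main__":
    for who, (where, status, tracked) in scenarios().items():
        print(f"{who} in {where}: HTTP {status}, tracked={tracked}")
```

The same person gets the opposite outcome on the two sides of the Atlantic, which is exactly the mismatch between network location and the person that the sketch notes draw.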

The final assumption was that the Dutch embassy is based on Dutch territory. This is not true. More important is to determine which law applies. It is the law of the host, as stated in article 21 of the Vienna Convention on Diplomatic Relations.

[End update July 30th 2019]

Tips for testing

  • Go as close to the source as possible.
    Read GDPR or find interpretation of the law given by the legislator or representative.
  • Check and double check information and sources.
  • Gamify testing by using different tools.
    I used sketch notes, mind maps, and the internet.
  • Get used to hitting the wall.

Note about experience report

This is my experience report about GDPR testing. I ran into some problems, but I was able to resolve them. I could just skip the problems encountered, but you, the reader, could get a false impression. Learning is stumbling and standing up. And walking again.

GDPR – the Forgotten Tests – Test 2

Black box testing is quite popular: the tester only has to focus on the functions of the system. There is no need to know about things like programming and other techy things.

“But the box in the picture is not completely black.”
“That is a good observation, because it is part of a black box.”

Time for a legal break. After the break a pen test.

Disclaimer

I am not a legal expert. So please have a look at the sources I used. Or contact a GDPR expert.

I am just a tester finding test ideas about GDPR. Thanks for joining in advance.

The following story has been sanitised by me. Important details have been changed.

Pen test

My wife had bought a gift and she had also found a better gift. So she gave the second gift. And I had the pleasure to return the first gift to the shop. No problem, dear.

I went into the shop straight to the counter. After a few sentences I came to my point.
“I want to get my money back,” I said while showing the first gift and the receipt.

The 2 young men went into action. There was a lot of pressing of keys and a new receipt was shown.
“Would you please sign this receipt?”

This was a standard computer generated receipt without a signature field. And I had to leave my signature here. I signed.

I remembered to explore.
“Why do I need to sign this?”
“This way my manager can check that a customer is returning an article. And not us.”

I ran a quick scenario of returning articles in my head. This sounded reasonable.

But I was still hesitant to leave my signature in the hands of two young men.
“How long will my signature be saved?”
This question led to puzzled faces.

I scribbled the question on a piece of paper. It would be great to have a written answer, so I left my email address.

Then I got my money back and returned 1 week later.

The young man behind the counter recognised me. He went to a pole and pulled my paper with email address off. This was bad.

He dutifully repeated the story about the signature of a customer actually returning an article. The signature would be saved for 1 month. That was fine.

On my way home I was not convinced about the privacy. I had witnessed a breach of my personal data.

Breakdown

In this breakdown I will point to several articles of the General Data Protection Regulation or GDPR.

The penalties can be quite big. Let me quote the worst case:
‘20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher’ [Article 83 5].

Let me review the most important steps during my visits again. I wanted to return an article and get a refund. Because money is involved, the request for a signature is good [Article 5 1(b)].

The receipt was a bit confusing for me, because there was no clear signature field. I just had to trust what the young men told me [Article 6 1 (f)].

One of the most important things about data is the retention period, or how long it will be saved. The check of my signature could be executed within a month and then be destroyed. [Article 5 1(e)]

A signature alone is not special. But if I had paid in the online shop, then it is simple to combine my signature with my name and other personal data. This way it is possible for someone else to write letters on my behalf. It is criminal, but possible.

The note with my email address on a pole was a personal data breach [Article 4 (12)]. It was not intended, but I could get a lot of mails with false promises.

Tips for testing

  • Test the UX or User Experience of the receipt.
    Is it clear to customers that they have to sign a receipt for a refund?
    Can they be specific about any doubts?
  • Ask the people behind the counter how they explain the refund procedure. Also how they handle personal data like phone numbers and email addresses.
    There are of course managers who will answer the questions flawlessly. Unfortunately they cannot be present in more than 50 shops at the same time all the time.
  • Receipts with signatures should be stored in the same way as money. I did not see how my receipt was stored.

    Small sidestep: after May 25 2018 there were boxes outside shops to collect receipts of customers. If I put a receipt with my name and phone number in the box, then I could be the lucky winner of some fantastic prize. They were cardboard boxes standing on tables.

  • This is an important lesson for myself. If something strange happens, wait to remember it and mention it.

To be continued

GDPR – The Forgotten Tests – Test 1

General Data Protection Regulation or GDPR is all about privacy. If a company handles privacy in the right way, then it can dodge penalties like 20 million Euro or 4 % of the worldwide revenue.

Time for a legal break. Right after this break, an idea.

Disclaimer

I am not a legal expert. So please have a look at the sources I used. Or contact a GDPR expert.

I am just a tester finding test ideas about GDPR. Thanks for joining in advance.

The following story has been sanitised by me. Important details have been changed.

Bad idea

The job interview was about an agile tester. I thought I could handle that role. The probing questions from the interviewers were increasing. I tried to stay calm and answer the questions in a friendly way.

Then came the expected question about test cases. They should be written beforehand. Time to explore.
“You never know what you will find,” I remarked.
“Let me give you an example.”

“Your company sent me this mailing.”
I showed a part of the mail.
“At the bottom of the mail I could say whether I like this mail.”
There were two pictures: one green thumb up and one red thumb down. There was an orange arrow pointing to the thumb up.

“If I hover above the picture of the green thumb, the URL will be shown in the status bar of the mail.” The URL was contained in a red ellipse.

A sketch of a mail with an orange arrow pointing to a thumb up next to a thumb down. The mail also contains a URL in a red ellipse.

“As you notice: the URL is http. This is not secure. If the mail is intercepted, then the reaction of the customer can easily be determined. This is an email about credit, so you can derive that the customer probably has some debts.”

One of the interviewers politely interrupted me:
“Is it possible to intercept mail?”
I gave a technical answer using normal words.
Okay, I got his attention.

Then the exploratory tester awoke in me. And I could not stop him.
“There is a customer number in the mail. This number can be used to get access to an online account.”
I went into full brainstorm mode and described all kinds of product risks or things which could harm the user. I could find information about correspondence about money.
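A pre-send check for the kind of mailing described above, as an added example that is not part of the original post or of the company's own tooling: it reads a constructed HTML mail and flags feedback links served over plain http as well as links that carry an identifier such as a customer number. The HTML, the domain and the list of identifying parameter names are assumptions made for the example.

```python
"""Added example (not from the original post): a pre-send check for a
mailing template. It flags the two things the interview story turned on:
feedback links over plain http, and an identifier travelling in the link.
The HTML, the domain and the parameter names below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed mailing with thumb-up / thumb-down feedback links, as in the story.
SAMPLE_MAIL = """
<p>Dear customer 4711, about your credit ...</p>
<a href="http://mail.example.com/feedback?customer=4711&amp;answer=up"><img alt="thumb up"></a>
<a href="http://mail.example.com/feedback?customer=4711&amp;answer=down"><img alt="thumb down"></a>
<a href="https://www.example.com/privacy">Privacy policy</a>
"""

class LinkCollector(HTMLParser):
    """Collect every href in the mail body (attribute values are unescaped)."""
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.links.append(href)

# Query parameter names that identify a person (assumed list for the example).
IDENTIFYING_PARAMS = {"customer", "customer_id", "klantnummer", "email", "uid"}

def audit_mail(html: str) -> list:
    """Return (url, finding) pairs. A cleartext link exposes the click, the URL
    and its parameters to anyone on the path; an identifier in the query string
    turns that into a named record of the reader's reaction."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for url in collector.links:
        parts = urlparse(url)
        if parts.scheme == "http":
            findings.append((url, "cleartext http link"))
        leaked = sorted(IDENTIFYING_PARAMS & set(parse_qs(parts.query)))
        if leaked:
            findings.append((url, "identifier in query string: " + ", ".join(leaked)))
    return findings

def audit_summary(html: str) -> dict:
    """Counts per finding type, usable as a release gate for a mailing."""
    findings = audit_mail(html)
    return {"http_links": sum(f == "cleartext http link" for _, f in findings),
            "identifier_links": sum(f.startswith("identifier") for _, f in findings)}

if __name__ == "__main__":
    for url, finding in audit_mail(SAMPLE_MAIL):
        print(f"{finding}\n    {url}")
```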

I didn’t get the job, but the mailing was fixed afterwards. Obviously 20 million Euros are not enough to qualify as a tester.

But that’s what retrospectives are for.
[On the melody of ‘That’s What Friends Are For’.]

Breakdown

Most of the time primary systems were and are tested for GDPR and national privacy laws. Sometimes this software did not easily support mailings. An easy solution was to use another system outside the company, specialised in mailings.

All kinds of data like email addresses, names, and profiles were used for mailings. Technical decisions were taken like http instead of https. Somehow the legal department and testers missed something.

According to GDPR the protection of personal data is a fundamental right [(1) on page 1]. The economic situation of a person can be used for profiling. In turn this can be used to exclude people from certain services like a mortgage [(75) on page 15].

My tips for testing:

  • become a customer of your own company and use all available channels. Watch for the legal details like the missing s of https. (See last tip)
  • follow security experts on social media. (You know about the last tip)
  • explain legal and security stuff in normal words.
  • let the owner control the flow of information. I should have sent my brainstorm on request.
  • read ‘Here’s Why Your Static Website Needs HTTPS’ by Troy Hunt, a security researcher. It contains an entertaining 25 minute video with several attacks on an http website.
    For people new to security, just watch the video and focus on what you would not like to happen on your website.

Closing note:
At the moment there are browsers showing whether a website is insecure. This was not the case, when I received this mailing.

To be continued.