Programming

Being Sidetracked – Part 2

A few weeks ago I told my wife about the picture for this blog post serie. “There is a red light. And a green light. The rest of the picture is fuzzy.” It was about “Red Green Refactor”.

“You should [tidy up with known product name] the picture.”, she suggested.
I liked the fuzziness. This was about Refactor.

Second cycle

We had just finished the first cycle.
The DevOps engineer wrote another test. Ready for the next modification.
O yeah. Test Driven Development.

Let me sanitise me this example. This means so much like “all confidential information is changed”. On purpose. Everybody happy?

A file can only be processed, if the version number is 15, 20, or 31. After the first cycle every version number was accepted. The first test was:
“Is 15 the right version number?”
“Yes”
But this would lead to some bad side effects:
“Is 16 the right version number?”
“Yes”
Or worse:
“Would you please bring me a cup of coffee?”
“Yes”
What about
“Would you please transfer 1 Million Euro to my bank account?”
[Upset face]
[Whispering] “You are supposed to say: “Yes”.”.

Okay, back to the real example.
The first test was to determine whether 15 was a right version number.
The DevOps engineer added a second test to determine whether 16 was a wrong version number. He performed the last test and 16 was a right version number. This was wrong: a failing test. Red.

The DevOps looked at the invalid value and added a single condition to the code. If the version number is equal to 15, then return “Yes”. Otherwise return “No”. The second test was executed again: this time 16 was a wrong version number. This was right: a succeeding test. Green.

The code was very simple, so no refactoring was necessary. Refactor.

Then the DevOps engineer executed all or both tests and they were both correct. The second cycle was over.

While blogging, I realized old patterns of thinking were still present in my head. Let me answer a few questions.
Question 1: This code is so simple. Why do you need to write all the tests?
Answer 1: During every step the DevOps engineer can use the written tests to determine, whether the code is still good. This is especially handy for complex code. Failed unit tests can point to where things go wrong.

Question 2: why did the DevOps engineer not add a second test for valid version number 20 or 31?
Answer 2: it would not lead to failing test. In other words the code would not have to be modified because of this test. At that particular moment he would have written a redundant test. That is a waste of time.

Question 3: Do all these tests take a lot of time to execute?
Answer 3: No. The tests are unit tests and fast enough to execute. The hardware has been improved considerably, so these tests are executed within a fraction of second.

Question 4: Would you please continue?
Answer 4: Sure. No problem.

In the previous blog post I wrote about my disability to speak Chinese. That is quite confusing, because I look like a Chinese and not like a Dutchman.
Small recap with the restaurant in China:
“Do you speak English?”
“Yes.”
[Half hour later]
“I would like to order dinner.”
[Blank face] (Red)
“Did you understand me?”
“No.”
[I opened the menu.]
[Waitress approaches me.] (Green)
[I just ordered the dishes using my fingers and the menu.] (Refactor)

What I actually did, was trying to find other ways to order dishes. I could have written down my order, but the waitress could follow my hands. So no refactoring was needed.
No is unpleasant answer, but a lot of frustration was avoided. At least I understood, why hand sign language for numbers was included in the pocket book for frequently used phrases in Chinese.

To be continued.

Programming, Test automation

Being Sidetracked – Part 1

Every story has an expiry date.

So I have to hurry up.

While the junior DevOps engineer was programming aloud, I paid attention to all the steps he took. He used Test Driven Development. It is a cycle of Red, Green, and Refactor.

A small recap: he first made a tiny test, which failed. Red is a favourite colour for failing. Then he made code to let this failing test succeed. Green is that other favourite colour for DevOps, testers, and especially managers.

Then he refactored the code. The code became more maintainable and readable. Even for a tester not fluent in Java.

The first test was to check, whether a business rule failed. He wrote only code to let the test succeed.
Before I could think, the method was ready. It had only one return statement with 1 fixed value.

But this would only be the case for very specific situations. I showed my disbelief and he answered that the code had to pass the new test. Right, you are right.

This was a strange situation for me as a tester with a traditional background. Tests should be executed after the implementation and not before. Somehow my brain had pushed the theory about TDD aside. It felt so unnatural to me that I unconsciously switched back to Program First Test Next.

Anyways, the DevOps had a quick look to the code. I did not think that this could be refactored. One line single statement cannot be refactored.
Yes right again. The first cycle was finished. Red Green Refactor.

A return value from a method is like an answer from a human being. What the DevOps basically asked, was: “Is this value right?”
And the method would always answer with “Yes.”

This was strange to me. Now I realised, that this was the most minimal addition to the program.
Without a method the code would have be repeated multiple times and maintained at the same number of places. A recipe for disaster.

Aw I forgot to look in the right low box in the left corner in the room under the stairs.

Now programmers have a small heuristic for this one:
DRY. Don’t Repeat Yourself.

The fact that the answer was always “Yes”, bothered me. While blogging I remembered asking a restaurant in China, whether they could speak English. The answer was “Yes.” My wife and I were delighted until I ordered. O no.

To be continued

Legal, Marketing, Privacy, Visualise It

May 2018 Testing

For the interested British reader this is not about politics. It is about testing software so that it complies with the General Data Privacy Regulation or GDPR in May 2018.

For the people who are only concerned about money. It can cost your company 4% of the global annual revenue of your company or 20 million Euros. That is seriously a lot of money.
Thanks for your attention.

Disclaimer

I am not a legal expert. So please have a look at my used sources. Or contact a GDPR expert.

I am just a tester finding test ideas about GDPR.
Thanks for joining in advance.

Just show it to me

Suppose you have a cinema and a special web site. You can order tickets, drinks, and snacks in advance. This is a unique selling point.

A marketeer has a nice idea:
“Let’s make some profiles. We’ve got lot of sales numbers, so boost those numbers.”
“What do you have a mind?”
“We just tag customers: B movie, Friday night, first week, ..”
“First week?”
“Like ‘I want to see the movie in the first week after release.'”

If I would go to  this specific cinema, all my actions are recorded.
Big Buyer is being watched too. This sounds creepy. This is my alarm bell as a tester.

My simple question is:
Is profiling allowed?
More accurately, is profiling of European citizens allowed for this cinema web site according to General Data Protection Regulation?

What makes someone a European citizen?

sketchnote with cradle, parents passport and database

Obvious candidates are:  parents, place of birth, passports.  I just stick to Citizenship Administration. I found this one while doodling in my head.

Let me give you a royal example. The Dutch queen has the Dutch nationality, but had Argentine parents and was born in Argentina.

Let me show some graphs:

  • European Union
  • People with no nationality
  • People with 1 nationality
  • People with 2 nationalities

I could make these 2D graphs:

One chart of part of Europe and three coloured graphs about number of nationalities

I could try to stack them and squeeze them afterwards:

One more try:

3D graph made of a chart of a piece of Europe and pieces of sticky notes depicting the number of nationalities

So the best way to define an European citizen is that she or he is registered as an EU citizen in a Citizenship Administration in the EU. Now comes the difficult part: as a web site owner I have no access to this administration. Well. That is a good one.

How can I determine whether an European citizen is in my database?
In most cases I don’t. Because nationality or EU citizenship is not always registered.

“Is an address not sufficient?”
“What about An American in Paris?”
“Okay, email address.”
“What about american@home-in.nl or william-to-be-married@my-awesome-wedding.com?”
“The nationality is registered.”
“Good. What about EU citizens with two nationalities? ”

Looking at the context: if no nationality or EU citizenship has been registered, then I would suggest to look at GDPR. Otherwise definitely use it.

But this is a premature advice. This is a warning. Please read on.

Finding GDPR

If there is one thing I hate about learning, it is memorising information for the sole purpose of memory. I like to have some fun in a good sense of humour.

Here’s where deliberate practice comes in.
Determine a strange situation and look it up.

On my search for the official GDPR document I quickly determined that my target was:
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
Yes, it takes some time to read it.
And a natural person is human being. Like you and me.

I am well aware that English is not everyone’s native language. Now the EU has this little nice webpage with links to GDPR in your favourite language. Hopefully.
No Chinese, but maybe French?

Profiling and data subjects

Profiling can take place after informing the data subject, who has agreed to these terms for data processing. [GDPR 32, 42]
That is a lot of info.

Let’s go a step back to nationality. I warned you for this.
I am not familiar with the American laws. Remember I am not a legal expert.
Suppose profiling of natural persons is legal according to the American law. For example ‘s sake.

Take a case of an American woman who starts buying action movie tickets. My guess is that her new boyfriend is lucky. Piece of case.

It is very easy to make a profile of her boyfriend. Now this lucky guy happens to be British. And has some royal blood. It rhymes on What?!.

There is still no problem, because it cannot be traced back to some palace. Unless I would couple the data with the email address of a fortunate American actress. Oops intended.

Chain of Gift

The American woman is a data subject. All kind of data is collected, but there is an unpleasant side effect: her boyfriend or fiancee also ended up as a data subject. I doubt whether he would have given any permission. No thank you.

Actrice gives something to a prince.

The Chain of Gift leads to interesting doodles. In orange is the American woman and in blue an European Citizen wearing something called a crown.

Quick explanation for the colours: the European flag is a blue flag with yellow stars. So the EU citizen is blue. For the American woman the colours white and red remain. Somehow these are not appropriate. So I chose orange.

So there is a difference between buyer and user. A man can buy movie tickets and give them to his children. ‘Finding Marlin’ and ‘Monsters Unlimited’ seem quite innocent pieces of data to share.

Dad gives movie tickets to children.

Is it possible to determine the birthdays of the children just based on his cinema visits?
Not based on the movie titles. There is a better chance looking at the number of bought children tickets.

“When are we going to the cinema with my friends?”
“What do you think?”
“On my birthday?”
“Good girl.”
[Big smile]

Birhday party

Another interesting case: a man who buys gifts for his  grandchildren. Depending on the gifts I could guess gender, age, and hobbies. If those grandchildren live in the EU, you might have a major problem.

Man gives gift to daughter, who gives it to her children.

With a low number of children per family it is relatively easy to make a family tree.
I can guess that princess cookies are for 5 year old grand granddaughter and that superhero suit with XS size is for …
You get my points.

My best guess is to make a GDPR compliant approach for my whole customer base. There is no way to determine which European people you are profiling.

Permission granted

Scenario 1
Suppose I am in the living room and one of my kids tries to sneak out of the room. I look in the right direction and get eye contact. The door is opened and closed.

A few days later a man is at my front door with a box of 20 tablets. You know those fancy computer things.
The name of my kid is on the box. O oo O.

Scenario 2
Suppose I am in the living room and one of my kids tries to sneak out of the room. I ask:
“What are you up to?”
“I gonna hack. You don’t mind?”
“Yes, but”
The door is opened and closed.

A few days later a man is at my front door with a box of 20 tablets. The name of my kid is on the box.
“Where can I place the other 500 boxes in my truck?”

Scenario 3
Suppose I am in the living room and one of my kids tries to sneak out of the room. I ask:
“What are you up to?”
“Just read this legal document and you will be just fine.”
“It has more than 10 pages.”
“Can I go now?”
“Okay.”
The door is opened and closed.

A few days later a man is at my front door with a box of tablets. The name of my kid is on the box.
“There are three extra trucks coming with tablets. Where can we unload the four trucks?”

Let me finish the three scenarios at the same time.

A box, one truck and a group of 4 trucks on the way to a finish

“Excuse me, I have to call someone.
Would you please wait outside?”
I close the door and the mobile phone is in my left hand instantly. My kid picks up the phone right away.
“A package arrived for you.”
“The tablet arrived?”
“You can better say: ‘Tablets.’”
“Huh, those are the most expensive tablets on the world. They cost a fortune.”
“That’s why I am calling you. How can you afford these things?”

“You know dad, I needed some purpose in a life.”
“Yes?”
“So I learned to hack.”
“O no.”
“It’s worse.”
“Huh?”
“Legal hackers don’t get paid much. I had my eyes on this tablet. So I said: ‘You pay me in Those Tablets.’
If I got one extra, I could always give it to my Best Friend.”
You’ve got a friend in me.

Websites sometimes are like kids. Scenario 1 would look like:
A window where no permission is asked but just taken
No permission is asked, just taken.

Scenario 2 would lead to the following picture:
A window with a default permission for profiling
A very fast designer filled in a preference.

Scenario 3:
A window with unreadable text with a request to accept these conditions
O yeah. The legal stuff one.
At least the checkbox for the conditions has not been filled. But I cannot install the program, unless I agree with them. Hmm.

GDPR forbids all these three options. They lack the support for the user who wants to protect her or his privacy. Website 1 must use transparency, website 2 a default for no profiling. And finally website 3 must use concise and plain language. [GDPR 32]

Thanks for jumping in

For the interested British reader this is not about politics. It is about testing software so that it complies with the General Data Privacy Regulation or GDPR in May 2018. Déjà vu.

There might be readers in my audience who had another association with May 2018. I know that Harry is a major export product for the UK. And I am not writing about the scarred man who has been featured in a lot of books, movies and a theme park.

Some people are more interested in an upcoming royal wedding of Harry. That might have some impact on your online Harry product web shop. For the people interested in performance tests here are some nice blog posts about performance test and Q&A. From yours Mindfully.

Some research notes

A lot of you who are reading this can still follow me. What you actually missed, is my nonlinear search. For the answer on my question: Is profiling of an EU citizen allowed according to GDPR?

The first thing I did was to download all relevant legislation. With a search engine a legal document could easily be found. Then my inner critic voiced his concerns: where are you basing this blog post on?

What I needed, were traceable sources for my research. The more EU the better. Again I am not writing about politics.
I found some links to some non EU websites. But my main target was the GDPR on an official EU website. This took me some browsing. At last I downloaded the wanted document and saw no differences with the other document on first sight.

I took no risk and started to use the official document as main source for this blog post. There was one big but. BUT the document was a pdf. This format is widely supported by all kinds of apps, but not search friendly. A search takes a while on my smartphone.

I converted the document to epub. Now I had a significant win in time. There was no more interruption in my flow of thoughts.

Let them flow.
[On the melody of Let it go.]

So I sought on the word child and hit my next obstacle: the word article. Now are articles quite common in laws, but to my dismay I had not encountered this word before.

I did another search: article. My references to this document were obviously wrong. So I was referring to numbers between parentheses. I switched back to the pdf document to find exact starting point of the first article. It was roughly at the same spot: 38.6 % of the document. Apparently I was referring to some notes in the introduction. And that is not a problem. I think.

Kids, definitions, and laws

Of course there are some exceptions. And exceptions on exceptions. This is a great playground for testers. For sure. For ever.
Because people tend to change their minds. This is my most political statement BTW.

Writing about kids reminds me about the definitions debates which pop up every now and then.
“Children have special protection.”
“What do you mean?”
“You need the permission or consent of the people who take care of the child.” [GDPR 38, article 8]

“And the exceptions are…”
“services for prevention and counseling. In these cases you need consent of the child after asking it in a way easily understandable for child. It is not about child proof but about child friendly.”
“What is a child according to GDPR?”
“A person who is not older than 16 years.” [GDPR Article 8]
“No exception?”
“Of course. Glad you asked. Some national laws can set the limit on 13 years.” [GDPR Article 8]

The first time I read about laws. I thought about stacking them like this.

national privacy law stacked on GDPR

A few weeks later I came up with this.

A pyramid with the following layers from the bottom up; Human rights, GDPR, National privacy law, Region law, and Place law

Yes, another test pyramid.
Why? Because the lower the law, the bigger the impact of the law.
And this model is dead wrong.
Small reminder: it is my model, which is wrong.
Next is my proof.

Let me focus on two layers of this pyramid: GDPR and a national privacy law. If I am a judge judging about a privacy case in Belgium, this is my route: GDPR, Belgian privacy law.
Sign with GDPR pointing pointing to sign with Belgian Privcay Law

Time to add some complexity. You know exception on exception. I have to judge a person with two nationalities.

Sign with GDPR pointing to signs with Belgian Privcay Law and Spanish privacy lawas pointing in the same direction

This is my route: GDPR, Belgian privacy law. and Spanish Privacy law.
I am really lucky. Both laws lead to the same judgement.
Now people will say:
“Hey. I can still use the pyramid?”
“I can make it a camel case”
[Pun intended]
GDPR block with two smalls blocks on top: Belgian privacy law and Spanish Privacy Law

“What about this?”
Sign with GDPR pointing to signs with Belgian Privcay Law and Spanish privacy lawas pointing in the different directions

Summarised: the test pyramid uses impact instead of direction, which is rather complicating things.

Finders fixers

The one, who finds a problem, solves it. This is common practice in my DevOps team. I made a model for testing purposes and found a fault in it, so I have to correct it. Fair enough.

When I was looking for the best law to apply, I thought about the strongest law. Something with the most articles and most severe penalties.

I looked on the internet and found a page in Wikipedia about Conflict of laws. My children are quite sceptical about Wikipedia. “My teacher told me that you cannot trust Wikipedia, because everyone can edit the page.”

A flag, a house, and an arrow pointing to a big dot

Anyways, the following laws seem proper candidates: the law of the country where you live or the law of one of the nationalities or the proper law.
So my mental picture of the signs is the right one. Sign intended.

Writing about signs. I could make a model like this:

A sign which points to 2 signs, which in turn point to 2 signgs
But this model is also too simple. The Benelux, a union of 3 countries, is more complex than this model. The Netherlands is part of the Benelux and has 12 regions. It is difficult to show this in a 2D figure.

A few sticky notes, which hold smaller sticky notes, which in turn hold smaller sticky notes.

But frankly this is even for me confusing. So I rebuilt this 3D by using sticky notes with blue lines:

Sticky notes with 3 blue vertical lines on them

Then I put a sticky note with curly red lines to one sticky:

Sticky notes with verticla blue lines and one has a ticky note with red curly lines.

An then I connect some very small sticky notes with a single orange lines to the last attaches sticky note:

Sticky notes with verticla blue lines and one has a ticky note with red curly lines, which have sticky notes on it with orange line

This model gives me a more appropiate way to handle the laws.

Also on Wikipedia there is a page which described how to determine the right law.  There is basically a set of rules which a judge must follow.

And yes, I do mind the warnings of my kids and their teachers. Kids are like websites: sometimes I cannot ignore them.

If your company is GDPR compliant, then there is no time to rest. You still have to browse through the national laws. [GDPR 8]

This might sound complicated. Let’s take a huge example: the United States of America. If you live in Florida, you have to stick to the laws which are used for all states and the Florida State Law.

What now?

So have a chat about GDPR with the people from the legal department. They can become your best friends in the coming months. And beyond.

To boldly go where no techie has gone before.

Sharing knowledge about testing and other things on my mind