Monday 19 January 2015

Apologetic Vision Direct

I get a lot of spam, and a good proportion of it is from legitimate British businesses.  It costs me time and effort to remove it from my mail box, time, effort and processing power to run the spam filtering software (which is only partly effective), causes me to miss important emails, breaks my concentration and is generally quite annoying.  The fact that British businesses are doing this is quite surprising given that spamming is unlawful in the EU.  In particular, The Privacy and Electronic Communications Act 2003 says that:
  1. You can't send marketing mail to someone you've never done business with unless they have explicitly told you that they consent.  Consenting to a third party doesn't count (e.g. the "do you consent for our partners to send you marketing emails" tick boxes aren't allowed).
  2. If you've previously done business with someone then you can send them marketing emails about "related products" so long as they either opted in, or did not opt out.  However, the ICO's guidance says that where an opt-out system is used, the opt-out mechanism must be very clear and prominent at the point where the contact details were collected.
The "legitimate business" spam I get is split between both groups.  The first group are definitely acting unlawfully; the second is not so clear-cut since I can't necessarily prove that I opted out (or that I wasn't given the option to opt out), but given that I always look for the opt-out box and try to ensure it always gets ticked whenever I hand over contact details, I think I can argue that if I didn't opt out, the option was not clear and prominent.

I've been sending notices to both groups for a while, pointing out that they are acting unlawfully, and for the most part I've had no response and continue to receive spam from them.  Where organisations have ignored these notices, I've filed complaints with the Information Commissioner's Office.  Unfortunately, the ICO's response seems to amount to writing to the offending companies and doing nothing else.

As of the start of the year, I have started sending preaction notices to legitimate British companies whose spam ends up in my inbox.  This opens the door to me being able to file a court case against them if I so wish.

VisionDirect is one company who I have made purchases from - I have bought contact lens solutions from them, and usually purchase a year's worth of solutions at a time.  As a result, they have also been spamming me for at least 2 years.  The frequency of emails varied, but it was as much as one email a week towards the end of last year, offering me things that are extremely tangentially related to contact lenses - e.g. "win 2 LUXE London Fashion Weekend tickets".

I've previously complained to VisionDirect and my complaints have been met with absolutely no response (and continued spamming).  I sent them a preaction notice on Tuesday, and less than a week later I've now had an apologetic phone call from them.  They did confirm:
  1. They're aware that the ICO guidance is to use an opt-in rather than opt-out system, but have chosen to ignore it.
  2. They claim there would have been an opt-out box that I hadn't ticked.  This can't have been very prominent if I missed it.
  3. Their excuse for opting people in by default is so that they can send contact lens reorder reminders.  Given that they know from my order that I wouldn't need to reorder for a year, I'm not sure why they think this justified sending me 4-5 emails a month.
They have said they will review their systems.  Whether or not this actually happens or is just something they said to make me happy is another question.

Thank you VisionDirect for finally unsubscribing me from your spam list, and if you review your marketing practices so that you're not continuing to act unlawfully then that's great.  It's a shame that you ignored the previous emails and it has taken the threat of court action for you to take note.

Tuesday 13 January 2015

Using an attack on freedom to attack freedom

Following the violent attack against the staff at the Charlie Hebdo offices in Paris, we've now got David Cameron calling for more powers to snoop on people.  Here's a transcript of his speech:
In our country, do we want to allow a means of communication between people that even in extremis, with a signed warrant from the home secretary personally, that we cannot read? Up until now, governments have said no, we must not.
That is why, in extremis, it has been possible to read someone’s letter, to listen to someone’s call, to mobile communications … We have a better process for safeguarding this very intrusive power than probably any other country I can think of.
But the question is are we going to allow a means of communications which it simply isn’t possible to read. My answer to that question is: no, we must not. The first duty of any government is to keep our country safe. The attacks in Paris demonstrated the scale of the threat that we face and the need to have robust powers through our intelligence and security agencies in order to keep our people safe.
The powers that I believe we need, whether on communications data, or on the content of communications, I feel very comfortable these are absolutely right for a modern, liberal democracy.

Analysis

I want to analyse what he's getting at, so I'll take the above transcript a bit at a time:
Do we want to allow a means of communication between people ... that we cannot read?
Cameron is quite specific here - do we want to allow a means of communication, not "do we want to find ways to spy on communication". It seems to me that this directly implies not allowing means of communication between people that the security services can't read - i.e. banning such mechanisms.
Up until now, governments have said no, we must not. That is why ... it has been possible to read someone’s letter, to listen to someone’s call, to mobile communications
I think it can be argued that previous governments haven't said "no, we must not" at all.  There's an important distinction between the examples he cites and the "means of communication" that he is proposing outlawing:
  • A letter is sent in the clear (that is: unencrypted), and is handled by a third party (the post office).  If the security services want to read it, they can present a warrant to the post office to intercept it and simply open the letter and read it.
  • A land-line telephone call is similar - it is sent in the clear and handled by the telephone company.  If the security services want to listen to it, again they can get the telephone company to intercept it for them.
  • Mobile calls are slightly different - the call is encrypted as it is sent over the air.  But importantly, the telephone company decrypts it and, like a land-line call, they handle it in the clear and it can be intercepted in just the same way.
The distinction I'm getting at is that all of these means of communication are already readable, the government has just legislated access rights to the communications that are being handled by third parties.  You can send encrypted data through the post and the government won't be able to read it - no previous governments have ever legislated to stop this.
But the question is are we going to allow a means of communications which it simply isn’t possible to read. My answer to that question is: no, we must not.
He's not really added any new information here, he's just reinforcing the point that he wants to ban all means of communication that can't be spied on.
The attacks in Paris demonstrated the scale of the threat that we face and the need to have robust powers through our intelligence and security agencies in order to keep our people safe.
The attacks in Paris do indeed demonstrate the scale of the threat that we face - as horrible as the attacks were, the scale of the threat boils down to "pretty insignificant".  Let's compare it to a few other random statistics from the UK in 2012:
  • 552 people were murdered
  • 5,981 people aged 15 or over committed suicide
  • 1,496 people died from drug misuse
And these are just a few fully preventable examples... we can also have a brief look at casualties that could certainly be reduced but aren't totally preventable: 1,754 people died from traffic accidents and a whopping 64,164 from heart disease.

In the same year, it seems there were no terrorism related deaths in the UK.  In fact, in the past 5 years there have only been 2 people killed in the UK through terrorism.

Secondly, the Paris attacks are a pretty bad excuse to extend surveillance powers - all of the attackers were already known to the security services, they just didn't have the resources to keep tabs on all suspects all of the time.  Additional surveillance powers wouldn't help here - more resources would.  But then, given the above figures, how about we instead spend some of those resources on road safety, cardiovascular treatment, drug education, mental health treatment, general police work and the hundreds of thousands of other things that are a more significant threat than terrorism?

The people at Charlie Hebdo were attacked because they were exercising their right to freedom, and here we have the British Prime Minister using them as justification for removing our freedoms.

Solutions?

So given that David Cameron wants to outlaw any communications that the government can't read, he's got a few options.  It's important to realise that encryption is used by pretty much everyone in their day-to-day lives, and most of it is actually pretty strong and not something the government can routinely break.

1. Just outlaw encryption

Let's say Cameron outlaws encrypted communications entirely.  So we can no longer do any online financial transactions - no online shopping, no online banking - doing these without using encryption would leave everyone way too vulnerable to criminals.

There are a lot of technologies, such as Chip & Pin, Oyster cards, etc. that also require encryption, but maybe he would make exceptions for that kind of stuff?

I wouldn't get much work done either - a big chunk of my work involves administering servers all over the UK from the comfort of my office.  But that involves me using encrypted connections to those servers - using unencrypted connections would leave the servers very vulnerable to being taken over by criminals.  So most of my time would be spent driving all over the country to do administration tasks that would usually just take me 5 minutes to do from my desk.  I don't really want to think of the pollution implications of this amount of driving either.

Of course, using most foreign online services wouldn't be possible since many of them require encryption and the operators wouldn't be subject to UK law requiring them to implement an encryption-free version (with all the horrible security nightmares that would entail).

So anyway, we'll assume all the law abiding citizens are not using encryption at all.  I'm sure the terrorists who think that it's ok to commit mass murder are going to comply with that law and avoid encryption too so that the authorities can spy on them.  Or maybe not...

A great idea though - maybe the authorities can spot the terrorists by seeing who is using encryption!  Well no, as it turns out, they can't - by using a combination of steganography and an old encryption method called a one time pad, anyone could send encrypted communications that are mathematically provable to be undetectable... so bang goes that theory.

In a world where encryption is outlawed, only outlaws will have encryption.
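The one time pad mentioned in this section, as an added example that is not part of the original post: it shows why an intercepted ciphertext says nothing about the message (a pad exists that "decrypts" it to any text of the same length), and the caveat that the guarantee disappears if a pad is ever reused. The function names and sample messages are constructed for illustration.

```python
import secrets


def otp_xor(data: bytes, pad: bytes) -> bytes:
    """XOR data with a pad of equal length (the same call encrypts and decrypts)."""
    if len(pad) != len(data):
        raise ValueError("a one-time pad must be exactly as long as the message")
    return bytes(d ^ p for d, p in zip(data, pad))


def pad_explaining(ciphertext: bytes, claimed_plaintext: bytes) -> bytes:
    """Return the pad under which `ciphertext` decrypts to `claimed_plaintext`.

    Such a pad exists for every plaintext of the same length, so the
    ciphertext alone gives an interceptor no way to prefer one message
    over another.
    """
    return otp_xor(ciphertext, claimed_plaintext)


def reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """XOR two ciphertexts made with the same pad: the pad cancels out and
    what remains is the XOR of the two plaintexts."""
    return otp_xor(c1, c2)


def demo() -> dict:
    # Constructed sample messages, all 16 bytes long.
    real = b"meet at 9 monday"
    decoy = b"buy milk & bread"
    other = b"call me tomorrow"

    pad = secrets.token_bytes(len(real))      # random, secret, used once
    ciphertext = otp_xor(real, pad)

    # A different pad makes the very same ciphertext read as the decoy.
    decoy_pad = pad_explaining(ciphertext, decoy)

    # The mistake that breaks the scheme: encrypting a second message
    # with the same pad.
    ciphertext2 = otp_xor(other, pad)

    return {
        "roundtrip": otp_xor(ciphertext, pad) == real,
        "decoy_consistent": otp_xor(ciphertext, decoy_pad) == decoy,
        "reuse_leaks_xor": reuse_leak(ciphertext, ciphertext2) == otp_xor(real, other),
    }


if __name__ == "__main__":
    print(demo())
```

The pad has to be truly random, as long as the message, shared in advance and never reused, which is why the method is rarely practical for everyday traffic.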

2. Outlaw strong encryption

We could have legislation that allows encryption, but only encryption that is weak enough for the security services to break.  This has most of the same problems as outlawing encryption entirely - you can be sure that if the security services can crack it, so can the criminals, and once again the outlaws themselves can continue to use strong crypto since they don't care about the law.

3. Key escrow

Probably the best option is key escrow - this is where you can continue to use encryption as normal, but everyone is legally required to hand their encryption keys over to the government.

If the keys ended up being leaked out to third parties then everyone would be screwed, of course.  It would take a massive rewrite of pretty much every piece of software that employs encryption, which seems quite unfeasible.

And again, since the terrorists don't care about the law, there's no reason why they would comply with it and hand over their keys; and as previously mentioned, there would be no way to detect that this is happening.

Summary

So there we go, Cameron has said what he wants to do, but it seems that it is all pretty much unfeasible.  Which I guess is a relief, but I suspect that this won't prevent them passing ill-conceived legislation that erodes civil liberties whilst providing no additional security.

Corollary: this is what you get when you have politicians legislating about technologies they don't understand.

Friday 9 January 2015

The Npower saga continues

So it turns out that Npower informed the ombudsman that they had complied with the order on November 27th.  They said:
In accordance with the remedy I can confirm that we have
  • Credited account for missed discounts.
  • Credited disputed amount to the account to clear balance.
  • Credited your account as a gesture of goodwill.
  • Refunded remaining credit by cheque, you will receive this in the post in the next 7-10 working days.
  • Please accept my apologies for the delay in issuing you with a correct statement and for the issues surrounding your discount.
Except I haven't received the letter or the cheque and Npower's customer services have confirmed that no cheque has been sent out.  They do claim to have complied with the resolution by crediting my (closed) Npower account, even though they have completely failed to send me an actual refund!

So as far as I can tell, Npower acknowledged the Ombudsman's orders, decided not to comply and then lied to the Ombudsman to say they had complied.  At least, I can't think of any other reason for saying "we have" complied instead of "we will" comply if they hadn't actually already done it.

So to recap, here's why I'm never going to do business with Npower again:
  1. They never actually sent me any kind of contract when I opened an account with them.
  2. In January 2013 they put me on the wrong tariff... of course they didn't actually tell me this immediately.
  3. They set up the direct debit but didn't actually withdraw any funds from it... and again, I didn't get informed of this immediately, and hadn't noticed.
  4. In July 2013 I got my first bill, which came as a shock since it was for a more expensive tariff and none of it had been paid by the direct debit they were supposed to be using.
  5. Their complaints people initially said that (i) yes they had screwed up and put me on a more expensive tariff, (ii) no they weren't going to fix it or refund me because their internal systems wouldn't let them, (iii) the direct debit not being used was clearly my fault as apparently the customer is responsible for checking their bank account every month to make sure Npower have done their job correctly.  After some argument they agreed that I could cancel my direct debit until things got resolved so I didn't have to over-pay them.
  6. They said they would call me back within 10 days... they didn't.
  7. They started sending me nastygrams because I hadn't paid the overbilled account (for which my complaint was still being "processed").
  8. They informed me that I wouldn't get my direct debit discount since I had cancelled my direct debit (with their permission).  Eventually they agreed I could have it.  I paid off the hundreds of pounds of debt that had been racked up by their failure to use the direct debit.
  9. In January 2014 I found that they had "forgotten" to apply my direct debit discount.  I called them and they confirmed it had been forgotten and said they had now credited it to my account but I would need to wait 6 months for my next bill for it to be applied.
  10. In May 2014 I got a demand to pay hundreds of pounds within 9 days... Yet again they had decided to simply stop using the direct debit for no reason, and waited until this had been going on for months before informing me with a "pay within 9 days or else" nastygram.
  11. They still hadn't credited the direct debit discount that they said they had in January... they said it was still being "processed" - apparently it takes 6 months to "process" a credit.
  12. They now swore blind that I wasn't due a direct debit discount at all, despite having previously said that they had credited it.
  13. I raised a formal complaint with Npower and got an automated reply saying they would get back to me within 10 days.
  14. They didn't get back to me at all, and in fact ignored all my further attempts to raise a complaint too.
  15. They started sending increasingly threatening nastygrams because I refused to pay the overbilled amount.
  16. The debt collection department said they couldn't do anything to stop legal action and that I would need to raise a complaint about the disputed amount.  When I pointed out I had tried to raise a complaint and had been repeatedly ignored, I was told that I should probably raise a complaint about that (!)
  17. I referred the whole thing over to the Energy Ombudsman, who quickly decided on a "remedy" and ordered Npower to comply by December 24th.  Npower sent a response to the Ombudsman to say they had complied on November 27th.
  18. Part of the resolution (which Npower told the Ombudsman had been actioned) was to send me a refund.  Npower have confirmed to me that this was never done.
  19. Npower still claim they complied with the Ombudsman's orders on time, even though they also confirm that they never sent the refund (!).
  20. They don't really seem to be in a rush to fix things - apparently I have to wait another 10 days for them to send a cheque because they can't do a bank transfer.  So assuming they actually manage to do what they say they're doing (which would surprise me, given everything else that's happened), that means I'll get my refund on January 19th, 26 days after the Ombudsman's deadline and a year after I should have received it!