How difficult can Denplan make it for customers to protect their personal information?

It turns out the answer is “quite”.

Consider the following gem from the “corporate claim form” – this is a piece of paper you have to sign and send to Denplan if you’ve had treatment and are claiming back the costs, as covered by your corporate dental insurance:

(Click the image for a larger version)

This is how I understand this part (let’s call it “Part 1”):

  • As long as you use our services, we’ll send your personal information to anyone we like.

Reading on, we reach Part 2:

(again, click on image for larger version)

Here we are told: “You may be contacted by phone, telephone or electronically if appropriate. If you DO NOT wish us to do this please tick below as appropriate.”

This is how I understand this:

  • Ticking below will stop us from contacting you.

And then, the million-dollar statement:

“Denplan Limited may send you details of other products and services.”

The way this is phrased, putting a tick right next to it directly implies “YES, you may”! Even though the sentence above implies the exact opposite.

The lunacy continues with Part 3:

(click on image for larger version)

This part says “To enable them to send you details of their services we may also share some of your details with other AXA group companies based within the European Economic Area [TICK?] and with other carefully selected companies based within the European Economic Area [TICK?]”

Again, it’s not clear how the customer can indicate “No, I don’t want my details shared with others!”, as both phrasing and intuition say “don’t tick here”, but the instructions tell you to “tick as appropriate if you don’t want this to happen”.

Absolute rubbish. Certainly a strong candidate for the Plain English Campaign’s Golden Bull Award.

If you’re a Denplan customer, I’d suggest writing to them to point out this gobbledygook and get it fixed.

It’s a simple web page!

No it’s not.

Most pages on the web nowadays:

  1. draw content from multiple sources
  2. execute programs (scripts) on your computer, also from multiple sources

What does this mean for you?

Well, for starters it’s important to leave behind the misconception that a web page is a simple thing. There is usually a lot going on in the background that you don’t see. But it’s there. This is how online advertising revenue is generated, and how “advanced” online services operate.

It’s also important to realise that “trust” is a very thorny issue. Visiting the website of (for example) National Geographic shouldn’t be an issue – I mean they’re a respectable business, right? But hang on, on closer examination, look what happens when you visit a single page:

All of a sudden it’s evident that this web page, hosted on nationalgeographic.com, is requesting content from EIGHT (8) different domains, not all of which have an obvious relevance to the web page you are trying to see.

Do you know and trust all of them?

Further, aggregating content from many different domains in one web page usually translates to executing code in your browser, on your computer, from all those different domains you had no idea you were communicating with!

In summary:

All you did was request to see a web page from – which you trust.

Subsequently, and without your express permission or knowledge, your computer was instructed by to download content from,,,,,, and

Your computer also downloaded and executed programs (scripts) from the following domains:,,,,,,, and

I’m only aware of this carnage because of two Firefox addons I use: NoScript and RequestPolicy. But they’re cumbersome to use and require constant adjustments.
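The kind of inventory those addons build interactively can also be produced offline from a page’s HTML: the script below (an added example, not code from the original post) lists every third-party host a saved page would make the browser contact, split into plain content and executable scripts. The sample page and every domain in it are constructed placeholders.

```python
"""Audit which third-party hosts a saved HTML page would make the browser
contact. Added example; the sample page and its domains are placeholders."""
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag attributes that make the browser fetch (and, for script, execute) something.
FETCH_ATTRS = {"script": ("src",), "img": ("src",), "iframe": ("src",),
               "link": ("href",), "embed": ("src",), "object": ("data",)}

class ResourceCollector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.resources = []  # (tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in FETCH_ATTRS.get(tag, ()):
            if attrs.get(name):  # resolve relative and scheme-relative (//host) URLs
                self.resources.append((tag, urljoin(self.page_url, attrs[name])))

def registrable(host):
    """Crude site key: last two labels. A real audit would use the Public
    Suffix List so that e.g. co.uk is not treated as one site."""
    return ".".join(host.lower().split(".")[-2:])

def audit(page_url, html):
    """Return {host: {"content": n, "scripts": n}} for every third-party host."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    first_party = registrable(urlparse(page_url).hostname)
    report = defaultdict(lambda: {"content": 0, "scripts": 0})
    for tag, url in collector.resources:
        host = urlparse(url).hostname
        if not host or registrable(host) == first_party:
            continue  # same site as the page itself: expected traffic
        report[host]["scripts" if tag == "script" else "content"] += 1
    return dict(report)

# Constructed sample page (placeholder domains only).
SAMPLE = """<html><head><link rel="stylesheet" href="/css/site.css">
<script src="https://cdn.ads-example.test/tag.js"></script>
<script src="//stats.analytics-example.test/a.js"></script></head><body>
<img src="https://img.publisher.example/logo.png">
<img src="https://pixel.tracker-example.test/p.gif?id=1">
<iframe src="https://social.widget-example.test/like"></iframe></body></html>"""

if __name__ == "__main__":
    for host, counts in sorted(audit("https://www.publisher.example/story", SAMPLE).items()):
        print(f"{host}: {counts['content']} content, {counts['scripts']} script(s)")
```

Sub-domains of the page’s own site (img.publisher.example in the sample) are treated as first party, so only hosts the visitor never asked for show up in the report.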

Have that in mind next time you catch yourself thinking “I’m safe online because I don’t visit random websites”.

Here come the “smart” phones

I’m very glad someone took the effort to prove this can be done, for all the denialists and optimists-to-the-point-of-criminal-negligence out there to get a grip:

“A team of security researchers has created a proof-of-concept Trojan for Android handsets that is capable of listening out for credit card numbers – typed or spoken – and relaying them back to the application’s creator.”

Source: ThinkQ article

This means that installing a single malicious “app” for your smartphone can turn it into the ultimate tool to steal any of your confidential information. Notice that anything you *say* over the phone is also suspect.

Blog post by Bruce Schneier with good links here.

The funny part with this is that the optimists will say “yeah, but it needs user permission!”, as if they know exactly where each and every piece of software they installed on their computer/phone came from. Or as if automated remote installation of smartphone apps will not come knocking on our doors as it did for personal computers.

Quidco cookies

I’ve been using Quidco lately to benefit from cashback deals for stuff I purchase on the Internet.

It’s always been on my mind to figure out how such businesses make their money and I suspected there would be a lot of tracking going on (for a little bit of extra cash).

Well, last week I got some time to play with this, so I deleted all browser cookies and then booked a train ticket and a hotel room for my next trip. The result was 67 cookies on my local disk! Other than the obvious ones (the train company, the hotel company, quidco itself), the standard ones that are linked to everything and you can’t avoid grabbing a cookie from (facebook, yahoo, twitter etc), the list still sported an impressive assortment of sites I had no idea my computer was doing business with:

Needless to say, purchasing anything through Quidco is very difficult with privacy-enhancing plugins like RequestPolicy and NoScript (it takes too much work to manually allow all cross-site communications, scripts etc) – so I just use my “throwaway” browser (Internet Explorer) to use Quidco and then wipe out all cookies with CCleaner.

PDF file listing all cookies dropped to my machine during that session: Quidco cookies log

A “perfect storm” of cyber attacks

What an utter load of baloney:

Not that I expect any self-respecting reader to pay heed to what such papers tout, but this fear mongering is still impressive.

Here’s what a more respectable organisation (BBC) has to say on the exact same issue:

Risks of cyber war ‘over-hyped’ says OECD study

And here is the OECD study itself (pdf)

Now, why is the Metro trying to mislead and scare the public like that?

I accept, please, no more!

Clearly, all passengers of trans-Atlantic flights do read the four lengthy legalese documents necessary to book a flight…

This is an interesting problem.

Companies can insert whatever terms they wish in those documents on the safe assumption that (statistically) nobody will read them. Why does that happen? Probably because these pesky things stand in the way of the customer’s primary task*, which is booking the flight and getting it over with.

Perhaps a more automated solution similar to P3P might be worth considering, to make contracts between vendors and customers more meaningful. As it is, we’re at the mercy of whatever Terms & Conditions the vendors decide to impose on us.

Remember, you’re voluntarily entering this contract. It will be very difficult to complain afterwards.

* See page 40 of Peter Gutmann’s security usability book chapters for a good (and funny!) example of how this problem-solving model works.

September 11th security fee

I recently booked some tickets to fly to the USA and noticed this little gem:

But what is the “September 11th Security Fee”?

It would appear this is a tax on passengers imposed by the US government to finance our continued abuse by the TSA. There’s a certain irony in that… Thoreau might have had a snigger.

The name itself is pure propaganda, implying that paying this extra money keeps us safe against incidents like the Sept. 11th 2001 attacks in New York City.