Tuesday, 11 May 2021

Make EDPB webpages readable again - howto

The recent EDPB website redesign kills usability and ergonomics for those with a widescreen monitor. Maybe they were trying to make the site user-friendly for mobiles/tablets, but the result is that it's user-unfriendly for desktop PCs/laptops.

Viewed on a computer with a widescreen monitor, the left sidebar or margin's passed on, it's no more, it has ceased to be... it's an ex-margin! (hi Monty Python fans).

This means that the main webpage text is no longer centered onscreen.

Cue neckache or crick from having to twist or turn the head too far to the left (and hold it there) just to read the main webpage text! What to say, that's certainly one way to deter desktop/laptop website users.

This seems to be an EDPB website matter, as the general Europa website is still fine. But it can be a pain in the neck for EDPB website visitors, literally!

To center EDPB webpages on your widescreen monitor again and save your neck, three options to try:

1. Un-maximise ("restore") your browser window, move the window (or drag the left edge) to the right till the main text is centered onscreen, and read EDPB webpages only from the restored window. 

2. Use the Liquid Page bookmarklet (instructions are on that webpage), if you prefer to keep your browser window maximised. Then, you can drag the "Latest news" column on the right (and beige box behind it, and the flag thing) even further to the right, out of the way. Then drag the main text column to the right, and scroll down as usual. (Links won't work till you refresh the page, but you can rightclick the link and open in new tab). More troublesome maybe than 1., but I do like outside the box creative solutions - have fun dragging stuff around!

3. Simplest solution (tested in Chrome and Edge on a Windows 10 PC) - use my bookmarklet or favelet: /Fix EDPB. Instructions: ensure your browser bookmarks or favourites toolbar is visible, drag that link to the toolbar (e.g. between other bookmarks), then, when you're on a no-margin EDPB webpage, just click that bookmark. Or, if you prefer, follow the bookmarklet creation instructions under Solutions but, in step 4, name the bookmark whatever name you wish and, in step 6, instead of pasting the code shown there, paste the following code:
javascript:(function(){document.body.style.marginLeft = "500px";})();
All fixed, main text is centered on screen! This also narrows the text column so it's easier to read scrolling down.

  • Keyboard shortcut fans: hotkeys to run this in Chrome are Alt-e, b, then type the 1st letter of the bookmarklet name (I made that the / symbol here so as not to clash with other bookmarklets, but feel free to edit the bookmarklet's name yourself), then Enter if necessary.
  • Per webpage only: if you navigate to another EDPB webpage, you'll need to click the bookmarklet or use the hotkey again. It's a per page rather than permanent fix, as it adds a margin to the current page after it's been downloaded to your browser. Unfortunately it can't modify the original pages on the EDPB website, only the EDPB can do that.
  • Margin width: a 500-pixel left margin works for me. If it's too narrow/wide for you, rightclick the bookmarklet in the toolbar, Edit, under URL just change 500 to 400 or 600 as you wish (but obviously don't change the rest of the code) and Save.
My neck feels better already! (and this works on BAILII too, BTW).
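The fixed 500px margin above has to be edited by hand for each monitor. As an added example (my own illustration, not the bookmarklet from the post), the same `document.body.style.marginLeft` trick can instead compute the margin from the window width and the main text column's width, fall back to the post's 500px when it can't find the column, and undo itself on a second click. The `"main"` selector is an assumption about the EDPB page's markup; check the real container in the browser's inspector before relying on it.

```javascript
// Added example: dynamic version of the "marginLeft" bookmarklet from the post.
// Assumes the main text column can be found with the "main" selector (hypothetical).
// Only the current page's own DOM is touched; nothing is loaded from elsewhere.

// Pure helper: left margin (px) that centres a column of `columnWidth` px
// inside a viewport of `viewportWidth` px; never negative on narrow screens.
function centeredMargin(viewportWidth, columnWidth) {
  const margin = Math.floor((viewportWidth - columnWidth) / 2);
  return margin > 0 ? margin : 0;
}

// Apply the centring margin to `doc.body`, or remove it again if already applied.
// Returns the margin applied in px, or 0 when the fix was just removed.
function toggleCenterFix(doc, win, selector = "main") {
  const body = doc.body;
  if ("centerFixOriginal" in body.dataset) {
    // Second click: restore whatever margin the page originally had.
    body.style.marginLeft = body.dataset.centerFixOriginal;
    delete body.dataset.centerFixOriginal;
    return 0;
  }
  const column = doc.querySelector(selector);
  // Fall back to the post's fixed 500px if the column can't be located.
  const margin = column
    ? centeredMargin(win.innerWidth, column.getBoundingClientRect().width)
    : 500;
  body.dataset.centerFixOriginal = body.style.marginLeft || "";
  body.style.marginLeft = margin + "px";
  return margin;
}

// Constructed stand-in for the browser DOM so the block also runs under Node.
function fakePage(viewportWidth, columnWidth) {
  const column = { getBoundingClientRect: () => ({ width: columnWidth }) };
  const doc = {
    body: { style: { marginLeft: "" }, dataset: {} },
    querySelector: (sel) => (sel === "main" ? column : null),
  };
  return { doc, win: { innerWidth: viewportWidth } };
}

// Example run: a 1920px-wide window with an 800px text column gets a 560px margin.
const page = fakePage(1920, 800);
console.log(toggleCenterFix(page.doc, page.win)); // 560
console.log(toggleCenterFix(page.doc, page.win)); // 0 (fix removed again)
```

To use it as a bookmarklet, paste the two functions into `javascript:(function(){ ... toggleCenterFix(document, window); })();` in place of the fixed-margin code, in the same way as in step 6 above.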

I hope this helps other EDPB website visitors too.

Saturday, 10 April 2021

Security / identity theft risks - reporting Covid-19 home test results

It's laudable that free Covid-19 lateral flow home test kits became available in England yesterday, e.g. from pharmacies.

You're meant to report results even if negative (though that could be made clearer), by phone/online. But - then you get an email from Gov.uk Notify with your result, advocating continued social distancing etc - with your name, date of birth and NHS number, right at the top of the email! Full marks for promptness, but - for security/privacy...?

As is well known, email is insecure. If your email or the NHS's gets hacked, or intercepted, or shoulder surfed, bad guys can use your name, DoB and NHS no. for fraud and/or identity theft. I guard my DoB jealously, not just because some women don't like revealing their age (yes, I am over 30!), but because of this risk of crime. I only ever give my real DoB to government, health and financial organisations (perturbation anyone? 😁).

Too many organisations use just name and DoB to identify customers who contact them, sometimes combined with address/postcode, which usually aren't difficult for criminals to discover. (Recall that in Germany, for using just name and DoB for authentication, 1&1 got fined €9.55m, reduced by the court to €0.9m – which is still substantial.)

I'm OK with the UK DHSC requesting my DoB and NHS number (as long as they store it securely and share it securely and only on a need to know basis). But, I already know my own DoB and NHS no., wouldja believe it, and, with this type of home test kit, I do actually already know my result! There's absolutely no need to email any of that info to me.

Even if they'd adapted a previous standard form of email designed to go to people who didn't already know their results, again there's no need to include DoB or NHS number. (It's not just the DHSC - other organisations are guilty of emailing people with their DoB too, including an optician I was unfortunate enough to try using.)

I suspect that if I didn't give my DoB/NHS no. they wouldn't take my report, or if I asked for that info not to be automatically included in their followup email, they'd reply "The computer says no, the system hasn't been designed that way, we can't tell it to omit that info!"

Let's count the UK GDPR issues here:

  • Art.5(1)(f) integrity and confidentiality, and the related Art.32 security.
  • Art.5(1)(c) data minimisation, most definitely.
  • (Not to forget Art.25 data protection by design & by default of course. And Art.35 on data protection impact assessments, aka DPIAs.)
Also, the UK NIS Regulations under the EU NIS Directive require operators of essential services or OESs (critical infrastructure, including the healthcare sector) to take appropriate and proportionate technical and organisational measures to manage risks to the security of their network and information systems. (Ironically, the DHSC doesn't seem to be caught under those Regs, although NHS Trusts are.)

The worst consequence of the DHSC's approach is that it might cause privacy/security-conscious people (like data protection professionals!) to decide not to report their test results (at least if negative) while it's not legally-required, in order to avoid the risk of fraud and identity theft. Meaning that the NHS may not receive fully comprehensive data...

Because, in connection with Covid-19, it handles sensitive, special category data like health data, the DHSC might be expected to be more careful about security and privacy than most. Our NHS heroes of course deserve our greatest respect and gratitude. But real security and privacy risks to individuals can be created unless everything is thought through carefully when conducting the DPIA (I hope there was one?) - even supposedly minor process issues like the content of standard followup emails after home test reports.

I've emailed the DHSC's data protection officer (at the email address in the privacy notice linked to from the test results reporting webpage), and I really hope the DHSC will change this risky practice ASAP.

Thursday, 11 February 2021

Digital Services Act infographic summary

Here's my infographic summarising the key liability and due diligence rules under the EU Digital Services Act, proposed in December 2020.