GDPR – The Forgotten Tests – Test 1

The General Data Protection Regulation, or GDPR, is all about privacy. If a company handles privacy in the right way, it can dodge fines of up to 20 million euro or 4 % of its worldwide annual turnover, whichever is higher.

Time for a legal break. Right after this break, some ideas.

Disclaimer

I am not a legal expert. So please have a look at the sources I used. Or contact a GDPR expert.

I am just a tester finding test ideas about GDPR. Thanks in advance for joining.

The following story has been sanitised by me. Important details have been changed.

Bad idea

The job interview was for an agile tester role. I thought I could handle that role. The probing questions from the interviewers kept coming. I tried to stay calm and answer the questions in a friendly way.

Then came the expected question about test cases. Should they be written beforehand? Time to explore.
“You never know what you will find,” I remarked.
“Let me give you an example.”

“Your company sent me this mailing.”
I showed a part of the mail.
“At the bottom of the mail I could say whether I liked this mail.”
There were two pictures: one green thumb up and one red thumb down. There was an orange arrow pointing to the thumb up.

“If I hover over the picture of the green thumb, the URL is shown in the status bar of the mail client.” The URL was circled with a red ellipse.

A sketch of a mail with an orange arrow pointing to a thumb up next to a thumb down. The mail also contains a URL circled with a red ellipse.

“As you notice: the URL is http. This is not secure. If the mail is intercepted, then the reaction of the customer can easily be determined. This is an email about credit, so you can derive that the customer probably has some debts.”

One of the interviewers politely interrupted me:
“Is it possible to intercept mail?”
I gave a technical answer using normal words.
Okay, I got his attention.

Then the exploratory tester awoke in me. And I could not stop him.
“There is a customer number in the mail. This number can be used to get access to an online account.”
I went into full brainstorm mode and described all kinds of product risks, things that could harm the user. With that number I could find information about correspondence about money.

I didn’t get the job, but the mailing was fixed afterwards. Obviously saving 20 million euro is not enough to qualify as a tester.

But that’s what retrospectives are for.
[To the melody of ‘That’s What Friends Are For’.]

Breakdown

Most of the time the primary systems were and are tested for GDPR and national privacy laws. Sometimes this software did not easily support mailings. An easy solution was to use another system outside the company, one specialised in mailings.

All kinds of data, like email addresses, names, and profiles, were handed to that system for mailings. Technical decisions were taken there, like using http instead of https for the links in the mail. Somehow both the legal department and the testers missed it.

According to the GDPR, the protection of personal data is a fundamental right [recital (1) on page 1]. A person’s economic situation can be used for profiling. In turn this can be used to exclude people from certain services, like a mortgage [recital (75) on page 15].

My tips for testing:

  • become a customer of your own company and use all available channels. Watch for legal details like the missing s in https. (See the last tip)
  • follow security experts on social media. (You know about the last tip)
  • explain legal and security stuff in normal words.
  • let the owner control the flow of information. I should have sent my brainstorm on request.
  • read ‘Here’s Why Your Static Website Needs HTTPS’ by Troy Hunt, a security researcher. It contains an entertaining 25-minute video with several attacks on an http website.
    For people new to security, just watch the video and focus on what you would not like to happen on your website.
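One way to turn the first tip into a repeatable check, as an added example that is not code from the original post: a small Python script that pulls the links out of a mailing and flags the two things the interview story turned on, links served over plain http (the whole URL, including the thumb up/down vote, is readable by anyone on the network path) and customer identifiers that appear in the mail body or in the links. The sample mail, the host names, the parameter names and the 8-digit customer-number format are constructed assumptions.

```python
"""Audit the links in a marketing e-mail for the leaks described above."""
import email
import re
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed sample mailing, modelled on the story (not the original mail).
SAMPLE_MAIL = """\
From: mailing@example-bank.test
To: customer@example.test
Subject: Your credit overview
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear customer 12345678, here is your credit overview.</p>
<p>Did you like this mail?
<a href="http://track.example-bank.test/vote?cust=12345678&mail=credit&v=up">
<img src="thumb_up.png" alt="thumb up"></a>
<a href="http://track.example-bank.test/vote?cust=12345678&mail=credit&v=down">
<img src="thumb_down.png" alt="thumb down"></a></p>
<p><a href="https://www.example-bank.test/login">Log in</a></p>
</body></html>
"""

# Assumption: customer numbers are 8 digits; adjust to your own format.
CUSTOMER_NUMBER_RE = re.compile(r"\b\d{8}\b")
# Assumption: query parameter names that usually carry an account identifier.
ID_PARAM_NAMES = {"cust", "customer", "customerid", "customer_id",
                  "klantnummer", "account", "uid", "id"}


class _LinkCollector(HTMLParser):
    """Collects every href of an <a> tag."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def find_customer_numbers(text):
    """Identifiers printed anywhere in the mail (body text or links)."""
    return set(CUSTOMER_NUMBER_RE.findall(text))


def audit_link(url, known_ids):
    """Return a list of findings for one link; empty means nothing spotted."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    if parts.scheme.lower() == "http":
        findings.append("plaintext http: host, path and query readable by "
                        "anyone on the network path")
        if params:
            findings.append("query parameters (" + ", ".join(sorted(params))
                            + ") reveal the recipient's action in clear")
    for name, values in params.items():
        if name.lower() in ID_PARAM_NAMES or any(v in known_ids for v in values):
            findings.append(f"customer identifier in query parameter '{name}'")
    if any(ident in parts.path for ident in known_ids):
        findings.append("customer identifier in URL path")
    return findings


def audit_mail(raw_message):
    """Parse a raw RFC 822 message and audit its HTML body and links."""
    msg = email.message_from_string(raw_message, policy=default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    known_ids = find_customer_numbers(html)
    return {
        "identifiers": sorted(known_ids),
        "links": {url: audit_link(url, known_ids) for url in extract_links(html)},
    }


if __name__ == "__main__":
    report = audit_mail(SAMPLE_MAIL)
    print("identifiers found in mail:", report["identifiers"])
    for url, findings in report["links"].items():
        print(url)
        for finding in findings:
            print("  -", finding)
```

Run it against a mail you received as a customer of your own company (save the message as a .eml file and pass its contents to audit_mail). The clean https login link produces no findings; the two vote links produce the transport finding, the "action in clear" finding and the identifier finding, which is exactly the combination the interviewers had not seen.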

Closing note:
Nowadays browsers show whether a website is insecure, for instance with a “Not secure” label on http pages. That was not the case when I received this mailing.

To be continued.

Explaining exploratory testing with a table

Tables loaded with food and a class of kids playing on a lawn.

Another dad and I picked an all-time favourite Dutch subject: work.

“What makes a good tester?” the other parent asked.
“A good tester knows about exploratory testing.”

I saw wrinkles on his forehead. This was a bad start for the subject. I had to switch to his context. He was a police officer. Okay, second try.

“Suppose you ask for a driving license.”
I opened my imaginary jacket and pulled out an imaginary object.
“I place a gun on the table and”
I noticed a sudden sharpness.
“then I show you my driving license.”
This time I retrieved a thin imaginary object between my thumb and index finger.

“Would you be interested in the gun?”
“Yes, of course.”
He was constantly switching attention between my hands and the invisible gun on the table.
I continued with:
“I would ask questions like ‘Do you not feel safe?’ or ‘Is this your gun?’”
He nodded.

Then I explained that a tester adjusts her or his activities based on observations during exploratory testing.

The focus would be on the gun instead of the driving license.

LS In Conf’rence Land

Greetings to the reader or Lectori Salutem.

Texting and talking about diversity

This spring I was invited to speak at a well-known Dutch test conference. I had a good proposal, so I only had to say: “Yes”. But I had to ponder this carefully. I had made a public promise not to speak at a conference with an all-male line-up.

I had also committed myself to saying “No” if there were too few female speakers. Women look differently at tech, and they need female role models.

This year several male speakers declined to speak at a conference with an all-male line-up.

There was only one way to find out: just ask the programme committee. I texted my dilemma and asked for the number of female speakers. Only 2 female speakers had been selected out of 3. Selection took place on the quality of the presentations, the theme, and the target audience.

I got my dilemma back. Is 2 enough? Compared with the last conference it was an increase of 100% in the number of female speakers. But still it bugged me.

The only way for me to improve the diversity was to make suggestions for the keynote speakers. I texted 3 names of female speakers and subjects fitting the theme. At the end of the same text message I also agreed to give a workshop.

When I saw the final version of the schedule, I could not suppress a smile: one of my proposed keynote candidates was on the programme with my suggested subject. Yes, mind reading is cool. And there was a female co-keynote speaker.

During the conference I saw a tweet about testing of blockchain. There were two speakers and the female one could really explain it. That’s why diversity is so important. Just for the record the tweet was sent by an experienced male tester. And it was not me.

Continuing talking about diversity

Same test conference. There was a representative of a European test conference. One thing about the conf: this size fits only 1. And I could not resist the urge to talk about diversity. The answer was, of course, quality. The programme committee decided about the talks, and the names of the submitters were not shown to the reviewers of the proposals.

I was not quite convincing. So the woman offered me her email address to send more information. I sent information about Karoline Sczcur and a link to A Balanced Conference Card. I received a polite “Thank you”.

So what went wrong?
Time for a retrospective. Yes it is an agile thing to do.

I had not prepared my talking points. So here is the rebound.
As an organiser you can give guidelines to the programme committee. And you can reach out to female speakers in a positive way. Yes it takes time.

More important is to realise what diversity is about. People who think alike come up with solutions alike. This means that these people will fall into the same pitfalls.

Back to the conference. If there are a lot of white male speakers, then afterwards the attendees will make similar white male speaker errors. A female perspective can add a different and effective approach.

Also: what works for a white male engineer might not work for a female engineer. A suggestion from her can easily be ignored or stolen. This can be avoided by using tip number 10 of Patricia Aas’ survival tips for women in tech.

What really baffled me was that a lot of these tips can also be used by people of colour. As a man of colour I have to invest a considerable amount of time in finding and talking with allies. To get things tested.

In the Netherlands the campaign #NietGenoeg was started to get more women in tech.

Jez Humble tweeted about diversity in a refreshing way. You can only make good programs with empathy at the core.
“Empathy is _hard_. It means listening openly and deeply to people with very different perspectives, accepting the truth of those perspectives, questioning and changing your deepest assumptions about the world, and changing your behavior.”