All posts by Mindful tester

Programming, Test automation

Being Sidetracked – Part 1

Every story has an expiry date.

So I have to hurry up.

While the junior DevOps engineer was programming aloud, I paid attention to all the steps he took. He used Test Driven Development. It is a cycle of Red, Green, and Refactor.

A small recap: he first made a tiny test, which failed. Red is a favourite colour for failing. Then he made code to let this failing test succeed. Green is that other favourite colour for DevOps, testers, and especially managers.

Then he refactored the code. The code became more maintainable and readable. Even for a tester not fluent in Java.

The first test was to check, whether a business rule failed. He wrote only code to let the test succeed.
Before I could think, the method was ready. It had only one return statement with 1 fixed value.

But this would only be the case for very specific situations. I showed my disbelief and he answered that the code had to pass the new test. Right, you are right.

This was a strange situation for me as a tester with a traditional background. Tests should be executed after the implementation and not before. Somehow my brain had pushed the theory about TDD aside. It felt so unnatural to me that I unconsciously switched back to Program First Test Next.

Anyways, the DevOps had a quick look to the code. I did not think that this could be refactored. One line single statement cannot be refactored.
Yes right again. The first cycle was finished. Red Green Refactor.

A return value from a method is like an answer from a human being. What the DevOps basically asked, was: “Is this value right?”
And the method would always answer with “Yes.”

This was strange to me. Now I realised, that this was the most minimal addition to the program.
Without a method the code would have be repeated multiple times and maintained at the same number of places. A recipe for disaster.

Aw I forgot to look in the right low box in the left corner in the room under the stairs.

Now programmers have a small heuristic for this one:
DRY. Don’t Repeat Yourself.

The fact that the answer was always “Yes”, bothered me. While blogging I remembered asking a restaurant in China, whether they could speak English. The answer was “Yes.” My wife and I were delighted until I ordered. O no.

To be continued

Legal, Marketing, Privacy, Visualise It

May 2018 Testing

For the interested British reader this is not about politics. It is about testing software so that it complies with the General Data Privacy Regulation or GDPR in May 2018.

For the people who are only concerned about money. It can cost your company 4% of the global annual revenue of your company or 20 million Euros. That is seriously a lot of money.
Thanks for your attention.

Disclaimer

I am not a legal expert. So please have a look at my used sources. Or contact a GDPR expert.

I am just a tester finding test ideas about GDPR.
Thanks for joining in advance.

Just show it to me

Suppose you have a cinema and a special web site. You can order tickets, drinks, and snacks in advance. This is a unique selling point.

A marketeer has a nice idea:
“Let’s make some profiles. We’ve got lot of sales numbers, so boost those numbers.”
“What do you have a mind?”
“We just tag customers: B movie, Friday night, first week, ..”
“First week?”
“Like ‘I want to see the movie in the first week after release.'”

If I would go to  this specific cinema, all my actions are recorded.
Big Buyer is being watched too. This sounds creepy. This is my alarm bell as a tester.

My simple question is:
Is profiling allowed?
More accurately, is profiling of European citizens allowed for this cinema web site according to General Data Protection Regulation?

What makes someone a European citizen?

sketchnote with cradle, parents passport and database

Obvious candidates are:  parents, place of birth, passports.  I just stick to Citizenship Administration. I found this one while doodling in my head.

Let me give you a royal example. The Dutch queen has the Dutch nationality, but had Argentine parents and was born in Argentina.

Let me show some graphs:

  • European Union
  • People with no nationality
  • People with 1 nationality
  • People with 2 nationalities

I could make these 2D graphs:

One chart of part of Europe and three coloured graphs about number of nationalities

I could try to stack them and squeeze them afterwards:

One more try:

3D graph made of a chart of a piece of Europe and pieces of sticky notes depicting the number of nationalities

So the best way to define an European citizen is that she or he is registered as an EU citizen in a Citizenship Administration in the EU. Now comes the difficult part: as a web site owner I have no access to this administration. Well. That is a good one.

How can I determine whether an European citizen is in my database?
In most cases I don’t. Because nationality or EU citizenship is not always registered.

“Is an address not sufficient?”
“What about An American in Paris?”
“Okay, email address.”
“What about american@home-in.nl or william-to-be-married@my-awesome-wedding.com?”
“The nationality is registered.”
“Good. What about EU citizens with two nationalities? ”

Looking at the context: if no nationality or EU citizenship has been registered, then I would suggest to look at GDPR. Otherwise definitely use it.

But this is a premature advice. This is a warning. Please read on.

Finding GDPR

If there is one thing I hate about learning, it is memorising information for the sole purpose of memory. I like to have some fun in a good sense of humour.

Here’s where deliberate practice comes in.
Determine a strange situation and look it up.

On my search for the official GDPR document I quickly determined that my target was:
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
Yes, it takes some time to read it.
And a natural person is human being. Like you and me.

I am well aware that English is not everyone’s native language. Now the EU has this little nice webpage with links to GDPR in your favourite language. Hopefully.
No Chinese, but maybe French?

Profiling and data subjects

Profiling can take place after informing the data subject, who has agreed to these terms for data processing. [GDPR 32, 42]
That is a lot of info.

Let’s go a step back to nationality. I warned you for this.
I am not familiar with the American laws. Remember I am not a legal expert.
Suppose profiling of natural persons is legal according to the American law. For example ‘s sake.

Take a case of an American woman who starts buying action movie tickets. My guess is that her new boyfriend is lucky. Piece of case.

It is very easy to make a profile of her boyfriend. Now this lucky guy happens to be British. And has some royal blood. It rhymes on What?!.

There is still no problem, because it cannot be traced back to some palace. Unless I would couple the data with the email address of a fortunate American actress. Oops intended.

Chain of Gift

The American woman is a data subject. All kind of data is collected, but there is an unpleasant side effect: her boyfriend or fiancee also ended up as a data subject. I doubt whether he would have given any permission. No thank you.

Actrice gives something to a prince.

The Chain of Gift leads to interesting doodles. In orange is the American woman and in blue an European Citizen wearing something called a crown.

Quick explanation for the colours: the European flag is a blue flag with yellow stars. So the EU citizen is blue. For the American woman the colours white and red remain. Somehow these are not appropriate. So I chose orange.

So there is a difference between buyer and user. A man can buy movie tickets and give them to his children. ‘Finding Marlin’ and ‘Monsters Unlimited’ seem quite innocent pieces of data to share.

Dad gives movie tickets to children.

Is it possible to determine the birthdays of the children just based on his cinema visits?
Not based on the movie titles. There is a better chance looking at the number of bought children tickets.

“When are we going to the cinema with my friends?”
“What do you think?”
“On my birthday?”
“Good girl.”
[Big smile]

Birhday party

Another interesting case: a man who buys gifts for his  grandchildren. Depending on the gifts I could guess gender, age, and hobbies. If those grandchildren live in the EU, you might have a major problem.

Man gives gift to daughter, who gives it to her children.

With a low number of children per family it is relatively easy to make a family tree.
I can guess that princess cookies are for 5 year old grand granddaughter and that superhero suit with XS size is for …
You get my points.

My best guess is to make a GDPR compliant approach for my whole customer base. There is no way to determine which European people you are profiling.

Permission granted

Scenario 1
Suppose I am in the living room and one of my kids tries to sneak out of the room. I look in the right direction and get eye contact. The door is opened and closed.

A few days later a man is at my front door with a box of 20 tablets. You know those fancy computer things.
The name of my kid is on the box. O oo O.

Scenario 2
Suppose I am in the living room and one of my kids tries to sneak out of the room. I ask:
“What are you up to?”
“I gonna hack. You don’t mind?”
“Yes, but”
The door is opened and closed.

A few days later a man is at my front door with a box of 20 tablets. The name of my kid is on the box.
“Where can I place the other 500 boxes in my truck?”

Scenario 3
Suppose I am in the living room and one of my kids tries to sneak out of the room. I ask:
“What are you up to?”
“Just read this legal document and you will be just fine.”
“It has more than 10 pages.”
“Can I go now?”
“Okay.”
The door is opened and closed.

A few days later a man is at my front door with a box of tablets. The name of my kid is on the box.
“There are three extra trucks coming with tablets. Where can we unload the four trucks?”

Let me finish the three scenarios at the same time.

A box, one truck and a group of 4 trucks on the way to a finish

“Excuse me, I have to call someone.
Would you please wait outside?”
I close the door and the mobile phone is in my left hand instantly. My kid picks up the phone right away.
“A package arrived for you.”
“The tablet arrived?”
“You can better say: ‘Tablets.’”
“Huh, those are the most expensive tablets on the world. They cost a fortune.”
“That’s why I am calling you. How can you afford these things?”

“You know dad, I needed some purpose in a life.”
“Yes?”
“So I learned to hack.”
“O no.”
“It’s worse.”
“Huh?”
“Legal hackers don’t get paid much. I had my eyes on this tablet. So I said: ‘You pay me in Those Tablets.’
If I got one extra, I could always give it to my Best Friend.”
You’ve got a friend in me.

Websites sometimes are like kids. Scenario 1 would look like:
A window where no permission is asked but just taken
No permission is asked, just taken.

Scenario 2 would lead to the following picture:
A window with a default permission for profiling
A very fast designer filled in a preference.

Scenario 3:
A window with unreadable text with a request to accept these conditions
O yeah. The legal stuff one.
At least the checkbox for the conditions has not been filled. But I cannot install the program, unless I agree with them. Hmm.

GDPR forbids all these three options. They lack the support for the user who wants to protect her or his privacy. Website 1 must use transparency, website 2 a default for no profiling. And finally website 3 must use concise and plain language. [GDPR 32]

Thanks for jumping in

For the interested British reader this is not about politics. It is about testing software so that it complies with the General Data Privacy Regulation or GDPR in May 2018. Déjà vu.

There might be readers in my audience who had another association with May 2018. I know that Harry is a major export product for the UK. And I am not writing about the scarred man who has been featured in a lot of books, movies and a theme park.

Some people are more interested in an upcoming royal wedding of Harry. That might have some impact on your online Harry product web shop. For the people interested in performance tests here are some nice blog posts about performance test and Q&A. From yours Mindfully.

Some research notes

A lot of you who are reading this can still follow me. What you actually missed, is my nonlinear search. For the answer on my question: Is profiling of an EU citizen allowed according to GDPR?

The first thing I did was to download all relevant legislation. With a search engine a legal document could easily be found. Then my inner critic voiced his concerns: where are you basing this blog post on?

What I needed, were traceable sources for my research. The more EU the better. Again I am not writing about politics.
I found some links to some non EU websites. But my main target was the GDPR on an official EU website. This took me some browsing. At last I downloaded the wanted document and saw no differences with the other document on first sight.

I took no risk and started to use the official document as main source for this blog post. There was one big but. BUT the document was a pdf. This format is widely supported by all kinds of apps, but not search friendly. A search takes a while on my smartphone.

I converted the document to epub. Now I had a significant win in time. There was no more interruption in my flow of thoughts.

Let them flow.
[On the melody of Let it go.]

So I sought on the word child and hit my next obstacle: the word article. Now are articles quite common in laws, but to my dismay I had not encountered this word before.

I did another search: article. My references to this document were obviously wrong. So I was referring to numbers between parentheses. I switched back to the pdf document to find exact starting point of the first article. It was roughly at the same spot: 38.6 % of the document. Apparently I was referring to some notes in the introduction. And that is not a problem. I think.

Kids, definitions, and laws

Of course there are some exceptions. And exceptions on exceptions. This is a great playground for testers. For sure. For ever.
Because people tend to change their minds. This is my most political statement BTW.

Writing about kids reminds me about the definitions debates which pop up every now and then.
“Children have special protection.”
“What do you mean?”
“You need the permission or consent of the people who take care of the child.” [GDPR 38, article 8]

“And the exceptions are…”
“services for prevention and counseling. In these cases you need consent of the child after asking it in a way easily understandable for child. It is not about child proof but about child friendly.”
“What is a child according to GDPR?”
“A person who is not older than 16 years.” [GDPR Article 8]
“No exception?”
“Of course. Glad you asked. Some national laws can set the limit on 13 years.” [GDPR Article 8]

The first time I read about laws. I thought about stacking them like this.

national privacy law stacked on GDPR

A few weeks later I came up with this.

A pyramid with the following layers from the bottom up; Human rights, GDPR, National privacy law, Region law, and Place law

Yes, another test pyramid.
Why? Because the lower the law, the bigger the impact of the law.
And this model is dead wrong.
Small reminder: it is my model, which is wrong.
Next is my proof.

Let me focus on two layers of this pyramid: GDPR and a national privacy law. If I am a judge judging about a privacy case in Belgium, this is my route: GDPR, Belgian privacy law.
Sign with GDPR pointing pointing to sign with Belgian Privcay Law

Time to add some complexity. You know exception on exception. I have to judge a person with two nationalities.

Sign with GDPR pointing to signs with Belgian Privcay Law and Spanish privacy lawas pointing in the same direction

This is my route: GDPR, Belgian privacy law. and Spanish Privacy law.
I am really lucky. Both laws lead to the same judgement.
Now people will say:
“Hey. I can still use the pyramid?”
“I can make it a camel case”
[Pun intended]
GDPR block with two smalls blocks on top: Belgian privacy law and Spanish Privacy Law

“What about this?”
Sign with GDPR pointing to signs with Belgian Privcay Law and Spanish privacy lawas pointing in the different directions

Summarised: the test pyramid uses impact instead of direction, which is rather complicating things.

Finders fixers

The one, who finds a problem, solves it. This is common practice in my DevOps team. I made a model for testing purposes and found a fault in it, so I have to correct it. Fair enough.

When I was looking for the best law to apply, I thought about the strongest law. Something with the most articles and most severe penalties.

I looked on the internet and found a page in Wikipedia about Conflict of laws. My children are quite sceptical about Wikipedia. “My teacher told me that you cannot trust Wikipedia, because everyone can edit the page.”

A flag, a house, and an arrow pointing to a big dot

Anyways, the following laws seem proper candidates: the law of the country where you live or the law of one of the nationalities or the proper law.
So my mental picture of the signs is the right one. Sign intended.

Writing about signs. I could make a model like this:

A sign which points to 2 signs, which in turn point to 2 signgs
But this model is also too simple. The Benelux, a union of 3 countries, is more complex than this model. The Netherlands is part of the Benelux and has 12 regions. It is difficult to show this in a 2D figure.

A few sticky notes, which hold smaller sticky notes, which in turn hold smaller sticky notes.

But frankly this is even for me confusing. So I rebuilt this 3D by using sticky notes with blue lines:

Sticky notes with 3 blue vertical lines on them

Then I put a sticky note with curly red lines to one sticky:

Sticky notes with verticla blue lines and one has a ticky note with red curly lines.

An then I connect some very small sticky notes with a single orange lines to the last attaches sticky note:

Sticky notes with verticla blue lines and one has a ticky note with red curly lines, which have sticky notes on it with orange line

This model gives me a more appropiate way to handle the laws.

Also on Wikipedia there is a page which described how to determine the right law.  There is basically a set of rules which a judge must follow.

And yes, I do mind the warnings of my kids and their teachers. Kids are like websites: sometimes I cannot ignore them.

If your company is GDPR compliant, then there is no time to rest. You still have to browse through the national laws. [GDPR 8]

This might sound complicated. Let’s take a huge example: the United States of America. If you live in Florida, you have to stick to the laws which are used for all states and the Florida State Law.

What now?

So have a chat about GDPR with the people from the legal department. They can become your best friends in the coming months. And beyond.

To boldly go where no techie has gone before.

Reconstruction

January Testing

Somehow I ended up with this test term or test type. Actually is a subset of boundary value analysis. But I got your attention.

That’s my right

It was the second day of the year 2018. I was about to place a new post on my web site. I just knew something was wrong.

I went to the web site lay out. It took me a few clicks to open the footer. Then I changed the text to
“2014 – 2018. Mindful Tester. All rights reserved.”

Now I could add my post.

It is my right
for which I fight

That’s my audit input

The same week.
For the audit I ran a query in the defect registration system. The number of items on the list was startling low: 0. My query was wrong. That bugged me. Last year it gave the right results. Actually a few weeks earlier.

I had a look to the query and noticed:
StartOfYear()
I don’t know all the commands, but I could make a good guess.
This year started at January 1st 2018. I was one year off.
The report was about 2017 and not about 2018.

A few hours later I had to go to my boss. He still used the same old query. It was easily explained.

It is not the query
I marry

A test idea approach

Let me generate some test ideas:

  • Is there a checklist for things to be updated in the new year?
  • If yes, so when is it updated?
  • Are queries based on fixed dates instead of relative dates?
  • Are there changes in laws which I have to pay attention to?

Still wondering about the pic with door?

Janua is the Latin word for door.

What about May 2018 testing? Excuse me GDPR testing.
Do you know what the effects of the General Data Protection Regulation are? An European customer has the right to be forgotten. But what about payments?