Category Archives: Privacy

System 1 and System 2 in testing – part 2

In the previous blog post System 1 and System 2 were introduced.

For the fast observations System 1 is used in most cases. This way of thinking provides fast, almost effortless way to digest information. Like walking to a cinema.

For the thoughtful observations System 2 is used. An example is choosing which movie to watch in a cinema.

There was a focus on System 1 in the previous episode. In this episode I will turn your attention to System 2. And how this system might lead to other test ideas.

Supporting System 2


During my regular visit to the web site, I was welcomed with a cookie banner. My first thought was to reduce the number of cookies to an absolute minimum. Of, course I could accept all cookies. But I pressed the Options button. Three groups of cookies were presented.

Each group of cookies had an explanation and a radio box for selection. I only chose the necessary cookies. The text was shown in agreeable font size, so i did not have to pinch my eyes to read it.

Then I had to look to the buttons. The button to accept all the cookies was in the right lower corner. The Save and Exit button was left to it. I pressed the button and was ready to use the web site.

“Categorised cookies, a simple explainer,
no scrolling needed, a normal sized font size.
These are a few of my favourite things.”
(On the melody of “My favorite things”)


It was time for a new headset for my PC. I had already done my homework: I found a good headset. I only had to buy it.

After clicking on the link in my notes, the web page with the right product was shown in my browser. I added it to my shopping cart and opened the order form with the usual questions.

Yes, I would like the headset be delivered to my home address. And I was home on the first suggested date. Of course, I wanted to enter some numbers from my gift cards.

Now I only needed to pay. I chose the cheapest option. Sorry, I am Dutch.

In short, I had to answer some questions and there were some good suggestions from the web site. Thanks for the support.

Knowledge about System 2 in good hands

A well-designed program simplifies the choices of the user. It reduces the time to make an informed decision.

Abusing System 2

Micro selecting

In my never-ending quest for information, I encountered a new cookie banner. I like to minimise the number of my cookies, so I wanted to change the settings. A dialog opened for my eyes.

While l tried to get an overview, I had to scroll down. There were about 9 groups of cookies. The categories looked almost identical. The selection of the permission was represented by a circle in the left side of some ellipse. It looked nice, but we do not use these switches in the Netherlands.

Now I had a screen reader installed for accessibility testing. This program tells what is happening on screen. I pressed the switch and heard that it was switched on. I did not like it. Another press let my screen reader announce that the switch was off.

“Scrolling down, another switch,
‘Legitimate interest’,
based on some law, which I don’t know.
Keep me safe, privacy laws“
(On the melody of  the chorus of “Take Me Home, Country Roads”)

But wait, there was more. There was a link for vendor information. After a click, I saw every single vendor with 1 or 2 switches. And the font size on the cookie banner was smaller than the font size on the web page.

This was an overwhelming experience for me. And it was not clear which options led to which consequences for me.

“Individual cookies, enormous explainer,
a scrollbar required, a small sized font size
These are a few of my dislikeable things.”
(On the melody of “My favorite things”)

Knowledge about System 2 in bad hands

Nowadays it is impossible to use programs or web sites without making choices. An abundant number of options may strike fear.

“When System 2 rules, when the user thinks,
when anxiety grows,
there were too many choices to be made
and an increasing fear.”
(On the melody of “My favorite things”)

To be continued

Minimal Viable Authentication: usability versus security

Trigger warning: stalking.

For the following stories I am using the imaginary VIP Cinema again instead of the real app. This way I can freely write about my experiences without naming the actual app.

Usability is king

The VIP Cinema app offered his clients a discount for parking. This service appealed to me. So, I contacted the customer service and got a power of attorney number. On request I had to mention the number to get my promised discount of 50 percent on parking.

After a while I wanted to reserve my parking without calling the customer service. There was a simple solution: a parking app. I installed the app and had to register. The first thing I did, was to have my power of attorney number ready.

The next step was to enter my email address and a password. Then I had to verify it by clicking on a link in an email. A dialog asked for my membership number of the Cinema VIP App. Then I opened the app and found the number.

I received an email to verify my email address for the parking app. After clicking a link, I had to enter my VIP Cinema membership number. The next moment I could reserve a parking place for my car without entering my power of attorney number.

The registration was smoothless and it saved me an extra step of entering another number. I really liked this experience.

Security is pauper

”I want to show something to you.”, I told another computer software professional.
“Here is my mobile. The Cinema VIP app is open and shows my membership number.”
I got a nod.

“Now I am going to the website to register a new user id and password for the parking website.”
Another nod followed.

This looks familiar

Then I entered a new email address and password. After clicking the link in the mail to verify my email address I asked him for my membership number. While he was citing the number, I entered it in the requested text field in the dialog,

 “Let us see what kind of information we can get based on this single number.
You can see where I live. This information is needed for billing.“

Worth noting

“Let’s have a look at my parking history. This is the parking I used every other week. This is an interesting pattern. Last week I parked there. So next Friday I will probably park the car there at 7 pm.”

Let me guess

“There is a high chance, that I visit a cinema close to this parking. The discount is offered by the Cinema VIP app. Notice that no power of attorney number was asked. This would improve the security.”

All that being said

“Even worse: I did not get an email that another account was coupled to my parking account. I refreshed my inbox: no mail was found about the double registration.

Certain social media apps inform me directly, if my account is accessed from an unknown device. But this was not the case for this app.”

This time I did not get a nod, but an astonished face.

Signals of poverty

When I phoned the customer service of the parking service, no power of attorney number was requested.

During this phone call there was a check of my birthday, my zip code, and my house number. These can be obtained using social engineering or extracting private information without getting attention.

This I Learned

Authentication is about making sure that the right person gets access. Some shortcuts can have severe drawbacks.

My Workshop At Agile Testing Days 2019

Preparation costs energy

After all the last weeks’ changes I could finally start my actual workshop.

I felt an energy drop and watched an expectant audience from a far distance. I used my automatic pilot for the intro.

While nobody moved, my distance to the audience became closer while I was talking.

I was back in the room.

First test session

For me the most elementary things of Exploratory Testing are

  • Charter
  • Test idea
  • Explore
  • Debrief

For this I created a heuristic. CTED is pronounced as See TED. If I need some inspirational talks, then I go to

A charter is a short instruction for a test session.

Explore < target >
with < resources >
to discover < information>

This template of Elisabeth Hendrickson is compact and informative. As mentioned in Explore it.

For the interested people test charter is not found in the index, charter is.

In my workshop the Target was a website. But it is still quite big. Resources is often a web browser.

Information was focused on privacy. General Data Protection Regulation or GDPR, an European privacy law, is still quite huge, so the next step was to select some articles of GDPR.

Ik picked 2. 1 lead to the following question:
Does the website ask consent to gather information?

A charter can be quite abstract. A test idea can be used to focus on a feature, window, or term used in the website to explore.

Consent is not frequently used, but which words are used in a web site?
Privacy, cookies, permission, private data, etcetera.

Using the charter and test ideas it is possible to explore the web site, whether consent is actually asked from the user.

During the debrief the attendees shared their information, which could be used for the following test session.

Background information first test session

For the basic structure of the test session I used the heuristic DiSSS from Tim Ferriss. This stands for Deconstruction Selection Sequence Stakes.
I assume that i was added for pronounciation reasons.

I looked to all the steps I took during Exploratory testing.
Are detailed test cases needed? Not in every case. Most of the times a good description of the precondition is good enough.

What I noticed during Deconstruction was that certain steps always came back. These steps I used for the Selection for CTED. This also led to a logical Sequence. The Stakes were twofold: people had to tell whether the workshop is worthwhile. Also the fines for privacy could be quite high.

Second test session

One test session done.
Another one to do.

At the beginning of the session I enhanced the resources with personas. For me a persona is a person with a need, who interacts with the system.

Examples for a need are: acceptance, cooperation , safety, purpose, learning, support, inclusion, etc.

E.g. a known persona is a marketeer. The more she or he knows about a website visitor, the more she or he will sell.
For this purpose I had made a set of persona cards.

I also handed out an one pager to the attendees with articles and test techniques which could be used for testing websites on GDPR compliancy.

The test techniques were selected using DiSSS.

After the Explore phase more issues were mentioned during the Debrief phase.

Background information second test session

Once again I used a heuristic of Tim Feriss, CaFE. This is an abbreviation for Compression Frequency Encryption. Once again I assume that ‘a’ was added for pronunciation.

Was it possible to compress information for testing GDPR? Yes, by making an one pager.

I tried to make to Frequency high, so attendees had to go through Charter – Test idea – Explore – Debrief cycle multiple times.
I used Encryption by using CTED.

In case you need more background information, please have a mind map.

What went wrong

The time to explore was quite short. I did this on purpose. For beginners it can be terrible to click through a site for 10 minutes on your own without finding anything.

In hindsight a group activity was better suited to explore the website.

While I tried to keep the introvert involved, it was a challenge to give them enough speaking time. I really liked the sticky notes for found bugs in the workshop of Lisa Crispin and Lena Pejgan.

My prerequisite for the workshop for a laptop was not needed. I could demo certain tools using my own laptop. Luckily there was an Open Space to demonstrate GDPR and Exploratory Testing.

What went right

The demo was a great way to change the pace of the workshop. I had good feedback during the repetitions

My impression was, that most attendees were hesitant to test their own websites or websites of their employers. My test website provided a safe environment to explore.

During the preparations I learned a lot about websites and tools.

Thank you José Diaz and your team for this wonderful journey.