I was going to call this post “The Failure of IT at Ofquack”, but I think the failure is a little deeper than computers. The Complementary and Natural Healthcare Council have recently put the following announcement up on their web site:
Website Hackers
We are extremely disappointed to have to share with you that we have had a number of unprecedented attempts by hackers to disable our website. We are currently taking IT and legal advice on how to resolve these issues.
Meanwhile we have reduced some aspects of the register’s functionality in order to ensure the security of personal details of applicants and registrants on the CNHC register.
If you have any difficulty in accessing any part of the CNHC website or retrieving information please call CNHC on 020 3178 2199 or e-mail firstname.lastname@example.org and we will assist you with your enquiries.
This sounds quite serious. Unprecedented attempts by hackers to disable their website? I am not so sure it is as simple as that. Firstly, a number of people had noticed that the CNHC were listing their members’ full personal details. Searching the register by a single initial letter listed every practitioner whose name matched, along with all their details. It was easy to do. The search also accepted simple wildcards, so a single query would list everyone on their register: not only names, but home addresses and telephone numbers. Compare that with what the CNHC themselves tell registrants will be published:
The Published Register
CNHC will make part of your register entry available to any enquirer as part of the published register.
The public can inspect the following information on the online register:
- Your full name
- Your profession or practice discipline
- Your approximate work location
- Your registration number
- Any restrictions imposed on your registration
Your home address, contact details, date of birth and other data are not available to the public.
In publishing their registrants’ personal contact details, the CNHC were in quite a serious breach of trust. The legality of publishing the details is dubious too, since the Data Protection Act requires that personal data is used only for the purposes stated when it was collected.
In the last few days, it is no longer possible to gain these details on the CNHC web site. Far from them “reducing some aspects of the register’s functionality” because of “hackers”, the CNHC have finally stopped dishing out their members private data to all and sundry. Hackers have nothing to do with the “loss of functionality” – they were managing to cause privacy leaks all on their own.
But did some malicious person try to disable their web site? Well, last week I twittered that the CNHC web site was down. It was not quite down, but the content management system was spewing out an error. What was quite remarkable was that a complete dump of debugging information was being returned to my browser. This told me a good deal about the nature of their server and the code they were using to run the web site. In web site security rulebooks this is the number one no-no: if an error is encountered, do not return technical error information to the user. Log the detail on the server and show the visitor a bland error page. Such information is invaluable to a real hacker: even if hackers really were attacking the server, a debug dump hands them more fuel. There is only really one conclusion I can make: Ofquack’s IT team are utterly incompetent. I can well believe that the CNHC management were told “it woz hackerz wot dun it” when the web site crashed.
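As an added illustration, here is a small Python register-search handler that shows the two failures described above side by side with their fixes: the search that accepted a wildcard and handed back every column of every row, and the error path that echoed a debug dump to the browser. This is example code written for this post, not the CNHC’s code (the post does not identify their system or language). The sample rows are fictional, and the field names, the two-character minimum, the `backend` parameter and the `debug` flag are all assumptions made for the example.

```python
"""Register search: public fields only, no wildcard dumps, no debug leaks.
Example code, not the CNHC's; all names, rows and switches are assumptions."""
import logging
import re
import traceback

log = logging.getLogger("register")

# Constructed sample rows: fictional practitioners, not real registrants.
REGISTER = [
    {"registration_number": "000001", "full_name": "Alice Ashby",
     "discipline": "Reflexology", "work_location": "Leeds", "restrictions": "",
     "home_address": "1 Example Street, Leeds", "phone": "0113 000 0000",
     "date_of_birth": "1970-01-01"},
    {"registration_number": "000002", "full_name": "Brian Bell",
     "discipline": "Massage therapy", "work_location": "Bristol", "restrictions": "",
     "home_address": "2 Sample Road, Bristol", "phone": "0117 000 0000",
     "date_of_birth": "1965-05-05"},
    {"registration_number": "000003", "full_name": "Anna Burton",
     "discipline": "Nutritional therapy", "work_location": "Bath",
     "restrictions": "Conditions of practice", "home_address": "3 Test Lane, Bath",
     "phone": "01225 000 000", "date_of_birth": "1980-10-10"},
]

# Exactly the fields the published-register policy says the public may see.
PUBLIC_FIELDS = ("full_name", "discipline", "work_location",
                 "registration_number", "restrictions")

WILDCARDS = re.compile(r"[%*_?]")


class BadQuery(ValueError):
    """A query we refuse to run; reported to the user as a 400."""


def search_leaky(query):
    """The failure mode in the post: '*' or '%' means 'everything', a single
    letter matches most of the register, and every column comes back."""
    if query in ("*", "%"):
        return list(REGISTER)
    q = query.lower()
    return [r for r in REGISTER if r["full_name"].lower().startswith(q)]


def public_view(row):
    """Project a register row down to the published fields only."""
    return {k: row[k] for k in PUBLIC_FIELDS}


def search(query):
    """Hardened search: reject wildcards and one-letter dumps (assumed minimum of
    two characters), match on the surname, and return public fields only."""
    q = query.strip().lower()
    if len(q) < 2 or WILDCARDS.search(q):
        raise BadQuery("Enter at least two letters of a surname, without wildcards.")
    return [public_view(r) for r in REGISTER
            if r["full_name"].split()[-1].lower().startswith(q)]


def handle_request(params, backend=search, debug=False):
    """Return (status, body). Failure detail goes to the server log, never to the
    client, unless the assumed debug flag is left on, which reproduces the leak."""
    try:
        return 200, {"results": backend(params.get("q", ""))}
    except BadQuery as exc:
        return 400, {"error": str(exc)}
    except Exception:
        log.exception("register search failed")  # full traceback, server side only
        if debug:
            return 500, {"error": traceback.format_exc()}  # what the post saw
        return 500, {"error": "Sorry, something went wrong. Please call the office."}


def broken_backend(query):
    """Constructed stand-in for a CMS that falls over, e.g. its database is down."""
    raise RuntimeError("db connect failed: host=cms-db-01 user=cms_admin")


if __name__ == "__main__":
    print(search_leaky("a"))                                   # leaks addresses, phones, DOBs
    print(handle_request({"q": "as"}))                         # 200, public fields only
    print(handle_request({"q": "*"}))                          # 400, wildcard refused
    print(handle_request({"q": "as"}, backend=broken_backend))  # 500, bland message
    print(handle_request({"q": "as"}, backend=broken_backend, debug=True))  # 500, traceback
```

Two checks worth running against any register site of this kind: that a search response never contains a field outside the published list, and that a deliberately provoked failure (here the constructed `broken_backend`) produces a generic message with no traceback, hostnames or account names in it. The `debug=True` branch exists only to show what the leak looks like; in a real deployment that switch should not exist in the production configuration at all.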
So, it would look like the CNHC IT system is not fit for purpose. Not only was there a failure to specify proper functional requirements for the web site, including which data should be displayed and to whom, but the site also appears to have been coded in a compromisingly amateurish way. I would not want my own data on the site.
I have no idea if hackers really did have a go at their site. And I would not condone such silliness. But the CNHC would appear to have been negligent in not anticipating problems and in not protecting their data. The web is a wild place and there are people out there who like attacking naive web sites just for the hell of it. You need to be prepared. You do not leave your front door open just because you live in a nice village of homeopaths and nutritionists.
But the bigger issue is that Ofquack is not being entirely open. There may well be people who want to see a list of registered members for perfectly legitimate reasons. The CNHC are providing a public service and have been funded by public money. We deserve some transparency in what they are doing, especially given that they have been so heavily criticised. They claim in their statement of values to be “open and transparent in our business”. I see little evidence of this.
My main criticism of the CNHC is that they have failed to answer the single most important question about themselves. Given that their “key purpose” is to “protect the public by means of regulating practitioners”, they have not said how this is possible when they will not take into account whether any of the alternative medicine techniques they claim to regulate are actually effective. If their members are making false, delusional or even fraudulent claims to the public, how can the CNHC claim to protect the public while being unconcerned about the truth of those claims? There has been no “open and transparent” response to this concern.
Their website claims that “in order to meet our commitment to transparency, CNHC will make the minutes of its Board Meetings available.” They have failed to do this. Worse, they had published some minutes but have since removed them from public scrutiny.
I can speculate why this must be. In my last blog post on Ofquack, I noted that they had only managed to attract about 150 members. Given that they need 10,000 members to break even, they have managed to acquire independent funding to keep them afloat for a week. They have achieved less than 2% of their required income levels. Maybe they are hoping that by starting to regulate more forms of quackery later this year, they will make up the missing 98%. I would suggest, like all quackery, they are indulging in wishful thinking.
So, panic must be setting in. The main aspect of their register’s functionality they have removed is the ability to easily see how many members they have attracted. I would suggest that this is not the result of ‘hackers’, but an attempt to keep under wraps the increasing failure of this folly.