The Failure of Openness at Ofquack

I was going to call this post “The Failure of IT at Ofquack”, but I think the failure is a little deeper than computers. The Complementary and Natural Healthcare Council have recently put the following announcement up on their web site:

Website Hackers

We are extremely disappointed to have to share with you that we have had a number of unprecedented attempts by hackers to disable our website. We are currently taking IT and legal advice on how to resolve these issues.

Meanwhile we have reduced some aspects of the register’s functionality in order to ensure the security of personal details of applicants and registrants on the CNHC register.

If you have any difficulty in accessing any part of the CNHC website or retrieving information please call CNHC on 020 3178 2199 or e-mail [email protected] and we will assist you with your enquiries.

Added: 01-04-2009

This sounds quite serious. Unprecedented attempts by hackers to disable their website? I am not so sure it is as simple as that. Firstly, a number of people have noticed that the CNHC were listing their members’ full personal details. Search for a name by putting in an initial letter and all quacks that had joined were listed along with all their details. It was easy to do so. The search functionality allowed you to enter simple wildcards and the results would list everyone on their register. Not only names, but home addresses and telephone numbers.

Their own privacy policy states,

The Published Register
CNHC will make part of your register entry available to any enquirer as part of the published register.

The public can inspect the following information on the online register:

Your full name

Your profession or practice discipline

Your approximate work location

Your registration number

Any restrictions imposed on your registration

Your home address, contact details, date of birth and other data are not available to the public.

In publishing their registrant personal contact details, the CNHC were in quite a serious breach of trust. The legality of publishing the details is dubious too, since the Data Protection Act insists data is only used for stated purposes.

In the last few days, it is no longer possible to gain these details on the CNHC web site. Far from them “reducing some aspects of the register’s functionality” because of “hackers”, the CNHC have finally stopped dishing out their members private data to all and sundry. Hackers have nothing to do with the “loss of functionality” – they were managing to cause privacy leaks all on their own.

But did some malicious person try to disable their web site? Well, last week I twittered that the CNHC web site was down. Well, it was not quite down, but the content management system was spewing out an error. What was quite remarkable was that a complete dump of debugging information was being returned to my browser. This information was giving me lots of information about the nature of their server and he code they were using to run the web site. In web site security rulebooks, this is a number one no no. “If an error is encountered, do not return technical error information to the user”. Such information is invaluable to a real hacker. Even if a hacker does compromise your server, you do not return more fuel for them to use. There is only really one conclusion I can make – Ofquack’s IT team are utterly incompetent. I can well believe that the CNHC management were told “it woz hackerz wot dun it” when the web site crashed.

So, it would look like the CNHC IT system is not fit for purpose. Not only was there a failure to describe proper functional requirements for the web site, including what data should be displayed, it would also look like it has been coded in a compromisingly amateurish way. I would not want my own data on the site.

I have no idea if hackers really did have a go at their site. And I would not condone such silliness. But the CNHC would appear to have been negligent in not anticipating problems and in not protecting their data. The web is a wild place and there are people out there who like attacking naive web sites just for the hell of it. You need to be prepared. You do not leave your front door open just because you live in a nice village of homeopaths and nutritionists.

But the bigger issue is that Ofquack is not being entirely open. There may well be people who want to see a list of registered members for perfectly legitimate reasons. The CNHC are providing a public service and have been funded by public money. We deserve some transparency in what they are doing, especially given that they have been so heavily criticised. They claim in their statement of values to be “open and transparent in our business”. I see little evidence of this.

My main criticism of the CNHC is that they have failed to answer the single most important question about themselves. Given that their “key purpose” is to “protect the public by means of regulating practitioners” they have not said how this is possible when they will not take into account if any of the alternative medicine techniques they claim to regulate are actually effective. If their members are making false, delusional or even fraudulent claims to the public, how do the CNHC claim to protect the public if they are not concerned about the truth of their members’ claims? There has been no “open and transparent” response to this concern.

Their website claims that “in order to meet our commitment to transparency, CNHC will make the minutes of its Board Meetings available.” They have failed to do this. Worse, they had published some minutes but have since removed them from public scrutiny.

I can speculate why this must be. In my last blog post on Ofquack, I noted that they had only managed to attract about 150 members. Given that they need 10,000 members to break even, they have managed to acquire independent funding to keep them afloat for a week. They have achieved less than 2% of their required income levels. Maybe they are hoping that by starting to regulate more forms of quackery later this year, they will make up the missing 98%. I would suggest, like all quackery, they are indulging in wishful thinking.

So, panic must be setting in. The main aspect of their register’s functionality they have removed is the ability to easily see how many members they have attracted. I would suggest that this is not the result of ‘hackers’, but an attempt to keep under wraps the increasing failure of this folly.

12 comments

zeno 6th April, 2009 10:28 pm

Nice one, LCN!

One small correction: OfQuack are still providing the home landline numbers and mobile numbers of their registered quacks, despite their own privacy policy.

HolfordWatch 7th April, 2009 1:25 am

Taking a leaf out of British Rail’s Guide to PR it does look as if OfQuack are defining hacker as “visitor who is not entirely sympathetic to our viewpoint, notices error and highlights it which is mean”.

gimpy 7th April, 2009 10:00 am

I’m surprised they haven’t blamed Big Pharma for this yet.

On the subject of where their 9,800 or so new members will come from if you do a search for ‘complementary therapy’ on yell.com you get a 9,200 results, many of which are duplicates. Dare I say it but there could be less than 10,000 complementary therapists in the UK, many of whom could be homeopaths (2,000 or so) and will have nothing to do with Ofquack.

They are screwed.

_Arthur 7th April, 2009 4:39 pm

OfQuack can economise some money by never undertaking any attempt at enforcement, that would be fine with their paying members.

zeno 8th April, 2009 12:06 am

Yet more hiding of heads in the sand – or rather, hiding their website pages so Google can't search them!

Yes, OfQuack deliberately prevent ALL search engines from accessing their website pages so no one can Google for information on, say, how to complain about a quack!

Read the story on Think Humanism at http://www.thinkhumanism.com/phpBB3/viewtopic.php?f=14&t=2682&p=52008#p52008.

Sean Ellis 9th April, 2009 4:03 pm

Admission time. I once sent a “%” character to their web page! Wait, is that the police… ?

I noticed, early on, that you could obtain a full listing of all the quacks at once, just by typing “%” (the SQL wildcard character) into the name or postcode search on the OfQuack site.

I certainly would not count this as a “hack” – it was an exposed, predictable, piece of functionality on their site with no harmful side-effects. (Other than, of course, allowing us critics to discover how few quacks had actually been inducted at that point.) This loophole was closed very quickly.

It has been interesting to see how their search has morphed over time. Initially, typing “a” would allow you to see anyone with an “a” in their name. This was tightened up too.

Despite their supposed commitment to openness, there is no way that a user of the website can obtain a list of quacks, other than by laboriously trying many different queries. There is no summary page of statistics that lets us see how much work we are getting for our nearly-a-million quid. The board meeting minutes have been removed from the site. They are in breach of their own data protection statements.

I suspect that what they call “hacking” is actually just attempts to squeeze the camel of the (publicly available) data that they have, through the needle of their needlessly crippled search interface.

Le Canard Noir 9th April, 2009 4:24 pm

Sean – I suspect you are right. When Ofquack think they have been ‘hacked’ what they mean is that their web interface has been used in ways that they did not quite anticipate. Utter naivity and a failure to understand what it means to put a public register on the web.

Gusfoo 11th April, 2009 3:55 pm

Well, I would say that since they weren’t blocking SQL wildcards (schoolboy error) they’re lucky someone didn’t search for

foobarfoo’; DROP TABLE practitioners; SELECT 1;

See http://en.wikipedia.org/wiki/SQL_injection for the full hilarity.

zeno 12th April, 2009 7:20 pm

Come off it you lot! A public register made available to the public? What kind of an organisation do you think OfQuack is? 😉

They still say they make their quacks’ registration numbers public, but don’t. It isn’t sufficient to just use names: the public has to be told what their unique registration number is. Unless they’re not really interested in ensuring their quacks can be properly identified by the public!