{"id":920,"date":"2009-04-06T20:38:00","date_gmt":"2009-04-06T19:38:00","guid":{"rendered":"http:\/\/www.quackometer.net\/wpblog\/2009\/04\/the-failure-of-openness-at-ofquack.html"},"modified":"2009-04-06T20:38:00","modified_gmt":"2009-04-06T19:38:00","slug":"failure-of-openness-at-ofquack","status":"publish","type":"post","link":"https:\/\/www.quackometer.net\/blog\/2009\/04\/failure-of-openness-at-ofquack.html","title":{"rendered":"The Failure of Openness at Ofquack"},"content":{"rendered":"<p><a href=\"http:\/\/www.quackometer.net\/blog\/uploaded_images\/zx81-748783.bmp\"><img decoding=\"async\" style=\"MARGIN: 0px 10px 10px 0px; WIDTH: 200px; FLOAT: left; HEIGHT: 175px\" border=\"0\" alt=\"\" src=\"http:\/\/www.quackometer.net\/blog\/uploaded_images\/zx81-748768.bmp\" \/><\/a>I was going to call this post \u201cThe Failure of IT at Ofquack\u201d, but I think the failure is a little deeper than computers. The Complementary and Natural Healthcare Council have recently put the following announcement up on their web site:<\/p>\n<blockquote><p><\/p>\n<div><strong>Website Hackers<\/strong><\/div>\n<div>We are extremely disappointed to have to share with you that we have had a number of unprecedented attempts by hackers to disable our website. We are currently taking IT and legal advice on how to resolve these issues.<\/p>\n<p>Meanwhile we have reduced some aspects of the register\u2019s functionality in order to ensure the security of personal details of applicants and registrants on the CNHC register.<\/p>\n<p>If you have any difficulty in accessing any part of the CNHC website or retrieving information please call CNHC on 020 3178 2199 or e-mail <a href=\"mailto:info@cnhc.org.uk\">info@cnhc.org.uk<\/a> and we will assist you with your enquiries.<\/p>\n<p>Added: 01-04-2009<\/p><\/div>\n<\/blockquote>\n<p><\/p>\n<p>This sounds quite serious. Unprecedented attempts by hackers to disable their website? I am not so sure it is as simple as that. 
Firstly, a number of people have noticed that the CNHC were listing their members\u2019 full personal details. Search for a name by putting in an initial letter and all quacks that had joined were listed along with all their details. It was easy to do so. The search functionality allowed you to enter simple wildcards and the results would list everyone on their register. Not only names, but home addresses and telephone numbers. <\/p>\n<p>Their own privacy policy states,<\/p>\n<blockquote>\n<p><strong>The Published Register<\/strong><br \/>CNHC will make part of your register entry available to any enquirer as part of the published register.<\/p>\n<p>The public can inspect the following information on the online register:<\/p>\n<ul>\n<li>Your full name <\/li>\n<li>Your profession or practice discipline <\/li>\n<li>Your approximate work location <\/li>\n<li>Your registration number <\/li>\n<li>Any restrictions imposed on your registration<\/li>\n<\/ul>\n<p>Your <strong>home address, contact details, date of birth and other data<\/strong> are not available to the public.<\/p>\n<\/blockquote>\n<p>In publishing their registrant personal contact details, the CNHC were in quite a serious breach of trust. The legality of publishing the details is dubious too, since the Data Protection Act insists data is only used for stated purposes.<\/p>\n<p>In the last few days, it is no longer possible to gain these details on the CNHC web site. Far from them \u201creducing some aspects of the register\u2019s functionality\u201d because of \u201chackers\u201d, the CNHC have finally stopped dishing out their members\u2019 private data to all and sundry. Hackers have nothing to do with the \u201closs of functionality\u201d \u2013 they were managing to cause privacy leaks all on their own.<\/p>\n<p>But did some malicious person try to disable their web site? Well, last week I <a href=\"http:\/\/twitter.com\/lecanardnoir\" target=\"_blank\">twittered<\/a> that the CNHC web site was down. 
Well, it was not quite down, but the content management system was spewing out an error. What was quite remarkable was that a complete dump of debugging information was being returned to my browser. This information was giving me lots of information about the nature of their server and the code they were using to run the web site. In web site security rulebooks, this is a number one no no. \u201cIf an error is encountered, do not return technical error information to the user\u201d. Such information is invaluable to a real hacker. Even if a hacker does compromise your server, you do not return more fuel for them to use. There is only really one conclusion I can make \u2013 Ofquack\u2019s IT team are utterly incompetent. I can well believe that the CNHC management were told \u201cit woz hackerz wot dun it\u201d when the web site crashed.<\/p>\n<p>So, it would look like the CNHC IT system is not fit for purpose. Not only was there a failure to describe proper functional requirements for the web site, including what data should be displayed, it would also look like it has been coded in a compromisingly amateurish way. I would not want my own data on the site.<\/p>\n<p>I have no idea if hackers really did have a go at their site. And I would not condone such silliness. But the CNHC would appear to have been negligent in not anticipating problems and in not protecting their data. The web is a wild place and there are people out there who like attacking naive web sites just for the hell of it. You need to be prepared. You do not leave your front door open just because you live in a nice village of homeopaths and nutritionists. <\/p>\n<p>But the bigger issue is that Ofquack is not being entirely open. There may well be people who want to see a list of registered members for perfectly legitimate reasons. The CNHC are providing a public service and have been funded by public money. 
We deserve some transparency in what they are doing, especially given that they have been so heavily criticised. They claim in their <a href=\"http:\/\/www.cnhc.org.uk\/pages\/index.cfm?page_id=84\" target=\"_blank\">statement of values<\/a> to be \u201copen and transparent in our business\u201d. I see little evidence of this.<\/p>\n<p>My main criticism of the CNHC is that they have failed to answer the single most important question about themselves. Given that their \u201ckey purpose\u201d is to \u201cprotect the public by means of regulating practitioners\u201d they have not said how this is possible when they will not take into account if any of the alternative medicine techniques they claim to regulate are actually effective. If their members are making false, delusional or even fraudulent claims to the public, how do the CNHC claim to protect the public if they are not concerned about the truth of their members\u2019 claims? There has been no \u201copen and transparent\u201d response to this concern.<\/p>\n<p>Their website claims that \u201cin order to meet our commitment to transparency, CNHC will make the minutes of its Board Meetings available.\u201d They have failed to do this. Worse, they had published some minutes but have since removed them from public scrutiny.<\/p>\n<p>I can speculate why this must be. In my last blog post on Ofquack, I noted that they had only managed to attract about 150 members. Given that they need 10,000 members to break even, they have managed to acquire independent funding to keep them afloat for a week. They have achieved less than 2% of their required income levels. Maybe they are hoping that by starting to regulate more forms of quackery later this year, they will make up the missing 98%. I would suggest, like all quackery, they are indulging in wishful thinking.<\/p>\n<p>So, panic must be setting in. 
The main aspect of their register&#8217;s functionality they have removed is the ability to easily see how many members they have attracted. I would suggest that this is not the result of \u2018hackers\u2019, but an attempt to keep under wraps the increasing failure of this folly.<\/p>\n","protected":false},"excerpt":{"rendered":"<div class=\"mh-excerpt\"><p>I was going to call this post \u201cThe Failure of IT at Ofquack\u201d, but I think the failure is a little deeper than computers. The <a class=\"mh-excerpt-more\" href=\"https:\/\/www.quackometer.net\/blog\/2009\/04\/failure-of-openness-at-ofquack.html\" title=\"The Failure of Openness at Ofquack\">[&#8230;]<\/a><\/p>\n<\/div>","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[19],"tags":[45,47,188],"class_list":["post-920","post","type-post","status-publish","format-standard","hentry","category-ofquack","tag-cnhc","tag-complementary-and-natural-healthcare-council","tag-ofquack"],"_links":{"self":[{"href":"https:\/\/www.quackometer.net\/blog\/wp-json\/wp\/v2\/posts\/920","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.quackometer.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quackometer.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quackometer.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quackometer.net\/blog\/wp-json\/wp\/v2\/comments?post=920"}],"version-history":[{"count":0,"href":"https:\/\/www.quackometer.net\/blog\/wp-json\/wp\/v2\/posts\/920\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.quackometer.net\/blog\/wp-json\/wp\/v2\/media?parent=920"}],"wp:term":[{"taxonomy":"category
","embeddable":true,"href":"https:\/\/www.quackometer.net\/blog\/wp-json\/wp\/v2\/categories?post=920"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quackometer.net\/blog\/wp-json\/wp\/v2\/tags?post=920"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}