2019-02-15

Outside WiFi

Whilst we have excellent WiFi in the house, due to three access points, the garden was not as well covered. A brick wall and conservatory in the way, etc. The WiFi was OK in the garden but I thought I should really try out an actual proper outdoor WiFi access point.

I now have one of these, an Aruba AP-375, and yes, they do cost over £1,000, which is silly, I agree. But it works with the WiFi we have (all one controller), and is clearly robust and weather proof.

We now have excellent WiFi in our garden, and the gardens of several neighbours!

The garden really is not big enough to justify the cost, and if it was not more of an experiment to see how well it works, I doubt I would have got it.

As with the others it is run off PoE, so a simple network cable in to the loft to a PoE switch. I got proper external grade cat5e cable - from Amazon (here).

With solid core network cable you have to get the right plugs that work with solid cable. I actually got some cat6 plugs for solid cable from Amazon (here) which "just work".

I also had to order the wall bracket. Do not be fooled by pictures on the Internet, there is an "H" and "V" version for the surface on to which it is mounted being horizontal or vertical. There are sites selling one with a picture of the other! I fitted with some wall anchors, which, you guessed it, I got from Amazon (here) and drill bit (here).

I walked around the block, and even found a spot on the main road where our WiFi is just visible (through a few houses/gardens). It goes quite a way in open air from high up.

Walking around, it is amazing how many WiFi signals you see. It was nice to see, amongst the VM and BT names, at least one aa.net.uk signal from someone in the next street :-)

Obviously, where these access points make more sense is when you do have a large open space, not just a simple residential garden like mine. We have done WiFi at a beer festival a few times, and if we do that again I can see us putting a few of these in.

When is an email address not an email address?

I just saw an interesting tweet...
This case hinges on what is an email address. The key issue was that someone mistyped their email address on a form, leaving out a dot in the local part and hence did not get an email that was sent. The email did not bounce (which is not that uncommon), so the sender has no way to know the email address was not right.

The judgement is odd to me, it is that it is not in fact an email address if it is not valid. i.e.
I have come to the view that the expression “an email address” means an actual email address and not, as here, an address that has never been set up or registered to any user or users.
So, to be an email address, it has to be set up or registered to a user, whatever that means!

This raises all sorts of questions. What does set up, or registered, even mean? Who has the authority to say if an email address is registered to someone - where is this register kept? What if the email is registered to someone else, i.e. it is not the email address that was intended?

This does, however, raise a huge issue with both judgements like this and legislation like the PECR (The Privacy and Electronic Communications (EC Directive) Regulations 2003). In both cases there is a big issue which seems to have been missed - how does someone determine what they have? How does one actually apply the law/ruling in practice?

In this judgement, how does the sender know if the email address is an email address where the test is whether it is set up, or registered to any user (not even to the intended user). There is no test for that, and no way for the sender to know. They cannot rely on "does the email bounce?" as in this case the email did not, and that was not good enough.

In the PECR there is a test of whether the email address is for an individual subscriber. This too is defined, but it depends on the way the subscriber contracts for the communication service. This is something that the sender has no way to tell, but it changes whether they can send an email without being in breach of the regulations. Essentially the PECR only works if the sender has to assume every possible email address may be of an individual, so is not valid for unsolicited marketing. They have no way to know, meaning ALL emails are in scope and should not be sent (if unsolicited marketing emails). If that was the intention of the law, then why not say that - why create the illusion in the law that sending to commercial subscribers is OK when there is no test a sender can apply in order to comply. Either that or the sender has a defence that they could not know, and so the law is effectively useless. Basically the law is bad law as those that need to follow it have no way to reliably do so.

In this judgement there is a similar issue - the party sending the email needs to know they have an email address or not as it changes what they do and what timescales things have. They have no test they can apply to determine if what looks like an email address is in fact an email address based on this judgement.

Indeed, as warned in the case, the intended recipient of the email can game the system by providing an email they know to be invalid but which does not bounce.

You also have the question of when the email is valid. Is it set up, or registered to a user when supplied, or when the email was sent? Anyone with a domain can decide if and when an email is valid on a whim as they require.

And then there are wildcard domains, which some people have, and emails using wildcards and pattern matches. None of these (as complete email addresses) are registered to a user so does that mean all such email addresses are now invalid, and not an email address under law?

Shame...

Update...

After a bit more discussion, I still feel quite strongly this is just wrong.  The wording is :-
(3)  An early conciliation certificate will be deemed received—
(a)  if sent by email, on the day it is sent; or
To me, this makes it pretty clear that the sender has done their job if they send an email (to the address notified to them). This is pretty common wording for email and post, and it means that if the person providing the address makes a mistake, then that is their problem. The sender is expected to send to the address notified - there is not any more you can expect from them, and it is not their fault if the address turns out to be wrongly provided to them, and also not their fault if the delivery system (post, or email) does not get it to the recipient.

The wording could have been something that requires the recipient to have actually received the notice/certificate. I have seen things like that. That would put the onus on the sender to somehow check the recipient has got it, and make the sender responsible for correct addressing and delivery. But that is not the wording in this case. To me, this means a typo is the problem of the person that makes the typo.

The ruling could have said a typo is the problem of the person making the typo, with possible exception that something that is obviously not an email address should be spotted by the sender (i.e. just has to have the appearance of an email address, or meet the internet standards). The ruling could have said this is all down to communicating, and the email has to actually be the correct one for the recipient, and if the email does not get to them, it is not "deemed received".

To me, the whole point of "deeming" it received is because actual receipt is not the sender's problem. If the law was that it actually has to be received, by the right person, it would not need a clause on "deeming" it so.

The actual ruling is in the middle. It says that it is not "an email address" even if it "looks like one" if not "set up" or "registered to a user". So a typo is the problem of the person making the typo if and only if their typo ends up being a valid email address. But if their typo makes an email that is not a valid email address it is the problem of the sender (who has no way to tell there was a typo), even if the mistyped email has a valid domain with MX record and email correctly goes to that server.

Surely the judge should have clearly decided - "whose responsibility is it if a typo is made?" Having decided that, one way or the other, he could make a ruling on whether this is an email address or not. This ruling does not actually answer that.

This comment muddies the water even more :-
Since the object of the Form is to enable communication, the intention must have been to solicit an email address that could be used to send the certificate. If so the phrase must mean an actual email address.  That is what the request on the form sought. I find it difficult to accept that Parliament intended the words “an email address” to include invalid addresses that could not be recognised as an email address by a server and forwarded.
But the email address was one that could be "recognised and forwarded" as the domain part was not mistyped, so the mail could be sent to the correct MX record. This is the same as sending a letter to a postal address. What happens then is down to name or department written on the letter, but it has been delivered to the "address" by the postal service.

2019-02-10

Decent WiFi

The Aruba AP-515 "WiFi-6" Access Point
My home needs more than one WiFi access point. This is partly because it is a 5 bed house, and partly because the garage conversion for my office involved a lot of Celotex (metal foil coated insulation) in the walls and ceiling, which kind of stops WiFi signals dead. It would be just about possible to cover the whole house with one access point in the ceiling at the top of the stairs (as my neighbour does) but that would not get to my garage. So we actually have three access points.

Getting good WiFi at home

If you have a large home, or one with thick or insulated walls, you may need more than one access point to get good WiFi coverage. BT are making a point of this in recent adverts, but please do think carefully about this. WiFi is simply part of your home or office network infrastructure and a totally separate thing to your Internet Connection. Yes, smaller homes often have one box for all (modem, router and WiFi), and that does work for smaller homes. But if you want good networking at home or office, I'd recommend thinking about your network infrastructure (WiFi, Cabling, and switches) as a separate project from your choice of ISP. Good networking at home can make all the difference. WiFi repeaters and power ethernet devices are generally no match for running a network cable to where you need an access point. With PoE (power over Ethernet) that can be one cable and no need to find a power socket near where the AP is located (important when on the ceiling). Any fixed machines on desks, or TVs, etc, are often better handled on cable as well, and there are some nice PoE powered 5 port switches that are available making it easy to run one cable to behind the TV for several devices and not need another power socket.

Please, don't do what I saw in one place. We spent a weekend at a large holiday home. WiFi did not reach from one end to the other. They had installed two totally separate ISP connections each with a separate WiFi modem/router with the default ISP set SSID and password, in order to "cover" the whole house!

Ubiquiti/Unifi

Ubiquiti have been pretty groundbreaking in making a lot of network equipment available at a reasonable price, including good WiFi access points. I tried these and we were selling them at A&A. I am using Ubiquiti IP Cameras and they are pretty good (just got some of the G3 Pro models which do proper PoE, and they are nice).

I tried these access points at home, and I did run in to a real problem with iPhones, roaming between access points, and IPv6. At one point we thought FireBricks may be a factor, but it seems that is just because A&A sold Ubiquiti APs, FireBrick routers and IPv6 networking - the problem was seen with non FireBrick routers. The problem looks like it is probably iPhone related, but hard to say if iPhone bug or not. The big clue was when someone found that turning off IGMP snooping on the AP solved the issue. This makes some sense as IPv6 uses multicast for neighbour discovery, so broken IGMP and multicast could break IPv6. What is interesting is we have also seen this on another make of AP now, though still iPhone specific, and it looks like it relates to 802.11r roaming. My guess is an iPhone bug.
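An added illustration of that point (not from the original post): the sketch below derives the solicited-node multicast group and Ethernet multicast MAC that a neighbour solicitation for a given address is sent to, then uses a toy snooping model to show the frame being dropped when the AP has no listener recorded for that group, and delivered when snooping is off. The address, port names and SnoopingBridge class are constructed for the example, and the missing listener entry is an assumed failure condition, not a diagnosis of the iPhone issue.

```python
import ipaddress

# Constructed sample address in the IPv6 documentation prefix (not a real host).
PHONE = "2001:db8::1c2f:a4ff:fe9b:3e71"


def solicited_node_group(unicast):
    """RFC 4291: ff02::1:ff00:0/104 plus the low 24 bits of the unicast address."""
    low24 = int(ipaddress.IPv6Address(unicast)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return ipaddress.IPv6Address(base | low24)


def ethernet_multicast_mac(group):
    """RFC 2464: 33:33 followed by the low 32 bits of the IPv6 multicast address."""
    if not group.is_multicast:
        raise ValueError(f"{group} is not a multicast address")
    low32 = (int(group) & 0xFFFFFFFF).to_bytes(4, "big")
    return ":".join(f"{octet:02x}" for octet in b"\x33\x33" + low32)


class SnoopingBridge:
    """Hypothetical model of an AP deciding which ports get a multicast frame."""

    def __init__(self, ports, snooping=True):
        self.ports = set(ports)
        self.snooping = snooping
        self.listeners = {}  # group MAC -> ports that reported membership

    def report(self, port, group_mac):
        # A membership report seen on a port (MLD for IPv6 groups).
        self.listeners.setdefault(group_mac, set()).add(port)

    def forward(self, ingress, group_mac):
        others = self.ports - {ingress}
        if not self.snooping:
            return others  # no snooping: multicast is flooded like broadcast
        return self.listeners.get(group_mac, set()) & others


def solicitation_reaches(bridge, target_ip, client_port, router_port="uplink"):
    """Would the router's neighbour solicitation for target_ip reach the client?"""
    mac = ethernet_multicast_mac(solicited_node_group(target_ip))
    return client_port in bridge.forward(router_port, mac)


def demo():
    ports = ["uplink", "wlan-phone", "wlan-laptop"]
    mac = ethernet_multicast_mac(solicited_node_group(PHONE))

    # Assumed failure: snooping is on but the AP has no entry for the phone.
    stale = SnoopingBridge(ports, snooping=True)
    dropped = not solicitation_reaches(stale, PHONE, "wlan-phone")

    # Healthy snooping: the phone's membership report was seen.
    healthy = SnoopingBridge(ports, snooping=True)
    healthy.report("wlan-phone", mac)

    # Snooping turned off, as in the workaround described above.
    flooding = SnoopingBridge(ports, snooping=False)

    return {
        "group": str(solicited_node_group(PHONE)),
        "mac": mac,
        "dropped_when_entry_missing": dropped,
        "delivered_when_reported": solicitation_reaches(healthy, PHONE, "wlan-phone"),
        "delivered_when_snooping_off": solicitation_reaches(flooding, PHONE, "wlan-phone"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Without the neighbour solicitation arriving, the router cannot resolve the phone's link-layer address, so IPv6 to the phone stalls while IPv4 (which uses broadcast ARP) carries on.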

Aruba

I changed to Aruba access points. They are a bit more pricey than Ubiquiti - around twice the price. Ubiquiti really have done a good job on price.

They have a confusing array of model numbers which fooled me a bit. Not only for different grades of WiFi standard and speed, and number of radios, but for indoor and outdoor, and for internal and external antenna. They have models for specific countries - the one we need is "RW" (which I assume means Rest of World).

Like most systems to manage a set of access points you need a controller. Ubiquiti do controller software for multiple platforms for free. What Aruba were doing is a separate hardware controller, but they then added Aruba Instant which is where one of the APs acts as a controller for the set, providing a nice web interface. This has the advantage of no separate controller, but also, if that AP is off line another takes its place with the same config, so redundancy built in. What was confusing is that this was a separate model - the IAP-305 is the one that can be a controller and the AP-305 cannot. What fooled me further is that later models are all able to be a controller but don't have the I in the name, so an AP-375 is an outdoor AP and there is no IAP-375 which confused me. The AP-375 can be stand-alone / controller. I'll be trying an outdoor AP (AP-375) soon, to ensure good coverage of the garden for the summer, and I'll no doubt post more on that.

As for roaming iPhones and IPv6, the Aruba has control of separate roaming related settings for 802.11r, 802.11k, and 802.11v. It seems only the 802.11r breaks iPhones and IPv6, but roaming is pretty seamless with the other two settings turned on. I am sure one day this will be fixed in iPhones and so 802.11r can be enabled.

Personally I like the Aruba better, but that does come at a price.

WiFi-6

One of the interesting things for both manufacturers is the new 802.11ax standard (aka WiFi-6). I don't have a device that can use it yet, but it is rumoured that iPhones may have it this year. Aruba have an AP that does it (AP-515). Once they are both available, I'll give them a try and keep you posted.

2019-02-04

Don't make up email addresses

Why do people do this?

I have a junk domain, one I use for signing up for stuff, and which works. It usually has the name of the place I used the email address in the address. E.g. youtube@example.com for signing in to YouTube, though obviously example.com is just an example and not my domain.

Some idiot keeps signing up for instagram and using my domain.

This is annoying. But also it is pointless, as I am now simply using the "forgotten password" on instagram to set a strong password, change the profile pic to something rude, set default date of birth, change the name to "Idiot using my domain", confirm the email address, and turn off all email notifications.

It is rather odd of instagram, by the way, that they see my login as "suspicious" (presumably as from a different country even) so they send a 6 digit security code for me to enter. What is odd is they send that by email, to the same email address they just sent the password link. What is the point in that?

So the idiot does not get to use the instagram account at all.

What is weird is that not only do they try and login to it (which just makes instagram send me a "you are having trouble" password reset link), but they have even tried the "forgotten password" link that emails *ME* a reset password link. Why do that?

At one point they tried to change the email address on an account - not sure how they did that - maybe it is one I had not set a new password on yet - but I was emailed and given the option to revert that change and confirm my email address. So I did. They were trying a Russian email address.

If this keeps happening, I'll make a small shell script to automatically zap the login the second they create it!

But why do it? Why use someone else's email address on such things? What is the point?

2019-02-03

An interesting scam (I wonder how Amex will cope).

I am no expert on scams, honest, but I thought this was interesting.

I saw an advert (on Facebook) for a handheld inkjet printer. This looks cool, and I have previously seen some article on them. I vaguely recalled that they cost several hundred pounds, and the advert was for $44, which seemed very cheap. To be fair, many printers you can buy are stupidly cheap as they sting you on the consumables - so very possible. This is what the printer looks like: https://youtu.be/Va3A7QcBlLE

I decided to order one. My reasoning was that :-
  • If it is real, it is a cool gadget at a good price.
  • Not totally implausible I guessed (turns out I had mis-remembered the cost of these).
  • I rashly assumed Facebook would have taken down a scam advert, LOL.
  • I assumed Amex would not deal with scammers.
  • I assumed Amex would be good at handling a dispute if it was a scam.
  • It is only $44 so not the end of the world and worth a shot, even though I kind of guessed it was a scam.

So how did I fare?

Well, it was a scam - what a surprise! Shame, as it would have been cool.

Basically, I got an email confirmation of my order, but it said it would ship in a few weeks. The first step in causing delay.

After nothing arrived, I put in a dispute with Amex.

Out of the blue (and perhaps because of dispute) the scammer sent an email saying it had been shipped! I did not hold out much hope, and I assume another delaying tactic.

The advert on Facebook popped up several more times, with different company names, and I complained to Facebook. They would not take action even though clearly a scam - the comments made it clear too. Also, it seems, these printers are normally around $8000 or something crazy so obviously a scam, had I bothered to check.

A while later, something arrived in the post... Signed-for, from China:-


They have the right description, but what they sent was a paper tape for a dymo labeller! As it happens, I had just got a Dymo labeller for my grandson, so it did not go to waste.

So, what next?

The "dispute" on Amex showed as complete, and no credit, and no contact from Amex. I did wonder if it had gone in spam and been deleted (spam not held for long). Seems not, as emails now from Amex are not going in to spam.

I raised a dispute again, and now even that has vanished, not showing a dispute complete or anything. Both were via the Amex app, which seemed to make raising the dispute quite easy!

I ended up doing a chat on their web site - apparently the dispute was stuck somehow, which is odd. He cleared it and made a new one and gave me a link to upload documents (e.g. above image). It would not take a jpeg but would take a PDF with a jpeg embedded! Crazy!

One issue is they wanted details of what the merchant had advertised. They were sneaky as the original advert was a video on Facebook and not there any more, and I did not even have a screenshot. Later Facebook adverts were different company name, so I could not use that. The confirmation email just had the description "Handheld Portable Printer" and even the "view my order" link (which no longer works) only had that description and not more detail nor an image.

So the evidence to Amex that I can provide is somewhat limited. Indeed, only the description on the label is in my favour. I wonder if they will claim that there is something lost in translation and a paper tape is all they were trying to sell? Oddly, such a tape is not even worth $44.

I hope Amex do not deal with scammers - we will see.

2019-02-01

Personal (medical?) data

I am having a bit of an issue with a company called Withings!

I purchased a sleep monitoring gizmo, it goes under the mattress. It is actually pretty cool as it tracks sleep, and heart rate, and snoring. Working out what to do with the data is another matter, but is interesting, and could be quite helpful.


Obviously this device needs a way to present the data to me, and that is via an app on my phone. The ideal way would be to, say, bluetooth it to the app. Simple, and it has bluetooth.

But no, it seems to be set up so it uses my wifi to send data to Withings over the internet, and then the app on my phone gets it from them and displays it. This is not ideal, and it annoys me a little that people make devices work like that, but, in theory, GDPR comes to the rescue.

My sleep is not always good
Once upon a time companies could probably do what they like as part of T&Cs of some service they offered (though, bear in mind, I have not bought a "service", I bought a "device"). However, these days, they cannot simply use my data, they need to have a legal basis, and perhaps even consent.

Also, arguably, this is sensitive personal data (medical data), so subject to even tighter controls.

So, in theory, I should be able to use the device with the data being conveyed to them and back to my phone, and no more. Data being deleted when no longer needed, and not used for any other purpose. Or so you would hope.

The first clue of a problem was that the installation not only required me to agree their T&Cs (annoying) but "consent" to their privacy policy (here). This immediately rang alarm bells as "consent" is meant to be "freely given" under GDPR. Insisting I consent as part of installation is wrong.

So, I consented on the basis I want to use the device, and immediately emailed withdrawing my consent, as is my right. To be clear, I explained I accepted that there would be some data processing to provide the core functionality of monitoring my sleep and displaying that on the phone app, but I withdrew consent for any other purposes - specifically (as per their privacy policy): Developing and managing Products and Services, Conducting data studies, and Marketing, advertising and making recommendations. The last one being my main concern.

It is worth noting, had they had a number of entirely optional consent settings such as "share data with our developers to help improve the product" and so on, I may well have clicked on some. Making it mandatory to consent to usage as per their privacy policy was what kicked this all off!

They basically have no clue, seriously. Many emails back and forth. They kept telling me where their privacy policy was and asking if there was anything else they could help with. They totally failed to understand their obligations or what I was asking. Finally I have an email saying if I don't consent then that is not compatible with use of the product and they offer a refund. Well, no, I want to use the product, but my data only be used for that usage and nothing more. That is my right!

We'll see what happens next - I have written to them now as well.

However, there is a big gotcha here, and this is the same with T&Cs for installing a smart TV and a lot of other internet of shit stuff.

EVEN IF I CONSENT, what of other people?

This is not entirely hypothetical now. I was away for the weekend, and my sleep tracker says I slept one of those nights (someone that does not snore!). Now, I happen to know who did sleep in my bed, he is 5, and not only did he not consent to Withings having his data, but he legally is too young to have done so.

(I believe my having his data probably comes under personal/domestic use in much the same way as if I marked his height on a door post).

But Withings will presumably want to use the data for Developing and managing Products and Services, Conducting data studies, and Marketing, advertising and making recommendations.

If the basis of this use is "consent", which they seem to suggest, then when and how did they get his consent exactly? I have asked them this. We will see what they say.

Basically, they cannot assume they have consent for any sleep data they collect to be used in such a way, at all, ever, as even if the installer or owner of the device consents, they do not know the person sleeping in the bed has consented.

As I say, this is much the same as smart TVs that could be recording your viewing patterns. Even if the installer has agreed terms and consented to such data processing, the people viewing the TV may not have.

This is a legal issue that needs sorting. I wonder if the sensitive nature of medical data in the case of the Withings sleep monitoring device will help get this to a test case? ICO have been told.

P.S. I checked, and it is at least talking over https.