Monday, 9 July 2012

Paypal? Privacy? Competence? Apparently not.

Despite my (repeated) warnings, the implementation of the new cookie legislation caught our technical gurus with their figurative pants down. Some disclaimers were cobbled together quickly and posted up.

But it seems we're doing a much better job than Paypal.

Don't get me wrong - I know that (done properly) cookies greatly enhance the security of interaction - indeed I'd be very wary of a payment processing system that didn't implement cookies - but then I'm also very wary of payment processors whom don't implement the law.

Bought some stuff today from Paypal - the first time I'd used Paypal for several months - no mention of cookies. It actually dropped no less than 40 cookies on my browser! FFS! No mention of cookies let alone an opt-in. And while the majority of the cookies were session cookies, it's interesting to note that Paypal DOES NOT END the session at the completion of payment.  That's right. after paying for goods via paypal and returning to the orignal site, you are still logged into Paypal!

"We use cookies written with Flash technology to help prevent fraud "

 Are the criminal classes still that incompetent that don't know how to get around evercookie?

To top it all, it seems that Paypal now stuff more data into their cookies than they are willing to consume. after I wrote this post I went back to double check if there was any effort to comply with The Privacy and Electronic Communications (EC Directive) Regulations 2003, only to get failures accessing with an error message indicating that I was returning more cookies than it could cope with:

 (the green bar was added by me to redact my data). It seems that someone thought it a good idea to transfer transactional information via cookies.

Just now the news is full of the arrogance and incompetence of the financial institutions - to a certain extent I have reserved judgement. But increasingly it appears that the IT operations are run by the CEOs nephew who once read a book about programming - OK maybe I exaggerate. There are some very competent and brilliant people out there, some of whom I'm acquainted with - it just seems that the less able IT people of my ken seem to be in the well paid jobs. Grrrrrr!

1 comment:

  1. Just read on ServerFault about someone failing their PCI-DSS compliance for exactly that Apache error screen.