Are all systems built equally?

So one thing that keeps coming up is thoughts like, “but if someone wants to find a way in they will”.  This is mainly from customers of Baby’s Days who seem to be saying that the 2 security issues I’ve found on the system, one about photos and the other about parent comments not being stored securely, have come about because I’m “looking for issues”.

The two flaws I’ve posted about, I was not “looking” for; the first a parent told me about after he found it out by accident trying to download his child’s photos in bulk (as parents cannot bulk download their children’s photos from their logins).  The second came up after I was looking at URL strings trying to find out if my own photos were stored somewhere on my own laptop in a temporary folder.  Both issues have cropped up quite by accident, there was no looking or probing involved.

Some other customers have also suggested that the same issue could come up with any of the EYFS online software providers and with this post I’m really hoping to clear up that misconception.

Before I continue I want to make it clear that the issues I am talking about below aren’t necessarily connected to Baby’s Days uniquely, I am talking about computer programming as a whole.

The first question is, “Is it true that a determined “hacker” could get into any internet system if they tried hard enough?”  I’m not really qualified to answer that question with 100% certainty but from briefly reading around this area, it seems that if someone was dedicated enough they would find a way into almost any system.  As I’ve posted before, Baby’s Days’ claims of being 100% secure are ludicrous but obviously some systems are easier to get into than others and some people are better at getting into them than other people.

So does this mean those that claim, “it’s ok that you found these flaws Hayley, anyone can find flaws in anything if they try hard enough” have a valid point?  It is my opinion that these people are missing the point somewhat; whilst their opinion is true it is rather short sighted.  I will try and explain this with a simple analogy.

All houses are houses and if you try hard enough despite the best security systems there will probably always be one clever burglar that could get in if he or she really wanted. If you had a suitcase of cash which house would you put it in?

House 1: The house with every external security system going, it was designed by an award winning architect and the structure is perfect.

House 2: This house has all the same features as house one in terms of external security.  But it was the first house this builder had ever made, and he didn’t quite get all the bricks lined up properly and there are a couple of little cracks here and there.

They are both houses, but you’re going to put your suitcase into house 1 aren’t you?  This is because although both houses carry the risk of getting broken into by some burglar, house 1 carries less risk than house 2.

So yes, “anyone can find flaws in anything if they try hard enough”, but the point is some systems are considerably harder than others to access.  It is deeply unfair on those systems that take time, money and effort to ensure the programme they create is on par with the award winning architect in House 1, to simply shrug issues like this away.

I understand that people don’t need the added stress and worry in life of thinking too much about these things and it’s far more convenient to just hope for the best.  But as a practitioner that should be working in accordance with the Data Protection Act, “well these days shit just happens doesn’t it?” won’t curry any favours with the ICO unfortunately.

Please put that new feature of bulk download to good use and download your system to your home computer daily.  You really don’t want to be in the position I am in right now.

 

 

Can Baby’s Days access your system and info?

In their Privacy Policy Baby’s Days/Sys IQ Ltd state,

Our staff do not have access to any user passwords and are, therefore, unable to access the organisation’s account or data without receiving an invitation from the Master Administrator.

I have had a few blog readers and Facebook members tell me that Baby’s Days have accessed their systems without the user providing them with a user name and password.  If this has happened to you please comment below, if you post using the name Anon, Baby’s Days will not know it was you.

I’m hoping that some of the techie blog readers can help with some questions around this issue?

  1. Baby’s Days record users’ IP addresses.  In theory could they access a user’s system without a username and password using the IP address?
  2. If you stopped using Baby’s Days and they kept a record of your IP could they in theory still access your computer even if you no longer run the programme?
  3. If someone could access your computer using the IP address alone, can they change data on your laptop or only view it?

Obviously I could never say categorically that Baby’s Days have accessed users’ systems with IP addresses only.  But it would be interesting to learn if this is possible.

Pop back tomorrow when I will be blogging about how all systems are not built equally.

 

 

Would any other EYFS company keep a customer’s data?

So, in my search for an alternative to Baby’s Days, I questioned as anyone might, whether it was wise to place my data with another EYFS software provider.  Since the blog started many readers and Baby’s Days customers have asked me the same question, “could this happen again with a different company?  Isn’t it a case of better the devil you know?”

It started to dawn on me that what Baby’s Days / Sys IQ Ltd has done to 3.5 years’ worth of my data may reflect badly on other EYFS providers, so I thought I would post a blog post to clarify that I truly believe this would never have happened with a different online EYFS provider.

When you read reviews of Baby’s Days the one consistent theme is that customer service is terrible; the man behind the customer service is Mark Kahl as far as I am aware.  He is the company director of Sys IQ Ltd.  He is also the common denominator in almost every single negative experience a customer of Baby’s Days has had.  In the interest of fairness, I’m sure lots of customers also find him very helpful.  The point is that he does not work with any other company and so his customer service techniques are isolated to the Baby’s Days brand alone.

I contacted a few different companies and asked them:

…I have a lot of people asking me if they were to leave Baby’s Days for another online software company, how could they be sure the new company wouldn’t withhold their data in the same way Baby’s Days has withheld mine.  How can customers be sure their data would be returned?

Most of the companies replied in an extremely shocked tone, they couldn’t believe that Baby’s Days didn’t allow me time to download my data before they terminated the agreement.  They were even more shocked when I told them that any attempts to retrieve the data after termination had also been fruitless and that the ICO had found Baby’s Days to be in Breach of The Data Protection Act.

I feel it is fair to conclude that the way Baby’s Days has handled my data isn’t the industry’s standard approach; as such readers of the blog shouldn’t think if they switch providers the same thing might happen with the new provider.  It seems to be a customer service issue isolated to Baby’s Days alone.

For those that would like to read more info, here is what each company said about their own policies regarding returning data to their customers after terminating an account:

Minding Matter (Previously Mega Minder):  “Your data will ALWAYS be accessible to YOU and the PARENTS of your setting. We will NEVER lock you or the parents of your setting out of your account.”

Easy Solution 4 Nursery Education: “All data is owned by the provider or [by] the family in the case of our ‘linked up’ (to the provider’s EASYpro) and the stand alone version EASYparent. 

We view our role as the guardians of their data (as per our terms and conditions – 9.1 The Licensee shall own all rights, title and interest in and to all the Licensee Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Licensee Data).   Our software is applicable for children from birth until their eighth birthday, when the data is deleted. 

However, we give the setting, or the family in the case of EASYparent and EASY@home, ample opportunity to download all the information in a report form, before the data is removed.  We also offer to return to them, the photographs that have been uploaded in JPEG format, although there is a small charge for this service.  These conditions also apply to any setting that may cease to subscribe to EASYpro.”

Owl Track:  “I have just had my first client leave recently due to financial reasons. As I mentioned before I can’t send them data as such but they can access it via their account on [the] site. I have told this client that I will not delete the account for two months in order to give her time to download, save or print any information that she or her parents require. I will also check with her before finally deleting it. This is good customer service which is vital for business these days.”

Orbit:  “We suppose we are slightly different in that Orbit is free, so there is no subscription. We also allow the download of children’s learning journeys at any time (as a pdf document) so you always have access to the data…. In the unlikely event that we were to stop providing the service, we would give our users the maximum amount of warning possible and allow them to download and backup data.”

2simple:  “You may access your information (in return for a small fee) and request details of the entities with whom we have shared your information by contacting us at info@2simple.com. In most cases we will comply promptly with your request and let you know when we have done so.

However, sometimes you will not be entitled to access your information. For example, where the public interest or your own interests override your rights under the Data Protection Act 1998. We may withhold information where we are legally allowed to do so.”

Target Tracker:  “I can advise that we would never withhold a subscriber’s data.  In fact we make it very easy to export the data at any point as a file or by exporting whichever reports are useful.

If a subscriber chooses to leave they are able to export their data up to the end of the subscription.  After that point a small admin charge may be applicable as we would need to re-enable the subscription in order to export it.

We like to put our subscribers at the heart of what we do and it would not be in anyone’s interest to make things difficult for any customer.”

EYFS Tracker:  We have only once been asked by a setting for access to their data after they had let their licence lapse. We re-enabled their account on the same day they requested it to allow them to download their data (as they had an Ofsted inspection the following day), and we did not charge a fee for this.

Connect Childcare:  Our viewpoint is very simple – we own the software but you own the data. At any stage you can download/back this up yourself if you wish.  We will help you do this as it’s yours.

I also contacted Jeans Database, although the package does not offer an online facility I felt it fair to include the company with the others.  Jean replied; “The CM Software database is not an on-line product – it resides 100% on whatever device the customer chooses to store it on.  Which means that they also have 100% access and ownership to their data at all times.”

Pop back tomorrow for a post about how many childminders believe simply using Baby’s Days will result in them achieving an Ofsted Outstanding grade.

Sys IQ Ltd has not complied with Principle 7 of the Data Protection Act.

So it’s been confirmed by the ICO that one part of my problem with my data being withheld by Baby’s Days has been resolved at least.  Despite knowing we wanted the data back, Baby’s Days went ahead and deleted the data anyway.  The ICO have found that because this child’s data has been deleted by Baby’s Days / Sys IQ Ltd, they have not complied with Principle 7 of the Data Protection Act.

There are Eight Principles to The Data Protection Act and from my understanding Principle 7 – which is labelled “security”, is about, you guessed it – security.  How ironic that a company plugging itself as “100% secure” has not complied with the part of the DPA relating to Security!

The ICO website says Principle 7:

means you must have appropriate security to prevent the personal data you hold being accidentally or deliberately compromised

So which was it do you think blog readers?  Was my co-minder’s daughter’s data accidentally compromised, in which case, how can you be sure this won’t happen to any data you have stored with the company?

Or do you think my co-minder’s daughter’s data was deliberately compromised, in which case, again, how can you be sure this won’t happen to any data you have stored with the company?

Either option doesn’t exactly scream 100% secure to me.  What this now means is that under the DPA I have the right to take this matter to court, which obviously I intend to do.  If anyone reading this might know someone who would like to take the case get in touch via the contact option on the blog or through Facebook.

Has Baby’s Days lied to the ICO?

I’ve exchanged some very bizarre emails with the ICO and Baby’s Days over the past few weeks regarding my subject Access Requests.  It seems to me that Baby’s Days are getting confused about how to handle the requests, and getting the requests mixed up and at one point have continually referred to my son by some other name?!

Slightly alarming when they are handling so much data.  But nevertheless, I’ve tried to make sense of this info, but it seems to me that Baby’s Days are either deliberately muddying the waters so to speak or they are getting themselves in a right muddle.

Can anyone make sense of the following?  It seems to me that on the 17th Feb, the ICO told my co-minder that Sys IQ Ltd had confirmed to them that her daughter’s data had been deleted.  Here is the email from the ICO so you can see it for yourself.

[Image: ICO say AA data has gone]

But then on the 18th Feb, a day after the email from the ICO my co-minder was contacted by Sys IQ Ltd directly, who stated, “your subject data request is now closed and we will be unable to provide you with any data for *childs name*”. Email below.  Surely they couldn’t continue with the request because they had already deleted the data?  So why have they sent this confusing email?

[Image: BDs close AA request]

Baby’s Days seem to be fast becoming confused by the situation, despite it being very simple.  They cancelled the subscription, they withheld the data, we would like it back.

What do these emails look like to everyone else?  Would you ever have imagined it would be this hard to retrieve work that most minders believe to be “theirs”?

PS.  You may have missed the last few posts as the email sent to subscribers doesn’t seem to have been working.  You can check them out here, one about Baby’s Days not being ISO Accredited, and another about the ICO.