You could have placed a bet on it happening. If you had, you’d be quid’s in.
As far back as February, I warned that the UK’s implementation of the EU cookie law opened up a wealth of opportunities for scammers and spammers. I suggested that we were going to have the pathetic scaremongering – which indeed came to pass, and which is still flourishing – wherein “consultants” and software developers could use threats of £500k fines as a revenue stream. We also had the possibility of some of those firms extending the threats to blackmail: pay us to “make you compliant” and we won’t report you to the big bad government.
I hate being proven right.
[tweet https://twitter.com/alex_stanhope/status/230669838757027840]
In the spirit of understanding our enemy, let’s meet the scammers. Take a look at Ezeeaz. In addition to claiming to be the Information Commissioner’s Office (ICO) – the government agency responsible for the EU cookie law’s implementation and enforcement within the UK – they are also using a modified version of ICO’s logo and brand.
It is an appropriate measure of ICO’s success in launching the EU cookie law that scammers pretending to be them can run with the baton. It is also an amusing irony that ICO will have to redeploy the resources they had set aside for cookie law compliance and enforcement to deal with infringement of their own brand on the part of “cookie consultancies”!
Who is behind the scam? At first, it’s hard to tell. Ezeeaz.co.uk’s web site features the middleman outsourcer’s dead giveaway of an “About Us” page which lists no names, pictures, personalities, or CVs. In fact, the only name available to us comes from a Whois search. It shows the person to whom the site is registered, a fellow called Greg Youngberry. Greg Youngberry of – wait for it – Queensland, Australia.
The web site lists the company’s address in an office building in Witney, Oxfordshire. This morning I phoned the leasing company and spoke with the landlord who manages the building. They had never heard of Ezeeaz; they had never heard of Greg Youngberry; and they certainly had no idea that someone claiming to be a UK government agency was operating out of the building. From that, you could presume that the Oxfordshire address was the random result of a Google search for any old office building in the UK. But it’s not. The person behind the scam did not choose Witney by throwing a dart at a map. After all, who hails from Witney? That guy Dave, our current Prime Minister. It is absolute textbook behavior for a grandiose fantasist – one who would shamelessly claim to be a UK government agency – to latch on to the prestige of a public figure or location. Recently we saw a notorious web scammer in Edinburgh listing his “agency” address as what everyone could see for themselves was Harvey Nichols; likewise, I knew someone who took out a post office box at a Mailboxes Etc. on Pennsylvania Avenue in Washington DC because he thought people would associate his “prestigious” address with the White House!
Greg Youngberry runs a business service operation in addition to his cookie law круша. The web sites are similar in terms of their stock template layouts and use of bland, unoriginal, generic clip art. (In fact, a Wayback Machine search shows that the two sites were once identical). If you want to fill your Business Bullshit Cliche Bingo card in record time, have a look at it. Not only does he have a White Guy In A Business Suit Shaking Hands To Seal The Deal, but he’s got oodles of florid prose on why his business model of outsourcing everything to India and the Philippines at third world pay rates is a benevolent fairtrade operation, gracing the poor wee souls of those countries with a chance for employment and three meals a day. It is patronising, paternalistic, and, at some points, smells of a visa scam. Where I come from that sort of mindset is known as calling yourself the Great White Hope. Which, on an ethical scale, is right up there with calling yourself a UK government agency.
So wipe a sentimental tear from your eye, then, when one of his low-wage call centre employees – Queensland via Manila via Witney – phones to threaten you with a £5000 cookie law spot fine. Dear god, won’t somebody think of the children?
Ezeeaz’s web site closes with the following feelgood platitude:
“Privacy is more than just a policy, it’s about gaining trust.”
So says the Australian scammer running threatening sales calls to the UK out of a Filipino phone bank.
Sitepoint – ironically an Australian company – recently explained the EU cookie law to its baffled audience like this:
While this law is aimed at protecting users, it’s scammers who gain the biggest benefit. Is it blackmail? Or is the scammer exercising their right to sell you compliance services before reporting you to the authorities for illegal activities? Put it this way, if you send enough emails, you’ll eventually find someone with enough naivety and cash.
It’s heartening that a company half a planet away from the EU is able to call the cookie law for what it is at first glance. They understand, through all the PR and platitudes, that the rise of the scammers is yet another nail in the EU Cookie Law’s coffin. As I said in my July update presentation, the law is not making people reflect upon their individual privacy choices; it does not address this decade’s privacy threats – social media oversharing and app-based data uploads; and it vandalises web sites at best and destroys web site accessibility at worst. The only people whose lives it seems to be making better are the people who know how to make money off it – whether that’s through well-meaning software development, call centre scamming, or padding their CVs at the Information Commissioner’s Office.
Who, come to think of it, have a few phonecalls to make this morning too.
Let’s use this post to track cookie law scams and spam. Have you received a scam call, email, or letter? Leave a comment.
*Update: a London-based legitimate web consultancy has contacted me to say that the Australian company has copied their site content and business tagline for the scam site. I’m sure Greg will blame it on his “staff” in India.
They also note, with even more irony, that Ezeewhatever are not registered as a data processor with…ICO.
Postscript: In September 2012 this blog enjoyed its single biggest day of hits ever courtesy of over 700 visits to this post alone from the call centre in the Phillipines which was doing the outbound calls for their Australian sugar daddy. The scammers also attempted to leave a comment on this post pretending to be Alex Stanhope, who first alerted me to the scam on Twitter, using a fake Google mail address and illiterate Filipino English. You can only imagine what they were thinking as they read this post for the 300th, 400th, and 500th time: “What you mean we’re not working for the UK government? We’re not going to get an Australian visa?”
[tweet https://twitter.com/idea15webdesign/status/245639026411986944]
Heather Burns is digital law specialist in Glasgow, Scotland. She researches, writes, publishes, consults, and speaks extensively on internet laws and policies which affect the crafts of web design and development. She has been designing and developing web sites since 1997 and has been a professional web site designer since 2007. She holds a postgraduate certification in internet law and policy from the University of Strathclyde.
Well said!
Great article!
“cookie law круша” has me stumped though….
It’s Russian for an organised crime protection racket targeting businesses. Some concepts work better in their own language.
Ah….that fits.
I had Googled it – it’s also Bulgarian for Pear…
Looking at this blog’s analytics, I can tell you that the EU in Brussels is monitoring this post closely. I can also tell you that ICO has never read any of the six posts I have written on the issue, nor responded to any of my tweets.
In my July presentation I discussed how a new set of EU data privacy directives are currently in draft form. This set aims to consolidate all 27 national data protection laws into one law imposed from above. ICO has claimed that the EU is looking to the UK’s implementation of the cookie law as the ideal standard for Europe.
But we have to assume that the EU is looking at how ICO manages this law’s rollout and enforcement as much as they examine its implementation. And right now, with scammers infringing their brand, a 10-page cookie complaint form used solely for data gathering rather than enforcement, and a web site that gives an infinite redirect error without express cookie opt-in (thus making citizens’ access to statutory legal information conditional), ICO are not looking like the standard-setters for the proverbial in a brewery, much less a role model for all of Europe to follow.
“..and it vandalises web sites at best and destroys web site accessibility at worst. The only people whose lives it seems to be making better are the people who know how to make money off it..” – This is one of those stupid EU laws that is going to get ignored, then go away. Ever heard of any one getting sued because their site was bad for screen readers?.. no, me either.
This morning I wrote directly to the External Communications Manager at the Information Commissioner’s Office regarding this scam. I asked her to clarify:
a) Why ICO has deliberately ignored communications about this issue
b) Why ICO has failed to issue an advisory to the public about the scam
c) What their communication strategy is regarding this scam and future scams which will inevitably arise as a result of their botched deployment of the EU Cookie Law within the United Kingdom.
I now give you her response in full.
Dear Heather,
Many thanks for your email and apologies for any delay in responding to your communications.
I can confirm that the ICO is aware of the matter and is taking action. An important part of our role is providing guidance to consumers, businesses and public authorities, and our helpline staff are fully briefed and able to advise anyone concerned.
The misuse of the Commissioner’s logo and contravention of any of the conditions set out in our copyright conditions is taken very seriously and is dealt with by our Central Legal Department.
I hope this information is useful.
So what have we learned from that?
One – ICO does not monitor inbound communications on social media or conduct any sort of brand reputation management. Today was the first day that any staff member from ICO has ever looked at this blog post, or any blog post I have written on the issue (thank you, cookie-less analytics).
Two – When it comes to cookie law scams, ICO are being strictly reactive. Her email suggests that if you phone them to clarify whether that call you got was legitimate, they’re happy to help. As for proactively monitoring for scams, they’re not doing that.
Three – ICO’s stance towards monitoring and evaluating the implementation of the law is being led with the same attitude they brought to pre-compliance instruction and guidance. Basically: they don’t have a clue, and we are on our own.
PC Pro has used Freedom of Information to uncover this amusing little nugget about ICO.
http://www.pcpro.co.uk/news/376354/ico-not-ready-to-probe-cookie-complaints
Could your business get away with project management like ICO has displayed, before, during, and after cookie law implementation? Could you? No, you’d have been out on your arse last year.
I wouldn’t describe them as scammers, but one or two of my clients have received, shall we say, rather grave emails from respectable firms – such as accountants and solicitors – warning of heavy ICO fines for failure to implement an ‘opt-in’ solution, even when those clients already have clearly linked cookie policy pages on their sites. Needless to say if the client took the bait they would be paying close to £1000 for consultants to implement an opt-in widget. As I say, these are well established companies: clients won’t have been following the detailed discussions web designers have been having on the cookie law, and I imagine many – not mine fortunately – have taken their warnings at face value, and gone ahead and paid out.
Speculative invoicing. There was a big case about that two or three years ago. Do I even need to get you to guess which government agency had to issue a judgement on it?