"We expect to deploy a new solution in the coming weeks which will address your concerns"
Translation: GDPR took us so completely by surprise that it's taken us a good 18 months to react to it.
A strong grasp of data privacy is key for anyone wanting a job at the UK's Information Commissioner's Office (ICO), according to the blurb on its microsite. Just one catch: the site itself enables hundreds of cookies – seemingly without consent. The gaffe was first spotted by a Reg reader who told us he'd never seen so much …
By "solution", I assume they mean some wanky so-called "consent" form, that probably actually won't work "properly" unless you permit third-party scripts and cookies (and which will still phone home to all of those third party sites: all that these lousy forms do, if they work at all, is tell the third-party spyware sites to "disregard" the information that they harvest about your id; I am sure that they are still collecting the information, regardless (I very much doubt that the tracking companies will actually have amended their back-end systems to not collect the data for that particular id as the tracking script gets called, as that would involve actual significant work on their part - far easier for them just to add an "ignore_me" field to their database instead?)).
That's not the solution. The solution is not to have any third-party spyware on the site in the first place.
It's a job application site: applicants will be submitting their CV or similar information, which contains a lot of personal data, much of which is also fairly confidential.
We know that sites such as Facebook start to analyse what you type, actually as you type: how can we possibly trust that any of the adware/spyware scripts running on the job application site are not only merely tracking your presence at a particular URI, but are also doing exactly the same thing ("to improve the relevancy of your advertising experience")? (It really would not surprise me if it turned out that Google Analytics scripts, and similar, also tap keyboard input in this way, too: has anyone ever audited those scripts to check what they really do?)
The only organisation who should know the details of what job applicants are uploading or typing into the website should be the ICO. It's bad enough that they are using a sleazy "recruitment agency" (is there actually any other sort?) to process applications.
Given their overall effectiveness is worse than a chocolate fireguard, I wasn't at all surprised either.
The day someone whose data has been spaffed gets a penny recompense, is the day I'll take the ICO as seriously as they fail to take themselves.
In the meantime, we all know that "data security" is a joke for the UK. Much like the Swiss navy.
Unless it's a big player and gets in the news they don't want to know. Instead, when you report companies they point you in the direction of the company you're reporting on, telling you to speak to them first.
But they are fucking ignoring reports hence going to the fucking ICO. After a few reports like that, I gave up reporting.
The "Japanese solution" then.
Meaning that back in the 1990s, we found the only way to get Japanese companies to secure their networks was to hand the details to Japanese media, who would happily mug the high ranking directors on national TV.
Contacting regulators or the admins would result in utter silence, or being blocked entirely.
There's enough media interest in GDPR breaching that ongoing public naming/shaming wouldn't go amiss - and the repeated opportunities for the ICO to avoid being interviewed would be telling all by itself.
Why do they need any advertising cookies?
Cookies that tell the site that I was the person who completed the previous page of the application form, I have no problems with that, and neither does the GDPR.
Cookies that let advertisers send ads along the lines of "I see you are looking for a job. Would you like to apply for a job as a money transfer agent laundering money for a phishing gang?" They can go in the hazardous waste bin.
Adverts on the job-finding site already know that piece of information and don't need cookies for it.
Adverts that those same advertisers plaster* over OTHER sites saying "I see you recently looked for a job, perhaps this pyramid scheme would interest you" can bugger off.
*with the consent of the site-owner.
When I use recruitment agencies, I expect my information to be handled with the utmost respect for confidentiality and privacy (don't laugh, I need to say this to develop my argument - and there are a few good recruiters). If that's done then the company can potentially get a decent commisson as a reward for a professional job. What in the name of all that's clueless were they thinking, deciding to use 100s of privacy busting tracking cookies to rake in a few extra quid on the back of web traffic? Hays do a lot of IT recruitment, and IT people are wise to why this sort of shit is bad, and I don't think that the few extra quid is going to compensate for the potential loss of custom from IT clients who might decide to give them a miss after reading about this story.
Certainly from where I sit in a completely different industry; it appears that many corners of the bigger players work to an ethic of promoting people to the Peter Principle and then promote them one more time for luck.
The problem is that with so many promotions, it is inevitable that there are also department moves, so a Head of Department has never done the job of either their management team or indeed of the rank and file troops.
So it does not take long for their young Graduate who (albeit not all grads can be tarred with the same magnum of Champagne) to be edicting absolute crap in the name of "I run the department."
Source: recently left one such department.
This matches my experience. It often shows up in subtle ways. IMO, countless man-hours are lost by such things as having to explain to higher-ups that the weekly report can't be printed in color on the department's B&W printer.... And having to explain this to the same higher-ups every week.
Sorry to use technical terms, but this is generally called "negligence". Under the GDPR (and lots of other legislation) outsourcing does not absolve from compliance with the law. If your outsource provides you with an unlawful service or product and you accept and deploy it, you're liable just as much as if you'd created it yourself. However in my professional experience most businesses (and here even a regulator) seem to believe they don't have to verify the legality of the services they subcontract.
"I have just discovered that the Information Commissioner's Office jobs microsite, which talks about the importance of GDPR and Data Privacy, and which is currently advertising the new Director of Regulatory Strategy role, sets approximately 204 advertising and tracking cookies, all without consent.
Does GDPR require people to set their browsers to "ask to accept a cookie"? Why do people insist that they have their browser "automatically accept cookies" when they are trying to force sites to ask? Clearly, sites are not always able to "ask for consent", so why are the browsers set to automatically accept? I have been seeing this setting in all my browsers for over two decades, so people saying they don't know about it is hogwash.
Ghostery reports 0 trackers, and Firefox reports only 2 cookies set by Hays.
Caveats:
1/ Javascript is switched off (my default, via add-on "JavaScript Toggle On and Off")
2/ I did not do a Before&After count of Total # of Cookies, so it may have set 3rdparty cookies