The Fox Report
Barry Fox’s technology column
A farcical system
W
hy do companies – like
the telecom giants – make it
look very easy to complain
about their goods and services, even
though the actual complaints process
can be grotesquely difficult? Because
they are under orders to do so.
Since 2015, UK businesses have been
bound by the Complaints Handling Rules
to offer customers the opportunity to
complain. Companies must tell customers that if they are not satisfied with the
outcome of a complaint, they can (after
eight weeks of trying and within six
months of failing) escalate matters to
the Legal Ombudsman, which was set
up in 2010.
Ofcom table
It all looks wonderful on paper. Early
this year, Ofcom, the body tasked with
controlling telecoms, published league
tables for complaints received about the
UK’s major home phone, broadband,
mobile and pay-TV firms.
The number of complaints, said Ofcom,
had fallen to ‘all-time low levels’ with
‘pay-monthly mobile complaints ... at
the same historically low level as the
last quarter.’ Fergal Farragher, Ofcom’s
Consumer Protection Director proudly
proclaimed: ‘Complaints have fallen to
a record low, and we expect providers
to keep working to achieve the highest standards.’ Perhaps it’s because the
complaints process can be a waking
nightmare of pass-the-buck confusion.
Working on the principle that a few
documented facts are worth a lorry load
of moans, I documented my experience of
using Ofcom’s complaints procedure. As
with my documented experience of trying to complain to the ASA (Advertising
Standards Authority) about smart meter
adverts (see last month) the documents
are available to anyone who has the clout
to act on them. Again, if anyone wants
to copy this article to their MP, feel free.
The essential basics
As previously reported in PE, I tried to
complain on two counts about mobile
provider Three. The company’s website
had continued to advertise its bargainpriced 321 Pay As You Go service (3p
per minute speech, 2p per text and 1p
per minute data) for at least three months
after prices were hiked fivefold.
When I used my password-protected
account with Three to query this, a series
of staffers in Three’s Customer Services,
apparently based in India and with very
poor ability to write understandable
English, repeatedly and incoherently
insisted on full disclosure of just the
kind of security sensitive PII (Personally
Identifiable Information) that the public
is continually warned against revealing.
Three was demanding (sic): ‘Password
that you have Set on the Account as
memorable place and memorable name.
As you can verify your account with
the password only, For security of your
account. So that we can help you get a
better outcome on the account. Three will
do its best to help you with a resolution.
We would need below detail so that I can
look into this query, please reply to us
with your: Password (Memorable name
or Memorable place)’
My reminders that I had only been able
to contact Three’s Customer Relations by
using my Account password fell on deaf
ears. So did my concern that employees
were requiring open email reveal of
Personally Identifiable Information (PII),
such as Mother’s Maiden Name. And so
did my attempts at reminding them that
once PII has been revealed it cannot be
changed, unlike made-up passwords
which can be endlessly changed.
This is of course why most companies
and banks now ask only for partially revealed PII. For example, when I recently
contacted telecoms company EE, the Help
Line requested: ‘For security, please can
I take characters 1 and 4 from your customer services password on the account?
Please do not supply your password in
full.’ That’s the way to do it, Three. Take
lessons from your competitors.
Executive decision
Using the recommended complaints
system, I pursued the matter through to
Three’s Executive Office, providing datestamped captures of Three’s out-of-date
web page and raising concern over Three’s
forced reveal of PII security data. Three’s
Executive Office claimed, ‘We have access to archives, and I have checked our
Die-cast enclosures:
standard and painted
Learn more: hammfg.com/small-case
More than 5000 standard stocked enclosure designs
uksales<at>hammfg.com • 01256 812812
10
Practical Electronics | October | 2022
website (and) see no reference to 321.
Is it possible this was on another site?’
Three’s Executive Office also supported
its Customer Relations demands for PII
personal data as ‘correct’ and ‘couldn’t
have been avoided. We ask customers
for two passwords and suggest these
should be a memorable name and place.
For now, this won’t change...there is (sic)
no shortfalls in our process’.
And so, to the Ombudsman
So, I took the officially recommended
next step and lodged a complaint with
the Telecoms Ombudsman, filing copies
of my correspondence with Three about
PII security, along with captures of Three’s
web site when it was displaying woefully
out-of-date pricing.
The Ombudsman does not communicate directly by email; correspondence
is posted on a secure noticeboard and
alerts sent by email. While the system
may be secure and easy to use for those
who use it every day, it is far from intuitive. Complainants are asked to upload
evidence in support of their case to this
online board. Bizarrely, the list of file
types that can be uploaded does not
include HTML web page captures. So,
the complainant must convert HTML
files to another format such as pdf, which
not only requires IT skill and specialist
software but also will often alter the date
of the capture, thereby undermining its
value as evidence.
Fortunately, some of my captures were
PNG files, which the Ombudsman’s system does accept. These show the capture
date – but only if someone knows the
simple method of revealing date metadata
(Right Click, File Information or Properties, Details).
Three told the Ombudsman: ‘We have
also checked our archive website and can
see no record that the incorrect prices
were advertised’.
The Ombudsman duly rejected my
complaint. The Investigative Officer
wrote: ‘You have provided screenshots
which have been copied and pasted from
Three’s website. These do not show the
date these were grabbed.’
Could it really be true that the Ombudsman does not know how to check
evidence file date metadata? The clue
may be in the way the Ombudsman’s
Investigative Officer then got himself in a
monumental muddle over the timescale
for filing an appeal against what looked
like a technically flawed judgment.
Pass the buck
After failing to respond to queries the
Investigative Office ‘extended the decision
Practical Electronics | October | 2022
window’ to a week earlier than the previously set deadline. I duly appealed the
Ombudsman’s decision, explaining how
to reveal the creation date of a graphics
file (JPEG or PNG). The Ombudsman then
reversed its decision, but on technicalities
rather than the main issues, saying only
equivocally ‘I find it more likely than
not that it (Three) failed to update the
information regarding its price change
in a timely manner’ and adding ‘we are
not able to impose any punitive fine or
punishment as this action is outside of our
remit and is the responsibility of Ofcom.’
The Ombudsman also backed Three’s
right ‘to request a password in order to
verify an individual’ – which was never
in dispute – adding that the Ombudsman
‘cannot conclude whether an act or omission of a business constitutes a breach of
the General Data Protection Regulations
(GDPR). This is for the ICO (Information
Commissioner’s Office).
Ofcom’s website also refers complainers to the ICO as well as the Telecoms
Ombudsman.
In fact, I had already complained to the
ICO as well as the Ombudsman. But –
again side-tracking onto an issue that was
never in dispute – the ICO brushed off PII
data concerns by saying ‘we can confirm
that the use of passwords for verification
purposes is industry wide and is not a
breach of the data protection framework.
We suggest you contact the Ombudsman
Service (as the most appropriate regulatory body) for further advice.’
So, the Ombudsman is referring complainants to Ofcom and the ICO, and
Ofcom is referring them to the Ombudsman and the ICO, while the ICO is
referring them to the Ombudsman. You
couldn’t make it up. Actually, yes you
could, if you were writing a Yes Minister
script (https://en.wikipedia.org/wiki/
Yes_Minister). I also filed a complaint
with the ASA about Three’s out-of-date
advertising. This triggered a request by
the ASA for permission to identify me
to Three as complainant, which I gladly
gave. But then – in line with the ASA’s
(previously described) new streamlined
and customer-unfriendly procedure – I
heard nothing further and was left to
guess that someone, somewhere deep
inside the ASA did not think the issue
was worth pursuing.
Make a non-apology
The Ombudsman had reversed its decision on technicalities, so Three was told
to apologise. I had asked for Three ‘to
acknowledge mistakes, apologise and
make a donation to an agreed apolitical charity.’ The apology which Three
offered contained no admission of any
mistakes made and no commitment to
make any changes, such as employing
Customer Relations staff who are competent in the English language and stop
requiring customers to compromise their
data security by revealing PII secure
data even after successfully entering
their password.
I quote Three’s offered apology: ‘I’m
sorry for the issues you had .... This will
be used for feedback into the business to
prevent further instances of this’.
You may think this inconsequential
cotton wool does not add up to a meaningful ‘apology’. But the Ombudsman
thinks otherwise and confirms it ‘meets
the remedy requirements.’ For the sake
of completeness, so that I would have
fully documented evidence to show
Ofcom, I used the Ombudsman’s own
complaints system to complain about the
Ombudsman’ handing of my complaint.
Curiously, this process is conducted by
conventional email, so is far easier to
use. The Ombudsman’s Senior Customer
Complaints Executive decently offered
a ‘sincere apology’ and admitted that
the Ombudsman ‘could have handled
things better’. The Ombudsman also
says it will now investigate its inability
to accept HTML evidence. You may perhaps wonder why it needs a journalist
to tell the Ombudsman’s IT people that
if it is investigating complaints about
websites, it should be able to accept
HTML files as evidence. To tie things
up, I asked Ofcom’s Fergal Farragher
whether he has ever actually tried using
his telecoms complaints system himself,
and whether he would like to see my
carefully documented experience of
what happens when real-world people
try to use it. Despite reminders, Ofcom’s
Fergal Farragher never got back to me
and no-one at Ofcom has asked to see the
detailed evidence which shows what a
Mad Hatter’s pantomime its complaints
system is in practical reality.
But soon after my ignored offer, Ofcom’s
designated Consumer Protection Director
– still Fergal Farragher – issued another
public assurance that, ‘the overall level
of complaints has been consistently low
over recent months’.
And Ofcom still misleadingly refers
to ‘the number of complaints made to
Ofcom’ when in the same breath Ofcom
says crystal clearly that ‘Ofcom cannot
resolve individual complaints, you should
complain to your provider first (and) if
you are unhappy...take the complaint to
an independent ombudsman’. It’s another
of those ‘you couldn’t make it up’ farces
which UK officialdom does so well.
11
