Sorry I haven’t been in touch. Let’s recapitulate events so far. My wife K. took out home-contents insurance with UIA Insurance a couple of years ago, in the names “K. —” and “J. —”. When it came to cancel the insurance, you refused to let my wife do so, saying there was a contract with both her and “J. —”, and that everyone on the insurance had to get in touch separately to cancel it. Shortly afterwards you took more money out of our account, because the direct debit was set up to automatically renew every year. I emailed UIA’s generic feedback email address, disparaging your pointless security theatre and voracious debiting; you ignored my email, replying instead by paper letter, explaining what we had already made clear to you we knew, and refunding the debit.
Thanks for the refund, but no thanks whatsoever for (a) not responding to my email correspondence in kind, leading me to reasonably assume for some time that everyone there must have died of swine flu or (b) crafting a response which manages to miss the essential faults in UIA’s security procedures and ignores some of the points I raised in my email. I would have replied to your letter sooner—although no particular reply was required—but as we were in the middle of moving house we had to ration the amount of time spent explaining things to simpletons.
First of all, let me explain the distinction between “security” and “security theatre” to you. Security theatre is essentially a set of complex and inconvenient procedures, established by people who have read the letter of, for example, compliance regulations, but don’t really understand the spirit of them, so that from a distance the measures look like real security. Typically they won’t actually address issues of security—some will even introduce extra “attack vectors” in the process, weakening the overall security of the system—but they will permit organizations to confirm with e.g. regulators that procedures have been put in place. They’re back-covering exercises, basically, put together to make the consumer’s life difficult so that companies can avoid any risk and make it more likely that people will just give up and give them money.
With that distinction in mind, let me pose a few questions:
- Is it UIA’s policy to not reply to emails with emails, if only to confirm that the email had been received and the communication was being escalated to print? Did it not occur to anyone there that it might demonstrate a basic level of human respect to just send a quick, non-automated email to me, rather than to give me the impression I was being utterly ignored for days? And given how anodyne your printed reply to me was, could it not have been sent over email anyway? Wouldn’t using email have meant that you’d have been less likely to ignore points I made, and was that actually the point of a printed letter?
- To our knowledge UIA has never had any direct communication with the person you know as “J. —”. I mentioned this in my email (or did I; but see later for that) but you conveniently ignored it in your printed reply; to reiterate, this means it’s not at all clear to me how you’ve established any kind of legal contract with them. How do you know they exist? How did they give their consent to enter into the contract? Nobody ever explained—on the phone, in your letter, and certainly not over email, which you seem incapable of using—what the contract consisted of, or how it was made with someone who never communicated with UIA directly. Can you confirm that no such document exists which establishes a contract with a real person? Does UIA regularly enter into legally binding contracts with people who might not exist?
- You received an email from someone at “j—@gmail.com”. On the basis of this email alone you cancelled a contract with a person who might not exist called “J. —”. As you claim UIA takes security seriously, how did you (a) establish that “j—@gmail.com” existed and was a real person, and (b) confirm to the satisfaction of all parties involved that “j—@gmail.com” was the same person as “J. —”? Was there in fact anything going through your brain at all, other than “oh, shit, we’ve got one here that won’t actually take our crap?”
- Given the above, what procedures does UIA have in place to prevent the following:
  - “K. —” setting up a fake email address that looks like it might belong to “J. —”, and cancelling a contract using it?
  - Anyone setting up a fake email address that looks like it might belong to “J. —”, and cancelling a contract using it?
  - “K. —” asking any male acquaintance to contact UIA by telephone and pretending to be “J. —”, to cancel the contract?
  - “K. —” waiting until she had a bit of a cold, then doing a deep voice and pretending to be “J. —”, to cancel the contract?
Given how hard UIA made it for us to cancel our “contract”, and yet how easy they made it for us to accidentally give them more money, the only explanation for all of this which shows your company in a good light is that there exists an overarching and incredibly subtle security policy, hidden from mere mortals and your customer-proles, which ties all of this together, and somehow makes it not a ridiculous pile of security-theatrical tosh sketched in by people who don’t know actual security and contract law from a hole in the ground.
However, in the absence of any evidence for this policy, I think I’m on safe ground if I assume that (a) UIA’s email policies exhibit insultingly bad netiquette in only replying to certain emails—ones from people who actually don’t take any crap—via a printed letter; (b) UIA’s grasp of contract law is laughably weak and poorly understood internally beyond set procedures employed by human robots; and (c) UIA’s so-called security policies only exist to tick boxes and make it harder for the consumer to cancel their insurance, and not merely don’t prevent security breaches but introduce new and inventive ways for people to spoof identity. If you provide any evidence I reserve the right to publish it here in full, so that you might rebut these claims.
Small Beds (or maybe I’m “J. —”, or maybe “j—@gmail.com”, or maybe all three, or none! How can you tell?)
[edited 2010-01-18 to include the company’s name]