A Weak Ending

Hi,

Sorry I haven’t been in touch. Let’s recapitulate on events so far. My wife K. took out home-contents insurance with UIA Insurance a couple of years ago, in the names “K. —” and “J. —”. When it came to cancel the insurance, you refused to let my wife do so, saying there was a contract with both her and “J. —”, and that everyone on the insurance had to get in touch separately to cancel it. Shortly afterwards you took more money out of our account, because the direct debit was set up to automatically renew every year. I emailed UIA’s generic feedback email address, disparaging your pointless security theatre and voracious debiting; you ignored my email, replying instead by paper letter, explaining what we had already made clear to you we knew, and refunding the debit.

Thanks for the refund, but no thanks whatsoever for (a) not responding to my email correspondence in kind, leading me to reasonably assume for some time that everyone there must have died of swine flu or (b) crafting a response which manages to miss the essential faults in UIA’s security procedures and ignores some of the points I raised in my email. I would have replied to your letter sooner—although no particular reply was required—but as we were in the middle of moving house we had to ration the amount of time spent explaining things to simpletons.

First of all, let me explain the distinction between “security” and “security theatre” to you. Security theatre is essentially a set of complex and inconvenient procedures, established by people who have read the letter of, for example, compliance regulations, but don’t really understand the spirit of them, so that from a distance the measures look like real security. Typically they won’t actually address issues of security—some will even introduce extra “attack vectors” in the process, weakening the overall security of the system—but they will permit organizations to confirm with e.g. regulators that procedures have been put in place. They’re back-covering exercises, basically, put together to make the consumer’s life difficult so that companies can avoid any risk and make it more likely that people will just give up and give them money.

With that distinction in mind, let me pose a few questions:

  1. Is it UIA’s policy to not reply to emails with emails, if only to confirm that the email had been received and the communication was being escalated to print? Did it not occur to anyone there that it might demonstrate a basic level of human respect to just send a quick, non-automated email to me, rather than to give me the impression I was being utterly ignored for days? And given how anodyne your printed reply to me was, could it not have been sent over email anyway? Wouldn’t using email have meant that you’d have been less likely to ignore points I made, and was that actually the point of a printed letter?
  2. To our knowledge UIA has never had any direct communication with the person you know as “J. —”. I mentioned this in my email (or did I; but see later for that) but you conveniently ignored it in your printed reply; to reiterate, this means it’s not at all clear to me how you’ve established any kind of legal contract with them. How do you know they exist? How did they give their consent to enter into the contract? Nobody ever explained—on the phone, in your letter, and certainly not over email, which you seem incapable of using—what the contract consisted of, or how it was made with someone who never communicated with uIA directly. Can you confirm that no such document exists which establishes a contract with a real person? Does UIA regularly enter into legally binding contracts with people who might not exist?
  3. You received an email from someone at “j—@gmail.com”. On the basis of this email alone you cancelled a contract with a person who might not exist called “J. —”. As you claim UIA takes security seriously, how did you (a) establish that “j—@gmail.com” existed and was a real person, and (b) confirm to the satisfaction of all parties involved that “j—@gmail.com” was the same person as “J. —”? Was there in fact anything going through your brain at all, other than “oh, shit, we’ve got one here that won’t actually take our crap?”
  4. Given the above, what procedures does UIA have in place to prevent the following:
    1. “K. —” setting up a fake email address that looks like it might belong to “J. —”, and cancelling a contract using it?
    2. Anyone setting up a fake email address that looks like it might belong to “J. —”, and cancelling a contract using it?
    3. “K. —” asking any male acquaintance to contact UIA by telephone and pretending to be “J. —”, to cancel the contract?
    4. “K. —” waiting until she had a bit of a cold, then doing a deep voice and pretending to be “J. —”, to cancel the contract?
  5. Given how hard UIA made it for us to cancel our “contract”, and yet how easy they made it for us to accidentally give them more money, the only explanation for all of this which shows your company in a good light is that there exists an overarching and incredibly subtle security policy, hidden from mere mortals and your customer-proles, which ties all of this together, and somehow makes it not a ridiculous pile of security-theatrical tosh sketched in by people who don’t know actual security and contract law from a hole in the ground.

    However, in the absence of any evidence for this policy, I think I’m on safe ground if I assume that (a) UIA’s email policies exhibit insultingly bad netiquette in only replying to certain emails—ones from people who actually don’t take any crap—via a printed letter (b) UIA’s grasp of contract law is laughably weak and poorly understood internally beyond set procedures employed by human robots (c) UIA’s so-called security policies only exist to tick boxes and make it harder for the consumer to cancel their insurance, and not merely don’t prevent security breaches but introduce new and inventive ways for people to spoof identity. If you provide any evidence I reserve the right to publish it here in full, so that you might rebut these claims.

    Yours sincerely,

    Small Beds (or maybe I’m “J. —”, or maybe “j—@gmail.com”, or maybe all three, or none! How can you tell?)

    [edited 2010-01-18 to include the company’s name]

    Advertisements
This entry was posted in commerce, correspondence, dickheads, insurance, opinion, rants, society, technology. Bookmark the permalink.

One Response to A Weak Ending

  1. K says:

    Well said. The only word I would query is “accidentally [give you more money]”. It wasn’t accidental that they ended up with money we didn’t want to give them.

    Before the contract was due to expire, they had a call from me cancelling it. They told me that they needed separate confirmation from the other policyholder; I told them this would be on its way but he was a busy man who couldn’t spare infinite time for their bullshit, so they might have to wait a week or two.

    Then the contract expired, and they decided that a phone call saying “please cancel” from the person who set up the policy constituted “no evidence that you didn’t want to renew the contract”. So they chose to renew the policy without asking us first and they chose to inform us of that renewal in a letter. Sent to the wrong address. During a postal strike. They might as well have wrapped the letter round a dead toad and buried it at the crossroads for three weeks.

    I don’t blame them for the postal strike, but there was nothing accidental about them helping themselves to our money and hanging on to it until we kicked up a fuss.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s