Press "Enter" to skip to content

Tag: rant

“We take your privacy very seriously”

….says the intrusive ‘cookie consent’ popup which requires me to navigate through various pages, puzzle out the jargonerics and fiddle with settings before I can access the content I actually want to read on the site.

Here’s the thing. If your website is infested with trackers, if you are passing my data on to third parties for profiling and analytics, if your privacy info gets a full Bad Privacy Notice Bingo scorecard, then you DON’T take my privacy seriously at all. You have deliberately chosen to place your commercial interests and convenience over my fundamental rights and freedoms, then place the cognitive and temporal burden on me to protect myself. That’s the opposite of taking privacy very seriously, and the fact that you’re willing to lie about that/don’t understand that is a Big Red Flag for someone like me.

If you really took my privacy very seriously, you would use an analytics tool that doesn’t feed a huge surveillance behemoth – for example, Matomo instead of Google Analytics or Quantcast. Or just focus on producing high-quality, navigable content that makes me want to interact with you more without any of that stalkertech.

Your approach to consent would be discreet and respectful, allowing me to enable specific functionalities as and when they are needed, rather than demanding my attention immediately and trying to grab consent for everything straight away. Consent has to be obtained before cookies/trackers are placed/read, yes – but that doesn’t mean you should try and set as many of these as possible as soon as I land on your page.

There are several ‘consent management’ solutions popping up (literally) all over the place, interrupting people’s reading, rendering badly on mobile, requiring lowering of privacy protections to interact with, some even operating in a way which is contrary to law in the first place (I’m looking at YOU, website operators who remove the ‘Reject All’ button from the Quantcast dialogue). Everyone moans about cookie banners and consent dialogues, regarding them as an unwanted intrusion and a pain in the butt. They are both. But here’s the thing – the problem isn’t that site operators are required to inform you about tracking/profiling/mucking about with data on your device, the problem is that this is done at all – on such a large scale by so many and without accountability. Behavioural advertising, demographically-targeted marketing, personal profiling – all these are by nature, inimical to fairness, individual rights and freedoms. There’s a huge industry beavering away in the shadows trying to quantify and categorise and manipulate us for profit; and an even vaster network of ‘useful idiots’ capturing and feeding them the data they grow fat upon. Your data. My data. Your website? Your app?

Now, I accept that this is how much of the world works these days, even though I really don’t like it. I continue to campaign for change by supporting organisations such as the Electronic Frontier Foundation, Privacy International, NOYB, Liberty and the Open Rights Group, by giving professional advice based on ethics as well as risk and technicality (and making it clear which are which) and by doing as much work on educating the general public as I can spare time and energy for. I understand market[ing] forces. What I can’t bear is the slimy, self-justifying PR bullshit that’s spread like rancid butter over the surface of ‘compliance’.

Like saying “we take your privacy very seriously” while actively supporting an ecosystem which is privacy-hostile at best and privacy-abusive at worst. Like saying “we take your privacy very seriously” and then using meaningless copypasta template privacy info which bears no relation to the processing at hand. Like saying “we take your privacy very seriously” and not even bothering to take elementary precautions to limit or protect the personal data being snorted up at every turn.

One lesson I learned from my infosec days is one of distrust – the most likely time for you to hear or read “we take the security of your data very seriously” is in panicked press releases after an avoidable breach of that very data has occurred. Anecdotal, of course, but I see a very strong inverse correlation between loud blustering about how seriously security/privacy is taken, and how rigorously this is actually implemented. Its become a bit of a shortcut to analysis – anyone who feels they have to squawk about it probably shouldn’t be trusted to be actually doing it.

 

When you don’t “take privacy very seriously”, no amount of gaslighting PR camouflage is going to be a convincing substitute. So maybe just stop saying it eh? No-one believes you anyway.

It’d be so refreshing to see a statement like “There is often a compromise to be made between individual privacy and commercial advantage. We do it like this because it is more [cost]-effective for us to achieve our business objectives, even though it may have an impact on you. Here is all the stuff that the law says we have to tell you:…”. A while back, a bunch of privacy nerds were having fun with the #HonestPrivacyInfo hastag on Twitter – while amusing; this is also worth a read because many of the examples are actually much more transparent and accurate than anything you’ll read in a company’s official ‘privacy policy’.

Just be warned….if you’re going to claim you take my privacy seriously, then I will require you to demonstrate that. And I will make a fuss if you don’t.

Bad Privacy Notice Bingo!

Snark attack!

Having spent many, many hours reviewing privacy notices lately – both for the day job and for my own personal edification – I’m discouraged to report that most of them have a long way to go before they meet the requirements of Articles 13 and 14 of the GDPR, let alone provide an engaging and informative privacy experience for the data subject.

Because I am a nerd who cares passionately about making data protection effective and accessible, but also a sarcastic know-it-all smartarse, I created this bingo scorecard to illustrate the problems with many privacy notices (or “policies” as some degenerates call them) and splattered it across social media. Hours of fun.

Bingo scorecard showing things that don't belong in a privacy notice

I am not just about the snark

However, I am also a geek who would much rather there was no need for my hissy fits of piss-taking and so in that spirit, I shall deconstruct here; why the items on the bingo scorecard are Bad Things to find in a privacy notice.

Bad Things

“We may….”

A privacy notice is a communication that needs to convey useful information, not a guessing game. If you say you ‘may’ do something, I’m left in the dark as to whether you’re actually doing it to MY data, and when that might be, if so. If you’re going to do something, say you do it. If you’re going to do something but only under particular circumstances, then describe those circumstances. If you’re not going to do it, don’t even mention it.

“Personally Identifiable Information”

This is not the same thing as personal data, it’s a subcategory of personal data. When I see this in a privacy notice, it immediately says to me that either the organisation is either oblivious to the premise and requirements of EU privacy law, or that they are trying to pull a fast one by doing all kinds of stuff with de-identified personal data that they don’t want me to know about. More about the differences between “PII” and ‘personal data’ here:

“EU citizens”

You will not find the word “citizens” anywhere in the text of the GDPR. Feel free to do a search on the text if you don’t believe me. That’s because data protection rights are human rights, and residency status is not a variable for ascertaining humanity. It’s about data subjects located in the EU, Data Controllers carrying out activities in the EU or Data Controllers who are offering goods and services to people located in the EU, or who are monitoring the activity of people located in the EU. People. Not just citizens. If a citizen of the EU goes to a third country, they lose the protection of EU law.

“by <….>, you consent to this processing”

Consent must be informed, freely-given, specific and unambiguous. That means the data subject needs to take some kind of positive action to indicate their consent to processing which has been described to them, in circumstances where they have a genuine choice and where the consent for processing is not tied to an unrelated activity. By browsing a website and reading the privacy notice, I consent to……nothing at all. By wearing my socks on my ears, I have nice warm ears and look a bit daft but am still not consenting to anything at all.

If I were to provide my email address on a company’s website to enter into a prize draw, I would be consenting to having my email addressed used to select and notify the winner of the prize and that’s all. If the company wants to use my email address to send me marketing then they have to get entirely separate consent from me to do so.

More about consent for data processing here:

“General Data Protection Regulations

Just one Regulation. A big beast, to be sure – but a singular one. If an organisation can’t even get that right, what are the chances that they’ll be paying proper attention to what it actually says? Not great, I reckon.

ICO logo

You’re not allowed to use the ICO’s logo without their permission. If a website owner uses the ICO’s logo without permission then they are acting unlawfully by breaching copyright. If they are willing to act unlawfully in regard to intellectual property, what makes you think they will be any more ethical or diligent about processing your personal data, eh? At best, they are clueless. At worst, they are being deliberately deceptive. Either way, their privacy notice is not to be trusted and neither are they.

Refers to the DPO as the “Data Controller”

A Data Protection Officer is an individual who performs the functions described in Articles 37-39 of the GDPR for an organisation (either in-house or on an outsourced basis). A Data Controller is the organisation which determines the purpose and means of the processing of personal data. Even if the Data Controller is a sole trader, there would probably be a conflict of interest disqualifying them from being the DPO anyway (there’s one for the DP geeks to gnaw on). If an organisation doesn’t even know the difference between DPO and Data Controller, then the chances of them knowing enough about data protection obligations and rights to be able to process your personal data fairly and lawfully, are pretty slim.

“We keep your personal data as long as necessary”

See also; “as long as required by law”. More guessing games. How long is that then? Unless it’s something outrageous, unexpected or high-risk; why even bother to tell me about it? What is “necessary” and how do you justify it?

Oh, and if you’re saying there’s a law that requires you to do something with my personal data, please cite that actual law. Making a statement saying “we comply with the law” gets you no Brownie points – the whole point of the law is that you have to comply with it. You might as well make sure you say “We don’t chop off annoying people’s heads with axes” too.

One loooooong page/doc

The harder it is for me to read your privacy information, the more likely it is that I will suspect you’re up to no good and make the effort to scrutinise it. Now, that’s just me because I’m a suspicious-minded nitpicking smartarse, but even for people who don’t spend their leisure time examining privacy notices, the point of the whole exercise is – as I mentioned above – to effectively communicate information to people about what’s going on in relation to their personal data. The GDPR even says in Recital (39) that “The principle of transparency requires that any information and communication relating to the processing of [..] personal data be easily accessible and easy to understand”. Making me scroll through acres of dense small print until my brain turns to mulch, is basically doing the opposite of what the GDPR requires.

(NB: If you want to see an absolutely beautiful privacy notice, have a look at this. Seriously. It’s the best bit of UX I have ever seen. I am a little bit in love……and probably need to get out more)

“From time to time…”

This is a phrase which conveys absolutely nothing in the way of useful information. Which times would those be? 3 times a year? Once a week? Under what circumstances? Every time I [example redacted in the interests of good taste and public decency]?

It reeks of ‘we couldn’t be bothered to think about this too hard’….or even ‘we daren’t tell them what’s really going on’. Either way – not a good look. A waste of pixels/printer ink.

Lists purposes separately to legal basis

This might keep auditors happy when they review your privacy notices so they can tick the ‘Article 13 requirements” boxes, but unless there is a clear narrative for the data subject to follow in relation to their personal data; it’s not actually going to meet the obligations of transparency. I want to know what’s happening with my data, under which circumstances, and why you think that’s allowed. Separate lists will not allow me to do that. Tell me that you’re going to use my postal address to send me news about your latest offers and that you reckon this is in your legitimate interests. Tell me that you have to keep Gift Aid declarations for 6 years because the Tax and Finance Act (or whatever) says you have to. Don’t tell me that there are a number of potential purposes for processing my personal data then make me have to try and figure out which one of the potential legal basis you’ve listed somewhere else is being used to justify the processing activities that you’ve described in yet a third separate list. Not transparent. Not helpful.

“administration purposes”

Administration is an activity not a purpose. It is not an end unto itself. No-one gets up in the morning and goes “ohhh, my whole reason for living is to administrate!” What is the administration activity and why is it being carried out? Perhaps you need to make sure my contact details are up to date so that you can chase me for my membership dues, which are a requirement of my agreement with you. Maybe you need to make sure that your event tickets are not sold to more people than the venue can accommodate. Obviously, there are some legal obligations your organisation must fulfil. So please tell me about them rather than skulking behind the diaphanous skirts of “administration”

“including, but not limited to….”

If it’s worth mentioning, it’s worth telling me all of it. Examples are helpful but they do not replace the legal obligation to describe the processing, the purposes and the legal basis for the processing. If your organisation doesn’t actually know what you’re going to do with my data then I don’t want you to have it. If you know but you’re worried about telling me, then I really don’t want you to have it!

Looks and sounds like a contract.

Privacy information, a privacy notice or privacy policy (if you must) is not a legally-binding agreement. It’s not a deed or a contract. It’s a piece of marketing material that just happens to need to be scrupulously honest as well. A good privacy notice not only has to make you feel OK about how your data is being used (while not obfuscating, concealing or outright lying), it should make you want to read it because it is helpful and engaging! Privacy notices written by lawyers hoping to outsmart other lawyers are easy to spot – they’re the ones you’d rather scoop your eyes out with a spoon than spend any time reading (unless – perhaps – you’re THAT kind of lawyer). And don’t event get me started on the American convention of PUTTING REALLY IMPORTANT STUFF IN CAPITAL LETTERS OSTENSIBLY TO ‘DRAW ATTENTION TO IT’ BUT THEREBY RENDERING IT UTTERLY INCOMPREHENSIBLE TO ANYONE.

“Military-grade encryption”

Oh, do piss off.

Encryption is a tool to mitigate a particular type of risk. It is not always the appropriate tool and like any other tool, is only as good as the implementation and competence of the people using it. You could be using 3DES to protect the negotiation for your public key exchange, with your own CA in a bulletproof box, but if your sysadmin’s password is “Password” or you’ve mixed up your public and private keys, then you wasted a lot of time and money (rather like buying a rocket launcher then using it to bash your own head in).

If you couldn’t make head or tail of that last paragraph, then don’t worry – the people who write “military-grade encryption” into a privacy notice don’t know what any of it means either.

“We take data protection very seriously”

See previous comment on boasting about not axe-murdering people.

In conclusion

A privacy notice isn’t there to cover your arse. Yes, it’s a legal requirement but the purpose of that is not simply to make you jump through hoops like a Peke at Crufts. The purpose of the legal requirement to provide privacy information is not to give you something to point to to tick off the ‘transparency’ principle, it is the transparency principle. The data subject has the right to be informed. If all you’ve done is obfuscate, bore, deceive or puzzle them then you have achieved the exact opposite of what GDPR requires and must now go all the way back to the beginning and start redrafting your privacy info.

 

GDPRubbish

Unless you’ve been living under a rock, you’ll have noticed that there are lots of people talking about GDPR – which is a good thing.
However, there is lots of nonsense being talked about GDPR – which is a bad thing.
My Twitter timeline, LinkedIn feed and email inbox are being deluged with advertising for GDPR compliance “solutions” and services – which is fine as long as the product in question is treated as a tool in the toolbox and not a magic instant-fix-in-a-box spell for instant transformation
Based on some of the twaddle I’ve seen being talked about GDPR lately, and my own experience in supporting data protection within organisations, here is a list of markers which, should they appear in an article, advertisement or slideshow, should be a warning to treat the rest of the content with a hefty pinch of salt.
  1. Banging on about fines. Yes; there is a big maximum fine. No, it’s unlikely to be enforced except for the most egregious cases of reckless negligence. The ICO has never levied the maximum penalty for any breach ever. Based on the evidence available, fines alone are not really a convincing justification for compliance.
  2. Obsessing about consent. Consent is only one of a number of possible legal basis for processing of personal data. It may not the most appropriate, desirable or “compliant” basis to select and insisting on consent where there is a statutory or contractual requirement for processing personal data; or where the individual has no real choice whether to give consent may result in “unfair processing” which could draw regulatory enforcement or litigation.
  3. Focusing on infosec and infosec tech. Information security (the “confidentiality and integrity” principle) is just 1 of 7 principles and doesn’t even start to fulfil obligations around rights or fairness. While it is important, focusing on infosec to the exclusion of the other principles is just as likely to cause serious problems as forgetting it altogether.
  4. Claiming that encryption is a mandatory requirement. Yes, it is mentioned specifically in a few places (Recital 83, Article 6, Article 32, Article 34) it is referenced as an example of a tool with which to mitigate risk. Whether you need it depends on the “scope, nature and context” of processing. Just having encryption will not make you “compliant” and not having encryption on ALL TEH THINGS will not mean that data is at risk of exposure.
  5. Making it all about “compliance”. A finding of “compliance” in an audit is merely a snapshot of a point in time, assuming that the audit itself was sufficiently robust. A compliance-focused attitude often leads to ‘gaming the system’ (as anyone who has ever had an argument about scoping for PCI-DSS or ISO2700x can attest). Ticking boxes does not produce the intended outcome on its own -the paperwork must match reality. GDPR requires your reality to uphold principles, obligations, rights. If you’re not doing this in practice, no amount of audit reports, certificates or checklists will save you when it all goes wrong. Think “maturity” and “assurance”, “quality” and “effectiveness” rather than “compliance”
  6. Insisting that only lawyers can be DPOs. There are some very good data protection lawyers out there in the wild, but an awfully large majority of lawyers who know almost nothing about privacy law. There are many experienced and competent data protection professionals who know privacy law inside-out but do not have a law degree. The only reason for insisting on having a lawyer as a Data Protection Officer or DP Lead is if the lawyer is *already* a DP specialist with business, communications & technical skills. The “lawyer” part is incidental.
  7. Marketing GDPR stuff by breaching other laws (PECR) or in breach of DPA/GDPR itself (were you given a privacy notice about the use of your information for marketing purposes? Is it a fair use of your personal data?)
  8. Calling it the “General Data Protection Regulations”. Seriously, people. It’s Regulation (EU) 2016/679, singular (even though there is a lot of it).
OK, those are the “approach with caution” signs. But how to find good advice on GDPR? Here’s some advice for spotting people who probably know what they’re talking about:
A competent privacy practitioner will tell you
  • There is no magic spell; time, effort, decision-making and resources will be required to adapt to GDPR requirements
  • There is no single tool, audit framework, self-assessment template, cut-n-paste policy or off-the-shelf training module that will make you “compliant”. You need to address systems, process AND culture at all layers and contexts.
  • Records management is just as significant as infosec (if not more so)
  • It’s not about paperwork – it’s about upholding fundamental human rights and freedoms (OK, that last one might be a step too far for many DP pro.s, but it is significant both to the intent and the implementation of GDPR.)
A few more handy tips for your Privacy Team lineup
Domain-specific knowledge is vital and valuable – but remember that specialists specialise, and so it is unlikely that someone who has only ever worked in one area of information governance (e.g. information security, records management) or context (HR, marketing, sales) will be able to address all of your GDPR needs.
The same consideration applies for lawyers – commercial, contract and general counsel-type lawyers are probably not as familiar with privacy law as with their own areas of expertise.
In summary, to find good GDPR advice, you should:
  • Get a rounded view
  • Consider risks to individuals’ privacy not just organisational impact
  • Instil and maintain privacy-aware culture and practices
  • Be deeply suspicious of any/all claims of one-stop/universal fixes

Human Error

To err is human…..to forgive, divine..

…(but to really screw things up, you need a computer….!)

One can’t help noticing a recurring theme in the spate of data breach news reports these days. The phrase “human error” is coming up an awful lot. I’d like to take a closer look at just what that phrase means, and whether it is at all a helpful description at all.

What do you think when you hear that something happened due to a “human error”? Do you think “aww, the poor person that made a mistake; how awful for them, I hope someone gives them a hug, a cup of tea and consolation that humans are fallible frail creatures who can’t be expected to get stuff right all the time” or do you – like me – think to yourself “h’mm, what this means is that something went wrong and that humans were involved. I wonder whether systems, processes and training were designed to robustly identify and mitigate risks, whether management support and provision of resources were adequate and whether this is just a case of someone getting unlucky while dodging around policies in a commonly-accepted and laxly-monitored way”

Premise; I fully believe that the statement “the breach was down to human error” is a total copout.

Why?

Let’s start with “error”. The dictionary definition says:

  1. A mistake
  2. The state or condition of being wrong in conduct or judgement
  3. A measure of the estimated difference between the observed or calculated value of a quantity and its true value

The first definition is probably the one that is called to mind most often when an occurrence is described as an “error”. Mistakes are common and unavoidable, everyone knows that. I believe that the phrase “human error” is used consciously and cynically to create the perception that information incidents are freak occurrences of nature (rather like hiccups or lightning) about which it would be churlish and unkind to take umbrage; and unreasonable to demand better.

But in my humble and personal opinion, (based on nothing more than anecdote and observation) the perception thus created is a false one – in fact, breaches that occur solely as a result of genuine mistakes are rare. Even if a “oops” moment was the tipping-point; the circumstances that allowed the breach to take place are just as significant – and usually indicate a wider systemic failure of risk management which could – and should – have been done better.

Risky behaviour that leads to a breach though, is not usually a sincere mistake – it is either a calculated decision of the odds, a failure to understand the risk or ignorance of the possibility that a risk exists. Risky behaviour is *not* an unavoidable whim of Mother Universe (setting aside the philosophical implications, otherwise we’ll be here all day), but the output of a deliberate act or decision. We should not regard ‘risky behaviour which led to a realisation of the risk and unwanted consequences’ in the same way that we do ‘inadvertent screwup due to human frailty’ and to lump them together under the same heading of “human error” does a disservice to us all, by blurring the lines between what is forgivable and what we should be demanding improvements to.

The human bit

Since we’re not yet at the stage of having autonomous, conscious Artificial Intelligence; it must follow therefore that errors arising from any human endeavour must therefore always be “human errors”. Humans design systems, they deploy them, they use (and misuse) them. Humans are firmly in the driving seat (discounting for the moment that based on the evidence so far, the driver is reckless, probably intoxicated, has no concept of risk management and is probably trying to run over an ex-spouse without making it look obviously like a crime). So; whether an information security or privacy breach is intentional, inadvertent or a state in which someone got caught out doing something dodgy, describing the cause as “human error” is rather tautological and – as I’ve noted above – potentially misleading.

I believe that the phrase “human error” is a technically-accurate but wholly uninformative description of what is much more likely to be better described as human recklessness, human negligence, human short-sightedness, human malice or simple human incompetence. Of course; no organisation is going to hold their hands up in public to any of that, so they deploy meaningless platitudes (such as “we take data protection very seriously – that’s a diatribe for another day!), of which “the breach occurred due to human error” is one.

Take for example, the common ‘puts all addresses in the To: field of an email instead of BCC’ screwup which was the cause of an NHS Trust being issued with a Civil Monetary Penalty after the Dean Street clinic incident in 2015. Maybe the insertion of the email addresses into the wrong field was down to the human operator being distracted, working at breakneck speed to get stuff done, being under stress or simply being blissfully unaware of the requirements of data protection law and email etiquette. But they should not carry all of the culpability for this incident – where was the training? Where were the adequate resources to do all the work that needs to be done in the time available? Most of all, where the hell was the professional bulk-emailing platform which would have obfuscated all recipient emails by default and therefore be a much more suitable mechanism to send out a patient newsletter? (provided of course, that the supplier was carefully chosen, UK-based, tied to appropriate Data Processor contract clauses and monitored for compliance…etc etc). The management would seem to have a lot more to answer for than the individual who sent the email out.

So the next time you read of a data breach, privacy abuse or in fact, any other type of incident at all, and see the phrase “human error”, stop and ask yourself: “What was the error”? Was it lack of appropriate training for staff? Cutting corners to cut costs? Failure to provide the appropriate tools for the job? Mismatch between the outputs demanded and the resources provided to deliver them? None of these are inevitable Acts of Nature, the way that occasional “Oops” moments would be.

And as long as organisations are allowed hide behind the illusion of unavoidability; the less likely they are to tackle the real problems.

How To Not Be An Arse

(a.k.a the futility of compliance-for-the-sake-of-it programmes)

Imagine there was a law* that says “don’t be an arse to other people” which contains a list of 8 general requirements for avoiding arse-ness, including (among others) “be fair”, “be honest”, “don’t be reckless or negligent” and “don’t deny people their rights”.

Then hundreds of thousands of hours, billions of beer tokens and litres of sweat from the brows of assorted lawyers and auditors later; there were produced a number of standards and frameworks, guidance documents and checklists for helping everyone to ensure that whatever they’re doing, they’re avoiding being an arse.

At which point, everyone’s efforts get directed towards finding some technical way to acquire a clean, shiny glowing halo; ticking all of the boxes on the checklists, generating reams of ‘compliance’ paperwork, churning out Arse Avoidance Policies…….but actually ending up as almost *twice* as much of an arse because despite all of the shouting and scribbling and hymn-singing, what they are actually doing on a day to day basis looks remarkably arse-like (despite being called a “Posterior-Located Seating and Excretion Solution”; not the same thing at all) – since as it turns out, arsing around is lucrative and being well-behaved is not so much.

And then the questions is no longer “how do we avoid being arses” or even “what do we need to do to make sure we are not accidentally not arses?” but becomes “what is the bare** minimum we have to do in order not to appear to be arses?”

And that becomes the standard that (nearly) everyone decides to work to, writing long, jargon-filled statements explaining “why we are definitely not arses at all”, insisting that you must all complete a mandatory, dry-as-dust, uninformative half-hour “Anti Arse” e-learning module once a year (and calling it a “training programme” – hah!), hiring armies of lawyers to define the boundaries of “arse” and generally forgetting what it was that the law was trying to achieve in the first place. All of that costs quite a lot of money and – surprise surprise – doesn’t actually fulfill the intent of the law in the first place.

If you have to hide, obfuscate or misdirect from what you are really doing, then it’s quite likely that you are not achieving compliance with the law, no matter how much paperwork you generate or how shiny your halo looks.

It’s quite simple……just don’t be an arse.

 

(*in case you didn’t get it; that would be the Data Protection Act…..)

(**yes I had to get a ‘bare’ reference in there somewhere)

WARNING - this site sets cookies! Unfortunately, I am unable to disable some of the inbuilt tracking without killing the site content. tell me more

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.

Close