More artificial stupidity

I was recently struck with another denial of service caused by bad assumptions in programming the rules underlying a business Web site.

The problem

I have used Pretty Good Privacy (PGP) since the days of Version 2.6.3; currently, I’m using Version 6. Because I strongly support PGP, I decided I would upgrade to Version 8 for the modest fee (about $40) listed on the PGP Web site: http://www.pgp.com

The problem was that PGP’s Web site is programmed so that customers can go through all the forms required to order and pay for a license for PGP, the credit card can be debited – and then the site can refuse access to the download if it cannot do a reverse-IP lookup on what it receives as the customer’s IP address.

The following message appeared on my screen when I clicked on the “download” button: “In accordance with current US Export restrictions, PGP 8.0 products may be downloaded by individuals throughout the world except those in the following countries: Cuba, Libya, Iran, Iraq, North Korea, Sudan, and Syria. If you are in one of these countries, you may not download PGP software.”

I was downloading from Vermont using my StarBand account. I tried again after disabling my firewall – no luck.

The customer service agent was very nice and obviously embarrassed about this situation and admitted that there are no measures in place for dealing with such a technical glitch. She diffidently suggested that I try to download the product again using a different ISP or Internet access point.

Some workarounds

I suggested that the company might deal with such glitches in several ways.

They could check the IP address BEFORE the user fills out all the forms and the credit card gets debited.

They should ask customers for strong evidence that they are in fact living in the U.S. For example, the company could use Caller ID to see the phone number of the caller who asks for help on this problem, and then cross-check to see that it matches the number given in the order and is in fact listed in a telephone directory (available online) as corresponding to that person’s name and address. They could also have the user send a fax from the appropriate U.S. fax machine phone line with a U.S. driver’s license showing the same address as the one used in the order.

They could also simply send the user a CD-ROM to the U.S. address listed in the order. They could even charge postage (although if I were in charge of customer service, I would not do so).

Lessons for Web designers

If you are in charge of design for your Web site’s e-commerce system, you might want to remember that the automated measures are for the convenience of your customers above all. Telling a customer to try troublesome methods to overcome an error in the assumptions of your system is not a reasonable approach to customer service. If an automated system cannot handle a particular exception, then be sure that you have prepared manual procedures that allow the transaction to be completed at minimal cost to the customer and reasonable cost to you. Otherwise you are likely to generate bad feeling and – sometimes – bad publicity that can cost you a great deal more than the costs of an occasional manual transaction.

Of course, I canceled the charge on my credit card. Someday (but not soon), I’ll try to order and download the product from my university access point and – if the university firewall does not conceal my IP address – maybe I’ll succeed in being allowed to give my money to these people in return for an upgrade to their product.

In the meantime, I’ll just continue using my PGP Version 6.5.8.