Monday, June 8, 2020

Update on the Federation of Blenheim Road and Coed Eva Schools

Important update on the Federation of Blenheim Road and Coed Eva Schools' response to corruption allegations

Legal Notices

Written June 7th, 2020

I have yet to hear from Mr. Paul Keane, but I am pleased to report that in response to my letter to him on May 22nd, the Federation has updated the school's website content, shining a little more light on the relationships between the subjects of this blog's allegations and giving us all a good opportunity to brush up on our IT skills...

The Board of Governors Reshuffle?

This is a rather dry video of me scrolling through a hard copy of the schools "Meet the Governors" page saved on my phone as it appeared on May 12th 2020, the earliest date we know Mr. Keane was aware of the allegations made in Part One, and as is identical to a hard copy of the page saved on April 27th, the day before Part One was published. Please don't be alarmed - the background noise is coming from our budgie, and not me.

As of those dates, the page listed the school's governors as including Natalie Hopkins, a strong factor in my decision to make the allegations public. I briefly revisited the page on June 7th and Ms. Hopkins' name no longer featured in that list.

Live version of the "Meet the Governors" page

Print out of Meet the Governors, June 7th

The Governance Papers Reshuffle?

I can also report that since my letter to Mr Keane, in which I advised him that a number of policy documents were missing from the website, those documents are today once again available for public view.

As can be seen from these images, the alphabetically listed policies that were available for download on June 7th were not so easily accessible on May 21st, the day before Mr. Keane received my letter.

Live version of the "Policies" page

The Space-Time Continuum Reshuffle?

It turns out that if you go back in time, something unusual can be seen in how the website was serving content on its pages.

Now I'm not saying that I have gone back in time and reviewed the content of the school website and found something unusual because that would be daft. I'm saying Google Search provides everyone a function to do it.

When you do a search a Google, you sometimes see a small green downward-pointing arrow next to the returned results. This is Google's Cache function, and it allows you to see a snapshot of any pages Google has indexed at a given time. If Google last crawled a page in May, the Cache version lets you look at that page as it was in May. You can see the current version by just clicking on the search result link as you normally would.

As of June 7th, Google's cached version of the school's website does come from May - the policy documents were crawled on May 16th, the governor listings crawled on May 17th, as you can see in the image and .pdf print out that follow.

Print out of Meet the Governors, as cached

The crawled versions of both pages show two things. First, that Google's search engine was able to find the policy documents at least as early as four days after Mr. Keane was aware of the allegations made against the school. Secondly, Natalie Hopkins' had been removed from the governors listings within five days.

Who is "reshuffling" the Federation website?

According to the credit on the site, the website was developed by a company called Bell IT Solutions. Bell is a small IT company run by Victoria Kania and her husband Ben. You can see from the company records that it is indeed very small - its total capital and reserves shrinking from £7,695 in 2018 to just £5,852 in 2019.

Hey, who knew it was so hard for two IT professionals to make a living, right? Maybe they should showcase their excellent work for the Federation on the Bell IT "Website Portfolio" page and get some extra credit for working with the local authority?

Bell IT Solutions' links to the subjects of Corruption Allegations

Before marrying Ben, Victoria was known by her maiden name, Bell. Using Google's "site:" search operator for the torfaen.gov.uk domain, searches for "Bell IT Solutions" and "Victoria Bell" return very little. What does come up is pretty interesting.

For example, the searchable history of Bell IT and Victoria's relationship with TCBC is limited to a nine month period up to January 2014, detailing a grant awarded by TCBC for just over £2400, and Bell IT's involvement with the "Digital Enterprise Festival", a two day self-aggrandizing networking event held in Blaenavon and hosted by TCBC in April 2013.

According to the Welcome page of the official programme

The Festival [was] a celebration of the growing number of digital partnerships in the County Borough, including Wales' flagship data centre, SRS.

Over the two days, Bell IT delivered it's "Improving your website" and "Website design for micro-businesses" seminars. In good company, Bell IT apparently shared the platform with such industry heavyweights as Microsoft, and during day two - somebody was running a drop-in session for introductions to the Cisco Accreditation programme. Whilst unconnected to my allegations, I think it is interesting to note that at the time, Cisco Systems Inc.'s Head of Mobile Networks for Europe, the Middle East and Africa, Neil Smith, served on the board of Bron Afon Community Housing Limited.

Bell IT Solutions and Torfaen Business Voice

Again, I'm not suggesting that some historical factor is linking the developers of the school website to my current allegations of corruption. I am suggesting that the developer's current association to Torfaen County Borough Council's business club, Torfaen Business Voice, is far more relevant.
Also present at the Digital Enterprise Festival, Torfaen Business Voice was originally managed by the Economic Development team at TCBC when it occupied the old County Hall site in Croesyceiliog. Business Voice is now managed by an entity known as Torfaen Economy & Enterprise, which according to the business club website's Privacy Notice, is part of Torfaen County Borough Council.

In addition to its close ties with TCBC, Torfaen Business Voice lists among it's current members Bell IT Solutions and such esteemed subjects of my corruption allegations as Bron Afon Community Housing and Rubin Lewis O'Brien.

So, did Bell IT "reshuffle" the school website?

As interesting as that look at Bell IT was, it does deviate somewhat from the task at hand: identifying what happened with the Federation of Blenheim Road and Coed Eva Schools website.

You may have noticed that in this post, Bell IT are referred to as the website's developer. From what I can see, their role was to provide a WordPress theme as a basis for the school to add content as and when required. It is a common business model in IT: modify a standard framework, charge a fee, and then provide the client with a username, password and a dummy sheet. Of course, as a community school under the jurisdiction of Torfaen County Borough Council, the Federation's IT requirements - including adding and removing content - are overseen by, you guessed it... Shared Resource Services.

A quick look at how we see content from the school website

Note: See Wikipedia for a more detailed introduction of the "Client-server model".

When I visited the Policies page on the school website, my internet browser sent a request to the computer hosting the actual webpage, saying "Hey, can I look at the Policies page and show it on screen?". The computer receiving the request must've said yes, and served the content to my browser. Easy.
The computer hosting the webpage served the content as HTML source-code, which is computer-readable code that was arranged by my browser in a human-readable form - nicely laid out as you would want a webpage to be and readily printed out for use later.

The source-code shows that some of the content of the webpage was served from a different computer to the one hosting the school website. This was done by using an iframe, which acts kind of like a picture frame, displaying content on a page that resides somewhere else.
Take another look at the images or PDF print outs from the Board of Governors, Governance Papers and Space-Time Continuum Reshuffle sections at the start of this post. Any content served by the computer hosting the school webpages that is included through an iframe - i.e. originates from a third computer - is contained within the area bordered by a purple, dashed line.

As you can see, whenever I have browsed the "Policies" and "Meet the Governors" pages on the school website, the actual content has come from a third computer. If we take a look at the "Policies" page as it was served to me on June 7th, on line 260 of the source code there is an instruction for the computer hosting the website to display an iframe which gets it's content from a shared Google Drive. The content is an embedded folder, which lists all the links to the individual files as they appear - within the iframe - on the "Policies" page.

You can see the list independently by following the link to the Google Drive directly: type in or copy into your browser's address bar the URL (without the quotes) "https://drive.google.com/embeddedfolderview?id=1lKW_bQut025rao1M6iPJpWp6ftFS7EZ3#List" and the same policies listed on the school's "Policies" page can be viewed independently, as a simple list. Examining the individual file links, all of the policy documents are themselves hosted on a shared Google Drive.

For whatever reason, when I visited the site on May 21st the content displayed through the iframe was not available, which is why my browser showed a pixellated "sad face" inside the purple dashed border but showed the rest of the page content as usual. The iframe could have been instructed to retrieve the content from the shared Google Drive, a different folder on the web, a different folder on the computer serving the content, or no where at all. Wherever it was supposed to come from, it wasn't delivered to my browser.

When I browsed the site on June 7th, the same principle also applied to an iframe displaying a list of two available copies of archived Governors Meetings minutes from March and November 2018:

A quick look at why we don't all see content the same - and why you need to pay attention to Privacy Notices!

When I visited the school website and my browser sent the request to the computer hosting the webpage, before it said yes and served the content, the computer almost certainly asked my browser for some additional information.

What exactly gets asked depends on the configuration of the computer serving the webpage content, but take a look at the Privacy Policy on any site you tend to visit regularly and you'll likely see that by using that site you will be agreeing to provide the site operator with such information as:

Device identifiers
Including things such as it's unique MAC address, your internet connection's IP address, which operating system and the version of it you have, which browser you are using, etc.
Your site usage
Which page you visited, what search terms you used, the address of any page you were on previously and clicked a link to your current page, what day and time you visited the page, how long you stayed on that page, etc.

The collection and storage of this information is used for all sorts of legitimate purposes, either for the security and performance of a website or for the convenience and experience of the user. Whenever a webpage is viewed, the computer serving the content collects and retains the information. If a given page is very popular, the total amount of data collected can become very large. If a given page is relatively unpopular, say like the pages on the Governance section of the Federation of Blenheim road and Coed Eva Schools' website, then the total amount will be very small.

It only takes some very simple programming on the computer serving the content to utilise the information for more illegitimate purposes. If you use a Samsung mobile to view the internet - a very popular device - you may be familiar with the occassional pop-up appearing on websites saying something like:

"Congratulations! You are the 10,000th Galaxy user to visit our site! Click here to claim your special prize...
which of course is not true; it's just bait to get you to click the link.

In some instances, "personally identifiable" information is provided, most often in the form of a user account ID. As well as enabling us to use services more suited to our preferences, personally identifiable information can expose users to some pretty bad behaviour by individuals with access to it. In 2017, Amazon apologised to a customer who was emailed what he felt were coded death threats from the firm that were in fact sent by a disgruntled call centre worker, after recieving recommendations for such book titles as "Death", "Follow You Home", "The Denial of Death", "Death Made Me" and "Suicide's An Option".

When the amount of device information collected is very small - like the data generated by visits to a school website's Governance section - it can be very easily turned into "personally identifiable" information. An unpopular device such as mine can be quickly identified, especially if matched to emails received about a complaint (whenever you send an email your message is accompanied with machine-readable information about what application you used and what operating system the application is installed on). It is then as simple as adding a few lines of code to the configuration files of the computer serving the content to show different content to different viewers, to the effect of:

"Browser A" = Any browser
"Browser B" = A specific browser (or MAC address, operating system etc)

If "Browser A" visits "Page X" show "Content 1"
If "Browser B" visits "Page X" show "Content 2"


Why any "reshuffle" matters

Whatever has or hasn't happened with a few pages on a school website isn't being considered in isolation here - this is in response to allegations of serious corruption made against senior executives of a Local Authority and against a regional Police Force involving the misuse of information technology resources. It matters.

Any attempt to alter the content, before or after my allegations were made public, if done so to my disadvantage, was criminal. I don't know what content was available to what audience at what time - nobody will know unless and until there is an independent investigation into my allegations. Luckily for me I have sufficient technical knowledge to understand how any anomaly or "reshuffle" might have occurred, so can have patience, sit back and observe.

So, for my money, I'd say that any "reshuffle" came from SRS. And that is infuriating, especially since the anomalies occurred after raising my allegations of corruption with two of the senior project partners, Torfaen County Borough Council and Gwent Police, who respectively - as of June 7th - have still not assigned the investigation of my allegations to Internal Audit, or referred my complaint to the IOPC.

No comments:

Post a Comment