Unencrypted website? Prepayment for translation - alarm bells are ringing!

Recently, a case arose in my family circle where I immediately wondered that there was something strange about it after all.

It was about the fact that a person from my family, documents in the Czech Republic must be translated, thereby the person from my family (seems strangely written, but I want to keep the identity of the person secret 😉 ), found various translation agencies.

These were then contacted by email and asked for prices. Of course, you have to be careful here and check if this company even exists, has a good reputation and a longer history of reviews.

There were 3 companies, one company is internationally known for translations, but also costs the most and has unrealistically high price expectations.

The other company wants to be paid more than 200€ in advance.

The last company seems to be a woman, which is registered as a company, but no written offer and without invoice, a court accepted seal for translation as a sworn translator.

One can think with the last case that here someone, who is sworn, would like to work under the hand (black work), in order not to have to pay taxes. We have rejected that.

Then only the 2nd company remains, this one wants to be paid in advance.

But not only that one is to pay here in advance and not even an offer/invoice for it gets and only the invoice details by e-mail, there one can already become suspicious.

But then, as an IT guy and a web developer, I noticed some other issues:

  1. The email that responded was an @gmail.com address, not a domain from the company, which boasts of being in existence for 28 years.
  2. Looking at the website, one notices that the design is out of date, according to analysis created with Frontpage Editor 6.0 (was last released in 2003, one can conclude that this website is running with 20 years old technology), Apache 2.4.10 is used, this version is from 2014, so 9 years, accordingly also without security updates.
  3. No HTTPS / SSL encryption of the connection

And at the latest after the 3rd point it became already too Bunt for me, a web page, which is operated by a today's enterprise, and documents receives, which have high privacy requirements, are uploaded without HTTPS?

So I took a look at the upload form, and just dug around to see what could be found there. And it turns out that this form does not belong to the website at all, but to a third party provider, yes, perfect, the site uses a form for uploading highly sensitive documents from a third party provider, without SSL and not even a notice or cookie banner. No privacy policy or notice that you are using a third party service provider for uploading documents here.

Jotformeu.com is the domain that provides the JS for the form in the iFrame, which is then rendered in the user's browser, and although the "eu", suggests that it might have something to do with the European area after all, I thought and was once again proven wrong, trust is good, control is better:


As you can see from the IP Tracer, the server IP where the domain resolves to is not in Europe, but in the USA, in Kansas City.

So we actually have here a major accident of the GDPR, which as an EU law also has to be applied in the Czech Republic.

  1. Not informing the user that he/she is using a third-party service to transmit highly sensitive documents to the translation agency
  2. No privacy policy on what happens to the data or how it is handled
  3. Transfer of highly sensitive personal data and documents to the USA without the user's consent

In summary:

The website is 20 years old, has no imprint, no privacy policy, no cookie info, is not SSL/HTTPS encrypted, uses a provider for uploading sensitive documents and personal information, which is located in the USA, without informing the user with which services the translation agency shares this data and whether the user agrees. And then, without a formal offer and invoice, Plain Text is supposed to be paid in advance via email.

Wow, you don't find something like that every day, and in Germany the data protection authorities would be up in arms about it, with lawyers' letters flying in.

In the end, we did not choose this service. The answer of the company with the presentation of this analysis was that they think it is so good, the website is old and this is an advantage and that they get fraudulent requests every day (I am surprised that this site was not already hacked, but okay) and they do not want cooperation with us.

In this sense, be careful who you entrust your documents to.

You like this article? Share it!

Posted by Petr Kirpeit

All articles are my personal opinion and are written in German. In order to offer English-speaking readers access to the article, they are automatically translated via DeepL. Facts and sources will be added where possible. Unless there is clear evidence, the respective article is considered to be my personal opinion at the time of publication. This opinion may change over time. Friends, partners, companies and others do not have to share this position.

Leave a Reply