Just a few hours after I posted my last article on AiNet and called out IAF for allowing fake certificates to appear in CertSearch, I got this email limiting my free access. As you can see, it says I was “running low” after only verifying TWO certificates, because the limit is three.

A second (yes, as in one-sixtieth of a minute) later, I got this email, saying my limit had been consumed. I am not sure how I “consumed” another search hit in just one second, especially since I hadn’t used the IAF site in that mere second, but whatever.

I think what happened here is the clumsy dolts at Quality Trade toggled on the mandatory payment stack of the IAF site all at once, so I am betting everyone who ever used CertSearch more than a few times got this email. It wasn’t a conspiratorial jab at me; it was that I had hit their (confusing) limits a long time ago, and by toggling on the email alerts yesterday, the system just started pumping out these email alerts.

But there’s still a lot to unpack here.

Search Limit Confusion

First, the IAF site is entirely inconsistent on how many searches you get for free. Here is this statement, on their FAQ page:

A public user will be able to search and validate up to 3 certifications per day and 30 verifications for free if they have created an account and identified themselves.

However, the page that describes the various subscription plans says something entirely different for the “free” tier. There, it says you are limited to 36 total certificate searches (called “verifications”), which caps out at three per month. Not “3 certifications per day” as it says in the FAQ. It then treats verification of a company as a separate thing (called “certified entity profile access” here, but then called a “company” search on your user dashboard), and that has its own limit of six per month, or 72 total per year.

What’s the difference? In my testing, if you search for a company (like I did for “AiNET” during the recent dustup), that counts as a “company” search. It will show all the ISO certificates issued to that company. That is capped at six per month. Meanwhile, you might also search for a specific certificate (say, by certificate number); that counts towards your “certification” limit, or three per month.

If you search by company and then click on a specific certificate, that counts as a verified certificate hit, too. So it triggers both your counters. Confused yet?

Here is what my dashboard currently reports for company searches. Yes, their blue slider bar is broken. It says I used “2/6” searches, but then on the left, it says I actually used “4”, so some idiot at Quality Trade can’t do simple subtraction. (I have two left, not two used, dummies.)

And here is what my dashboard reads for certificate searches:

Elsewhere in my dashboard, I see this, which suggests my annual total will reset in December, I guess:

But the grift doesn’t stop there. IAF also limits how many times you can click to see if a certificate you’ve already searched for is still valid. So, let’s say you click a cert on Monday to verify it. If you click it again on Tuesday, it triggers a hit on yet another counter called “verification access.” In the shot below, you can see my recent searches for specific certificates. For the top entry, I did a search for a company, then clicked on one of their certificates, and it registered a hit as a certificate verification. Now, I guess I have another few days to click that cert again to check if it’s still valid.

You’d think if you consumed a point to verify a cert, you’d be able to verify that cert for as long as it exists … but no, IAF wants you to buy a paid service if you dare check to see if the same cert is still valid. Or something. I guess this is to sell the “watchlist” feature which — I’m guessing — alerts you when a cert expires or something. Don’t quote me on that part, as it’s also not at all clear if that’s a feature.

As for the paid plans, from what I can tell (and it’s not easy), the “Basic” plan (currently $31/month) gives you a total of 300 company searches and 240 certificate searches, and you don’t get capped by month — only by year. The “Standard” plan (currently $62/month) gives a total of 1,500 company searches and 1,200 certificate searches per year. The “Premium” plan ($312/month) removes all limits entirely.

It’s a very strange set of arbitrary cutoffs. For instance, if the “Free” plan limits you to 72 company searches per year, but you want to search, say, 73 (one more), then you have to buy a plan that will jump you up to 300 searches. This massive gulf between the free plan (72 searches) and the cheapest Basic plan (300 searches) doesn’t make any sense.

It’s also not clear when your monthly caps reset. I assume it’s on the first of the month, but it’s not stated anywhere.

Workaround One

There are workarounds. For one, the search bar auto-populates as you search. So, you can get a sense of whether there is a company or certificate in the database before you click on anything, and thus not consume any of your limited searches. Here, I search for the string “pep,” and a few companies come up before I’ve clicked:

But it will only report the exact string. Here, I add an “s” and make the search “peps” and I get this, instead:

And here is what I get when I search “pepsi”:

But this is where it gets weird. That search above was from my dashboard page, which has the same search header as every other page. But if I switch to another page, and use the same search bar at the top, I get different results. Here is the search for “peps” when using the search bar that appears above the subscription plan page. It’s entirely different and not even close to being accurate.

I don’t know how badly you need to code your website to get different search results depending on where the search bar is placed, but Quality Trade managed to achieve that level of badness.

Still, this “search bar” bug may help you get a quick idea of whether a company is included in CertSearch or, more importantly, if not. But since CertSearch is so woefully underpopulated with data, you may get a lot of false negatives. That means the company could be entirely certified, but their AB and CB are ignoring the mandate to update data into CertSearch, so they don’t appear at all.

Workaround Two

The other workaround is, of course, to use a burner email to make a new account whenever you consume your free credits. As far as I can tell, the limits are applied to your email address, not via cookie session or IP address. So if you fall into that purgatory zone where you want to check more than three certs in a given week but will not have any need to check the hundreds of certs you will get with the cheapest paid tier, you simply jump over to ProtonMail, make a new burner account, and sign up again.

The IAF is gonna love it when their database is filled with these burner accounts, which is absolutely inevitable. But it’s the obvious solution to a self-made, unforced error driven by their greed and tendency towards grift.

You can expect the clumsy bungleheads at Quality Trade to put in cringe-worthy, 1990s-style blocks to stop this. I bet they eventually try to block certain IP addresses (like those used by VPNs), certain email providers (like ProtonMail), or maybe even some weirdo geoblocks against entire countries. That latter one would make no sense since they rely on people from all countries to access the site.

Speaking of which, can you imagine any third-worlder paying the insane pricing for IAF CertSearch at all? Do you really think some machine shop in Pune or Guadalajara will toss money at IAF for this thing? Of course not; this will only be used by rich companies, if at all.

It’s Grift

I suspect there are three main user groups of CertSearch:

  1. One-off users, who may check a cert once and then not use the site at all for a few years.
  2. Casual users, like me, who verify a few certs but nowhere near the amount required for any paid tier.
  3. Bulk users, like large companies, who want to use the service to vet their entire supply chain.

That latter group is what IAF and Quality Trade are betting their money on. But given how impossibly bad CertSearch is, any large company would be out of their minds to spend money on this product, which looks like a pre-alpha release, is barely filled with the data it should have, and then features fake certificates anyway. Despite this, IAF claims — impossibly — that “50% of Fortune 500 companies” are using CertSearch, which I call bullshit on. But they can say anything they want like that; it’s not like anyone can check.

Which creates more problems for IAF. Not only is this a grift, but it puts what should be open-source information behind a paywall that will only allow it to be used by the wealthy. If you’re a poor student in Pakistan and doing a paper on whether the bottled water companies in your region are really ISO certified, you’ll be out of luck.

A journalist doing an investigative piece on, say, Grenfell or AiNET (like I was)? You will be forced to sign up for an “annual” plan despite the fact that once you write your article, you will never need to use the service again.

To be clear, the ability to verify ISO certificates must be open-source, free, and entirely open to the public. CertSearch shows just how IAF is one huge scam, all designed to put money in the pockets of Victor Gandy and Elva Nilsen and a few others, without any actual concern over ensuring trust in the accreditation scheme.

They Know the Data is Fake

One final point. Here is what IAF says on the CertSearch FAQ page itself (emphasis added by me):

IAF CertSearch is a global database that allows users to verify the authenticity of management system certificates issued by certification bodies that are accredited by members of the International Accreditation Forum (IAF) who are IAF MLA signatories.

and:

This information helps users to verify the authenticity of a certificate and ensure that the organization has been audited and certified by an accredited certification body, and that certification is valid

and:

The data validation process from the three primary sources of information enables reliable authentication of each and every certificate in the database.

Those are just a few examples. Clearly, IAF insists you can trust the information in CertSearch and use it to (as they say) “verify the authenticity” of the company or certificate.

But what do the Terms and Conditions say? The opposite:

IAF Database LLC has not verified any such data or any Content on the Website and cannot and does not provide any assurances or warranties whatsoever regarding the accuracy or completeness of any such data or Content

and:

You acknowledge that the IAF Database LLC has no control over such third party content and shall not be responsible or liable for any content, products or services made available

and:

The information provided in this website is a guide only and may not be complete for your purposes. The IAF Database LLC does not warrant the accuracy of any information on this website and recommend that you confirm it with in your own right or via third party.

and:

… we make no guarantees that the information is accurate, reliable, current or error-free.

In case you think this is specific to this company called “IAF Database LLC,” that’s still the IAF itself. Per the IAF’s annual tax returns, the company IAF Database LLC is a “disregarded entity” under the IAF’s sole control. Per IRS, a disregarded entity is a single-person LLC that then processes its taxes through the mother company. I don’t know who the sole person behind IAF Database is, as it was formed in Delaware, which hides this information from the public. But the T’s and C’s still apply to IAF itself.

 

 
