Press "Enter" to skip to content

NPA says they do not monitor. Today my logs say otherwise.

By Kieron JH on October 15, 2025 7:21 pm
Eddie Snowie at the door holding a clipboard that reads “Guest List, Evidence Only,” under a “No Clown Fiesta” sign, turning away a queue of clown-nosed lawyers in suits with briefcases labeled Threats and Spin.
Eddie Snowie on the door. Evidence only. Clown fiestas turned away.

Last updated on October 16, 2025

By Kieron JH, 15 October 2025, Europe/London

The short version

  • Hours after I posted a status update about NPA misrepresentation, traffic from ASN 197320 hit my site repeatedly.
  • Those are corporate visits, proven by ASN and the IP block 195.20.155.xxx.
  • A separate mobile session 82.132.232.xxx appeared around the same times and walked the same pages. That is correlation, not identity.
  • NPA ASN access is logged instantly and sent to my phone. Multiple layers of redundancy captured every visit.

New evidence – two confirmed corporate hits

Below are two verified captures from 15 October 2025. These represent only a fraction of today’s activity. The Edge Tracker system automatically captured multiple hits from ASN 197320 (National Pharmacy Association Ltd) across different times and endpoints. The following screenshots show the confirmed 14:44 and 16:53 events.

1. 14:44 – Misrepresentation Status Access
NPA ASN 197320 request log showing access to the /npa-misrepresentation-article-status/ page on The Reasonable Adjustment.
Corporate NPA ASN access recorded at 14:44 visiting the misrepresentation status post. Captured automatically by Edge Tracker.

2. 16:53 – IPS Pharma Access
NPA ASN 197320 request log showing access to the /ips-pharma-represented-by-national-pharmacy-association/ page on The Reasonable Adjustment.
Corporate NPA ASN access recorded at 16:53 visiting the IPS Pharma coverage page. Captured by Edge Tracker.

These logs alone confirm direct corporate traffic from the National Pharmacy Association’s network. However, they did not trigger one of the higher layers of my monitoring stack, a layer that normally activates for all standard traffic patterns. This strongly suggests that NPA’s access was carried out in a way designed to avoid detection, whether through custom routing, browser sanitisation, or intentional fingerprint evasion. In other words, they knew where they were going, and they did not want to be seen doing it.

While the corporate ASN connections are now confirmed, the absence of a trigger on that particular detection layer is telling. It shows an awareness of my system’s depth and a conscious attempt to slip below it. That is not random curiosity, that is deliberate behaviour.

What happened today, in timestamps

All times UK. Evidence retained, hashed, and archived.

TimeNetworkIPUser agentPath highlights
09:26ASN 197320 (NPA corporate)195.20.155.xxxWindows, Edge 141/
14:41 to 14:44ASN 197320 (NPA corporate)195.20.155.xxxiPhone, Mobile Safari/, /policy-hub/, /wp-json/iawp/search, /2025/09/10/npa-statement-invitation-to-comment/
14:44 to 14:50Consumer mobile network82.132.232.xxxiPhone, Mobile Safari/, /ips-pharma-represented-by-national-pharmacy-association/, /2025/10/15/npa-misrepresentation-article-status/, /2025/10/15/the-law-is-not-a-vibe-npa-misrepresentation-rebuttal/
16:53 to 16:54ASN 197320 (NPA corporate)195.20.155.xxxiPhone, Mobile Safari/ips-pharma-represented-by-national-pharmacy-association/, /2025/10/06/state-of-play-october-2025/, /wp-json/6e9ef3/v1/14e5/f7837c4d

What they looked at

  • Homepage and the new status post about the NPA misrepresentation claim.
  • Policy Hub, where corporate NPA traffic is routed after a short delay.
  • Prior coverage, including the IPS piece and the September statement and invitation to comment.
  • JSON and search endpoints, likely to surface mentions and metadata.

How corporate access is proven

  • Every corporate hit resolved to ASN 197320, National Pharmacy Association Ltd.
  • Source IP block 195.20.155.xxx with GB location and London PoP.
  • Requests targeted pages directly related to NPA coverage.

About the iPhone session

A separate mobile session from 82.132.232.xxx appeared minutes after the corporate hits and followed the same trail of pages. That is consistent with internal sharing or parallel checking. It is not proof of the same person or device. It is correlation supported by timing and sequence.

Redundancy, alerts, and why nothing slipped through

  • ASN tripwire: any visit from ASN 197320 is tagged and pushed to my phone instantly.
  • Edge Tracker: logs request IDs, CF-Ray, UA, PoP, and routing details.
  • Passive Fingerprint Tripwire: uses multiple entropy sources to preserve continuity even when identifiers change.
  • Visitor and session IDs: bind flows across page transitions to show real navigation paths.
  • Behavioural telemetry: page depth, timing, and endpoint requests are matched against edge data to confirm pattern consistency.
  • Controlled interaction: corporate NPA visitors are redirected via a short interstitial before reaching the Policy Hub, ensuring recorded notice.

The interstitial corporate NPA visitors will always see

// Simplified concept, production is hardened
if (isNPAASN && url.pathname !== "/policy-hub/") {
  const delaySeconds = 30;
  const target = "/policy-hub/";
  return new Response(`
    <html><head>
      <meta http-equiv="refresh" content="${delaySeconds};url=${target}">
      <title>Welcome NPA</title>
    </head><body>
      <h1>Welcome to The Reasonable Adjustment</h1>
      <p>Detected: National Pharmacy Association Ltd (ASN 197320).</p>
      <p>Redirecting to the Policy Hub in ${delaySeconds} seconds.</p>
    </body></html>
  `, { status: 200 });
}

Why this matters

NPA say they do not monitor my site. Their corporate network visited repeatedly on the day I announced a rebuttal and toured the precise pages that matter. One detection layer that normally activates for all visitors did not trigger, which points to deliberate evasion rather than coincidence. A separate mobile session mirrored the same trail. Corporate access is proven. The mobile session is correlation. Combined, the pattern speaks for itself.

The receipts, trimmed for privacy

2025-10-15 09:26  ASN 197320  IP 195.20.155.xxx  UA Edge/141  Path /
2025-10-15 14:41  ASN 197320  IP 195.20.155.xxx  UA iPhone Safari  Path /
2025-10-15 14:41  ASN 197320  IP 195.20.155.xxx  UA iPhone Safari  Path /policy-hub/
2025-10-15 14:41  ASN 197320  IP 195.20.155.xxx  UA iPhone Safari  Path /wp-json/iawp/search
2025-10-15 14:45  Consumer Mobile  IP 82.132.232.xxx  UA iPhone Safari  Path /2025/10/15/npa-misrepresentation-article-status/
2025-10-15 16:53  ASN 197320  IP 195.20.155.xxx  UA iPhone Safari  Path /ips-pharma-represented-by-national-pharmacy-association/
2025-10-15 16:54  ASN 197320  IP 195.20.155.xxx  UA iPhone Safari  Path /wp-json/6e9ef3/v1/14e5/f7837c4d

Fair notice, right to reply

I will publish any substantive NPA response in full, including corrections if I have erred. Contact: [email protected]. Please reference the date and request IDs when you respond.

Statement of method

  • Source: Cloudflare edge logs and custom telemetry with live alerts.
  • Timezone: Europe/London.
  • Dates: all 15 October 2025.
  • Hashing: SHA-256 applied to raw lines, retained privately.
  • Personal data: trimmed in this public post to protect unrelated third parties.

Closing line

Corporate hits are proven. The mobile trail is correlation. One layer went silent when it should not have. That silence speaks volumes. The Reasonable Adjustment stack runs deep. Silly buggers say they are not watching. The logs say they are.

Published in Accountability, Articles, Cyber, Food For Thought, IPS Pharma, Kieron and Transparency

More from AccountabilityMore posts in Accountability »
More from ArticlesMore posts in Articles »
More from CyberMore posts in Cyber »
More from Food For ThoughtMore posts in Food For Thought »
More from IPS PharmaMore posts in IPS Pharma »
More from KieronMore posts in Kieron »
More from TransparencyMore posts in Transparency »

Be First to Comment

Leave a Reply

Your email address will not be published. Required fields are marked *