A lot of people mocking the author or others for being scared and worried are basically blaming the victim here, and I would like them to stop.
The nature of legal practices in the USA is such that the answers to "Are you totally in the clear legally?" and "Will you lose significant amounts of money proving in random courts that you are in the clear legally?" are often both yes.
As a result, any researchers who send out thinly veiled legal threats as a "research experiment" are firmly in the wrong ethically, and should be called out by all the people to whom they have issued these veiled threats. Review boards that approved this experiment should be themselves subjected to an audit and potentially dissolved.
Yep, I posted this hoping to raise awareness, but the reaction was not what I expected. In the US even a meritless legal threat will require hiring a lawyer to ensure you are in the clear, which requires a significant amount of money, in addition to the stress. Researchers should never be putting anyone in that position.
Just going to tag along to my comment above. I can't help but notice the difference in tone of the responses to this article vs. the one yesterday (https://news.ycombinator.com/item?id=29599553) which I did not see. It seems those who participated in the thread yesterday had a quite different opinion.
As the author, I wonder how much me being not quiet but not an asshole about being nonbinary and having furry stickers in the article makes people start hitting the vitriol button.
As a person who has watched this kind of thing happen a lot: I think a lot. I had a bunch of friends on tumblr who wrote and exchanged very similar fiction and art. The ones who were known to be trans, female, enbies, or non-white got harassed a lot. The one who was understood to be a white cis male got left alone. And this is on tumblr, where the ostensible position of a large part of the user base is that white cis males are Bad People by default...
So yeah, pretty sure it's that. I almost never get harassed by people who think I'm cis male, the bulk of the harassment came from people who thought I was transmasc.
Probably the furry stuff too, which is honestly sort of terrifying, do these people not know how much infrastructure relies on stressed and overworked furries?
You obviously don't need anyone to tell you this, but for passersby for whom this has not been on their radar before: this is almost certainly true. HN commenters will on occasion be superior jerks towards anybody, but this is some loud posters' instantaneously adopted position when they see a name that doesn't code as male--for another example, see many `rachelbythebay.com` posts, where you have randos getting sniffy and assuming she's incompetent or junior for some Real Interesting Reasons.
By my estimation it is real, the proprietorship (who I like and appreciate personally, and I think are operating on good faith) of this community has often made noises about how it should be better. It's not, and it should be.
I guess it's the wording. "without my consent" is used to imply a strong violation of the personality rights, at least in some circles [0]. It's also pretty much a repeat of yesterday's post. At least to me, this makes the issue feel a bit overblown.
[0] The irony that the whole problem is based on wording that implies a lawsuit is not lost on me.
Getting “informed consent” is one of the big, guiding principles for research done on humans. My guess is the author deliberately used that language of the scientific community, to make clear that they did not agree to be part of the research.
Yeah, but the idea of “informed consent” is misunderstood broadly. There is no constitutional right to informed consent. Not all human subjects research requires informed consent — or even consent. There are other institutional ethical lapses that are much more dangerous — and there are also ethical attitudes that rest on the researcher, not the institution.
Righteous indignation over something like this is dangerous, not least because it can lead to science being much harder (more bureaucratic and more expensive) to do by all scientists. “More oversight” or “dissolve the irb” all put too much responsibility on the institution.
Sometimes, we should just blame the people who did something rude and stupid, not the institution.
> Not all human subjects research requires informed consent — or even consent.
There have been multiple examples of this going horribly, horribly wrong. (Naturally, the worst examples were government-funded and ran during the Cold War.)
As a society, we have since concluded that at bare minimum, people should know they are being experimented on--and even that isn't enough to stop things from going badly.
This is why the IRB exists in the first place. A major part of its purpose is to prevent this sort of thing from causing undue harm, i.e., by forcing people with limited incomes to seek legal counsel because they believe they're about to be sued into the ground. One of the rules generally agreed upon for this is that experiments with human test subjects must inform those humans up-front what they're getting into.
To say that the response to this "can lead to science being much harder" is an ethically wrong defense. We know it makes certain kinds of research harder; that's the point. There are certain kinds of research that directly harm their subjects, and we don't do that to people. More than that, people have a right to decide whether they want to be involved in a study, as they may personally feel endangered by it (i.e., someone who has a PTSD response to being sued may not want to deal with being fake-sued).
To say that calls to dissolve the IRB "put too much responsibility on the institution" is flat-out false. This IS the IRB's responsibility--they approve or reject studies like this specifically to avoid ethical problems like this one. To claim that this isn't the IRB's responsibility is like claiming that it's not the responsibility of the law to revoke a driver's license when someone has been driving drunk, or that it's not the responsibility of the Food and Drug Administration to reject approval for foods that contain dangerous contaminants.
I'd recommend reading up on why not all human subjects research requires informed consent. For instance, there are exceptions for human subjects research that takes place on normal educational practices. This carve out was made because of the difficulty of getting unanimous consent from all parents during normal classroom education. With greater oversight and full informed consent, a lot of educational research simply wouldn't happen.
So, to reframe this: "can you think of scenarios where institutional oversight could cause negative harms on society?" There are tradeoffs in ethical domains — and usually a lot of work has been done to find a middle ground.
The example you gave is not relevant. The researchers in this study are already directly contacting everyone they need consent from, and if an individual declines, the rest of the sample can still be studied (unlike in a classroom setting, where everyone's physically in the same room and it's impossible to study any of them in isolation).
Further, the study would still have worked if the researchers had simply asked for the information as researchers, instead of lying about their identity and making thinly-veiled threats of legal action if the subject doesn't comply.
I'm primarily concerned with the study, since A) that's the topic at hand, B) it involves technology and privacy, which I care about, and C) people keep comparing this to pentesting, just like last time, and I also care about security research.
I apologize for assuming that you were defending the study; I figured that was the topic of conversation, after all.
If there is nuance, but it does not apply to this situation, then it is worth saying that this nuance does not apply to this situation--so that I'm less likely to misinterpret what you're saying.
Wait, your motivating example is keeping parents out of the loop... do you give this example to show that it usually goes really bad when informed consent is missing?
Or do you mean to argue that it's okay to experiment on kids without consent, because the end justifies the means?
Or a third option, that I'm overlooking currently?
Yes, that’s correct. Because conducting experiments on things like “does this approach to teaching fractions work better” is important for society. The ends are good and the means are reasonable. We aren’t injecting kids with chemicals — we can only experiment with “normal” educational practice. It shows why nuance is important — and why requiring informed consent isn’t always the most ethical choice for society.
Ethical action involves nuance! It is very comforting to think that the world is black and white, good and bad. But it isn’t. Why is this so difficult to communicate?
> In the US even a meritless legal threat will require hiring a lawyer to ensure you are in the clear, which requires a significant amount of money, in addition to the stress.
So what happens when a site receives a CCPA inquiry from an actual person concerned about privacy instead of a researcher under a fake identity? The site still needs to determine if the law applies to them and if so what they must do to satisfy their obligations, so a real inquiry should be as costly and as stressful as a research inquiry.
Does this suggest that privacy laws such as CCPA (and GDPR) which create obligations for sites to deal directly with users on privacy matters are a bad idea? Should such laws instead require users to go through some state agency as an intermediary which would then only contact the site on behalf of the person if the agency determines that the user's data at the site is covered?
It would have been possible to make the requests without a threat of suit. The thinly veiled threat of suit came from a portion of the email that quoted a specific section and used legal verbiage to get people to respond within a certain time frame (as required by the law).
This was taken as a legal threat. The request would have been just as valid without the threat.
Though due to the nature of the requests, they were not actually subject to that specific section of the law, and thus the demand of a response within 45 days had no genuine legal foundation.
> So what happens when a site receives a CCPA inquiry from an actual person concerned about privacy instead of a researcher under a fake identity?
They conclude that it's a Princeton research study and throw it in the trash.
This is part of the harm this study has done; because the researchers were not upfront about who they were and what they were doing, they have introduced uncertainty about the CCPA process.
> Should such laws instead require users to go through some state agency as an intermediary which would then only contact the site on behalf of the person if the agency determines that the user's data at the site is covered?
That could be a good idea. It would depend, of course, on that agency being well-staffed and well-trained (both of which are separate from being well-funded, which can help). There's a giant pile of messy problems that can crop up due to negative influences from, say, corporations that want to sell more data.
That said, it would be nice to have an org that can do the minimum legal work necessary to figure out if the claimant has a leg to stand on. That would not only minimize the harm of this sort of ill-advised study, but also make it harder to use threats of legal force to coerce smaller site owners.
This is just FUD. I've yet to meet a lawyer who won't do a cursory evaluation of your case for free. It's in their interest to know if you're bringing them an easy win.
> I've yet to meet a lawyer who won't do a cursory evaluation of your case for free.
You don't get out much, do you?
I've known tons of lawyers that won't look at their watch and tell you the time, unless they get a tenner from it. To be fair, they are used to folks trying to extract highly valuable services from them, for free, so it's sort of a defense mechanism.
I have (and have had) many friends that are lawyers. A few will help me out with quick consults for free. I even have one chap that has gone beyond that, and I'm grateful. I'm quite aware of the value of their services, and always offer (and am willing) to pay; even if they decline to invoice me.
I guess it depends on the lawyer. Not long ago I was shocked when a lawyer (not somebody we know, just a random phone book lawyer) stayed on a call with my girlfriend for a half hour talking about her father's estate and charged nothing for it.
It's also worth noting that under US law, a lawyer who gives you legal advice can be held liable if that advice causes trouble down the line.
This creates even more incentives to have a paywall--one, it keeps people from bugging you for free legal advice that can bite them and you in the ass later, and two, it ensures that the people who do get advice from you have followed your procedures for setting up an account with you.
I think the derision illustrates a low ethical floor in the industry. Intimidating users with legalese is standard business practice, for instance in user agreements. The fearful effect it has on the less knowledgeable, competent, and resourceful among us doesn't even seem to register. It reminds me of abusive sales techniques that victimize seniors, and the salespeople who chortle at the stupidity of those who get taken in.
Abusive sales techniques aren't just for the elderly, if you've ever seen a car dealer sell a Dodge Charger or similar to a gullible US military E2 at 22% interest on an 84 month term...
You're absolutely right. I happened to be thinking about specific distressed elders in my life who I have had to talk down because they are worried about getting scammed, and the emotional toll it's taken on them. Not everybody has enough expertise to navigate potential scams reliably and with minimal stress — such expertise exists on a continuum.
Absolutely agreed. In the present USA legal system, even if you win a resounding "victory" against an absolutely frivolous civil litigant, you are often left with significant legal costs and wasted days of your own time that you could have spent doing something else with your life.
I had similar thoughts when I read this story: how messed up is the legal climate in the US if a person who knows for sure they did absolutely nothing wrong should be scared by obvious nonsense email instead of laughing it off and deleting it? I don't diminish the ethical breach the researchers committed - they clearly shouldn't be inflicting any amount of mental anguish on people that did not agree to be part of any study. But it's not the only - and not the largest - problem here. The climate where this thing is seriously scary to so many people is really messed up.
It’s not obvious they did nothing wrong. The referenced statute creates an obligation to respond to inquiries and not everyone is comfortable making their own decision whether or not it applies to them.
It creates an obligation to businesses selling user data, or ones with revenues over 25 million. It's not hard to find either: https://oag.ca.gov/privacy/ccpa
The CCPA applies to for-profit businesses that do business in California and meet any of the following:
Have a gross annual revenue of over $25 million;
Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices; or
Derive 50% or more of their annual revenue from selling California residents’ personal information.
It's not a very hard decision to make, the text is pretty clear. Especially if literally the fifth word of it - "for profit" - makes the further reading unnecessary.
I'm reading that and I can already see things that require me to think hard about whether it might apply.
> any of the following
OK
> Buy, receive, or sell the personal information of 50,000 or more California residents,
"receive" and "50,000" seem like a low bar if the definition of "personal" includes anything caught in typical web logging.
You see? It's not clear cut from reading the thing you just said was very clear and it's hard to be 100% sure it doesn't apply.
"For profit" and "business" and similarly wide nets. Business can include individual sole traders and "profit" could be "accepting donations" or "running AdWords"
As the author of that article, I bet I meet that bar as soon as one of my posts gets on the front page of Hacker News, very easily if I post multiple articles which ended up getting popular like I have this month.
Really I have the nginx logs going to the disk so that I can have prometheus-nginx scrape them for referer patterns (it getting above a certain threshold for a given referer is how I know when my article got posted somewhere), status code rates and overall to make sure that the core functions of the site (such as the RSS feed) are working like I expect. I could probably change it to write the logs to a unix fifo instead of a unix file, but I actually do end up going back to look at the logs for things like people attempting to exploit my code so I can harden my site appropriately.
I just checked the logs and did some reverse IP lookups at random and it turns out nearly all the IP addresses I have are cloudflare IPs. So I don't even have IP addresses logged the way I thought I did! Yay me!
Not OP, but IPs are not always considered personal information. If you never establish the identity of the consumer directly, it's not clear that the effort required to convert that address to an identity meets the bar of 'reasonably capable'.
The point of my original comment was that there is gray area here and people dismissing it outright as obviously bogus are not thinking very critically about it. I think this is a good example of that.
It's kind of hard not to log IPs when running a service over the internet. You kind of have to have their IP address in order to know where to send the info they want.
Further, logging an IP address has also been necessary for security--to detect DoS and DDoS attacks, for instance, as both involve many repeated connections from the same IP (though you can offload that to a service now).
Why is it hard? The servers need to know the IP address, for sure, but they do not need to permanently record it. In fact, un-aggregated IP is probably not that useful for statistics either, it can be aggregated e.g. daily and then discarded.
You seem to be confusing temporarily holding information in the database (no matter whether in-memory or on persistent media) for operational purposes (be it networking or threat detection) and permanent storage of the same information way beyond the time it ceased to be useful for the purposes above.
As I understand it, from a legal standpoint, storing it for operational purposes is equivalent to storing it for any other purpose.
Also, even if you only store the information for 24 hours--how many users are on Hackernews in a given hour? How many of them click through the top links? Certainly enough that some sites have crashed under the load, which makes me think that the number is higher than 50K. Congrats, you're now storing 50K IPs, despite having an automated system to delete them in a day.
(I don't even wanna think about the headache it'd cause if you got dragged to court over this. I don't know how many judges will understand that you delete the list every 24 hours to avoid being liable for storing it, not to get rid of evidence.)
I guarantee you that you can send a similarly worded email in Germany to bloggers / small site operators about GDPR/DSGVO and you'll instill similar angst in the recipients.
"Before the courts and on the high seas, we are in God's hands" isn't a proverb for no reason, and it's valid pretty much anywhere.
> A lot of people mocking the author or others for being scared and worried are basically blaming the victim here, and I would like them to stop.
I don't think this is mocking (excluding the few obligatory spammers). It's a known fact that if you have a public e-mail, you will receive a lot of spam and threats. Also, an actual request could've very well taken a similar form - would you have been okay with this if they actually requested their data?
I'm not saying these actions were great. Sending out these mails was definitely not the nice thing to do. And yes, the threat of a lawsuit can be very scary. But, unfortunately, this is something you must be able to handle as a webmaster. It's also not great or nice that people try to log into my ssh server all the time, but this is just something you get when you have an ssh server on the internet. Same thing.
For people to have a vague idea, relatively cheap lawyers in the US charge upwards from $300-500/hour and you have no control of how many hours they'll log in.
Yes I don’t quite understand the need for deception here. I guess they were trying to blind the responses.
If I were on the receiving end, I’d be wary too but on the flip side a simple email from the researchers to ask with a link to the study website would be fine.
Would it not need something written (paper) in the US to start anything? In most European countries you just ignore mails with stuff like this and won't be scared in any way, just as you are not to be scammed by our beloved Nigerian prince.
Not a lawyer, but: Not really. You do have to present the case to the judge in a certain format to start it, but as I understand it, there's no requirement for you to send notice to the guy you're suing in a specific format. Once the suit starts, contacting the other party is taken care of either by the court or by your lawyer.
What specifically is there to fear from an email like this? For one the sender opens by admitting they are not protected by the CCPA, and a quick reading about this law shows it does not apply to an individual's personal blog.
If a Russian were able to file suit in California, wouldn't the defendant have a chance early on to ask a judge to dismiss it?
I'm trying to sound naive because I want some gory details.
> If a Russian were able to file suit in California, wouldn't the defendant have a chance early on to ask a judge to dismiss it?
A particularly foolish or over-confident defendant might represent themselves, but otherwise, I would not budget less than $2000-3000 to hire a lawyer to draft and file a response to statement of claim and show up in court to attempt to get it dismissed before it gets started.
> A particularly foolish or over-confident defendant might represent themselves, but otherwise, I would not budget less than $2000-3000 to hire a lawyer
Foolish, overconfident, or just "never have had $3000 in one place and time in my entire life."
From what I understand, that case wasn't necessarily baseless, but they drew media attention to it by publishing the letters. Arkell withdrew his claims following _that_.
For most people, if you pull them into the spotlight, you will quickly shut them up. That does not make their legal threats baseless.
Absolutely, and I'm sure this is very industrially & culturally-specific experience. I don't blame OP for not being able to distinguish. (though I wouldn't have even read the whole email before hitting delete)
Personally I've told some expensive solicitors to get lost successfully, and for some I've engaged my own & spent tens of thousands. I suppose I tended to be aware of legal risks that I was running in my old business.
But lawyers are trying to get a result for their client as fast as possible. So if they've sent you something full of hand-waving jargon, they're either not very good at communicating (& not the kind of lawyer used to taking things further) or they're trying to intimidate because they've not got anything substantial to say.
Also (in my xp) it's rare that a lawyer won't clarify something they've written unless they're being paid to intimidate, and (in the UK at least) a judge will have short shrift with a plaintiff if pre-trial communications were insubstantial and intimidatory. You can't just be summoned to court with no idea what you did wrong.
In light of the current experimental "trial" drug being pushed nowadays, _everyone_ should consider themselves a part of the trial, because even if you do not take the drug, you are part of the control group.
This I think is a typical example of having to hold two opposite thoughts at the same time.
Yes, it's a bad thing to do, it's pretty obvious that it'll scare the bejesus out of some people and even worse, have some chilling effect.
On the other hand the pendulum on ethical boards has gone waaaay in the other direction to the point where a lot of very useful research doesn't get done. The most vivid example being that we don't have human challenge trials with Covid, even now when it's crystal clear that actual risks to young healthy people are close to zero. Another example: https://slatestarcodex.com/2017/08/29/my-irb-nightmare/
So, what's my opinion? Well, an "opinion" would require me to choose one of those two perfectly valid points of view. But if I had to, I'd say the travesty that is "ethics boards" has become a bureaucracy so rotten it doesn't even perform its original function of stopping vaguely unethical research, and has instead gone completely the way of paper pushing. While, of course, still drawing a salary from making sure tens of thousands of people are dying needlessly.
This is an interesting take. What "very useful research" is being blocked by which IRBs?
FWIW, the author of the essay at the link you provided seems deeply ignorant of why IRBs exist. "Mere resident doctors weren’t allowed to do studies on their own. They would probably screw up and start building concentration camps or something." Really?
The irony of calling Scott Alexander "deeply ignorant" :)
Human challenge trials. Hundreds of thousands of dead later, and we're still using statistics to answer questions like "is Omicron ignoring immunity", instead of answering them definitely in a few days with an absolute minimum of risk. I'd volunteer for that, btw, so would literally millions. But it's just not inside the Overton window. This isn't wisdom or caution. It's plain cowardice.
The reason for this isn't "cowardice", though. I've read a lot of things by practicing people in the field on reasons for which they don't think human challenge trials produce reliable enough data. (Basically: You don't get a representative sample, and you get an unrepresentative sample in ways that are very likely to result in you getting bad data.) There's other reasons to distrust them, and I don't think your assumption that "an absolute minimum of risk" is really on the table is even defensible. And on the whole I think we probably should be using them anyway, with caveats -- but your argumentation here is bad.
> My questions are about your process for when I do submit a request.
It's really easy to read this as "I am going to be submitting a request."
> I look forward to your reply without undue delay and at most within 45 days of this email, as required by Section 1798.130 of the California Civil Code.
Random blogger who's not a business does not have any connection to this. It's more like if I tell you I'll sue you for murder, high treason and collusion with the Martian invasion, is it really a legal threat? There's literally no legal way for me to sue anybody like that.
That’s an FAQ for consumers. It’s not legally binding.
> These FAQs provide general consumer information about the CCPA and how you can exercise your rights under the CCPA. They are not legal advice, regulatory guidance, or an opinion of the Attorney General. We will update this information periodically.
I understand that someone can do cursory research and be overly confident in their understanding of a law that spans 46 pages. I hope you can understand that people can be underconfident in their understanding of a law that spans 46 pages, is bound by the entirety of a state’s statutes and case law, and feel overwhelmed by someone asking for a response on their compliance with said law. Regardless of what their interpretation of the original email should or shouldn’t be.
> It's more like if I tell you I'll sue you for murder, high treason and collusion with the Martian invasion, is it really a legal threat? There's literally no legal way for me to sue anybody like that.
Comparing a reasonable fear that one may not be in compliance with a complex legal system to something absurd does not invalidate that fear.
A baseless legal threat is still a legal threat, and that legal threat may well merit the time and energy to hire a lawyer to verify the baselessness of said threat, and to file the motion to dismiss should a lawsuit be filed despite the baseless cause of action, lest one suffer a default judgement on account of a failure to respond.
As someone in another comment thread pointed out, the requirements also put you on the spot if 50,000 Cali citizens have personal data that you've got access to.
And, as someone also pointed out in that thread, being on Hackernews and having IP logging may be enough to trigger that requirement.
Further, with the absolute shitshow that is the US court system, if someone brings a frivolous suit you're looking at thousands of dollars in legal fees, because you're going to need a lawyer (or previous experience in law) to properly explain to the judge why this suit is utterly ridiculous. And there's no guarantee if you'll get compensated for that, even if you file counter-suit--and even if you do get compensation, it's likely going to happen several years later, after the guy who tried to sue you does everything in his power to avoid paying up, because he knows you're eventually going to run out of money.
I wrote the blog post from yesterday’s HN story, and that last paragraph is what worried me. I know I’m not a business, and I don’t make money from my project, and believe I’m not subject to the CCPA because of that. I dread the idea of having to prove that in court, though, and how expensive it might be to (hopefully!) prove I’m not liable for even accidentally violating it.
There’s a reason patent trolls, copyright trolls, ADA trolls, etc. go after small entities: they’re more likely to pay a small settlement out of fear than risk taking it to court and being bankrupted.
Patents and copyrights aren't limited to businesses, you can be in copyright or patent violation even if you're a private person - in fact, I'd assume vast majority of copyright violations now are performed by private people without profit motive. That particular law however is clearly written to target specific businesses and exclude private persons.
One of the biggest issues with the Digital Millennium Copyright Act is that it was never designed for a world where Siivagunner[1] exists. On a fundamental level, it was built on the assumption that everyone involved can litigate--which means that the widespread ability to edit, remix, and review things has created some unfortunate exploits and exposed serious oversights in how the DMCA functions.
> I look forward to your reply without undue delay and at most within 45 days of this email, as required by Section 1798.130 of the California Civil Code.
This reads as a thinly veiled command to respond, not a mere request, citing legal code and (incorrectly) asserting its applicability as a basis for the authority to give such a command, with the implication being the possibility of legal action if the demanded response is not provided.
The last paragraph where it referenced a specific legal code is where it is a threat. Asking someone questions to see if they will incriminate themselves is an easy low cost legal trick that works surprisingly well.
You might claim that it isn't, but if you are just asking me that question out of the blue I'm certainly going to wonder why you're asking and what you're up to. A random individual that goes around asking individuals who have websites if their websites comply with some law can't claim that they're just behaving in a normal everyday manner.
It isn't. Being paranoid about lawsuits against some personal blog shows a lack of legal sophistication and this type of sensationalism promotes an irrational fear of being somehow financially vulnerable to almost any legal predation. That's simply not how the US system works. There have to be actual damages for a court case to go forward to the worst-case expensive end (depending on what most people consider "crippling"). Courts aren't pernicious and are very sensitive to anyone attempting to waste court time on exploitation (except in Texas courts supporting patent trolling, obv).
Any judge would have this resolved by giving the parties a 15 minute sidebar to come to an actionable resolution or sanction both sides in some motivating manner. The US legal system has a vested interest in not taking everything to a long drawn out fight, due to limited court time, even if it is presented differently in media (or the comments in these threads, which are laughable).
> Being paranoid about lawsuits against some personal blog shows a lack of legal sophistication and this type of sensationalism promotes an irrational fear of being somehow financially vulnerable to almost any legal predation.
And yet, many people reacted just like this writer. Perhaps, given that the reaction was widespread, it could and should have been anticipated, instead of expecting every person to have your evident legal knowledge.
And above somebody posted a link to 3 different counsel who took the message seriously (one an inside counsel who did not feel confident about their read and referred it to outside counsel).
Following those questions by citing a statute of the law, however, IS a legal threat. Implicit in citing specific parts of the law is the threat that those parts of the law apply to this situation.
Can someone help me understand the ethical problem here? If I as an ordinary citizen contacted the webmaster with a similarly worded email, the result would have been the same. The fact is that this “experiment” did not create any more or additional stress than is created for normal citizens/businesses simply engaging in normal legal activities. If submitting such a request has the potential to cause such undue stress, shouldn't society create protections or disallow such requests?
Edit: It's not that hard to see that there are potentially some social problems here e.g. "the message is easily construed as a legal threat" or "the message was mass mailed in a spam-like nature". However, my comment is in response to the title of the blog post which implies that the webmaster believes there's an ethical problem that this "experiment" was even run in the first place. For the purpose of this thread, assume the email was worded perfectly and the university was very thoughtful and deliberate in who they contacted. I'm interested in discussing the ethics behind how a perfectly legal and reasonable thing can in one case be ethical and another case be unethical simply by virtue of the context in which the action was carried out.
Well for starters they are lying and misrepresenting themselves and the basis for their query. They say they are a data subject from Nice and represent that they are going to make a request under the CCPA. In actual practise they are a researcher from Princeton. If you don't think that's an ethical problem then I don't see it's worth discussing further.
When you say "If I as an ordinary citizen..." you essentially make this point. They are not an ordinary citizen making a data request, they are a researcher who thinks it's ok to lie to collect data perhaps because they think people would give different responses when faced with a genuine data subject access request than when talking to a known researcher.
It really depends on your ethical framework doesn't it? People lie all the time for good reasons. Are those actions unethical? Further, I am struggling to see who was harmed here or how there was any ill intent. On top of that, the results of this study seem like they would be enlightening. It seems like society should want this experiment to be able to take place. Certainly a western liberal understanding of ethics is more sophisticated than “you didn’t tell them you were observing their behavior bzzzzt unethical”?
Put another way, is “right not to be observed (in public)” something we protect? If I write down my observations at a park as I watch humans interact is that unethical simply because I didn’t bring a megaphone and announce my intent? I think the problem is that despite what’s in vogue, I don’t understand how acting in a way that is not illegal even if it impacts somebody else and then observing the results is by default (unquestionably) unethical. Why is that bad? Are there some “case experiments” the research community looks to where humans were harmed that has shaped our modern understanding?
"People lie all the time for good reasons. Are those actions unethical?" is whataboutism of the worst kind. We're not talking about any other hypothetical case where a person might lie for good reasons. We're talking about this case, and the lie/misrepresentation was at the heart of why it was unethical.
Secondly, you say you don't see who was harmed - the person who posted the original blog post was clearly harmed. She had a panic attack she was so stressed about the legal implications of the implied threat. The fact that someone else may perhaps have not found receiving this email stressful doesn't really matter - that was the effect on her and it was harmful on its face. Remember that people have different life circumstances which affect things like this - someone who was short of money may see a legal threat with implied financial consequences such as this as an existential threat.
Secondly the people who paid money for legal advice were very clearly also harmed. Their harm has a specific monetary value.
Your "put another way" extrapolation is just a complete straw man. No one here other than you is talking about observing people in the park. This is about a research study which sent an email which some people saw as scammy or threatening in order to gather data about how small websites handle data subject access requests.
> We're not talking about any other hypothetical case where a person might lie for good reasons. We're talking about this case, and the lie/misrepresentation was at the heart of why it was unethical.
I don’t find this type of benign use of anonymity/misdirection to be an outright lie of the unethical kind.
> She had a panic attack she was so stressed about the legal implications of the implied threat.
What?! When/where? She said the request stressed her out… come on. If webmasters have panic attacks when encountering spam then perhaps we should outlaw spam (I’d support this).
> Your "put another way" extrapolation is just a complete straw man. No one here other than you is talking about observing people in the park.
Please… I 100% do not understand the reason why this experiment should be considered unethical and I’m trying to explain what I see as parallels. It’s not a straw man and I’m not the only one.. read down thread.
What I’m looking for is an explanation for why you think that legal normal behavior (even behavior that causes stress) is allowable but legal normal behavior for science is not allowed.
I also believe context motive and intent matter, for the record (which is why I believe censorship imposes a net negative on society, example: comedians are “allowed” to use offensive language). I simply find the intent here to be arguably ethical depending on what your goal is for society.
For example, if the goal is to never have any individual experience 1 ounce more stress than is absolutely required throughout their life, then this behavior is unethical arguably whether it’s an experiment or not but definitely in the case of the experiment because it’s unnecessary. On the other hand, if your goal as a society is to make sure people’s data privacy rights are protected, it seems strictly ethical to conduct such an exercise to raise awareness and document how well institutions comply with the law.
OP of the blog article. I didn't have a panic attack. If you want access to my private medical information and are not my doctor, you will not get it. Do not assume anything further.
Deception is allowed, but should be scrutinized carefully to determine if it is necessary. In this case, it was not necessary. The researcher could have easily just said "we want to know if you are compliant with CCPA for the purpose of doing this research, could you tell us your policy please"
a) Psychologists do not conduct a study involving deception unless they have determined that the use of deceptive techniques is justified by the study's significant prospective scientific, educational or applied value and that effective nondeceptive alternative procedures are not feasible.
b) Psychologists do not deceive prospective participants about research that is reasonably expected to cause physical pain or severe emotional distress.
c) Psychologists explain any deception that is an integral feature of the design and conduct of an experiment to participants as early as is feasible, preferably at the conclusion of their participation, but no later than at the conclusion of the data collection, and permit participants to withdraw their data.
a) -- Hell no
b) -- I can give the benefit of the doubt that they didn't foresee small website owners getting panic attacks from this threat, but their non-empathetic tone in that apology write up is appalling
c) -- Hell no
The more I think about this the more I'm furious that a supposedly top tier institution like Princeton approved all of this and the "researchers" seem to have 0 fucks to give on ethical experiment design.
Are you sure that this is applicable to OP's situation? It appears to be a set of guidelines, not a requirement. And in fact, I'm skeptical that there are requirements, except on a university-by-university basis -- which is to say, the process seems much less formal than people are saying.
For example, I would feel comfortable with this study if at the bottom it said "Just kidding, we're actually researchers. Can you explain what was going through your mind when you read this?" even though it's technically deceptive.
I'm a former pentester, and deceptions like this were run all day, every day, by a dedicated team. It's often phase one of phishing, since you end up assuming you're talking to a trustworthy source. So I'm wondering why we seem comfortable with that, but not this.
Pentesters are hired by companies to use underhanded methods to gain access. Pentesters are not randomly spamming websites with deceptive emails, causing owners to suffer mental anguish and consult expensive lawyers.
University researchers are required to abide by ethical standards to prevent abuse of test subjects. One would assume that this should also include not randomly targeting people with deceptive emails causing them mental suffering and unnecessary legal costs.
>It appears to be a set of guidelines, not a requirement.
I don't know about you but I learned about deception in research and its ethical implications in high school. To me, grown-ass adults working in the field of STEM not knowing ethical research, let alone a god damn researcher failing spectacularly and causing harm to an ungodly amount of people through the use of automated means is woefully beyond "oopsie, I really shouldn't have done that"
>For example, I would feel comfortable with this study if at the bottom it said "Just kidding, we're actually researchers. Can you explain what was going through your mind when you read this?" even though it's technically deceptive.
This is kinda what debriefing is, but it is usually more substantial than this. But that still feels extremely amateurish in my eyes. The stated research objective was to have a measure on CCPA/GDPR compliance and did not require deception whatsoever. Either the researcher was not imaginative, they didn't give a fuck, or they just wanted to try deception just for fun.
>I'm a former pentester, and deceptions like this were run all day, every day, by a dedicated team. It's often phase one of phishing, since you end up assuming you're talking to a trustworthy source.
I don't know about you but I hear news all the damn time where phishing emails go wrong--like I think I just saw a testimonial on reddit where fake phishing emails were so aggressive that it literally just ended up discouraging people from using email entirely to the point where people missed assignments and shit.
Something similar happened in my company as well and a lot of people got furious.
Fake phishing things should also be heavily controlled, like for us, it is entirely voluntary.
As a pentester you’d likely get an OK from the client on which methods were acceptable. Can you phish, etc. An exec would hire you to test their company and you still wouldn’t have carte blanche on methods. I assume you didn’t just YOLO random companies that you thought would be good for your security paper.
Full disclosure: I’ve listened to at least 20 episodes of Darknet Diaries. I’m basically already in your network. ;)
> I'm a former pentester, and deceptions like this were run all day, every day, by a dedicated team. It's often phase one of phishing, since you end up assuming you're talking to a trustworthy source. So I'm wondering why we seem comfortable with that, but not this.
Because pentesters get permission up-front. What the hell kind of pentesting operation are you running where you're trying to penetrate a site that isn't already one of your clients? You'd be in hot water, legally, if you did that--because the sites affected would have every reason to assume that you're malicious.
This is exactly the thing that was gone over last time, in the U of M case where researchers knowingly submitted exploitable code to see how the Linux kernel team would react. They were also compared to pentesters--but pentesters get permission first, and the U of M people didn't, which is why they were treated as malicious by the kernel team.
If you do not have rules of engagement that were agreed upon by the pentesting team and the client, you are not pentesting, you are committing some form of crime. Stop claiming that pentesters are allowed to phish/exploit things without permission, it makes everyone in that community look bad.
I've been seeing this a few times now. Extremely ignorant computer scientists and STEM folks skipping IRB and claiming "they've never even heard of getting approval for social research". Pretty gross in my view honestly.
I got one of these letters, and the website in question has $0.00 revenue, and an order of magnitude fewer total users than would invoke the users. The linked story here is about someone who got a letter to their personal blog.
That I agree with. Their collection methodology was clearly inadequate. They should have been more careful who they mailed, even though they did try to be careful it wasn't enough.
I think lying is a reasonably fundamental part of human research, or at least obfuscation. You don't tell the participants what you're testing for, since you don't want the results to be biased, and often obfuscate what you're measuring.
I think the real ethical issue is actually that the email reads like it's coming from a lawyer. It's weirdly formal and cites that a response is legally required within 45 days. As other comments have mentioned, this has the real world consequence of heavy stress where most folks would (and should) lawyer up. This is the biggest ethical issue, since the study is costing its participants nontrivial money, and without consent.
Lying is a reasonably fundamental part of research, but lying to humans can hurt them in various ways, and that's why we have human research ethics rules and standards that require an explicit process for obtaining consent to do something, even if we can't say what in advance, and debriefing and harm mitigation.
Which the IRB missed because they didn't understand that, to ask questions about a website's policy, you must get an answer from a human.
That’s _not_ how it works. The fact that information comes from a human does not make something a human subject experiment. The information has to be about a human. Here the information is about a process for handling CCPA requests. We can argue about whether, in a single site operator case that also qualifies as information about a human since there’s no clear organizational policy, but I want to make it clear that information simply coming from a human does not make an experiment a human subject experiment.
> The fact that information comes from a human does not make something a human subject experiment. The information has to be about a human.
The experiment is collecting more information than just survey results about CCPA policies. They're also collecting and evaluating information about how humans respond to their legal threats vs how they respond to less pointed inquiries from academics. If this study was merely ordinary survey methodology with questions that aren't asking about humans, it wouldn't be human subject research. But they have actually gone outside the bounds of a mere survey with the deception and threats.
So what I find fascinating in the academic sense is that the law is being followed naturally here and so any costs incurred are incidental and arguably not the result of this experiment but rather actually the result of the law existing in the first place so ethically it’s not clear to me whether the experiment is creating this stress or in fact the law and modern society itself creates this new possibility of stress. If it’s a problem that lawyers can get involved in response to request for information about a possible CCPA request, then perhaps the law needs rework so that it can't be construed so easily as some threat requiring you to lawyer up.
In short, if lawyers asking people to follow laws are an ethical problem, then maybe we need to address that and not get enraged about a totally legal request for information about a website’s CCPA process.
Also, the text on the page reads as tone-deaf enough for me to wonder if it's deliberately written to misrepresent the nature of the study activities to people on the IRB who are unfamiliar with technology. A quick Googling for everyone on the Stanford IRB Committee [1] shows Kyle Jamieson [2] as the only CS person – everyone else seems to be a clinician, scientist, or administrator.
> As part of the study, we are asking public websites about their processes for responding to GDPR and CCPA data access requests. We attempt to identify a website's correct email address for data access requests through an automated system.
You cannot "ask a website" and a website doesn't have a "correct email address". Given the targeted nature of the emails, I have trouble believing that these phrases were written in good faith by someone who understands that they are emailing the webmaster for a website, and expect an answer within a reasonable timeframe.
The police do that quite often to catch criminals. Sometimes they also target innocent people, is that ethical?
People on HN don't usually lie, I hope, but most "misrepresent" themselves using anonymous accounts, sometimes claiming to be more than they actually are (I know, shocking).
Emails you receive are more likely to be scams than not. If you're like the author and freak out at legally-sounding emails (or phone calls, discussion forum comments etc) received from random people, you're going to be a really stressed, anxious person your whole life.
"Hard to get approved" my ass. The attacks on the Linux code review process with real harm code and zero safeguards against successfully hijacking a production kernel got approved and the review board even reaffirmed its decision when confronted about it, as far as I remember by claiming that the study wasn't focused on medical issues. Did this study focus on medical issues? If not then at least one review board out there would rubber stamp it.
Because one IRB makes a bad decision doesn't mean, in general, deception studies are easy to get approved. Furthermore, this study used a "no human subjects" exemption to avoid a full review - which should not have happened. The Linux code attack study has also been roundly criticized in the research community because it was such an abnormal failure of IRB.
> The Linux code attack study has also been roundly criticized in the research community because it was such an abnormal failure of IRB.
So how is the board doing? Did its members face any consequences at all or are they still there ready to rubber stamp the next study with full approval and flimsy excuses?
Someone on the Internet is lying and misrepresenting themselves? Nooo!
(The rest isn't a response to seanhunter's comment, but a comment on the discussion in general)
If we take a step back from the discussion; I'd have to say that this is in a gray area that kind of ends up being mostly in the "ok" region - or possibly in the "probably not worth giving a shit about" region. There is a simple litmus test you can make: how would people have reacted if this had been limited to large corporations you do not like? The response would have been very different.
Let us at least be honest enough to admit that to ourselves.
That this is part of academic research doesn't really change anything.
It also needs to be said that people tend to be too uptight about perceived small infringements on what they see as their inalienable rights. If we are going to label subjects of what is at best described as akin to consumer research as victims we are watering out the term to the point where every person who has accessed the web is essentially a victim.
Hence the victim blaming someone tried to call out in a comment, is needless douchebaggery and drama. There are real victims of real transgressions and this is belittling.
People need to take themselves a bit less seriously. You are part of human subject research studies every time you use the web. And yet you come back for more every day.
Half of you probably contribute code and time to an industry that turns human behavior into numbers that are then translated into cash. And proudly so. Hypocrisy just makes us all look like douchebags.
> how would people have reacted if this had been limited to large corporations you do not like?
Those large corporations we do not like have lawyers on retainer specifically to deal with this situation (probably by suing the pants off of whoever sent the email).
It is acceptable to react differently when the victim is defenseless. That is why we would have a different reaction to a large corporation being struck by this, versus an individual who may not be able to afford legal counsel (and who certainly can't afford to pay legal counsel when the threat turns out to be baseless).
So you are making the argument that one should apply different rules to different people depending on how much money they have. Well, no way that could go wrong.
Interesting how you also make the tortured argument that privacy laws create victims.
I am making the argument that a company that already has lawyers on retainer for this occasion is not suffering the same harm that someone who does not have a lawyer on retainer does. Similarly, someone who can't afford a lawyer at all is disproportionately likely to be harmed compared to a company that has competent legal staff.
Also, "privacy laws create victims" is--to use your own phrase--a very tortured version of what's going on here. The people affected by this study were threatened with legal action. That is what they are victims of. Regardless of what law was used as an excuse, threatening someone with frivolous legal action is as bad as threatening someone with SWATting.
Perhaps you're making an assumption that "normal citizens" receive legal threats regularly? I can count the legal threats I've received on one hand, and I can assure you the days following them were, unfortunately, quite unpleasant (fortunately nothing came of it).
Stress aside, part of the problem is the very real possibility of a subject wasting money on hiring a lawyer.
Does this qualify as a legal threat? It just seems like a reminder of existing laws, like one sees in all manner of contracts or Terms of Service. Like the "you are obligated to pay within X days" you see on your credit card statements.
Or even if there is a legal threat, do you take it seriously unless you know the source? People regularly get calls saying they are in violation of tax law and must pay.
Maybe not "officially", if such a bright line exists. But in practice, a "reminder" of a law including a legal citation and phrases such as "without undue delay" will be interpreted as a threat in many circles. Whether or not it will be seen as a credible threat is a function of the recipient's risk tolerance, prior experience, familiarity with legal processes, etc. Hiring a lawyer ($$$) isn't out of the question if the recipient is unsure or has a low risk tolerance (as, perhaps, an individual blogger might have). It is a little cruel for a researcher to assume every recipient will respond neutrally.
I've received legit legal threats over email from very serious people. I'm certain they would have escalated to more "official" channels if the situation wasn't resolved to their satisfaction (if you're curious, it was a contractor billing issue that was being ignored by my HOA. I was caught in the crossfire).
The fact that random scammers are calling folks claiming they're violating tax law isn't a justification for researchers to engage in similar acts. Do you agree?
> People regularly get calls saying they are in violation of tax law and must pay.
This is an interesting point you bring up, which merits diving into a bit further.
I think it's precisely because CCPA is so new that this experiment is more unethical than if they were just calling up people saying "you owe money to the IRS, send me gift cards". The IRS spends a ton of money every year telling people that these calls are scams; but Christine or the operator of freeradical.zone likely had no such public service announcements from the State of California. On the other hand, they probably did hear news items about this new data privacy law that California passed, and thought the emails were from actual individuals.
> It just seems like a reminder of existing laws, like one sees in all manner of contracts or Terms of Service.
An email purportedly from an individual is not the same as a contract or terms of service issued by a corporation from which I am getting a service. If I, as an individual, were to send you an email asking, for example, if you are paying all the taxes you legally owe, am I just giving you "a reminder of existing laws"? Or are you going to start wondering who I am and why I am asking and wonder if something is going on behind the scenes?
> People regularly get calls saying they are in violation of tax law and must pay.
Yes, that's true. And people who make such calls are regularly considered unethical scammers who do not deserve any consideration. So why should we treat researchers who send similar emails any differently?
Unless one is socially inept, it reads as a veiled threat. When someone asks one a question, it is likely to the point of certainty that social humans will consider (1) who is asking (2) why are they asking (3) what is the tone and (4) what is the text of the question. Failing to understand this or refusing to acknowledge it just means that one is bad at humans.
To be clear, I find the ability for anybody to threaten anybody else with a lawyer to be problematic for many reasons. The legal system in the US sucks and I would love to see some sort of social remedy to this type of lopsided interaction and abuse of power. If that happened in this case that’s part of my question: perhaps there’s nothing wrong with the “experiment” itself but rather with wording that might imply legal consequence?
However I’m dubious that there was even a threat of a lawyer. The request simply asked for a prompt response as required by law. That’s quite a stone's throw from “I’ll sue you and take you for everything you own if you don’t reply”.
BTW, if you are actually being threatened by a lawyer then they send certified mail or show up at your door. And in terms of the webmaster almost contacting one, no lawyer is going to take your money before talking for 5-15 min to even figure out what the issue is. And even if you paid for 30 min of a lawyer's time, then they would promptly inform you that you can ignore such requests since you’re not a business.
> I’m dubious that there was even a threat of a lawyer.
The usual legal standard is whether a reasonable person could interpret the email as potentially threatening legal action.
> The request simply asked for a prompt response as required by law.
And such a request reads exactly like something written by a lawyer. Lawyers don't usually explicitly threaten a lawsuit in their first communication. They write something very similar to the email the researchers sent. I can easily see how a reasonable person could interpret those emails as potentially threatening a lawsuit if the request were not complied with, or if the sender did not think the response was sufficient.
> The request simply asked for a prompt response as required by law. That’s quite a stone's throw from “I’ll sue you and take you for everything you own if you don’t reply”...BTW, if you are actually being threatened by a lawyer then they send certified mail or show up at your door.
I think you are expecting random people operating websites to share your knowledge of the legal system. I know you're right, but most people who operate a website likely don't, and these emails make them spend unnecessary time, money figuring that out; not to mention mental distress.
I find this not dissimilar from a standard "I'm in prison, but know where a million dollars are buried, send me money" email scam; and if researchers were sending those around as tests to see who was gullible, they would promptly end up on several blocklists. I don't see how this is different; and therein lies the ethical problem. Quite a few people seem to agree.
> I think you [are] expected random people operating websites to share your knowledge of the legal system. I know you're right, but most people who operate a website likely don't, and these emails make them spend unnecessary time, money figuring that out; not to mention mental distress.
But if you're hosting a website, you should have that knowledge. I can't run a business and expect not to be asked about taxes, either. Honestly, as an EU citizen, if I wasn't aware of the GDPR in regards to my websites, I'd have bigger problems than some research study.
That being said, I fully agree that this mail wasn't nice and I can absolutely understand why people became nervous. But things like this are expected and the issue seems exaggerated in that light. Quite a few people seem to agree to this, too ;-)
> BTW, if you are actually being threatened by a lawyer then they send certified mail or show up at your door.
Sure, but if you haven't lawyered up by that point you're going to have a bad time. Doubly so if you aren't familiar with the amount of info-gathering and record-keeping involved in winning a suit--if you don't know what needs to be written down for when you do have to call a lawyer, waiting until the last second can easily shoot your entire case in the foot.
And if you do lawyer up, you're spending massive amounts of money--money that some people just don't have.
Completely agree here. There was no reason the people running this couldn't have been clear about what they were doing and why up front. I've dealt with GDPR requests before and it is a hassle. Especially when someone does it for the purposes of causing that hassle.
And I don't see what's threatening about pointing out that you have a very nice windshield, and that it would truly be a shame if anything happened to it... And that I sell windshield insurance.
Also, while not a legal threat, "My questions are about your process for when I do submit a request." strongly implies an intent to submit a legal CCPA request in the future. Using "if" instead of "when" would have somewhat mitigated this, although it still comes across as somebody trying to find a loophole.
Then they’re not very good cease and desist letters. A C&D should state exactly what you are asking them to stop doing and exactly what will happen if they don’t. That way the other party can’t claim they didn’t understand later.
Search C&D samples on google and see for yourself.
“Your failure to abide by your Agreements will result in [redacted] pursuing any and all available remedies, including but not limited to injunctive relief and monetary damages.”
So, I don’t consider this very specific (you may, and that’s fine but then our disagreement is about something different).
Yes, language like that. Put it this way, a cease and desist should contain an IF THEN. If you don’t stop copying my CD then I will sue you for injunctive relief and monetary damages.
Contrast that to the subject email. There’s no if you don’t respond then I will sue you. It’s not a threat, it’s a request and the requestor’s reference to a statute that they think might apply.
I’ve been on the internet since before Al Gore invented it. I’ve seen more crappy stuff from lawyers all the time. Remember, in the US, you do not need a reason to sue someone. A friend just got sued by a guy who tried to buy his house for some BS reason. Trust me, stupid stuff happens.
EDIT: Some grammar, and minor clause clarification in second-to-last paragraph.
Yes, frequently. And throwaway.
About once a week, I pick an account in my LastPass collection, and initiate the following process:
1. Initiate a CCPA data request using a form or email, and I always include language about the timeline. I am not a lawyer, I'm just a person.
2. Then, once I have the data, I delete the account.
I'm trying to purge my web presence before I move out of California. I have about 200 accounts left, and have done this with 50.
Admittedly, these are all large businesses, so far. Think Google, where I've worked myself, so I know they are equipped to handle it. But, I will be working my way down to small businesses eventually, and I am surprised to find out that simply quoting the statute (which is what I do) is considered anything but vaguely legally threatening. If the website doesn't fall under CCPA, or hell, if it does, I just expect it to be ignored. I mean no ill will.
I'm personally pretty conflicted, since I actually fully agree with this [1] about the study being unethical, but if I send an email as an individual to a website with my data, quoting a California law, that doesn't seem wrong to me, even if it causes $10k in legal costs, since my request is truly genuine and not intended to cause harm.
I would agree that there is a distinction at the study level, but I'm not exactly sure why.
The distinction is super clear to me. You as an individual are exercising genuine data subject access rights granted to you by law. They are a researcher pretending to be a data subject exercising rights in order to gather data for their study.
Even if what you are doing is "legal" it seems abusive as hell to me, especially if it is ever targeted at a smaller company or person like in the OP's case. Why are you being so difficult? Why don't you find something more useful to do with your time instead of making others jump through idiotic hoops out of some misplaced sense of justice?
I imagine that for some companies it is difficult, and to the extent that I feel a 'sense of justice' about it, I would hope that my efforts help the organization (or single person, acknowledging that) set up a process to handle this.
I'm *genuinely* not trying to be abusive though. It's *extremely important* that consumers have the ability to exercise their data and privacy rights.
I'm not that old (mid 30s), but genuinely much of the data I have on the internet was put there when I was an actual child. And it's still there. This is actually one of the first times I've posted in *years* online. I really want to delete *almost everything*. Note in my OP, I said I worked at Google. I quit, because although I actually think ad targeting and the surveillance network are actually okay-ish, I wanted to opt-out myself, on both ends. So far, this decision has cost me 250k USD personally (if I calculate out the opportunity cost since I quit, just so far). And for the websites/apps I do still use, I donate some amount of money per year. OK, maybe I'm a freak, I really do think this stuff is important.
What would you suggest I do? Leave all my data online? As I said, in my cases, I was an actual child (those COPPA things did nothing to stop me), and this is, so far, a really effective way at getting places to delete my data. Maybe it's because they're "scared" of the law, but you know, then the law is working. Before, nobody responded to my deletion requests, and many websites had no option to delete. As a libertarian-ish person, this is a clear win for the consumer in terms of "coercive power of the state being used to create a framework that increases net freedom".
I am open to being wrong though! Let me delete all of my data first though so I don't have to do this again.
Responding to throwaway, I think the critical difference here is that you're making the requests in good faith. The researcher was making these (could be interpreted as vague) requests deceptively.
Yeah, I think that's right. But it does raise an interesting point. The meta-point of the study was a good one, I think, which is to "study privacy on the internet".
I'm soooo behind that (one reason I am disappointed in the ethical lapses here)—I've often considered publishing the steps I take for each website on a substack or whatever, to help other people. Sometimes, it can be hard to figure out (1) if your data can be requested-to-be-deleted, and (2) how to even do it.
Clearly, the deception was bad; I guess, just thinking out loud, how could this study have been done ethically? Perhaps, sign up real people to request the data, and transparently include a notice that this was part of a study?
The last bit is the tricky one; including that might skew the results in favor of websites being compliant.
If I understand correctly the sentiment is that the study is not in “good faith” by virtue of being a study. That’s where I’m genuinely ethically confused. It’s not like the study is bad faith (like they’re trying to trick websites into something illegal then sue them). At worst it’s neutral faith. But why is that unethical?
>Perhaps you're making an assumption that "normal citizens" receive legal threats regularly?
I consider myself a normal citizen and I receive "legal" and "illegal" threats regularly, the very vast majority being scam attempts of course.
Recently e.g. scammers keep telling me that my website's imprint is not up to code[0], either threatening to sue or outright claiming they are in fact a law firm and want a cease-and-desist and compensation for their law work, of course.
I also noticed how the Indian and Pakistani "security researcher" scammers[1] telling me about "major vulnerabilities" in my website - aka missing DMARC/DKIM headers (which are not even missing) - also started telling me how one can be fined under the GDPR for "bad security".
As for the "illegal" threats... I, according to scammers at least, watch a lot of "bad" porn[2] and they know about it because they hacked me, and recorded me on my own webcam. But if I paid them some BTC/monero/whatevercoin ("Follow this link to learn how you can easily buy <coin>"), they wouldn't rat me out to my family/friends or the police. I guess I will just have to pay them, but then again I have a HUGE payday coming from that nice Nigerian prince and another from that fantastic Singaporean economic attaché... once I send them some bucks to cover processing fees, of course[3].
All joking aside tho, I get how some people may be scared by things like the CCPA emails, or the kind of emails I mentioned (if those didn't work enough times, scammers would have stopped by now). When I just read that particular email in the article, I didn't see a legal threat, but that's just me of course. Other people might read it differently, and I cannot fault them for that. I remember being concerned myself the first time one of those "imprint" scam emails made it through the spam filter.
[0] In Germany, commercial websites are legally required to have an imprint, and everybody can basically sue you if you mess that up, that much is true. It's also true that courts regularly rule that if you profit even from a private website, e.g. by displaying ads, then your website is in fact commercial and requires that imprint.
[1] This isn't to denigrate all Indian or Pakistani people, of course. It's just that the "security researcher" scammers I encountered thus far all operated from these two nations.
[2] Ranging from "homosexual" to "child". I wouldn't consider adult gay porn "bad" myself at all (just not interesting to me), that's their definition. It's quite interesting to me to see how they try to phish for closeted gay people more often than for pedophiles, at least anecdotally from what makes it to my spam folder. My guess is that the number of people who actually watch gay porn and are ashamed of it largely exceeds the number of people watching child abuse porn.
[3] I received those "huge money - pay fee" scam emails more than 20 years ago, and I still receive them today. Cannot argue with success, I guess?
I've received plenty of voicemail from scammers who claim that I owe some agency money and that there will be penalties if I do not comply. That feels like a threat.
Ah, okay, thank you - now I also see the "Update 2"; for some reason my browser had been returning a cached older version with just the Update 1 / FAQ added.
I noticed the "FAQ" doesn't include the question "will you be paying out money to people who read your email and spent money on a lawyer checking it out?"
It is unethical because you are lying to people in an effort to manipulate their natural state. As a researcher, you have to balance the good in a research study versus the bad, and you can’t always predict how bad the outcome will be. There are review boards in place to make these decisions.
Here’s an example. Your doctor calls to talk to you about your sexual health. You discuss at length about all the issues you’ve been having lately, and you break into tears when your doctor tells you it’s permanent. At the end of the call, your doctor explains that he/she was joking, and that you just have low vitamin levels. You find your anecdotal story in the front page of a medical journal the next year.
You can imagine similar situations where someone calls to tell you that you have cancer and observes for a month. Or that your significant other died in a car crash this morning. Or if someone claims they are suing you for a large amount of money. In all those cases, the person contacted may have a mental breakdown or worse.
Human subjects research guidelines are very clear as to where the line is. If your research is gathering information about a person, then the subject is a human and additional steps must be taken to ensure responsible conduct (this applies in your first example case which is clearly ethically problematic because the subject was not informed). If the information you are collecting is about a process or procedure or general data, even if it is provided by a human, the subject of the research is not a human and it’s at least not by default ethically problematic.
In regards to lying, I find such use of misdirection to be arguably ethical because 1) pseudo identities are entirely normal and expected on the internet so encountering one should not cause anybody undue stress, 2) it is not fraud, so it’s legal and does not cause harm, 3) because the experiment would not be possible without the appearance that the request came from an individual and not a research team, and 4) because if submitted to a corporation none of this discussion would even be happening. And 5) because California law requires organizations/websites to provide this information (in cases the law outlines) when it is requested which to me indicates these type of requests are supported/good/normal.
The text says: “this is not a CCPA request I just have some questions about the logistics if I were to file one” and includes a reminder that there’s possibly a legal obligation to provide these details. It’s not asking for personal details or information about a person.
I don’t agree with the definition of “human research” you are using. For example, Cornell IRB defines it as 1) extracting data from humans OR 2) collecting private information. The email collects information from a human, therefore, by 1) it is human and subject to IRB review. My understanding of the intent of IRB is to govern any research actions that directly or indirectly interact with a human. Even simple surveys or scraping reddit needs IRB.
For the deception, you have to weigh the pros and cons. The harm isn’t very high but 1) it undermines public trust of research and 2) includes the participant in a study they did not consent for. The participant is not getting paid for their time and is in fact getting indirectly threatened/coerced with legal action.
The IRB board of course makes all these calls. But it’s not “obvious” that the research is ethical. For example, research can be unethical _with participant consent_ if participants are offered too much money, because people will do _very_ bad things for large sums of money, so it’s basically coercion. In this case, there is an implication of legal action if the participant does not participate and they may not have an option to withhold their participation.
Consider the alternative: “Hi, I am a researcher from Princeton. For your time answering these 4 questions, you will receive $50 and an opportunity to advance our understanding of ____.”
> Can someone help me understand the ethical problem here?
The ethical problem is that you can't do research on people without their consent. The fact that the researchers knew they were doing research, not actually asking a question as an ordinary user of the website, makes a difference. Intent matters.
> The ethical problem is that you can't do research on people without their consent.
But can you do research on a business without the business's consent? Or do I need a business's consent before sending out identical resumes except one has a stereotypical minority name to attempt to judge discrimination?
Because websites aren’t people. Websites are businesses. A lot don’t make money or fail. They may have a small staff managing them. They may not be ‘for profit’ but they are still businesses.
That’s my issue with the complaints about the study. They blow up and claim to be unwitting participants of human subject research, drawing mental parallels with the Tuskegee experiment when it’s a closer parallel to research performed against companies who were never notified like when researchers sent out identical resumes except for their names.
The researcher definitely could have worded the email better so it didn’t come across as an ominous legal threat. There are valid criticisms against the research. But claiming to be an unwitting subject of a human research experiment is incredibly misleading.
If your study is simply "how do the servers of various websites respond to my HTTP requests", that doesn't require informed consent, because it's not involving humans.
Once your study moves into the realm of "how do the operators of websites respond to my legal requests", that requires informed consent, because website operators are humans.
It's really very, very simple. If you need responses from human beings, that's human subjects research, and it requires informed consent and greater scrutiny from the IRB.
Websites are one or more servers that respond to the HTTP and/or HTTPS protocols with something a web browser can show. They may have a business involved. They do not necessarily have one involved.
They may be a personal site, such as, well, https://christine.website. Which is a blog and a list of projects done by one person.
They may even be a front-end for a dynamic application but still not a business - I run a small Mastodon instance and it's just "a place for me and my friends to talk", not "a business"; having it grow to the size where I'd have to deal with stuff like the CCPA or the GDPR is something I absolutely do not want.
From my perspective, the problem isn't that they ran an experiment, the problem is that they lied to site owners, making them think they needed to deal with a tricky legal request. In many cases, the sites reached out to lawyers in answering those requests, which is pretty expensive.
The experiment aspect is only a problem in as much as it being an experiment caused the researchers to do something they wouldn't normally have done, or been okay doing.
Lying about your identity and failing to reveal that the reason for your inquiry is that it is part of an academic research project would be the ‘unethical’ part.
It is unacceptable to do something to a person so you can study the way they behave, without first obtaining their consent to participate in such a study.
You can observe how people behave when they are subjected to the same stimulus naturally; you can ask them if it’s okay to subject them to a stimulus to see how they react; but you can’t just do something to them and write down what happens.
The researcher invented false identities, and then used them to imply a legal requirement to expend labor and respond without notifying the recipient that they were just doing a study for academia. There are plenty of things you are allowed to do as an ordinary citizen that are considered unethical in an academic context.
As an absurd example of something that is highly unethical, but perfectly legal: research into whether certain images or colors on protest signs are likely to elicit a response. You choose military funerals as the protest site. In the US the right to protest at a funeral has been confirmed by the courts. This would still be an unethical action.
Many companies, including ones that I’ve worked for, that received a message like this would take it VERY seriously and expend some expensive resources (lawyers and programmers) to discover that CCPA does not apply and that they aren’t required to respond.
A more ethical way to gather this data would have been to be honest about identity and purpose, notify the recipient that their response would be anonymized and never used against them, and to inform them that a response is not required.
The first ethical problem is that it is lying and deceitful. Is the bar so low that this is considered acceptable behavior for a moral and reputable person or institution?
Scientific history is filled with awful experiments involving human subjects, and ones with terrible and long-reaching impacts: consider the effect of the Tuskegee experiments on Black reticence in taking the covid vaccine. Not to mention what the Nazis did. In response to this bleak history, in the mid-1960s, scientific organizations and universities began requiring Internal Review Boards (or IRBs) which would independently review proposed experiments and block them if they failed to meet ethical standards.
The bar is very high, and with good reason: you're experimenting on humans. One of the foremost requirements is the notion of informed consent: you can't experiment on people who don't know or understand, or who didn't give you permission.
This experiment very clearly involved human subjects and very clearly violated informed consent. If the student involved did not realize this, certainly his advisor did or he'd have to be considered incompetent. And if the experiment was indeed placed before the IRB and was given an exemption, as was implied, then Princeton's IRB made a glaring and incredible error.
Had this student simply sent out a questionnaire from his Princeton email address, rather than conduct an experiment, he might have reasonably obtained IRB exemption or permission. But as I understand it, he (1) hid behind aliases so they did not know they were being experimented on, and (2) threatened legal deadlines in responding to his questions. There is no way this was ethical by IRB standards.
One thing that really bothers me is that people are attacking the blogger for using the word "consent", suggesting it's hyperbole in the sense of date rape or whatnot. This is terrible: "consent" is the standard and correct term used in human subjects research, and is a factual description of exactly what occurred.
I don’t think it’s accurate to say that any experiment where a human is simply involved qualifies as a human subject experiment. The IRB guidelines are pretty clear about the distinction between simply gathering data from a human and gathering data about a human.
> The study aims to understand how websites would respond to real users, while accommodating websites that may have less capacity to respond.
That is, they're not interested in what the website's policies are via questionnaires. They're prodding them under false pretenses to see what would happen. This is definitely human subjects research.
> The fact is that this “experiment” did not create any more or additional stress than is created for normal citizens/businesses simply engaging in normal legal activities.
Are you sure about this? Didn't these requests get sent to entities that didn't even fall under the categories in the statutes? Meaning they would in fact not have been normally dealing with these kinds of requests on a regular basis (if at all)?
The unethical part is not that the experimenters sent these messages to the owners of the websites.
It's that they:
a) did not get the people's informed consent to participate in human subjects research,
b) misrepresented themselves as being potentially-litigious parties interested in the handling of their own data under the CCPA, who further were misrepresenting the degree to which the CCPA applied to them, and
c) misled their IRB into believing this was not human subjects research, so that they did not get stopped from doing (a). (That, or the IRB itself is culpable for this aspect of the unethical behavior; I haven't seen specific information one way or the other.)
And to be clear about these requirements:
You may recall stories about psychological experiments during the Cold War, like the Milgram Experiments (where the participants were told to administer electric shocks to people), and the Stanford Prison Experiment (where they assigned a bunch of undergrads to be prisoners and guards). Due to wildly unethical experiments like those, the scientific institutions of our country developed the system of Institutional Review Boards (the aforementioned IRB), which have fairly clear standards that they hold researchers to (though, granted, those standards will naturally vary somewhat from institution to institution).
One of the primary purposes of IRBs is to ensure that all human scientific research participants give informed consent to participate in the study. That means, among other things, they have to be informed of the risks of the study—and those risks, by design, must include the mental distress that can be caused by the experiment. (That, after all, was the primary negative outcome of the Milgram Experiments and the Stanford Prison Experiment: they caused serious psychological distress.)
I don't work at Princeton, so I can't speak to the specifics of how they consider such things, but I do work for the psychology department of a university with a strong tradition of research—in fact, I built the web-based system the IRB here now uses to manage their workflow, so I've worked closely with them for over a decade now—and I can tell you with some certainty that letters like these would not in any way be considered acceptable without a signed informed consent form. They are very clearly designed to evoke an emotional response in the recipients—a fear response, specifically—and that absolutely requires the full scrutiny of the IRB.
I see the issue being the email was formulated in a way that is easily perceived as a legal threat. I don't see how it is ethical for a study to be sending out legal threats to see how someone responds. Now if the goal is to understand how websites respond to the CCPA/GDPR then it shouldn't be too difficult to ask how they would respond to a request and note that it is part of a voluntary study.
Going back to study homepage here https://privacystudy.cs.princeton.edu/ there is another update, now from the lead investigator, that includes the following paragraph:
"Second, our team is prioritizing a possible one-time follow-up email to recipients, identifying the academic study and recommending that they disregard the prior email. If that is feasible, and if experts in the email operator community agree with the proposal, we will send the follow-up emails as expeditiously as possible."
Did this study send automated emails in such volume that they can't work out how to send an apology without triggering spam protections? Or did they send email and not record it? What is he saying here?
Option #1 con: we will be spamming people a second time. If the first round of spamming puts us in legal/ethical jeopardy, then this second round of spamming could make it worse.
We have not performed Option #1 yet. We do not know whether we should perform Option #1 or not. We are taking the temperature of the 'email operator community' to see whether we should perform Option #1 or not. If Option #1 gets the green-light then we'll do it ASAP."
> My name is Maya Mishina, and I am a resident of Novosibirsk, Russia.
If I received such an email, I would mark it as spam and move on with my life. Why did this blogger take it seriously? Does she take other forms of spam so seriously?
I do feel for her stress and anxiety, but I also have to question her mental ability to filter noise. Life must be quite stressful for her overall.
I see emails from cranks all the time and similarly have a do-not-respond policy to any of them, but at the same time, something like this is very slightly worrisome because it seems to be presenting the non-zero chance that some random person will sue you in your local court system.
Which even if it is completely nonsensical and has no basis in law, could cost thousands of dollars to hire a lawyer and file a response to a statement of claim.
If you have ever seen the experiences of people who have been sued by sovereign citizens/freeman-on-the-land/"this is an admiralty flag" people, it would help to better understand the context I'm viewing it in.
Recommend you don’t spend “thousands of dollars to hire a lawyer and file a response” on something that you find very slightly worrisome.
Again, I think you, too, are being suckered into spam. Plenty of people fall for spam scams. It is nothing to be ashamed of. Think of all the people who fall for the fake IRS phone calls.
But learn from it: keep your guard up when you get emails, phone calls, or text messages from strangers.
Anything legally binding in the US will come to you via snail mail.
> Anything legally binding in the US will come to you via snail mail.
It doesn't need to be legally binding to be worrisome. Imagine I told you "I'm going to sue you. You don't need to do anything until you get the formal notice" and you found the statement credible. Would you go on with your life as normal, or would you be stressed and hire counsel if affordable?
My job involves DMCA pass through compliance and I have several hundred of such threats from a myriad of sources sitting in an inbox right now which say otherwise.
Perhaps you've never had thousands of people torrenting movies using you as a service provider before.
Note that the threats are not directed at me, but at my customers.
And I consider DMCA notices to fall within the category of a certain specific type of legal threat. There are also some in the queue right now that don't read like typical DMCA notices such as you might receive for downloading The Mandalorian, but look more like straight out attempts at extortion (pay us right now so that we won't sue you for torrenting backdoor sluts volume XII, etc).
As to what the ultimate end user recipients consider them to be, that's up to them and their counsel.
You are wrong, and I fear the only way you and others like you will learn is if you personally receive an email from an attorney, tell them you’re going to ignore it because you didn’t get the notice via the post, and suffer adverse consequences.
I don’t know where you “learned” this false information, but I would recommend going to whatever authority figures are spouting this nonsense and correcting them.
> Recommend you don’t spend “thousands of dollars to hire a lawyer and file a response” on something that you find very slightly worrisome.
I call a lawyer any time I have a legal question for which I am not confident about the answer. If it’s not a real problem, a lawyer will be able to answer it in a fraction of an hour’s worth of billable time.
What is your point? It doesn't take many resources to pick up the phone and call people. Initiative is something both privileged and unprivileged people alike can (and do) have.
And to those unaware that this is a possibility, disseminating this knowledge is our collective responsibility. Be part of the solution.
Fully agreed. I'm shocked she gave a random unsolicited emailer the time of day. Most problems are ones we create for ourselves.
Responding to spam and then feeling like you've been the victim of some injustice that the spam didn't say "hey, I'm not really spam, I'm grad-student flavored spam" is quite a take.
Here's a tip for anyone not running a business: If your response is legally required, it'll come in the physical mail. Don't take legal advice from spam, me, or your sysadmin.
Certified mail or trash, there's no way to even know if an email was really delivered to a recipient anyway. I'm aware of read receipts but they aren't reliable.
Not until you're collecting data at the scale where you'd have a legal@yourdomain team to forward anything that vaguely smells like a legal inquiry. Which is why my tip applied for "non-business" cases.
Is it reasonable to expect people to know that? If I'm below that level, what are the odds of me knowing the law well enough to know that it doesn't apply to me?
Do you think this applies in general to questions of legal liability, or is this one unique? If it's unique, why should anyone think that this case is unique? If you think in general it's "not hard" to know things about legal liability, either you're Elle Woods or you're an extremely overconfident fool.
I'm sorry but how can you make the assumption that "life must be quite stressful for her overall."? We know almost nothing about her life or what kind of situation she is in... It seems a little weird to make such large assumptions about anyone who you don't personally know!
This week only I've been threatened to have videos taken from my webcam released - unless I pay a ransom - and I was asked to pay due bills in the attached zip file twice. And that's only what my spam filter did not catch.
Given that they were targeted here, this person has a public mail address, so it's very likely they receive similar spam. Given that and the observation that they seem to be stressed by spam, this seems like a plausible assumption.
It's just too small of a sample size to make any real judgments. One short article isn't enough information to make any meaningful comments on her stress levels.
Ah I see what you're saying! I personally took it more of a judgmental thing (especially with their second response) but I have no idea what the true intention was. Although I don't think my response was rude or anything, next time I will try to assume the best!
Key word is "probably"! We just don't have enough information to make any judgments about her. For example from your two comments I could say you are a judgmental individual. However, I think that would be both rude and inaccurate! One article or two comments is just too small of a sample size to get any meaningful insight on someone's character!
Well of course I have, but not anything so closely resembling a spam email. If an email, allegedly from a person in Russia, asking about a law in California with regard to your small personal blog creates a measurable level of stress then what happens in an actually stressful event like say having a flat tire on the highway or having a credit card stolen?
I was contacted by my system administrator about this email, even though we chat roughly once a year; we get a lot of spam too but a legal threat is something you need to keep an eye on.
The things I would look for in an illegitimate email are not there. Where are the typos? The poor use of language? It is a very well-crafted email. The address is maybe a little off, but tons of my legitimate clients have weird emails like this.
It would have gotten my response... probably an hour of my time explaining how our policies work and how, yes, we would comply with their request even if the laws don't technically protect them. There isn't really a prefilled template you can respond to questions like this (if you actually care about responding to inquiries like this) so I would have genuinely spent time thinking about the questions and giving them more than a yes and no.
I am sorry I am a different person than you and as such have different reactions to this. It looked plausible to me and the geoIP lookup on the mail server said it was in California, AFAIK this is all you need for someone to be a CCPA subject. I do not want to fuck with the legal system.
In the modern scam era we live in, it somehow seems more legit because it mentions something in a specific article of legal code, and isn't demanding payment of your IRS taxes in iTunes gift cards.
Isn’t that kind of the point? Your experience isn’t the relevant experience. Treating this email as spam is the obvious thing to do to you, but it is demonstrably not the case for others, the author included. Others don’t have access to your experiences.
The start with some Russian woman saying "hello, I'm Masha from..." triggers all sort of mental spam filters. Adding random legal codes from who knows where reminds me of "according to the CANSPAM law 134/38 this cannot be considered spam" that every spam mail used to have.
Seriously, just a few lines in this mail raise all sorts of flags.
Gives you a pause when you realize smart people probably wouldn't believe an email saying their SSN was arrested and they need to buy $500 in Amazon gift cards and send to this address to avoid being arrested by the FBI - but they totally believed a random person in Novosibirsk has rights to demand their attention and them performing various time-consuming tasks because some California law says so. I can't say such reputation for California laws is totally unearned (look up prop 65 if you want to know more on how insane it is).
Perhaps, but some people do reply to emails, for whatever reason. But that does not alter the fact that the study was conducted in an unethical manner.
Customers say weird shit in correspondence all the time and you have to fill in a lot of blanks. This would have easily imprinted “oh she lived in California at one point and wants to know if we’ll still comply with her requests” in customer service mode.
We're operating in reality where the answer to "is this even a customer" is often "unsure - to be determined", not an imagined scenario where software with 100% accuracy tells us when someone isn't.
But spam exists for a reason - it works! Some percentage of people really do respond to spam emails. It’s not ok to take advantage of those people or dismiss them.
While I have no stake in the "furry" game, the fact that you seem to think that a person should be disregarded because they're a "furry" is only very slightly above outright calling them a slur.
The Institutional Review Board doesn't seem to be much of an "ethical board" given they don't consider the stress this causes the human side of the website operators. How did they conclude this doesn't count as "human subjects research" given the expectation is to measure a human response to an email (framed as from a person)?
1. does not disclose that this is a research survey;
2. does not inform the recipient that they can decline to participate without any adverse consequence (as they state in their study FAQ), instead doing entirely the opposite - ending the mail with an assertion (untrue for most recipients) that they have a legal duty to respond;
3. lies about the origin of the email, inventing a fake persona;
4. lies about what the responses will be used for.
You are the first person in this thread to concisely state the major ethical failings. These 4 things are universally required in human subjects research (or IRB-exempt HSR) and it's black-and-white unethical to omit them.
Yeah this is the big one for me. Coming from the context of medical research it is shocking to me how many commenters think this is okay. If this happened to be a disguised medical research survey the ethics board would never have let this past. And if they did it would bring down some serious bureaucracy on their heads.
I guess software and law just think they can test whatever they want and get away with it. Who cares if a few people end up emotionally scarred?
5. which caused people harm, in the form of time, stress, and in apparently a fair number of cases, money spent consulting a lawyer in the belief that they were about to be sued.
> The Institutional Review Board doesn't seem to be much of an "ethical board"
YES! I know you intended this as an insult, but it is actually one of the most insightful comments in the thread. An IRB is not supposed to be an ethical board. They have a much more limited scope of overseeing human subject research.
> How did they conclude this doesn't count as "human subjects research" given the expectation is to measure a human response to an email (framed as from a person)?
Because there's a precise definition of "human subject research" which is actually a lot more limited than many people think.
Then it sounds like the blame is solely on the researchers for thinking IRB approval == greenlight to do whatever the hell we want. Or we have a mismatch in the social contract of research.
> Because there's a precise definition of "human subject research" which is actually a lot more limited than many people think.
We've had two different cases now where that disconnect has led to studies which cause stress and other harm to human subjects, because the study was classified as "not human subject research" despite directly involving humans at every step of the way. Perhaps that definition needs to be rewritten.
"In order to be considered a covered business, the organization needs to have annual gross revenues in excess of twenty-five million, possess the personal information of 50,000 consumers, or derive 50 percent or more of its annual revenue from selling consumers' personal information."
Most blogs don’t have consumers’ personal information, do they? How many blogs have you registered with? I can’t remember the last time I did that. If I read a blog, the most they can do is cookie reading/writing, which is not PII.
You've made several claims in your comments that don't hold up to even a few minutes of basic research. You can Google the definition of PII in the CCPA. You can Google whether emails can be legally binding.
If you don't bother to check whether the things you're saying are true, you burden everyone else with the effort of correcting you.
> (v) (1) “Personal information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household:
> (A) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
> (aj) “Unique identifier” or “Unique personal identifier” means a persistent identifier that can be used to recognize a consumer, a family, or a device that is linked to a consumer or family, over time and across different services, including, but not limited to, a device identifier; an Internet Protocol address; cookies, beacons, pixel tags, mobile ad identifiers, or similar technology; customer number, unique pseudonym, or user alias; telephone numbers, or other forms of persistent or probabilistic identifiers that can be used to identify a particular consumer or device that is linked to a consumer or family. For purposes of this subdivision, “family” means a custodial parent or guardian and any children under 18 years of age over which the parent or guardian has custody.
The problem I have with saying this is a threat is that the threat of a lawsuit is at best hypothetical--if and only if some response is required by that law, and that response is not given, then you could see it as a threat. And most people writing that would have no reason or resources to dedicate to some frivolous lawsuit as a result. Obviously no one would sue for getting a response a couple days late, it would take at least months for it to be remotely worth it.
I wouldn't be surprised if most boilerplate CCPA request templates out there included the same wording. It's like when I send a FOIA request and put at the bottom, "this law says you are supposed to respond in X days," everybody knows that's the law already, it's just there to sound a bit more formal and like I actually care about the outcome. Obviously there is not going to be time or money for the vast majority of such technical violations to go to court. Would a study not be able to send out FOIA requests and study how long the responses took after including that verbiage because it's a "legal threat"?
It reads to me like the first message as a toehold in the door, from somebody who intends to litigate frivolously against the person they're sending it to.
Every lawsuit threat, including "I'm suing your ass next Tuesday", is hypothetical.
It takes being used to communication that randomly quotes the law, or extreme lack of social skills to not consider randomly quoting the law a threat. Individuals don't often randomly quote the law for the funsies.
We could, of course, argue all day whether they should have just immediately dismissed it as junk email, but coming from what looks like junk email just lowers the expected threat.
It is sadly common for university CS groups to dismiss the ethical implications of their work as "anyone else could do this too" or "there aren't any ethical considerations because we're just doing stuff on a computer".
When the legislators pass a law that is one of the balances they're trying to strike.
State funded research groups sending dishonest messages using intimidating references to the law to induce a response was presumably outside of the threat model.
I have a not at all popular and rarely used blog. I still get dozens of stupid spam emails and comments a day and often some phone calls too. This would not have caught my attention for more than 10 seconds, if I even read it at all and it did not get filtered out by various spam tools.
I am quite perplexed at the people who panicked over this. It would probably rank 4th in the scariest things I have received today and seems on par with a call from the tax man claiming you owe them money and need to send them iTunes gift cards.
Imagine I dig a dangerous deep pit in my front lawn by the sidewalk.
99 out of 100 people are going to safely avoid it. 1 in 100 fall in and get severely injured.
I'm still at fault even though the injury only happens rarely. And a "rare" effect can harm a lot of people when you scale up the exposure far enough.
Those scam emails also cost a lot of people time and we rightfully outlaw them. In this case, it didn't fit the modality of the common scam messages, it looks a lot more like a professional litigant trying to set the recipient up for a lawsuit.
But in retrospect your guess that this was spam would have been incorrect. It was a carefully crafted action by a researcher. Maybe their intuition was actually better?
We got this email at my startup. We freaked out too, we're not from California (or even the US), we're not end-user facing so usually privacy stuff goes to our customers. We'd never received a mail like that. We responded with a kind reply, but had a lot of internal discussion. Our nice response included questions which never got answers. Because screw real people, right?
Experiments like these are training well-meaning people to ignore real privacy requests.
If there were a contractual agreement before the start of the study, the participants could have negotiated the monetary reimbursement for the work done (including data processing fees and the legal consultation).
By coercing the participants into the study, the university has in fact waived its own negotiation rights. The university should compensate the participants for the actual work done, at a fair market rate, and reimburse the legal fees.
I have pretty mixed feelings on this. On the one hand, I agree that the researcher's actions (particularly the use of a false identity) were inappropriate. I am hesitant to engage in "victim blaming" by calling the targets of the email naive. But I hope this has been a learning experience for everyone, as it seems to have revealed a lot of knowledge gaps that were surprising to me.
I am not at all surprised that it was not subject to IRB review, but only because I've had a bit of involvement in the IRB process before and know that the specific legal mandates that drive IRBs (45 CFR 46) have a surprisingly narrow definition of human subject research that is driven primarily towards medical interventions, so generally speaking any research that consists of just asking questions and then anonymizing the results for reporting gets waved past IRBs (45 CFR 46.104). You might disagree with the situation (there's plenty of reasons to) but it's the law of the land. IRBs were developed pretty specifically in response to a spate of incidents in the mid-century, but especially the Tuskegee trials, involving non-consensual drug and toxin trials. The IRB process is directly designed to address these kinds of medical research, and so IRBs I've dealt with are not even very interested in looking at proposals coming from departments other than life sciences. The idea that IRBs are a general-purpose ethics review seems to be a pretty recent idea and it's not something the IRBs themselves are that into, at least from my experience hearing professors gripe about having to go through a stack of pre-reviews for information assurance studies on the off chance they qualify as human subject research.
On the other hand, though, I operate several websites for small organizations, admittedly in a politics and public policy-adjacent space, and receive emails of this type as a matter of course. I'd be surprised if there are many people operating websites that get a meaningful amount of traffic that don't get an email of this type from time to time. It's sort of background noise if you're doing anything that's of much public interest. In some of these situations I benefit from having retained legal counsel that probably wouldn't even bother to bill for this kind of thing, but it would still be a rare situation that I referred such an email to counsel unless it was something about a more obscure corner of city political financing regulations, which I have gotten once before.
The "legal threat" here honestly doesn't read to me as much of a threat. Part of this is because in my hobby work I write emails very much like this one on a weekly basis... mostly citing FOIA or similar state sunshine/open records/open meetings laws. Many guides on transparency laws coming from this same community clearly advocate a similar sentence citing the response deadline, and I wouldn't be surprised if this researcher copied and pasted that from such a "consumer rights" guide. It's considered a best practice to state the deadline and citation with this kind of request. There are basically two reasons for this: first, some people, especially smaller organizations, may be totally unaware of the deadline and you will be telling them about it for the first time. They may not believe you on it if you don't provide some sort of backing. The second is that there's a perception (from my experience I'm skeptical this is frequently true but I'm sure it is occasionally) that especially federal offices may be aware of the deadline but feel comfortable ignoring it if they don't think the requester knows. So providing the deadline and citation is sort of a "savvy customer" indication that encourages them to at least issue an extension letter on time (even then it's very common, even before COVID but especially now, for federal agencies to run past the deadline without any response. Oddly, state and local agencies are usually much better about this).
Another part of why I have a hard time taking it as a threat is because it is the first in a rather long chain of actions that would lead to legal action. It does indicate that the requester is aware of the law but it's quite a few steps from the requester's intent to file a lawsuit. Most people that include a line like that never even bother to follow up with a nag when the deadline passes. What was in the email is basically a "I copied and pasted this from an online howto" level of effort, and there's a pretty big ramp from there to filing a lawsuit (especially from a far away place). Really, in my experience, people who are a serious legal risk (i.e. lawyers and people who use them) cite statute less often than slightly crazy internet randoms do.
So I suppose what I mean to say, is that I feel bad for the people who were alarmed by this, but I hope it has been a learning experience: when you operate a website, you are putting yourself out in public and exposing yourself to both legal obligations and dealing with random people that have weird ideas about your legal obligations (there tend to be more of the latter than the former). There are a lot of risks and responsibilities entailed in running a website, most of them fairly minor, and this kind of thing is one of them... just something you have to deal with when you make the decision to be a public entity.
Or maybe a better takeaway is this: if you get at all involved in politics, government, civil rights, or the public sector in general you will get a lot of stuff like this (and some of it will actually require action, but usually not especially difficult action). One result of increasing online privacy concerns is that just operating a website is starting to enter the civil rights realm, so I suppose over time every website will get more of this.
It is very much about experience. Now that I’m an old man in my late 20’s I can tell when it’s BS, but I empathize with the fear of the less-experienced. The first time I had a personal legal experience, I was confident about what the law was, and then got blown the fuck out. The second one was someone threatening some sort of criminal action to which I responded, “have the prosecutor reach out so we can put our lawyers in touch.” My heart beat irregularly for a few weeks whenever I thought about it; first because, despite having done nothing criminal, I was scared, but second because I didn’t actually have lawyers. It turned out to be nothing. They never contacted me again.
Maybe a “scam” email about CCPA would have been a better learning experience ;)
Same experience here, I can't understand someone whose reaction to a totally random email without any credentials or actual lawsuit is to spend thousands of dollars on lawyers. Maybe I was lucky to not have the privilege to even consider paying for lawyers when I got my first ones of these and always defaulted to just emailing the person back which in 100% of cases cleared the issue.
I must've read the phrase "thinly veiled threat" at least a dozen times in this thread, yet honestly don't understand where the threat was.
Maybe the last sentence where they put a deadline on it, but that part was strange anyways since they explicitly said this is NOT a CCPA request, so that deadline doesn't even apply to this email.
The person seems to just be asking questions about the process and came off to me more as curious than threatening. Whatever veil there was most definitely was not thin in my opinion.
> Maybe the last sentence where they put a deadline on it, but that part was strange anyways since they explicitly said this is NOT a CCPA request, so that deadline doesn't even apply to this email.
That's the threat, yeah. And yes, it's not technically correct--but, as many others have pointed out, you don't need to have a correct legal claim to inflict thousands of dollars of legal fees on a target. Hell, part of what those legal fees pay for is an expert to explain whether or not that deadline applies.
More than that, most people simply do not have the time to memorize laws, or to get the legal background required to understand whether a law applies. This is partly a problem with laws being complex and having their own jargon--but that doesn't excuse what's going on here.
Yeah this one is weird to me. How many "I sent GDPR requests to all the services I use and this is what happened" blog posts did we read when GDPR first went into effect?
Should academic research be held to a high bar? Yes. Did this cross a line? From the response and subsequent apology, clearly. But the outrage here feels at least a little disproportionate.
There is a logic error in this email. If this is not a request they cannot claim 45 days to respond. So the reference to CCPA 1798.130 was clearly just to scare.
The study was disgusting; I've commented about it in another thread. But I think there's something else here that explains the strong reactions people are having to this.
We as software engineers are not used to being told by a government how to build our code. If China passes some law saying that you can't directly search a database without routing the call through a government server, I don't care. I'm not going to research their laws and make sure my code conforms to that. It's not my problem. It's the people of China's problem. If a company I'm working for has a legal team that says they need to accommodate that, they'll tell me they need to write some code to do it. I'm free to write it for the money, or tell them to fuck the CCP and themselves.
But if I happen to know that a client is using my code in China without meeting some regulation there, it's not my obligation to inform them. Best of luck. I'm not personally liable for that.
And so what happened here is, they went after developers and small self-coded sites. They intentionally went after the people writing the code, not the companies that have legal compliance departments.
So the big question it presents, that I think has some people hopping mad and other people too sanguine, is: Does this herald a wave of assault and blackmail against developers, where bad actors (or dumb actors, like Princeton undergrads) will use supposed infractions of local laws to try to extort settlements from makers of software? I mean, show me a piece of software, and I'm sure it would be illegal somewhere. But the question of threatening small developers this way is new - it's a new form of trolling, like patent trolling but potentially even worse. The novelty of it and the potential for abuse is why I think a lot of people have been outraged by it, more than the question of whether someone should have just ignored this particular email. It presents an entirely new chilling effect that changes the bar for anyone looking to start a website, among other things. If any newbie coder had to make sure their code conformed to every legal requirement around the planet before putting it online, their chances of being successful with new code would be nil, and our livelihoods and creative capacities would be severely diminished. Our entire culture of making things would be crushed. An entire category of artistic creativity and originality that most of our lives are based upon could be shut down completely by a blizzard of emails like this one. I don't think it's overreacting to be alarmed by it, nor to be furious at this approach being pioneered by a supposedly liberal institution.
"our clients have spent around $10k aggregate trying to understand what these requests related to, and whether this was a coordinated mass phishing attempt"
An attorney in Switzerland: "Wir wurden von Mandantinnen und Mandanten gefragt, wie sie auf diese E-Mails mit Fragen nach ihrem Umgang mit datenschutzrechtlichen Anfragen reagieren sollen." ("We have been asked by clients how they should respond to these emails with questions about how they handle privacy-related inquiries." (DeepL))
Three *different* attorneys in this thread report having clients reach out to them:
(1) "As outside privacy counsel, these are so frustrating. First one I saw cited being a CA resident so more alarming. Now for those interested\able to learn it's more time and education as they think any request must be scams now. Plus how many clients won't reach out next time?"
(2) "As in-house counsel, my initial gut instinct was that it was someone who was trying to entrap us - hoping we would make a mistake so they could sue. (I don't have much faith in human nature, I suppose.) So I sent it to outside counsel to be safe. Waste of time and resources."
(3) "Same here. We deal with a lot of professional litigants and I was looking for the angle (it was GDPR not CCPA, so was worried about a private right of action being brought)"
One more attorney (I'm past the edit limit for the parent comment):
"I got this. It took time out of my day, but thankfully my French employer hired an American lawyer with CCPA experience (*cough* me) so it just ended up being a brief distraction."
> Wanna know why there's no comments on this blog? I don't want to have to deal with storing user data and doing moderation!
I've thought about starting a blog a few times, and I had the exact same thought. While it's very easy to make a static website and store it on a CDN to make it scale to billions of requests, it's very hard to create a moderation system that scales.
Interesting - we received the same email but requester was a resident of Roanoke, Virginia. And the request was in regard to GDPR.
It smelled like SPAM enough for me to check the email headers - SPF and DMARC passed and was sent from potomacmail.com servers.
Another odd thing was - the request was for a customer using our SAAS application - so their targeting is not exactly accurate. I wanted to ignore it but we get emails all the time meant for our clients - so we simply replied that they should direct the request to the party in question.
I think you need some basic legal understanding to sort that kind of stuff into valid, unsure and invalid. It then depends on your confidence level if you require legal advice. Easier said than done.
From my point of view 45 days is plenty of time to read into the topic. On the other hand: Referring to 45 days was shooting way beyond the target here and unnecessary.
Scaring the author was wrong and by definition always happens without consent. That's what the author can blame the researchers for. This was turned into a 'without consent' situation and I find this too strong. The email is rather clear but is also weird enough to feel like a scam.
As has been pointed out elsewhere: "Consent" here is the correct term. This was a study, and studies are supposed to gather consent from participants before they start (barring certain very specific examples).
This really feels like the long consequences for "it's just a prank bro" and "it's a social experiment (to totally misguide you into a behavior and claim it's a prank)".
Author of the article, I replaced an actual IP address with 127.0.0.1 because I didn't want to list some random AWS IP on my blog without knowing who it is related to.
Apology from the PI, permanent suspension of sending emails, possible follow up emails telling people to disregard the original emails, and commitment to a formal research ethics study: https://twitter.com/jonathanmayer/status/1472427321047101442
Would it make sense to pursue a class-action claim against Princeton and the researchers to recover everyone’s legal costs and business disruption costs? Probably wouldn’t be that difficult to get the contact information of every business that was contacted during discovery, right?
I wonder if there really is a case. I don't think you can sue anyone for your needs of fulfilling your legal obligations. After all, if these people had fulfilled their legal obligations they could have given response with minimal cost.
Not a lawyer, but I'd imagine the most useful point to make is that the researchers misrepresented their identity while sending these threats. Lying about who you are while trying to sue someone is a pretty big no-no.
At this point all outgoing email from Princeton should be flagged as potentially malicious. Their ethics committees seem to have no problems with using deception against non consenting test subjects, or actively trying to sabotage software projects, because 'using a computer' seems to be their catch-all for 'approved'.
Maybe then their executives will seriously review what their researchers are doing.
> am i missing something? i don't see anything about research or studies in the original email.
That is, in fact, the entire problem. The researchers doing the study lied about who they were and where they were from (in another case, they claimed to be from France; in this case, from Germany) and did not tell anyone it was a study until after some subjects contacted lawyers.
Also the CCPA isn't supposed to apply to hobby/no-revenue sites, but one of the things that qualifies you for CCPA is having PII from 50k Cali residents, so if you log IPs in just the 'right' way and Hackernews finds your site you may end up qualifying overnight.
i see. it appears the post has been updated. last night it had its title and a short reference to the university of minnesota kernel security study, but no actual reference (unless i missed it!) to the fact that this was a princeton study.
i never read the freeradicals blog post until just now so was ultimately quite lost in terms of what was going on.
> I go out of my way to ensure that this website handles as little user data as possible. I have gone so far to do this that the only unique identifiers I deal with are IP addresses…
This page uses Cloudflare so they’re offloading data collection but it’s still being done, right?
I use Cloudflare because I've gotten DDOSed over my blog before. Being openly not male on the internet is a great way to get people DDOSing you and sending nasty letters to your employer about your moral character. Sorry I have to do this, but I don't really want to be DDOSed over my tech writing.
On the one hand, I think this research is done with bad ethics. Proper science requires consent of the people involved in experiments. An organisation like this should know better. I think that's the reason this research needs to stop and go back to the drawing board.
On the other hand, anyone in California could send such an email legitimately. If you're offended by the contents of the email rather than by the research itself, I have bad news for you: the text itself is perfectly fine. Someone can, and should be able to, exercise their rights regarding data collection. That goes for Big Tech which these laws are aimed at, but also for any other party out there collecting data. If you're afraid of someone exercising their digital rights, you should probably not host anything public.
The real problem here is not the research itself and not even the laws the research is about, but about the litigious nature of some countries. Bad research happens, turning this research attempt into a spam campaign. Everyone gets spam, it's not a reason for panic. It's only a problem when you think any email you receive can actually be the basis of a life-altering lawsuit.
If you are someone who got spooked by such an email, I can't help but think you might not want to publicly host anything. Attaching any kind of data collection to the web has come with legal implications for years now, even before the GDPR was a thing. This time it was a malevolent researcher; next time it might be someone who demands that their IP be purged from your logs. Look at this shoddy research as a training exercise, and consider if you're prepared when a real version of this email comes in, before it's too late to do anything about it!
No question, but I just want to sympathize with your distress over receiving the original email. It's impossible to say for sure because I didn't receive one, but I think I would have reacted the same way. I am also very frustrated on your behalf with the way people in these comments are talking about you and others who read this email as a legal threat.
It's telling about many HN users' capacity for empathy that they think their reaction, real or hypothetical, has anything to do with whether this was a bad thing. Regardless of how any of us would react, it's clear from the many people who lawyered up or experienced anxiety because of the emails that this study had victims. Not seeing them as victims because you would have disregarded the email reveals what I'd consider a solipsistic mindset that causes them to regard others' experiences as less valid than their own.
Hey Xena, I’m glad your post is getting seen, too. I’m dismayed at how many people seem unable to imagine why you and I freaked out when we got letters from someone who sounded like they were a professional litigant. I’m glad to see the researchers, lawyers, and such talking about the ethical implications.
This is a messed up situation, but it’s comforting to know I’m not alone in it (although I wish for your sake that you weren’t involved).
I got 2 of these emails. One CCPA and one GDPR, but the exact same boilerplate. So I knew it was sketchy. But I still wasted an hour of my time deciding whether to reply. Several of my colleagues in other small companies also received these emails. Multiply that by the thousands of emails they must have sent and that is a lot of time wasted. I believe some people even paid lawyers to respond. So potentially a lot of money wasted as well.
The senders either didn't realize the sort of time and waste of money this would cause, in which case they are idiots, or they did, in which case they are arseholes.
How did this get past the Princeton ethics board?
What if every researcher started spamming thousands of businesses without their consent?
Depends on where you got it. For a business email it is unlikely to be personal data, unless it is something like name.surname. And even then I think this is a reasonable use case. So not really a problem with GDPR.
What are the legal requirements for a blog run out of American servers by an American to be GDPR compliant these days?
I'm sort of wondering whether you can get away with responding to such a request these days with "I am not in a jurisdiction that is obligated to comply with that law, and if you choose to charge me with violating it I am not under obligation to defend myself in court nor render myself for judgment?"
As long as you’re not collecting the personal data of Europeans, there’s basically nothing you need to worry about.
Your location and jurisdiction are mostly irrelevant - you’re obliged to comply with that law when you offer your website in Europe. Of course the only possibility of enforcement is also in Europe, so there’s not much going to happen.
I suppose if you ran a rogue business then in theory credit card funds from European customers could get frozen by a court or something - but let’s be clear, GDPR is aimed at regulating big business primarily. Nobody is coming after your blog.
That's what I'm thinking. If you're not European, it basically boils down to the realpolitik of whether your home country would render you up to European judgement or other private businesses you deal with would choose not to deal with you because you don't bother to say whether or not you comply with the GDPR.
I don't know about the US, but a GDPR request in the EU is something totally common and nothing to worry about as long as your local data protection officer doesn't get involved ;)
I do detailed GDPR requests from time to time, especially to companies that annoy me with personalized marketing, just to mock them.
Note from Jonathan Mayer, the Principal Investigator
Hi, my name is Jonathan Mayer. I’m the Principal Investigator for this academic research study. I have carefully read every single message sent to our research team, and I am dismayed that the emails in our study came across as security risks or legal threats. The intent of our study was to understand privacy practices, not to create a burden on website operators, email system operators, or privacy professionals. I sincerely apologize. I am the senior researcher, and the responsibility is mine.
The touchstone of my academic and government career, for over a decade, has been respecting and empowering users. That’s why I study topics like web tracking, dark patterns, and broadband availability, and that’s why I launched this study on privacy rights. I aim to be beyond reproach in my research methods, both out of principle and because my work often involves critiquing powerful companies and government agencies. In this instance, I fell short of that standard. I take your feedback to heart, and here is what I am doing about it.
First, our team will not send any new automated inquiries for this study. We suspended sending on December 15, and that is permanent.
Second, our team is prioritizing a possible one-time follow-up email to recipients, identifying the academic study and recommending that they disregard the prior email. If that is feasible, and if experts in the email operator community agree with the proposal, we will send the follow-up emails as expeditiously as possible.
Third, I will use the lessons learned from this experience to write and post a formal research ethics case study, explaining in detail what we did, why we did it, what we learned, and how researchers should approach similar studies in the future. I will teach that case study in coursework, and I will encourage academic colleagues to do the same. While I cannot turn back the clock on this study, I can help ensure that the next generation of technology policy researchers learns from it.
Fourth, I will engage with the communities that have contacted me about this study, which have already offered valuable suggestions for future directions to simplify, standardize, and enhance transparency for GDPR and CCPA data rights processes. I very much appreciate the earnest outreach so far, and I will be reciprocating.
If you have questions or concerns about the study, please do not hesitate to reach out. I gratefully acknowledge the feedback that we have received.
Thank you for reading, and again, my sincere apologies.
I received one of these as well, but the wording was different. From reading this, it sounds like the one I received was the one they send when they aren’t confident they have the correct email address. I didn’t respond. Here’s the email (I redacted my domain name and replaced it with [mydomain].)
To Whom It May Concern,
We are researchers at Princeton University conducting a study of how websites are implementing the EU and UK General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). We are reaching out to you because this email address is provided as a contact on the website [mydomain].
Your website may be required to implement one or both of GDPR and CCPA, and we would appreciate if you would answer a few brief questions about your privacy practices.
1) Does [mydomain] implement GDPR or CCPA? If not, could you please explain why? If you are uncertain about whether [mydomain] is required to implement these laws or answer questions like ours, we have included informative resources at the end of this email.
2) If you implement GDPR or CCPA, do you process data access requests from individuals who are not residents of the EU or UK (for GDPR) or who are not residents of California (for CCPA)?
3) If you implement GDPR or CCPA, do you process data access requests via email, a website, or telephone? If via a website, what is the URL?
4) If you implement GDPR or CCPA, what personal information must a user submit for you to verify and process a data access request?
5) If you implement GDPR or CCPA, what personal information do you provide in response to a data access request?
Thank you in advance for your answers to these questions. If there is a better contact for questions about privacy practices on [mydomain], I kindly ask that you forward my request to them.
Sincerely,
Ross Teixeira
----------
We offer these resources about GDPR and CCPA for your convenience. Please note that we cannot provide legal advice about whether [mydomain] is required to implement these laws or respond to our questions like ours about GDPR and CCPA practices.
The researchers have already publicly announced that they've halted all emails and the continuation of the study permanently.
What is more likely is that they have multiple templates to try to determine if there were different responses depending on whether the request was known to be for research.
I don't see anything unethical about sending an email asking website operators how they comply with their obligations under various privacy laws. If you are not subject to those laws, you can reply as such. And if you are subject to those laws - it is a valid question!
If you find the prospect of receiving this email so horrifying, perhaps your real problem is with the laws themselves?
No not really. Might have been better to hire someone in these legislations to send the email, but I don't think that would really have changed the ethics. These unethical businesses have not followed the laws and now are crying...
Lmao I periodically troll my friends by sending them GDPR and CCPA notices.
If you did this to my blog, I’d let you take me to small claims or whatever. The probability of you making it all the way to prosecution and the total harm is so low that I’m not going to CCPA or GDPR enforce on my blog.
> The probability of you making it all the way to prosecution and the total harm is so low that I’m not going to CCPA or GDPR enforce on my blog.
I hope this line would get included in discovery; I would... actually pay money to watch you explain to a judge that you explicitly decided to ignore the law.
(IANAL, but I'm pretty sure the real defense would be that the law actually doesn't apply to you)
With GDPR you can't even take it to court. That is not your option. And the agencies have a lot bigger things to do. So unless you did something extremely blatant I would evaluate the risks to be non-existent.
I don't really see any issues with this. If you are subject to any of these rules you and your business should be ready. If not they shouldn't be a concern. Absolutely nothing unethical going on here. Apart from crap business not wanting to follow the legislation.
It's not clear that anyone was breaking laws, and it's absurd to suggest a random person with a website in the middle of nowhere is going to have insight into the laws of 165 different national jurisdictions.
My take: yes, a researcher misrepresented who they were. But that misrepresentation had nothing to do with the alleged harm. I see no reason to believe that the writer's reaction would have been any different if the request had been a completely legitimate one, which it very well could have been. The actual substance of the request was polite, non-threatening, and potentially legitimate. If the writer had bothered to do even a few minutes of research, she would have realized that the cited law did not apply to her and the requester was simply wrong when they said that it was. A panic attack was IMHO an extreme overreaction. Solicitations are sent out under false pretenses all the time by people with far more sinister motives. I think it's reasonable to expect adults in today's world to be able to take such things in stride and not freak out about them (or at least do a little bit of homework before freaking out).
Why did the university not disclose this is a research study? For their own gains, on the back of their research subjects. This is a shitty thing to do, even if it might be legally allowed. You cannot expect everyone to take that email easily.
This is going to be disagreeable, but as someone who was blocked from starting a COVID surveillance program at my uni due to the IRB constraints on "human subjects" - would need to buy special, expensive software in order to prevent test results from being 'deanonymized' - I think this space is too regulated already. In some cases, people with apparently legitimate ethical issues should have been told to shove it, in my opinion. Innovation is being destroyed to protect people's feelings.
I'm with the other reply, genuinely curious what was submitted for review. I'm glad you were prevented from starting a study without the fundamentals in place.
I've been on the IRB submission side for Iowa State, and I can tell you it was a rigorous process, though the training emphasized why things are the way they are.
If participants are concerned about their results becoming deanonymized, the basic trust we have that there will not be negative ramifications for the participant and that participants will be genuine in their responses and participation go out the window. That's a fundamental aspect of conducting good research that is valid and as broadly applicable as possible.
Deanonymized results may not seem like a big deal, however we have to also consider future impacts on the participant. What if discrimination based on that test result was permissible and they couldn't find a job? What if later analysis shows conclusions we couldn't imagine right now that would hurt the participant? What if your boss found out you were participating in a drug trial for PrEP, outing you as likely gay? What if social norms change and new standards are applied to old data?
I'm also curious about the expensive software they were wanting. The standards shift over time, but in my experience we might have a paper key for participants to participant number until _x_ months after the study is completed, at which time it would be destroyed. The key would probably only exist on paper and would be stored separately from the data, behind separate, differently keyed locks (or encrypted separately if electronic). All of this would be explicitly defined in the documents provided to the IRB.
For surveys, Qualtrics was an approved vendor, so we would often try to do all data collection in Qualtrics.
Calculus: Having campus-wide COVID surveillance running (before any alternative testing options had sprung up) is more important than preventing ANY RISK of someone experiencing stigma for having had COVID. I think this calculus holds up and is not that dehumanizing. I'm not saying we should get rid of all protections, but that pendulum is too far on the regulatory side right now.
In that case, just cut out the middle man and start reading their medical records. Who needs privacy?
(... And then people rationally respond to such an invasion by no longer going to the doctors and lying about their medical history...)
We can't interpret people's desire for privacy as damage and route around it. There's decades of history of scientists interacting with the public to show why that has negative consequences for society.