It really depends on your ethical framework doesn't it? People lie all the time for good reasons. Are those actions unethical? Further, I am struggling to see who was harmed here or how there was any ill intent. On top of that, the results of this study seem like they would be enlightening. It seems like society should want this experiment to be able to take place. Certainly a western liberal understanding of ethics is more sophisticated than “you didn’t tell them you were observing their behavior bzzzzt unethical”?

Put another way, is “right not to be observed (in public)” something we protect? If I write down my observations at a park as I watch humans interact is that unethical simply because I didn’t bring a megaphone and announce my intent? I think the problem is that despite what’s in vogue, I don’t understand how acting in a way that is not illegal even if it impacts somebody else and then observing the results is by default (unquestionably) unethical. Why is that bad? Are there some “case experiments” the research community looks to where humans where harmed that has shaped our modern understanding?

"People lie all the time for good reasons. Are those actions unethical?" is whataboutism of the worst kind. We're not talking about any other hypothetical case where a person might lie for good reasons. We're talking about this case, and the lie/misrepresentation was at the heart of why it was unethical.

Secondly, you say you don't see who was harmed - the person who posted the original blog post was clearly harmed. She had a panic attack she was so stressed about the legal implications of the implied threat. The fact that someone else may perhaps have not found receiving this email stressful doesn't really matter - that was the effect on her and it was harmful on its face. Remember that people have different life circumstances which affect things like this - someone who was short of money may see a legal threat with implied financial consequences such as this as an existential threat.

Secondly the people who paid money for legal advice were very clearly also harmed. Their harm has a specific monetary value.

Your "put another way" extrapolation is just a complete straw man. Noone here other than you is talking about observing people in the park. This is about a research study which sent an email which some people saw as scammy or threatening in order to gather data about how small websites handle data subject access requests.

OP of the blog article. I didn't have a panic attack. If you want access to my private medical information and are not my doctor, you will not get it. Do not assume anything further.

Sorry. I read another article on here on the same topic where the person did and conflated the two.

...and actually checking again the person said they "verged on" a panic attack, which is clearly less bad

https://blog.freeradical.zone/post/ccpa-scam-2021-12/

The formal ethics of research on humans requires informed consent of participants.

You can take framework of sales or management where lie is just being smart, but it is not applicable here.

Deception is allowed, but should be scrutinized carefully to determine if it is necessary. In this case, it was not necessary. The researcher could have easily just said "we want to know if you are compliant with CCPA for the purpose of doing this research, could you tell us your policy please"

https://research.oregonstate.edu/irb/research-involving-dece...

quotes:

a) Psychologists do not conduct a study involving deception unless they have determined that the use of deceptive techniques is justified by the study's significant prospective scientific, educational or applied value and that effective nondeceptive alternative procedures are not feasible.

b) Psychologists do not deceive prospective participants about research that is reasonably expected to cause physical pain or severe emotional distress.

c) Psychologists explain any deception that is an integral feature of the design and conduct of an experiment to participants as early as is feasible, preferably at the conclusion of their participation, but no later than at the conclusion of the data collection, and permit participants to withdraw their data.

a) -- Hell no

b) -- I can give the benefit of the doubt that they didn't foresee small website owners getting panic attacks from this threat, but their non-empathetic tone in that apology write up is appalling

c) -- Hell no

The more I think about this the more I'm furious that a supposedly top tier institution like Princeton approved all of this and the "researchers" seems to have 0 fucks to give on ethical experiment design.

Are you sure that this is applicable to OP's situation? It appears to be a set of guidelines, not a requirement. And in fact, I'm skeptical that there are requirements, except on a university-by-university basis -- which is to say, the process seems much less formal than people are saying.

For example, I would feel comfortable with this study if at the bottom it said "Just kidding, we're actually researchers. Can you explain what was going through your mind when you read this?" even though it's technically deceptive.

I'm a former pentester, and deceptions like this were run all day, every day, by a dedicated team. It's often phase one of phishing, since you end up assuming you're talking to a trustworthy source. So I'm wondering why we seem comfortable with that, but not this.

Pentesters are hired by companies to use underhanded methods to gain access. Pentesters are not randomly spamming websites with deceptive emails, causing owners to suffer mental anguish and consult expensive lawyers.

University researchers are required to abide by ethical standards to prevent abuse of test subjects. One would assume that this should also include not randomly targeting people with deceptive emails causing them mental suffering and unnecessary legal costs.

>It appears to be a set of guidelines, not a requirement.

I don't know about you but I learned about deception in research and its ethical implications in high school. To me, grown-ass adults working in the field of STEM not knowing ethical research, let alone a god damn researcher failing spectacularly and causing harm to an ungodly amount of people through the use of automated means is woefully beyond "oopsie, I really shouldn't have done that"

>For example, I would feel comfortable with this study if at the bottom it said "Just kidding, we're actually researchers. Can you explain what was going through your mind when you read this?" even though it's technically deceptive.

This is kinda what debriefing is, but it is usually more substantial than this. But that still feels extremely amateurish in my eyes. The stated research objective was to have a measure on CCPA/GDPA compliance and did not require deception whatsoever. Either the researcher was not imaginative, they didn't give a fuck, or they just wanted to try deception just for fun.

>I'm a former pentester, and deceptions like this were run all day, every day, by a dedicated team. It's often phase one of phishing, since you end up assuming you're talking to a trustworthy source.

I don't know about you but I hear news all the damn time where phishing emails go wrong--like I think I just saw a testimonial on reddit where fake phishing emails were so aggressive that it literally just ended up discouraging people from using email entirely to the point where people missed assignments and shit. Something similar happened in my company as well and a lot of people got furious.

Fake phishing things should also be heavily controlled, like for us, it is entirely voluntary.

As a pentester you’d likely get an OK from the client on which methods were acceptable. Can you phish, etc. An exec would hire you to test their company and you still wouldn’t have carte blanche on methods. I assume you didn’t just YOLO random companies that you thought would be good for your security paper.

Full disclosure: I’ve listened to at least 20 episodes of Darknet Diaries. I’m basically already in your network. ;)

> I'm a former pentester, and deceptions like this were run all day, every day, by a dedicated team. It's often phase one of phishing, since you end up assuming you're talking to a trustworthy source. So I'm wondering why we seem comfortable with that, but not this.

Because pentesters get permission up-front. What the hell kind of pentesting operation are you running where trying to penetrate a site that isn't already one of your clients? You'd be in hot water, legally, if you did that--because the sites affected would have every reason to assume that you're malicious.

This is exactly the thing that was gone over last time, in the U of M case where researchers knowingly submitted exploitable code to see how the Linux kernel team would react. They were also compared to pentesters--but pentesters get permission first, and the U of M people didn't, which is why they were treated as malicious by the kernel team.

If you do not have rules of engagement that were agreed upon by the pentesting team and the client, you are not pentesting, you are committing some form of crime. Stop claiming that pentesters are allowed to phish/exploit things without permission, it makes everyone in that community look bad.

As a researcher, I find this fascinating. Would you mind citing the requirements that all human research requires consent?

I agree with it, and I feel it's my duty to be well-informed on this. So I thought I'd ask you.

Everything I can find is only applicable for medical research, and not social research.

Most universities require all social science research to go through IRB. https://sociology.unc.edu/graduate-program/graduate-research...

I've been seeing this a few times now. Extremely ignorant computer scientists and STEM folks skipping IRB and claiming "theyve never even heard of getting approval for social research". Pretty gross in my view honestly.

> The formal ethics of research on humans requires informed consent of participants.

How do you explain research on placebos then?

Participants are informed about and agree to the chance of a placebo.

it's not research on humans as such. it was intended to be research on organizations, websites large enough to be subject to the law.

I got one of these letters, and the website in question has $0.00 revenue, and an order of magnitude fewer total users than would invoke the users. The linked story here is about someone who got a letter to their personal blog.

The researchers did no (or very poor) screening.

That I agree with. Their collection methodology was clearly inadequate. They should have been more careful who they mailed, even though they did try to be careful it wasn't enough.

I think lying is a reasonably fundamental part of human research, or at least obfuscation. You don't tell the participants what you're testing for, since you don't want the results to be biased, and often obfuscate what you're measuring.

I think the real ethical issue is actually that the email reads like it's coming from a lawyer. It's weirdly formal and cites that a response is legally required within 45 days. As other comments have mentioned, this has the real world consequence of heavy stress where most folks would (and should) lawyer up. This is the biggest ethical issue, since the study is costing its participants nontrivial money, and without consent.

Lying is a reasonably fundamental part of research, but lying to humans can hurt them in various ways, and that's why we have human research ethics rules and standards that require an explicit process for obtaining consent to do something, even if we can't say what in advance, and debriefing and harm mitigation.

Which the IRB missed because they didn't understand that, to ask questions about a website's policy, you must get an answer from a human.

That’s _not_ how it works. The fact that information comes from a human does not make something a human subject experiment. The information has to be about a human. Here the information is about a process for handling CCPA requests. We can argue about whether, in a single site operator case that also qualifies as information about a human since there’s no clear organizational policy, but I want to make it clear that information simply coming from a human does not make an experiment a human subject experiment.

> The fact that information comes from a human does not make something a human subject experiment. The information has to be about a human.

The experiment is collecting more information than just survey results about CCPA policies. They're also collecting and evaluating information about how humans respond to their legal threats vs how they respond to less pointed inquiries from academics. If this study was merely ordinary survey methodology with questions that aren't asking about humans, it wouldn't be human subject research. But they have actually gone outside the bounds of a mere survey with the deception and threats.

So what I find fascinating in the academic sense is that the law is being followed naturally here and so any costs incurred are incidental and arguably not the result of this experiment but rather actually the result of the law existing in the first place so ethically it’s not clear to me whether the experiment is creating this stress or in fact the law and modern society itself creates this new possibility of stress. If it’s a problem that lawyers can get involved in response to request for information about a possible CCPA request, then perhaps the law needs rework so that it cant be construed so easily as some threat requiring you to lawyer up.

In short, if lawyers asking people to follow laws are an ethical problem, then maybe we need to address that and not get enraged about a totally legal request for information about a website’s CCPA process.

Also, the text on the page reads as tone-deaf enough for me to wonder if it's deliberately written to misrepresent the nature of the study activities to people on the IRB who are unfamiliar with technology. A quick Googling for everyone on the Stanford IRB Committee [1] shows Kyle Jamieson [2] as the only CS person – everyone else seems to be a clinician, scientist, or administrator.

> As part of the study, we are asking public websites about their processes for responding to GDPR and CCPA data access requests. We attempt to identify a website's correct email address for data access requests through an automated system.

You cannot "ask a website" and a website doesn't have a "correct email address". Given the targeted nature of the emails, I have trouble believing that these phrases were written in good faith by someone who understands that they are emailing the webmaster for a website, and expect an answer within a reasonable timeframe.

----------------------------------------

[1] https://ria.princeton.edu/Human-Research/Committee

[2] https://www.cs.princeton.edu/~kylej/

> they are lying and misreprenting themselves

The police does that quite often to catch criminals. Sometimes they also target innocent people, is that ethical?

People on HN don't usually lie, I hope, but most "misrepresent" themselves using anonymous accounts, sometimes claiming to be more than they actually are (I know, shocking).

Emails you receive are more likely to be scams than not. If you're like the author and freaks out at legally-sounding emails (or phone calls, discussion forum comments etc) received from random people, you're going to be a really stressed, anxious person your whole life.

> The police does that quite often to catch criminals. Sometimes they also target innocent people, is that ethical?

This should tell you something about your police, not about ethics.

Academic research has a well established and formal set of ethics rules.

These rules are not as established or strict for other professions.

specifically, deception studies are really hard to get approved - and for good reason. looks like this wasn't properly reviewed.

Because one IRB makes a bad decision doesn't mean, in general, deception studies are easy to get approved. Furthermore, this study used an "no human subjects" exemption to avoid a full review - which should not have happened. The Linux code attack study has also roundly criticized in the research community because it was such an abnormal failure of IRB.

> The Linux code attack study has also roundly criticized in the research community because it was such an abnormal failure of IRB.

So how is the board doing? Did its members face any consequences at all or are they still there ready to rubber stamp the next study with full approval and flimsy excuses?

>The police does that quite often to catch criminals

Your country should crackdown on police behaviour.

> They say they are a data subject from Nice

Huh? Are we reading the same article? Because what I see is this:

> My name is Maya Mishina, and I am a resident of Novosibirsk, Russia.

There were multiple emails with multiple fake identities from these domains:

  envoiemail.fr
  novatormail.ru
  potomacmail.com
  princetondmarcstudy.org
  princetonprivacystudy.org
  yosemitemail.com

They also send different messages, e.g. fake California residents asking about GDPR, not CCPA.

The article the article linked said Nice https://blog.freeradical.zone/post/ccpa-scam-2021-12/

Someone on the Internet is lying and misrepresenting themselves? Nooo!

(The rest isn't a response to seanhunter's comment, but a comment on the discussion in general)

If we take a step back from the discussion; I'd have to say that this is in a gray area that kind of ends up being mostly in the "ok" region - or possibly in the "probably not worth giving a shit about" region. There is a simple litmus test you can make: how would people have reacted if this had been limited to large corporations you do not like? The response would have been very different.

Let us at least be honest enough to admit that to ourselves.

That this is part of academic research doesn't really change anything.

It also needs to be said that people tend to be too uptight about perceived small infringements on what they see as their inalienable rights. If we are going to label subjects of what is at best described as akin to consumer research as victims we are watering out the term to the point where every person who has accessed the web is essentially a victim.

Hence the victim blaming someone tried to call out in a comment, is needless douchebaggery and drama. There are real victims of real transgressions and this is belittling.

People need to take themselves a bit less seriously. You are part of human subject research studies every time you use the web. And yet you come back for more every day.

Half of you probably contribute code and time to an industry that turns human behavior into numbers that the is translated into cash. And proudly so. Hypocrisy just makes us all look like douchebags.

> how would people have reacted if this had been limited to large corporations you do not like?

Those large corporations we do not like have lawyers on retainer specifically to deal with this situation (probably by suing the pants off of whoever sent the email).

It is acceptable to react differently when the victim is defenseless. That is why we would have a different reaction to a large corporation being struck by this, versus an individual who may not be able to afford legal counsel (and who certainly can't afford to pay legal counsel when the threat turns out to be baseless).

I am making the argument that a company that already has lawyers on retainer for this occasion is not suffering the same harm that someone who does not have a lawyer on retainer does. Similarly, someone who can't afford a lawyer at all is disproportionately likely to be harmed compared to a company that has competent legal staff.

Also, "privacy laws create victims" is--to use your own phrase--a very tortured version of what's going on here. The people affected by this study were threatened with legal action. That is what they are victims of. Regardless of what law was used as an excuse, threatening someone with frivolous legal action is as bad as threatening someone with SWATting.