>It appears to be a set of guidelines, not a requirement.
I don't know about you, but I learned about deception in research and its ethical implications in high school. To me, grown-ass adults working in the field of STEM not knowing ethical research, let alone a god damn researcher failing spectacularly and causing harm to an ungodly amount of people through the use of automated means, is woefully beyond "oopsie, I really shouldn't have done that."
>For example, I would feel comfortable with this study if at the bottom it said "Just kidding, we're actually researchers. Can you explain what was going through your mind when you read this?" even though it's technically deceptive.
This is kinda what debriefing is, but it is usually more substantial than this. But that still feels extremely amateurish in my eyes. The stated research objective was to have a measure on CCPA/GDPA compliance and did not require deception whatsoever. Either the researcher was not imaginative, they didn't give a fuck, or they just wanted to try deception just for fun.
>I'm a former pentester, and deceptions like this were run all day, every day, by a dedicated team. It's often phase one of phishing, since you end up assuming you're talking to a trustworthy source.
I don't know about you but I hear news all the damn time where phishing emails go wrong--like I think I just saw a testimonial on reddit where fake phishing emails were so aggressive that it literally just ended up discouraging people from using email entirely to the point where people missed assignments and shit.
Something similar happened in my company as well and a lot of people got furious.
Fake phishing things should also be heavily controlled, like for us, it is entirely voluntary.