Yeah, I think that's right. But it does raise an interesting point. The meta-point of the study was a good one, I think, which is to "study privacy on the internet".
I'm soooo behind that (one reason I am disappointed in the ethical lapses here)—I've often considered publishing the steps I take for each website on a substack or whatever, to help other people. Sometimes, it can be hard to figure out (1) if your data can be requested-to-be-deleted, and (2) how to even do it.
Clearly, the deception was bad; I guess, just thinking out loud, how could this study have been done ethically? Perhaps, sign up real people to request the data, and transparently include a notice that this was part of a study?
The last bit is the tricky one; including that might skew the results in favor of websites being compliant.
If I understand correctly the sentiment is that the study is not in “good faith” by virtue of being a study. That’s where I’m genuinely ethically confused. It’s not like the study is bad faith (like they’re trying to trick websites into something illegal then sue them). At worst it’s neutral faith. But why is that unethical?
EDIT: Some grammar, and minor clause clarification in second-to-last paragraph.
Yes, frequently. And throwaway.
About once a week, I pick an account in my LastPass collection, and initiate the following process:
1. Initiate a CCPA data request using a form or email, and I always include language about the timeline. I am not a lawyer, I'm just a person.
2. Then, once I have the data, I delete the account.
I'm trying to purge my web presence before I move out of California. I have about 200 accounts left, and have done this with 50.
Admittedly, these are all large businesses, so far. Think Google, where I've worked myself, so I know they are equipped to handle it. But, I will be working my way down to small businesses eventually, and I am surprised to find out that simply quoting the statute (which is what I do) is considered anything but vaguely legally threatening. If the website doesn't fall under CCPA, or hell, if it does, I just expect it to be ignored. I mean no ill will.
I'm personally pretty conflicted, since I actually fully agree with this [1] about the study being unethical, but if I send an email as an individual to a website with my data, quoting a California law, that doesn't seem wrong to me, even if it causes $10k in legal costs, since my request is truly genuine and not intended to cause harm.
I would agree that there is a distinction at the study level, but I'm not exactly sure why.
The distinction is super clear to me. You as an individual are exercising genuine data subject access rights granted to you by law. They are a researcher prentending to be a data subject exercising rights in order to gather data for their study.
Even if what you are doing is "legal" it seems abusive as hell to me, especially if it is ever targeted at a smaller company or person like in the OP's case. Why are being so difficult? Why don't you find something more useful to do with your time instead of making others jump through idiotic hoops out of some misplaced sense of justice?
I imagine that for some companies it is difficult, and to the extent that I feel a 'sense of justice' about it, I would hope that my efforts help the organization (or single person, acknowledging that) set up a process to handle this.
I'm *genuinely* not trying to be abusive though. It's *extremely important* that consumers have the ability to exercise their data and privacy rights.
I'm not that old (mid 30s), but genuinely much of the data I have on the internet was put there when I was an actual child. And it's still there. This is actually one of the first times I've posted in *years* online. I really want to delete *almost everything*. Note in my OP, I said I worked at Google. I quit, because although I actually think ad targeting and the surveillance network are actually okay-ish, I wanted to opt-out myself, on both ends. So far, this decision has cost me 250k USD personally (if I calculate out the opportunity cost since I quit, just so far). And for the websites/apps I do still use, I donate some amount of money per year. OK, maybe I'm a freak, I really do think this stuff is important.
What would you suggest I do? Leave all my data online? As I said, in my cases, I was an actual child (those COPPA things did nothing to stop me), and this is, so far, a really effective way at getting places to delete my data. Maybe it's because they're "scared" of the law, but you know, then the law is working. Before, nobody responded to my deletion requests, and many websites had no option to delete. As a libertarian-ish person, this is a clear win for the consumer in terms of "coercive power of the state being used to create a framework that increases net freedom".
I am open to being wrong though! Let me delete all of my data first though so I don't have to do this again.
I'm soooo behind that (one reason I am disappointed in the ethical lapses here)—I've often considered publishing the steps I take for each website on a substack or whatever, to help other people. Sometimes, it can be hard to figure out (1) if your data can be requested-to-be-deleted, and (2) how to even do it.
Clearly, the deception was bad; I guess, just thinking out loud, how could this study have been done ethically? Perhaps, sign up real people to request the data, and transparently include a notice that this was part of a study?
The last bit is the tricky one; including that might skew the results in favor of websites being compliant.