[HN Gopher] Princeton researcher apologizes for GDPR/CCPA email ...
___________________________________________________________________
Princeton researcher apologizes for GDPR/CCPA email study
Author : Mizza
Score : 165 points
Date : 2021-12-22 15:40 UTC (7 hours ago)
(HTM) web link (privacystudy.cs.princeton.edu)
(TXT) w3m dump (privacystudy.cs.princeton.edu)
| anon946 wrote:
| I would be very much interested in seeing the IRB
| submission/application that was submitted for this study. I
| wonder whether or not it was mischaracterized to the IRB, or
| written in such a way as to diminish the problematic aspects.
| nightpool wrote:
| From TFA: We submitted an application
| detailing our research methods to the Princeton University
| Institutional Review Board, which determined that our study
| does not constitute human subjects research. The focus of the
| study is understanding website policies and practices, and
| emails associated with the study do not solicit personally
| identifiable information.
|
| This came up during the Linux security patch debacle as well.
| IRB guidelines are focused on a narrow set of harms based in
| historic abuses of medical research, and don't necessarily
| condemn the types of deception available here. As TFA points
| out, "secret shopper" methods are common in academic research
| of business practices.
| dcow wrote:
| This is exactly what I don't understand about the whole
| thing. People are arguing that this was unethical but the
| researchers literally proposed the study to their review
| board which said "go ahead it's not a human subjects research
| study and does not need consent and is not by that virtue
| unethical". Perhaps the review board was wrong, people make
| mistakes, whatever. But assuming the review board was correct
| in its analysis of the situation (and who are we really to
| challenge that unless there's a glaring negligent tier
| mistake), I have yet to hear an argument that dissects the
| ethics of this case and clearly lays out what ethical
| quandary we have on our hands and where the line was crossed.
|
| It really seems to me that people are conflating "annoying"
| with "unethical". Sure, spamming people is annoying. But how
| is it unethical? I had the same questions about the linux
| kernel security patches issue. Annoying waste of a few
| maintainers' time, arguably yes for some definition of waste.
| But unethical? How so and can someone link me to literature
| detailing the ethical framework that disallows otherwise
| legal activity in good faith pursuit of knowledge because
| _someone_ got annoyed in the process? I think that would be
| an interesting read.
| powersnail wrote:
| Especially in the area of CS/programming, it's so easy for
| experts to fool the IRB because they can hide behind words
| like "website", "data", "policy", as if they are dealing
| exclusively with machines.
|
| > who are we really to challenge that
|
| We are not obligated to make the same ethical judgement as
| the IRB. We are all entitled to challenge that.
|
| Making bogus legal threats is unethical, when being sued
| can realistically lead to completely altered life. Yes,
| it's an annoyance, _after_ the subjects determined that the
| threat is bogus, but it could be legitimately distressing
| (even costly) when they first received the threat.
|
| The researchers made no efforts to contain the negative
| impact of their email, either. The email contains no
| information about it being a bogus threat. The subjects
| weren't told in advance that they might be lied to. The
| subjects had given no consent to being scared.
|
| It doesn't seem "good faith" to send mass threatening
| emails with deliberately misrepresented laws.
|
| Remember that the Milgram experiment also involved no
| illegal actions, and were done in pursuit of knowledge.
| matkoniecz wrote:
| > Sure, spamming people is annoying. But how is it
| unethical?
|
| Spamming is unacceptable, unwanted, illegal and unethical
| for quite obvious reasons, namely
|
| (1) negative effects do not justify benefits (2) spammer
| gets benefits at cost of others (3) it is annoying (4) it
| is not needed.
|
| Rare exceptions may apply, it is not one of them.
| [deleted]
| jmull wrote:
| The emails purported to come from individuals, but were (1)
| written in an aggressive, legalistic style, and (2)
| directed at individuals who were not subject to CCPA and
| not equipped to deal with regulatory demands of it.
|
| This caused significant anxiety on the part of the
| individuals who received this email, since it implied they
| would be subject to legal action if they did not provide a
| sufficient reply. It caused them to take significant action
| -- e.g., to research the law (that they aren't subject to),
| to determine if/how they could comply with a CCPA data
| access request if they had to, to consider retaining legal
| representation, etc.
|
| It came off as some kind of scam or mistake, but one that
| had to be taken seriously.
|
| You could read some of the blog posts from people who
| received these emails to understand the effect it had on
| them. It might also help you to read the email they
| received and imagine receiving the same for a site for a
| personal blog or one-man shop.
| yjftsjthsd-h wrote:
| People aren't upset about it being annoying. People are
| upset that it read as a threat and resulted in people
| spending money to hire a lawyer because they thought they
| were about to get dragged into court.
| bryan0 wrote:
| I think you bring up a good point: that some of the blame
| going to the researcher really should be directed at the
| review board itself. It's their responsibility to catch
| cases like this. The fact that some people who were
| included in the study without their consent are upset and
| angry, means they failed this responsibility.
|
| I think what you are missing though, is that just because
| something passed a review board, that does not make it
| ethical. Review boards, like everything else, will make
| mistakes.
| najqh wrote:
| If you can screw somebody over just for asking to comply with a
| legal request, the problem is the law.
| [deleted]
| kstrauser wrote:
| It's more complicated than that. The email I received was wrong
| about my legal obligations to respond. First, I received the
| email regarding a tiny personal site I operate for the fun of
| it, and I don't meet the CCPA deadlines. Second, nothing in the
| CCPA said I have to reply to random information-gathering
| requests anyway. And yet, the email gave me a deadline to
| respond and cited a specific law, claiming that I owed them a
| response.
| netizen-936824 wrote:
| Not the legal system which requires the steep cost of
| representation?
| Terry_Roll wrote:
| I don't know whether the problem is the law or not. Interesting
| to see some people have seen GDPR as a security risk, but it's a
| great way for people to see what is being used to help an
| entity carry out its function.
|
| I sent this to my politician and am still waiting for a
| response but I'm more than interested in what they use tech
| wise, and I think it covers everything!?!
|
| GDPR Request: Everything you have on me, please highlight what
| you or your 3rd parties consider to be for law enforcement
| purposes or for scientific purposes and therefore cannot be
| deleted, and please detail all & any 3rd parties who may be
| required to handle my data that enable you to perform your
| function of MP when dealing with me. Examples will include Anti
| Spam and Anti Virus software vendor(s), systems backup
| companies, cloud infrastructure providers, network
| infrastructure providers, computer equipment providers,
| external national or regional departments, private assistants
| or secretaries, mobile phone companies, data analytics
| companies that have (in)directly identified me in order for you
| to get into office. This list of examples is not exhaustive.
| After I have received & reviewed the data, I will inform you of
| what can be deleted.
| jhgb wrote:
| It seems to me that your politician needs to be a data
| controller to do that. It's unlikely that he is one.
| Terry_Roll wrote:
| In order to communicate via email with British politicians,
| you have to include your name and address.
|
| I also sent a GDPR request, to GCHQ, MI5, various police
| constabularies where I have lived or passed through and the
| Police national database because a Police constabulary doesn't
| have to pass information to the central national database.
|
| It's quite interesting knowing what they know about you and
| would urge all Europeans to do the same, i.e. GDPR your
| security services & police forces!
|
| I don't have a mortgage, but in theory you could also use
| GDPR to do this if you have the deeds to your mortgaged
| property, you could DSAR your mortgage lender and then ask
| them to remove all your data from their system as it's not
| scientific or law enforcement purposes and you should also
| time it so that all the credit data agencies like equifax
| and experian also remove all trace of your mortgage at the
| same date and time. In theory you should end up with a
| mortgage free property but I can't try this as I don't have a
| mortgage.
|
| Hacking isn't just restricted to Computers, you can exploit
| the law as well. :-)
| M2Ys4U wrote:
| I'd argue the opposite - they _are_ likely to be one,
| especially if they've run a successful campaign.
|
| Candidates and parties will canvass the electorate to
| identify who is (likely) to vote for who so they can put
| resources in to the right things and make sure likely
| supporters turn out to vote etc.
|
| That's not to mention that any (prior) correspondence with
| the politician (or their office) will almost certainly also
| contain personal data.
| jhgb wrote:
| OK, that would make sense. That's more likely a party
| thing where I live (so you wouldn't contact a random MP
| but someone in an administrative position in the party),
| but I imagine it's not necessarily the same thing
| elsewhere.
| curiousgal wrote:
| They did not screw anyone over, their email specifically says
| that it is not a data request. I remember one person saying
| they had a panic attack reading the email. Like come on, let's
| be real.
| kstrauser wrote:
| I got the email and I nearly had a panic attack. The email
| wasn't completely generic: it referred to my specific site.
| It also read an awful lot as if it was coming from someone
| who would be looking for the slightest mistake in my response
| so that they could sue me. Similar things happen[1]. And
| finally, it lied and said I was compelled to respond, quoting
| a law that said no such thing (and which wouldn't apply to my
| zero-revenue personal project website anyway).
|
| The stress wasn't from the email. It's that it gave every
| indication that I was being contacted by a legal troll, and
| that I might have to defend my hobby project in a courtroom.
| I couldn't afford the costs of doing that, even if I
| ultimately won, and the idea of "well, there goes the college
| fund because of a stupid lawsuit on my hobby" was awful.
|
| [1] https://tucson.com/business/group-barred-from-filing-
| disabil...
| cosmojg wrote:
| Thank you for sharing your experience; you're shedding more
| light on the situation than anyone else is right now. Out
| of curiosity, would you be willing to copy and paste the
| email contents here?
|
| Edit: Ah, I found your blog post[1].
|
| [1] https://honeypot.net/post/dealing-with-princetons-
| flawed-pri...
| mgamache wrote:
| I received one of these emails (I think). I can post it if people
| think it's informative (I didn't respond as it felt sus).
| mgamache wrote:
| Here it is:
|
| _Email To Whom It May Concern:
|
| My name is XXXX XXXXXXX, and I am a resident of Roanoke,
| Virginia. I have a few questions about your process for
| responding to General Data Protection Regulation (GDPR) data
| access requests:
|
| 1. Would you process a GDPR data access request from me even
| though I am not a resident of the European Union?
|
| 2. Do you process GDPR data access requests via email, a
| website, or telephone? If via a website, what is the URL I
| should go to?
|
| 3. What personal information do I have to submit for you to
| verify and process a GDPR data access request?
|
| 4. What information do you provide in response to a GDPR data
| access request? To be clear, I am not submitting a data access
| request at this time. My questions are about your process for
| when I do submit a request.
|
| Thank you in advance for your answers to these questions. If
| there is a better contact for processing GDPR requests
| regarding allisonelearn.com, I kindly ask that you forward my
| request to them.
|
| I look forward to your reply without undue delay and at most
| within one month of this email, as required by Article 12 of
| GDPR.
|
| Sincerely, XXXX XXXXXX_
| NohatCoder wrote:
| Does anyone have the text of such an email?
| MattSteelblade wrote:
| https://joewein.net/blog/2021/04/21/questions-about-gdpr-dat...
| throwaway918279 wrote:
| I'm accessing this researcher's website from the EU [1].
|
| They don't have a gdpr banner asking me for consent but I can see
| analytics tools including Google analytics and fastly[2].
|
| Is this website compliant with GDPR regulations?
|
| [1] https://www.cs.princeton.edu/people/profile/jrmayer
|
| [2]
| https://builtwith.com/?https%3a%2f%2fwww.cs.princeton.edu%2f...
| UncleMeat wrote:
| You can reach out and ask.
|
| Mayer is among the most influential people out there pushing
| for improved privacy via technology and legislation, and has
| been doing so for years.
| yifanlu wrote:
| I have a blog hosted on GH Pages generated with Jekyll. I got
| this email from the researcher:
|
| > To Whom It May Concern:
| >
| > My name is Tom Harris, and I am a resident of Sacramento,
| > California. I have a few questions about your process for
| > responding to General Data Protection Regulation (GDPR) data
| > access requests:
| >
| > Would you process a GDPR data access request from me even
| > though I am not a resident of the European Union?
| >
| > Do you process GDPR data access requests via email, a website,
| > or telephone? If via a website, what is the URL I should go to?
| >
| > What personal information do I have to submit for you to verify
| > and process a GDPR data access request?
| >
| > What information do you provide in response to a GDPR data
| > access request?
| >
| > To be clear, I am not submitting a data access request at this
| > time. My questions are about your process for when I do submit a
| > request.
| >
| > Thank you in advance for your answers to these questions. If
| > there is a better contact for processing GDPR requests regarding
| > yifan.lu, I kindly ask that you forward my request to them.
| >
| > I look forward to your reply without undue delay and at most
| > within one month of this email, as required by Article 12 of
| > GDPR.
| >
| > Sincerely,
| >
| > Tom Harris
|
| I honestly thought it was one of those legal trolls who sent the
| same email to everyone hoping to find someone to sue but I
| responded anyways explaining how statically generated sites
| worked and that I'm willing to provide the information, being
| that the information is that I have none...
|
| The last paragraph in particular made it sound like a veiled
| legal threat (or that they're hinting that they're willing to go
| down that road). I felt that I had to respond just to establish
| some record.
| dmingod666 wrote:
| It was specifically crafted to sound like there will be legal
| consequence - this internet tough-guy goes into the same bucket
| as deceptive 'microsoft technicians' asking you to buy gift
| cards - not as scammy or nefarious, but in a similar vein
| nevertheless.
| kstrauser wrote:
| That's similar to what I got, and I had the same thoughts about
| it. I responded more publicly though:
| https://blog.freeradical.zone/post/ccpa-scam-2021-12/ .
| arbuge wrote:
| Part of the problem here was the smug tone of his student
| initially going on Twitter to make the dubious claim that the
| response to this study had been "overwhelmingly positive", when
| it was already abundantly clear that it was anything but.
| arbuge wrote:
| ps. The tweet in question is still there, with no apology yet
| from this individual:
|
| https://twitter.com/RossTeixeira/status/1471249559879929861
| eli wrote:
| I've been very critical of this study from the start, but credit
| to the research team for acknowledging their errors and
| apologizing.
|
| I think the goal is a good one and I hope they're able to find a
| better way to accomplish it.
| ummonk wrote:
| They don't deserve any credit until they set up a fund to pay
| the legal costs of websites that had to consult counsel in
| response to these emails.
| addingnumbers wrote:
| Their apology really doesn't address one of their most
| egregious wrongdoings.
|
| I see them boasting that the IRB determined "our study does not
| constitute human subjects research."
|
| I don't see them acknowledging that they slipped under the
| IRB's radar by consistently referring to human subjects as
| "websites."
| eli wrote:
| I think the IRB should investigate how they reached that
| conclusion and probably issue their own apology. Hard to say
| without seeing the actual application and not being familiar
| with Princeton IRB rules.
| kodah wrote:
| What is it about an apology that makes you seek them?
|
| I prefer action, charitable interpretation, and progress. I
| found this update rather encouraging:
|
| > Third, I will use the lessons learned from this
| experience to write and post a formal research ethics case
| study, explaining in detail what we did, why we did it,
| what we learned, and how researchers should approach
| similar studies in the future. I will teach that case study
| in coursework, and I will encourage academic colleagues to
| do the same. While I cannot turn back the clock on this
| study, I can help ensure that the next generation of
| technology policy researchers learns from it.
|
| Instead of wasting time by making another person or entity
| go through the humiliation gauntlet, let them improve their
| surroundings.
| eli wrote:
| Yes, a good apology always explains what is being done to
| prevent the wrong from happening again. I think we're
| saying the same thing.
| kodah wrote:
| Potentially. What I explicitly dislike is the mea culpa
| portion (and subsequent apology grading, where people try
| to derive some intent). Rather, I like "responses" with a
| plan. Is that the same as an apology to you, even without
| explicitly saying "I'm sorry"?
| kortilla wrote:
| Well an apology is usually the first step in admitting
| wrong-doing and changing a formal process like IRB
| reviews.
| volta83 wrote:
| This might be an error on both sides.
|
| They want to study how websites handle GDPR and CCPA, and
| that's probably what they submitted.
|
| The IRB reasoned that "websites are not people", which is
| true, but failed to reason that "websites are operated by
| people", and therefore certain measures should be taken.
|
| The IRB bears some responsibility for this.
| vhold wrote:
| I don't think they even realize that is what happened. You
| can see the flawed thinking throughout the entire description
| of the experiment. They anthropomorphized websites, imagining
| them to have the abilities that the humans behind them have.
|
| That's probably the big thing that people should learn from
| this, I think this is a pretty common misconception.
| double_nan wrote:
| That is a very generous way of thinking about (no doubt)
| very smart people.
| endisneigh wrote:
| Hot take: the researcher did nothing wrong. Some random person
| could make the same legitimate requests. If you dislike what this
| person did then really you just dislike that portion of the law.
|
| You cannot simultaneously believe anyone can request their data
| via these laws and then get mad that people do it, research or
| not.
|
| It's literally designed this way.
| eclipsetheworld wrote:
| I'm honestly baffled about the response, especially from the
| pro-privacy crowd on HN. This is simply the reality of GDPR. If
| you host and operate a website that serves EU visitors you must
| comply with GDPR. Of course this is a burden on small operators
| and it may come off alarming the first time you receive a GDPR
| request, however, this is GDPR working as intended. It is
| intended to force operators to explicitly decide which user
| data they are going to collect (incl. on how to inform users,
| correct, delete, export, etc. this data).
|
| I do agree that there might be ethical concerns on how this
| study was conducted, however, the email messages do not suggest
| pending legal action. They're pretty standard GDPR requests.
| mrtranscendence wrote:
| The emails were sent to websites that do not process personal
| information and are thus not subject to GDPR, so the
| recipients were in some cases confused about what their
| responsibilities would be. And though the emails did not
| suggest that legal action was _pending_, they do suggest a
| willingness to resort to legal action in a relatively short
| time frame. This caused anxiety for apparently many small-
| time, non-profit bloggers.
|
| Is it unethical? I dunno. But it's nuanced, at least.
| s1artibartfast wrote:
| You can believe that users should be able to request this
| information legitimately, but arbitrary third parties should
| not.
|
| The idea is that the burden and stress of response is
| outweighed by benefit to the legitimate user. In this case
| there is no legitimate user.
|
| This is similar to the concept of standing in the courts.
| Someone who is harmed can bring a suit for compensation or
| redress, but an uninvolved third party cannot.
| endisneigh wrote:
| How would a legit user make the request without inquiring
| what their policies are?
|
| Keep in mind the experiment wasn't even making requests.
| s1artibartfast wrote:
| They could send an identical email, but it would be coming
| from a legitimate user.
| endisneigh wrote:
| The answers to the questions don't depend on whether or
| not the user is legitimate or not. Not to mention cases
| where the user isn't even sure of their account
| information or lost email, etc.
| s1artibartfast wrote:
| I agree the answer does not depend on the legitimacy, but
| that doesn't matter. The answer to where were you last
| Tuesday night does not depend on who asks it, but only
| some have the right to ask that question and demand an
| answer.
| endisneigh wrote:
| Your example isn't relevant at all to the actual
| situation we are talking about.
|
| A more relevant example would be your right to go into a
| restaurant and see their food safety certificate.
| s1artibartfast wrote:
| I guess therein is the disagreement. Is the request more
| like one case or the other. It seems that most people
| feel the intent of the law is (or should be) to allow
| users to request information no, not any unrelated third-
| party
| endisneigh wrote:
| Indeed, but the experiment wasn't about requesting
| information, it was about requesting their policy around
| handling user data.
|
| Seems reasonable to me - for example you're a prospective
| user and want to know how they handle requests, just in
| case you want to do it in the future after being a user.
| s1artibartfast wrote:
| Which is itself a request for information. I think a
| request for policy information is reasonable if they
| didn't make up false identities and claim to be users.
| endisneigh wrote:
| I don't understand why you think it matters lol. Must you
| be a paying patron of a restaurant to merely ask for a
| menu?
| s1artibartfast wrote:
| Clearly there are some situations where requests
| are reasonable and others where they are not. This is not in
| dispute.
| bpfrh wrote:
| I think the argument would be that they sent those requests
| knowing that the sites do not have information stored.
|
| I think an ethically good study would be if they requested users
| to request their data from sites they use.
| varjag wrote:
| Anyone can yell at you on the street so it's fine I yell at you
| for research purposes.
| endisneigh wrote:
| That is not the same thing. The process for GDPR involves
| sending an email very similar to the one sent.
|
| The action you should take doesn't depend on whether or not
| the email you've received is for research purposes.
|
| If someone doesn't understand this then they have no business
| running a public website.
| tverbeure wrote:
| It only takes a quick scan of the comments in this thread
| to see that there were people who received this email while
| hosting a static github.io website with their personal
| blog. That's a public website. Do you honestly think that
| anyone running a personal blog has no business doing so
| unless they are knowledgeable about the details of European
| and California website privacy rules? What a brilliant way
| to stifle public speech.
|
| Your answer will probably be: "personal blogs don't fall
| under these regulations, so it's a non-issue" but that's
| exactly the point: these researchers scared a bunch of
| people into spending time to research a law that doesn't
| even apply to them, yet the chance that some random from
| Europe would send a GDPR request to their blog is
| essentially zero, because even privacy crusaders are
| smarter than these Princeton researchers to know that it makes
| no sense to do this.
|
| Even if the general principle were ethical (not that I
| agree), the Princeton researchers should have used a curated
| list of websites that could reasonably be expected to
| receive GDPR requests.
| endisneigh wrote:
| Being a personal blog isn't really relevant here, and yes
| people should know the law, and now they do.
|
| Stifling free speech is ridiculous hyperbole - no one was
| silenced by this. At worst people needlessly wasted time
| consulting a lawyer.
| tverbeure wrote:
| I love the casualness about somebody wasting hundreds of
| dollars consulting a lawyer for something that isn't
| relevant to them.
|
| As for the personal blog: it is relevant, because the
| email was sent to owners of personal blogs.
|
| You claimed that the recipients of this email, such as
| personal blog owners, had no business running a website
| if they didn't know the details of a law that doesn't apply
| to them. That's stifling plain and simple.
| endisneigh wrote:
| It's not relevant because personal blogs could actually
| be collecting data.
|
| Also in the usa most lawyers offer a free initial
| consultation.
| powersnail wrote:
| My door bell is designed to be pressed. But I do have a problem
| with someone who runs down the street pressing every doorbell,
| because they want to gauge home owner's response time.
|
| Spamming and wrong intentions can make an otherwise legitimate
| action unethical.
| detaro wrote:
| They sent requests to people where their fake person would not
| have had any basis to make the requests.
| jhgb wrote:
| In that case the response should have been just that,
| presumably. Nothing prevents you from making requests, they
| just might not be answered.
| detaro wrote:
| People to whom the law doesn't apply are not necessarily
| very familiar with the details of this, and thus are going
| to be cautious if presented with what appears to be a legal
| threat. For a pro, this is easy to reply to, for random
| hobbyists it's not.
| jhgb wrote:
| Maybe that's just me being an EU citizen but I fail to
| see the supposed threat. Is that a US thing to see a
| legal threat in everything?
| kstrauser wrote:
| Context is everything here.
|
| "Please respond quickly."? Fine.
|
| "The law says you have a month to reply."? A little
| aggressive, but OK.
|
| "According to such-and-such code, section 45, part b,
| subsection 3, you have 87 hours from the time I sent this
| -- that is, from 12:43:56 PM Eastern time on this date --
| to give your on-the-record response."? They've got a
| lawyer, and this is going to be a pain in the ass.
|
| These particular emails were somewhere between the second
| and third options.
| jhgb wrote:
| Asserting your rights (which you even say is "a little
| aggressive, but OK") as per specific regulation is far
| from being a legal threat where I live. That's just
| asserting your rights. A legal threat would be far worse.
|
| > They've got a lawyer
|
| ...but this would suggest to me that this _is_ cultural,
| since this thought would never occur to me.
| kstrauser wrote:
| I'll have to take you at your word as I don't have
| experience where you live. Here, friendly requests tend
| to be much less formal. As a further example, suppose my
| dog was in my back yard barking, and this annoys my
| neighbor. They approach me about it:
|
| > "Hey, neighbor, your dog is bothering us. Could you
| take it inside?"
|
| Typical response: "Oh, sorry! Sure. Come here, pooch!"
|
| > "Hello neighbor. According to county code section 23,
| 'Nuisances', paragraph 3, 'Pets', your dog can't bark for
| more than one minute without violating the ordinance and
| being subject to a fine of not more than $85."
|
| Typical response: "Get off my property, and if your kid
| ever throws a baseball at my house again, I'm going to
| launch it through your front window."
|
| Normal-person requests are usually formulated like "hi,
| can you do this thing for me?" even if the person being
| asked is obligated to do it. Citing law is considered an
| aggressive escalation.
| jhgb wrote:
| A communication between two entities who are not friends
| is not "friendly". This is clearly a formal request of a
| type that is even regulated by a law. You're almost
| certainly not asking your neighbor about something like
| this. You're almost certainly asking someone you've never
| met in your life. Not sure what about it needs to be
| "friendly" any more that asking a government bureau using
| some formalized process (like filling out a form) needs
| to be "friendly".
| kstrauser wrote:
| And yet, it usually is.
|
| I've gotten requests from people asking me to delete
| their account, sent from the email address they used to
| register it, along the lines of:
|
| "Hi, I've forgotten my password, but I don't really use
| my account anyway. Could you delete it for me?"
|
| And of course I comply, because I want to be helpful.
| They asked nicely; I replied nicely. It's a pleasant and
| productive interaction from all involved. This is the
| social norm here.
| jhgb wrote:
| But the example you outlined is not regulated by any law
| as a formal procedure. That's an ad-hoc request. Of
| course it could also be phrased as a GDPR erasure
| request, but I bet you'd definitely expect that to be
| more formal and more specific. After all, that _would_ be
| a (formally) legal request, and not just something you
| may decide to do or not to do depending on how you slept
| last night.
| desmosxxx wrote:
| How is this not a threat in the EU or anywhere? Yes it's
| made worse by the litigious nature of the US, but that's
| beside the point IMO. The sender is clearly implicating
| that there will be consequences for not responding. _Even
| if this is the law and the sender is within their rights,
| it's still a threat._
|
| The entire thing is even worse because most of these
| websites were _not_ under any obligation to reply but
| didn't know as much as they weren't experts in the law.
|
| In your view, what purpose does informing someone of a
| law related to their compliance serve?
| jhgb wrote:
| Saying on the basis of which regulation you're asking for
| something just isn't considered a threat where I live,
| period. People who want to make threats actually make
| threats.
|
| > In your view, what purpose does informing someone of a
| law related to their compliance serve?
|
| Well, obviously, in this case, it was about the time
| period expected. If you have reasonable assumption that
| your request is not common (for example businesses may
| plausibly receive far fewer GDPR requests than they
| receive product warranty requests), then communicating
| the expectation seems like a prudent thing to do since
| the other party is less likely to be familiar with it.
| [deleted]
| desmosxxx wrote:
| > time period expected.
|
| A legal expectation, no?
| endisneigh wrote:
| Yes, actually.
| dmingod666 wrote:
| Everything except these 2 lines was okay
|
| "I look forward to your reply without undue delay and at most
| within one month of this email, as required by Article 12 of
| GDPR."
| endisneigh wrote:
| I know it can sound scary but those lines are meaningless. At
| worst it just tells you why they're entitled to make the
| request they're making.
| bpfrh wrote:
| Edit: wrong comment, responded to the top comment instead
| addingnumbers wrote:
| It's not meaningless to imply that inaction is illegal.
| endisneigh wrote:
| How exactly did it imply that?
| addingnumbers wrote:
| I can't imagine any other purpose for citing a law that
| carries penalties for failure to respond while you invite
| a response.
| endisneigh wrote:
| Yes, but whether or not it's explicitly stated doesn't
| really change the law.
|
| Ultimately I don't really get the big deal. It takes 5
| minutes to reply to this, and if you don't unless you're
| some huge organization no one is going to waste resources
| bringing you to court.
|
| It's not that they're implying that it is illegal - it's
| that _it is_.
| thisiszilff wrote:
| If anything, it seems like this was an effective means to
| introduce a lot of people to possible liabilities they have
| under GDPR/CCPA (or why they are not applicable to them).
| kstrauser wrote:
| Fine, but I had no desire to be introduced to the
| intricacies of the CCPA that afternoon. I was off minding
| my own business and didn't ask for an "Are You Compliant
| For Dummies" course to be dropped in my lap.
| kazinator wrote:
| Did these researchers talk to a lawyer, who recommended
| apologizing like this?
|
| It seems like a rather imprudent thing to do.
| UncleMeat wrote:
| Mayer _is_ a lawyer.
| kstrauser wrote:
| More important:
|
| > We have also received consistent feedback encouraging us to
| promptly discard responses to study email. We agree, and we will
| delete all response data on December 31, 2021.
|
| I wrote one of the blog posts that got linked here on HN, and I
| have some strong feelings about that. None of them are joy,
| though. I think it's good and appropriate that the study is
| deleting all the data; since it was collected by misleading
| methods, I don't think it was valid. I'm not happy that a study
| covering an important subject, and led by researchers who had
| good motivations, went so far off the rails in the first place
| that it had to be axed.
|
| Edit: I wrote more about my response to this whole situation at
| https://honeypot.net/post/dealing-with-princetons-flawed-pri... .
| gpm wrote:
| Ignoring the ethical concerns, all the data they collected was
| completely worthless, because many of their subjects were
| contacting each other and responding to it with the knowledge
| that it was a mass email sent with a variety of presumably
| fraudulent names.
| hellojesus wrote:
| It's bizarre to me that anyone would respond to what would
| surmount to a legal request which was delivered via email.
|
| Unless the gov has a subpoena that was verifiably delivered to me
| physically, an email will be either totally ignored, or I'll
| respond telling them to go pound sand.
| dahfizz wrote:
| Is that how you would respond to any GDPR-related request? GDPR
| legally requires you to respond to requests within a month. If
| someone making a request points that out to you, you may feel
| like you've been threatened. That doesn't change the law.
| hellojesus wrote:
| Yes, that is how I would respond to a request inquiring as to
| what my GDPR practices are.
|
| The requestor here isn't asking for access to their information
| for GDPR reasons. They are asking what my private business
| operations are, which are not part of what I'm required to
| disclose, so far as my understanding goes.
|
| Separate from the above, if I run a US based business, why
| would I care if the EU wanted to try and sue me for breaking
| a law that has no jurisdiction over me?
| jhgb wrote:
| As per the law, a GDPR data access request may be sent by
| e-mail, or even delivered verbally. So the form is actually
| irrelevant.
| hellojesus wrote:
| Yes, but the researchers aren't asking about _their_ data.
| They are asking about internal business policies, which they
| are not granted under the law.
|
| From the OP's link's FAQ:
|
| """ Why does this study involve contacting websites?
|
| Very few websites post details of their processes for
| handling GDPR and CCPA requests. Both the GDPR and the CCPA
| contemplate users and intermediaries reaching out with
| questions about data rights processes, and we are using that
| opportunity to understand current website policies and
| practices. """
|
| From the sites I've seen discussing responsibilities,
| internal business processes for how GDPR requests are handled
| are not covered under GDPR.
|
| https://docs.microsoft.com/en-us/microsoft-365/admin/securit...
|
| """ Data subject rights
|
| The GDPR establishes data subject rights, which means that,
| with respect to their personal data, customers, employees,
| business partners, clients, contractors, students, suppliers,
| and so forth have the right to:
|
| Be informed about their data: You must inform individuals
| about your use of their data.
|
| Have access to their data: You must give individuals access
| to any of their data that you hold (for example, by using
| account access or in some manual manner).
|
| Ask for data rectification: Individuals can ask you to
| correct inaccurate data.
|
| Ask for data to be deleted: Also known as the 'right to
| erasure', this right allows an individual to request that
| any of their personal data a company has collected is
| deleted across all systems that use it or share it.
|
| Request restricted processing: An individual can ask that
| you suppress or restrict their data. However, it is only
| applicable under certain circumstances.
|
| Have data portability: An individual can ask for their data
| to be transferred to another company.
|
| Object: An individual can object to their data being used
| for various uses including direct marketing.
|
| Ask not to be subject to automated decision-making,
| including profiling: The GDPR has strict rules about using
| data to profile people and automate decisions based on that
| profiling.
|
| """
| jhgb wrote:
| I was referring purely to the "Why would anyone respond to
| an e-mail" part -- because there's no requirement for such
| a request to not be an e-mail for it to be valid.
| hellojesus wrote:
| Got it.
|
| I took the fact that the request was outside the scope of
| GDPR to mean that the researchers were trying to thinly
| veil their request as an official government request akin
| to a subpoena, which is why I originally stated I wouldn't
| accept electronic delivery of subpoenas.
|
| _Note: I also would freely ignore real GDPR requests
| because I'm US-based, and the EU has no jurisdiction
| over me._
| jaclaz wrote:
| Personally I would like to know the exact numbers of e-mails
| actually sent.
|
| Hypothesis out of 1,000 mails:
|
| 5% were never read (because of spam filters/whatever)
|
| 10% were discarded manually or ignored
|
| 50% were replied to taking 30 minutes to write an accurate reply
|
| 30% were replied after consulting someone else (in the office or
| friend) let's say 1 hour
|
| 5% were replied after consulting a lawyer or consultant, let's
| make this 4 hours
|
| 500x1/2=250 300x1=300 50x4=200
|
| Every 1,000 e-mails roughly 750 hours of people's work has been
| lost, that is at (say) 40 US$/hour some 30,000 US$ "burned".
| hapanin wrote:
| Perhaps the lab (and the IRB) should collectively perform 750h
| community service.
| [deleted]
| kbenson wrote:
| That's one way to look at it. Another is that people spent some
| time to understand a law which may or may not affect them, but
| if it does, they should probably already have known about it.
| "Should" in the sense that it would be good for them if they
| did, not in the sense that I think they were negligent, as
| honestly I think there's a bunch of laws that affect people
| like this that most of us are unaware of.
| matkoniecz wrote:
| I do not consider acceptable to be threatened about
| California law that does not apply to me.
|
| I do not appreciate learning about any law by being
| threatened with it in fake spam email.
|
| And sending threatening email to humans and having chutzpah
| to comment "our study does not constitute human subjects
| research" is just insulting.
|
| I received numerous spam from universities about "research"
| but never one that was blatantly lying, threatening me with
| inapplicable law and with legal documentation claiming that I
| am not a human.
|
| I send a complaint to them, and will consider further
| complaining.
|
| Does anybody have any idea why it "does not constitute human
| subjects research"?
|
| Is threatening people online not counted because it is
| online? Or have they lied to review board?
| jonas21 wrote:
| Even if the California law doesn't apply, if you operate a
| website with EU citizens as users, you're subject to the
| GDPR (and unless your website is extremely small or you
| explicitly block them, you've probably got some users from
| the EU). The GDPR has similar provisions to the CCPA, and
| some people do exercise their GDPR rights by sending emails
| like the ones the researchers sent.
|
| Which isn't to say that what the researchers did was
| acceptable -- just that it can still be a valuable
| educational experience for anyone unprepared to handle such
| a request.
| michaelmrose wrote:
| Nobody in America is going to know about or expect to be
| bound to the laws of 100 different jurisdictions because
| in theory someone could visit from that country.
|
| Kind of like visitors from Spain don't bring with them
| Spanish laws when they visit Nevada.
| matkoniecz wrote:
| > some people do exercise their GDPR rights by sending
| emails like the ones the researchers sent.
|
| Legitimate mails are OK. Mass send spam with illegitimate
| threats is still not.
|
| I am in large part irritated because it gives arguments
| to people who would want to get rid of such laws, makes
| harder to handle legitimate requests and spreads false
| info about such laws.
|
| > it can still be a valuable educational experience for
| anyone unprepared to handle such a request.
|
| And being robbed or having your country invaded also can
| be valuable lesson, which is not making it in any way
| acceptable or welcome.
| joecool1029 wrote:
| If they aren't an EU website, GDPR effectively doesn't
| apply. EU can word the law however they want but at least
| in the US without a treaty to enforce such a law, it
| lacks the force of law here. Europeans have an extremely
| hard time understanding this and I'm not quite sure why.
| I see this assertion again and again across the web.
| kstrauser wrote:
| I've seen that too. I'm in the US, and not subject to the
| GDPR. I _like_ the GDPR and totally approve of its goals.
| As a Californian, I'm glad we have the CCPA which is
| similar to it. I say this, then, as someone who supports
| the GDPR and appreciates it: I'm still not subject to it
| because I'm not inside its jurisdiction.
|
| Similarly, I'm certain I've broken laws in other
| jurisdictions, such as by criticizing fragile-egoed
| governments who make that illegal. Doesn't matter, they
| don't apply to me either.
| Beldin wrote:
| Slightly more nuanced: you do not foresee (and have no
| intention of) being anywhere where the laws you broke
| hold sway.
|
| There are laws that apply to anyone anywhere*; if you
| never have to worry about the consequences of breaking a
| law, you could choose to ignore it.
|
| * Belgium has one on warcrimes if memory serves; the GDPR
| might also apply to anyone handling an EU citizen's data
| (but IANAL).
| tremon wrote:
| This is a bit pedantic, but I'll make my point anyway:
| whether a law can _apply_ to you is orthogonal to whether
| it can be _enforced_ on you. The GDPR is very clear about
| its application, and it is explicitly extraterritorial
| [1]. Of course, it does have secondary provisions about
| company size and non-commercial activity (mainly recitals
| [13] and [18]) which limits its applicability, but from a
| legal definition point of view, "I don't live in the EU
| so the GDPR does not apply to me" is too simplistic.
|
| [1] https://gdpr-info.eu/art-3-gdpr/
|
| [13] https://gdpr-info.eu/recitals/no-13/
|
| [18] https://gdpr-info.eu/recitals/no-18/
| kbenson wrote:
| > I do not consider acceptable to be threatened about
| California law that does not apply to me.
|
| I think that's a bit much. Someone asking how they would
| submit a request if they needed to, and specifically saying
| in the message "I am not submitting a request, just
| wondering how" isn't exactly threatening you. It's sort of
| like someone going door to door in a neighborhood asking
| people what they think of the new water conservation law
| that requires sprinklers to be run after a certain time of
| day (which my city has, and recently went into effect). If
| I'm not in compliance, or don't even know if I'm in
| compliance, could that person have possibly seen me out of
| compliance and that's why they're asking? Maybe. If I knew
| about the law and was actually in compliance, I would know
| it's not a problem. One thing is not in question though,
| which is that if I'm subject to the law it's my
| responsibility to know about it and be in compliance,
| legally. Someone asking me about it is only a problem if
| I'm failing to do that in some way.
|
| If they ask me about a law for some other county or state?
| I could look that up and determine I'm not subject to it.
| There's plenty of information on it.
|
| > Is threatening people online not counted because it is
| online?
|
| Your entire comment and all points therein relies on the
| assertion that the email is threatening. You haven't shown
| this. Some people might read that email as threatening, but
| I'll note, the only people that would do so are those that
| don't actually know whether they are subject to those laws
| and have ignored what's been going on and were blindsided
| by the question.
|
| This whole thing is blown up because people are upset at
| being called out on their disregard to the current state of
| the internet and the laws being passed to regulate it.
| That's not to say the study was carried out without problem
| (it wasn't), but the actual harm to people of the type
| described in this thread was of their own negligence.
| Whether you think these laws are good or not, it is your
| responsibility to know whether you are affected, or have
| some assurance from others whether you are or not (even if
| it's just a hosting platform telling you what it thinks
| your responsibilities are). You can ignore this
| responsibility if you like. People do that all the time
| about laws that affect them. I'm sure everyone does it to
| some extent. Just don't act like you're a blameless victim
| when asked about them.
| kstrauser wrote:
| People got these requests _to their personal blogs_. The
| complaints aren't that someone at Apple had to reply to
| a fake request, but that people who are literally just
| hosting tiny websites for the fun of it are getting these
| letters.
|
| If a random teenager sets up a Wordpress site because it
| looks fun, I contend that they shouldn't have to wonder
| whether it's legal. Down that path lies insanity.
| dcow wrote:
| Why shouldn't random teens care about the law?
| kbenson wrote:
| My point is that some of these people are subject to the
| law, and could get an honest to god actual legal request
| to do something, not just explain their procedures, just
| as easily. People should know whether they have
| responsibilities under the law or not.
| smoe wrote:
| I don't think anyone is claiming that the "I am not
| submitting a request, just wondering how" is threatening
|
| What they refer to is the final paragraph of the mail
|
| "I look forward to your reply without undue delay and at
| most within 45 days of this email, as required by Section
| 1798.130 of the California Civil Code."
| kbenson wrote:
| Is asking someone to follow the law a threat?
|
| I know people like to take it that way, but it's
| literally saying (whether true or not) "you are required
| to do this, so do this." I'm a bit more lenient of things
| that could be classified as implied threats when it boils
| down to "follow the law" and the threat is only relevant
| for those _not_ following the law.
| asdfasgasdgasdg wrote:
| Yes, it is a threat, since it suggests that legal action
| will follow without compliance. It's not an _explicit_
| threat, but it communicates a threatening meaning. It is
| a coercive statement.
|
| Now threats aren't necessarily a bad thing when
| justified. A threat is just, "if you do/don't do this I
| will/won't do that." But this particular threat was bad
| in several ways. First, it was directed at targets not
| actually bound by the relevant law. Second, even if it
| was directed correctly, many would probably view it as a
| frivolous use of that law.
| kbenson wrote:
| > Now threats aren't necessarily a bad thing when
| justified. A threat is just, "if you do/don't do this I
| will/won't do that."
|
| I agree it's a threat, and what you state here was
| actually going to be my response to that.
|
| > First, it was directed at targets not actually bound by
| the relevant law.
|
| Yes, that's the worst thing about this. At the same time,
| I think those people should be prepared to answer things
| like this. The world we live in means anyone can send
| them the same request at any time, for real reasons (even
| if that person might be incorrect in what they are
| requesting).
|
| > Second, even if it was directed correctly, many would
| probably view it as a frivolous use of that law.
|
| From what I read of the statute, it appears to be
| _exactly_ what that section of the law is for. To my
| (layman's) eyes, this is part of what the "request to
| know" verbiage in the law is for.
|
| _(1) Right to Know About Personal Information Collected,
| Disclosed, or Sold._
|
| _b. Instructions for submitting a verifiable consumer
| request to know and links to an online request form or
| portal for making the request, if offered by the
| business._
| fastaguy88 wrote:
| Regarding the last section -- you might want to think
| about how you would answer the question: "When did you
| stop beating your wife."
| aero-glide2 wrote:
| I agree, I still don't see what was unethical about this.
| kbenson wrote:
| To be clear, I'm not saying the study was conducted
| ethically, which I think is a complex question (but also
| one I think influenced quite a bit by the wording of
| accusations, as "human subject research" has some
| historical connotations even if an accurate description),
| but that attributing all lost time/money to a cost the
| study imposed on others might be taking too much of a leap.
| nickff wrote:
| How would you feel about getting threatening e-mails out of
| the blue, then finding out you were being used for the
| author's personal benefit?
| bennysomething wrote:
| I'm assuming you've never had something that approaches a
| real life legal threat? It's extremely stressful.
|
| It's one thing wanting people to know about laws, it's
| another thing to induce emotional distress just because you
| think some individual should know.
|
| Personally I think it was a horrible thing to do to an
| innocent person. Totally thoughtless and uncalled for.
| karaterobot wrote:
| With respect, it just doesn't matter whether you think the
| researchers were doing a service or not. What I mean is, the
| researchers are (depending on jurisdiction and funding
| source) bound to abide by certain standards when doing human
| subjects research, and informed consent for participation is
| one of those standards. Even if receiving the email was 100%
| beneficial to everybody, and had no risks at all, the
| participants would still need to be told about those
| benefits _before_ participating. They get to make the choice
| to participate or not. The IRB process exists to make sure
| those practices are followed in every case, to take the
| personal opinion of a researcher out of it. These standards
| were developed in response to researchers who did very
| harmful things to subjects without their consent, in many
| cases because they thought it was for the greater good.
| kbenson wrote:
| > With respect, it just doesn't matter whether you think
| the researchers were doing a service or not.
|
| I wasn't making a case that the study was fine and had no
| problems. I was making a comment on, broadly, "money wasted
| because of this". Whether the study was problematic or not
| (it seems like it was), everyone scared by this email was
| only scared because they'd stuck their head in the sand
| with regard to laws that have been enacted that put certain
| requirements on some people, and whether they are affected
| or not.
|
| As I see it, there are a few possible general outcomes of
| the email:
|
| One, you know what your requirements are, if any, and you
| respond appropriately.
|
| Two, you don't know what your requirements are, and you
| look up your requirements, and respond or take further
| action at that time. For the majority of people, that fall
| into this case, that's probably "do nothing".
|
| Three, you don't know, go immediately to a lawyer, and burn
| a lot of time and money with that lawyer, for them to
| either tell you it doesn't affect you or to ask you WTF
| you're doing operating something like you are without
| knowing the simplest of things that could affect you.
|
| In all those cases, you are left off either with the same
| or more knowledge about your legal responsibilities online.
| In the cases where you waste resources using a lawyer (in
| some cases a lawyer would not be a waste, but possibly
| something you should have done previously), I think that's
| people overreacting to their own (possibly longstanding)
| negligence in understanding their own situation.
|
| For what it's worth, whether the study was conducted in a
| way that was acceptable is irrelevant to this specific
| question. Any individual could email asking a similar
| question entirely legitimately.
| anamax wrote:
| Cool, so it's acceptable to send the analogous e-mail
| regarding immigration status to lots of people.
| kbenson wrote:
| I mean, that probably makes you an asshole if you do it,
| like the people that ran this study, but honestly,
| everyone should know their immigration status, right? If
| some _random person_ emails you asking your immigration
| status, I think most people should know how to deal with
| that.
|
| I don't think it would be acceptable to impersonate any
| sort of official in that exchange, but that wouldn't be
| analogous to this situation either.
| belorn wrote:
| From work experience, only a small amount of website contact
| information work to actually contact the person in charge of
| the website.
|
| My very rough estimate would put it more like:
|
| 40% of email addresses is no longer valid or has a mail box
| that does not get read.
|
| 30% reaches the web design shop which built the website many
| years ago under a different brand. They blindly forward it to
| their customer if they still have that information. The contact
| information is many years old and likely a dead end.
|
| 20% has auto-reply and do not get read.
|
| 1-2% has algorithmic reply that links to a FAQ.
|
| 5% actually reach a human being. Those 5% however are still a
| good enough reason to not do this!
| alistairSH wrote:
| $40/hour? That seems super low, unless all the emails were
| processed by mid-level admins. If a web admin, engineer, etc
| processed it, you probably need to double that. If it went to
| counsel, the value could be tripled or more.
| pessimizer wrote:
| I'm shocked that your hypothesis assigns 0% to "Admin spent 30
| seconds pasting a form letter, or a link to a page on the site,
| that describes their handling of user info and the process for
| deleting or requesting it."
| matkoniecz wrote:
| Presumably this focuses on experience of operators of small
| hobby websites.
|
| Which do not have dedicated admins or form letter prepared by
| legal department.
| yk wrote:
| I fail to understand what the problem is. They send a mail asking
| the procedure of GDPR in a way that implies they consider using
| their rights. Now there is outrage to the extent that the
| researchers scrap their study, which is probably everything
| anybody needs to know about the state of the GDPR in practice.
| yjftsjthsd-h wrote:
| > in a way that implies they consider using their rights.
|
| ... No, in a way that implied that they were about to take
| legal action, including against people who never had any legal
| obligation in the first place.
| Cerium wrote:
| I guess it is good for the researcher to apologize, but I would
| rather be reading a postmortem from the Princeton IRB.
| chaircher wrote:
| This is why I lost interest in a career in academia and set
| myself up in industry. I saw one too many situations like this
| where people assumed they'd be stopped by the institution if
| they took things too far and they were not.
| h2odragon wrote:
| > [the system] sends up to several emails that simulate real user
| inquiries about GDPR or CCPA processes. This research method is
| analogous to the audit and "secret shopper" methods that are
| common in academic research, enabling realistic evaluation of
| business practices.
|
| That was the whole problem. An open "we're researching responses"
| would've been fine. A murky "we're someone who looks fake talking
| about nebulous legal consequences" isn't going to be welcomed
| anywhere, is it?
|
| This is a better response than I expected, and I wish them luck
| and success in communicating the lessons they've learned here
| more widely.
| jhgb wrote:
| > An open "we're researching responses" would've been fine.
|
| That seems to be highly unscientific/prone to skewing the
| sample. It probably would have rendered the results useless.
| yjftsjthsd-h wrote:
| If you can't study something ethically, the conclusion is not
| that you get to ignore the ethical problem, the conclusion is
| that you can't study it.
| jhgb wrote:
| Yes, perhaps they should have hired real people to do real
| requests. That would have been a bulletproof way of
| studying this ethically so your conclusion is moot.
| dogleash wrote:
| >That seems to be highly unscientific/prone to skewing the
| sample.
|
| I'd argue the emails they did send are MORE prone to skewing
| the sample.
|
| If I had no CCPA plan and got an email from someone
| introducing themselves as researchers, I'd tell them I
| haven't gotten around to it, and that I intend to comply but
| haven't had anything prompt me to put in effort regarding
| CCPA.
|
| If I got the email they did send, that would be exactly the
| request that makes me go do the legal research, and my
| response would be as narrow as possible.
| sebow wrote:
| harpiaharpyja wrote:
| Probably all they had to do was be transparent about the reason
| for sending out the emails, who they were, and probably throw in
| a link to that page (i.e. https://privacystudy.cs.princeton.edu).
| Seems like a silly thing to overlook but it does seem the impact
| on people is serious and I guess they know better now...
| jonnybgood wrote:
| Would people respond the same way if they knew it wasn't a real
| request i.e. take it less seriously?
| kstrauser wrote:
| Possibly, but I'd bet the results would be way more accurate.
| If I got an email from a university I'd heard of, phrased
| like:
|
| > Hi! We're trying to study CCPA compliance of random sites.
| Could you help us by answering a few questions?
|
| then I absolutely would have replied, and would have replied
| honestly. People generally like to be helpful.
| wayne-li2 wrote:
| That's the problem though -- it will skew the data towards
| friendly and helpful people like yourself. But it doesn't
| capture reality.
|
| To be honest, I don't know how you get this sort of
| analysis done without poisoning the intent _and_
| maintaining integrity.
| kstrauser wrote:
| Good point, and I don't know. But in the end, if it's not
| possible to conduct the study while acting ethically,
| then the study shouldn't be done.
| godzillafarts wrote:
| My org received one of these emails. I was the engineer pinged on
| the support ticket.
|
| This request is neither threatening nor burdensome. This is a
| pretty standard run-of-the-mill GDPR request. We get them all the
| time.
|
| It took less than 60 seconds of my time to provide our support
| team with the information they needed to respond to the request.
| In fact, we already have a canned response to these requests -
| the person on the support team is a new hire and was unaware.
|
| If your org has users/customers in the EU, you need to have a
| GDPR playbook. Your support team needs to be briefed on these
| requests and how they should respond.
|
| I have a difficult time believing that any "controller"
| complaining about this is properly prepared to respond to GDPR
| access requests.... Which is kind of the whole point of the
| study, no?
| kortilla wrote:
| The fact that this came to you via a ticketing system might
| mean you're a little out of touch with the personal blog
| operators this freaked out.
| jacquesm wrote:
| For professional organizations this is a non issue. For a small
| operator it can be both their first request, and their first
| request from someone who is just shooting off random requests
| to parties that they know have zero data on them, which is an
| abuse of the process. To add vaguely worded legal threats to
| that is way beyond where it should have gone. Anyway, the
| researcher seems to have realized this by now.
| smarx007 wrote:
| The study methodology apparently involved a sample of high-
| traffic websites from https://tranco-list.eu. I have a hard
| time believing that the operators did not have to deal with
| such requests before. I always add the 30 day statements in
| my GDPR requests, mostly to make sure the support people set
| a calendar reminder to reply before the date. The next step
| if no reply is received is to complain to the data privacy
| watchdog in the country of the website operator or in your
| country if the website is operated outside EU (though I
| always begin with an email follow-up). Nobody would go to
| court after 30 days of a GDPR request without going through
| the govt data protection agency first. And to be clear, only
| requests are entitled to a 30-day reply and the email said
| that no formal request is being filed at the time [1].
|
| But yes, that was clearly human research and the IRB should
| have grilled the PI about that.
|
| [1]: https://christine.website/blog/princeton-study-2021-12-17
|
| Edit: as you can see from the replies below, not only the
| study ethics is questionable but also the technical details
| about its methodology.
| kstrauser wrote:
| As I've said elsewhere, I'm on that list and I'm nowhere
| _near_ what I'd consider a "high-traffic website". The
| site in question is a zero-revenue personal project, and is
| several orders of magnitude too small by any metric to be
| subject to the CCPA (which is the law the letter I got
| referred to).
|
| They absolutely did not survey only large websites.
| adrianhon wrote:
| You better believe it, because I got one of these emails
| about my personal site and I had never had to deal with it
| before.
|
| I also received an email for a domain that I had absolutely
| nothing to do with. It seems their system identified my
| email's domain (i.e. not my email!) because it was in the
| last link on that domain's homepage - something that a
| human would have spotted easily.
| jacquesm wrote:
| I've read more than one response from people saying they
| are operating their website all by themselves and they
| definitely did not seem to be high traffic.
| tzs wrote:
| Your message implies an organization that has at least two
| engineers and at least two support people. Many of the site
| owners who were seriously bothered by it seem to have been one
| person operations running non-commercial personal sites and it
| never occurred to them that they needed to look into what if
| any obligations they might have under laws like GDPR and CCPA.
|
| Maybe the default index.html that gets created when you first
| set up a site should include a notice that if your site is
| going to be public facing you might be subject to laws like
| GDPR and CCPA and link to resources you can use to figure out
| if you are in fact subject to them.
|
| Same for whatever blogging software is common on these sites.
| I'd guess that they usually include a sample entry so you can
| verify that your installation is working? If so, include
| privacy law information in the sample entry.
| kevinpet wrote:
| My org is prepared to failover to our disaster recovery site,
| but that doesn't mean we want to or that it isn't work.
| dang wrote:
| The past major threads on this. Others?
|
| _I was part of a human subject research study without my
| consent_ - https://news.ycombinator.com/item?id=29611139 - Dec
| 2021 (360 comments)
|
| _CCPA Scam - Human subject research study conducted by Princeton
| University_ - https://news.ycombinator.com/item?id=29599553 - Dec
| 2021 (331 comments)
|
| _Princeton-Radboud Study on Privacy Law Implementation_ -
| https://news.ycombinator.com/item?id=29599154 - Dec 2021 (10
| comments)
| tjalfi wrote:
| Here's one more thread.
|
| Ask HN: Is this CCPA-related spam? -
| https://news.ycombinator.com/item?id=29539266 - Dec 2021 (4
| comments)
| kevinpet wrote:
| This is a non-apology apology. It's "I'm sorry you feel that
| way."
|
| I don't think I'm reading too much into it either: "I am dismayed
| that the emails in our study came across as security risks or
| legal threats."
|
| "explaining in detail what we did, why we did it, what we
| learned, and how researchers should approach similar studies in
| the future."
|
| Nothing about how it impacts their unwilling subjects. Nothing
| about failing to indicate they were doing an academic study.
| Nothing about the falsity of their legal threats.
| matkoniecz wrote:
| Also "our study does not constitute human subjects research".
|
| Since when does threatening people not involve humans? Or is it
| some "technically, this legal term does not apply - according
| to our lawyer"?
| jessriedel wrote:
| You are misrepresenting the statement. The full quote is
|
| > I am dismayed that the emails in our study came across as
| security risks or legal threats. The intent of our study was to
| understand privacy practices, not to create a burden on website
| operators, email system operators, or privacy professionals. I
| sincerely apologize. I am the senior researcher, and the
| responsibility is mine.
|
| He stated the negative impact they had on study subjects
| (including the interpretation as legal threats), accepted
| responsibility, and apologized without reservations. How can
| you possibly claim he wrote "nothing about the falsity of their
| legal threats"?
|
| Researchers don't have to indicate they are doing an academic
| study. Ethical actions don't become unethical simply
| because it's part of research.
| throwawyaaccoun wrote:
| [Throwaway for privacy.]
|
| I know this was hashed out on the other threads a bit, but can
| someone please explain to me why folks are so up in arms about
| this, compared to, say, studies that scrape user data without
| consent (something the IRB allows _all the time_ by saying that
| no human subjects are involved)? Is it simply because there is no
| visibility into this practice (i.e., no email sent?) Scraping
| user data from public profiles, aggregating it into a model, and
| publishing a paper or whatever -- that seems demonstrably more
| invasive to individuals, storing and keeping their user data,
| than an email quoting a statute.
|
| I _agree_ that the deception was unnecessary, but that's it. It
| doesn't feel any wronger than that.
|
| Especially because these researchers really were acting in "meta"
| good faith trying to probe the privacy ecosystem, I fear there
| may be a chilling effect. Consumers deserve privacy rights and
| privacy knowledge in the asymmetric surveillance economy we find
| ourselves in, IMO.
|
| I'm open to being wrong.
| halpert wrote:
| Your question is essentially whataboutism. Both things can be
| wrong. We can care about this instance without diluting the
| conversation talking about something else that is also bad.
| throwawyaaccoun wrote:
| It's not _intended_ to be whataboutism (sorry about that, I
| edited this in to clarify) -- I agree that the deception was
| wrong. But there seems to be something about this particular
| event that is riling people up, and that's what I am getting
| at. I am not trying to whatabout, to be super clear.
| runnerup wrote:
| To clarify. I don't think people would be riled up about
| individuals sending out these emails. Individuals are
| required to be legal, not 'ethical'.
|
| The people who are riled up believe that University studies
| _should_ be performed ethically. They know that IRBs
| exist to prevent researchers from doing unethical, but
| legal, things. In this case, they feel the harm caused
| should have been prevented.
|
| Scraping data silently doesn't cause stress/harm to the
| participants directly, as they are unaware of any potential
| threat.
|
| It's not "human experimentation should be banned" it's
| "human experimentation should be heavily scrutinized to
| prevent harm to participants as much as possible. And
| definitely never cause harm to unwilling / unwitting
| participants".
| dcow wrote:
| What bothers/riles me is that there doesn't seem to be a
| consistent ethical framework applying to these complex
| situations. Of course things _should_ be ethical but
| ethics aren't defined as "whatever people on HN and
| Twitter feel like isn't slimy".
| tylermenezes wrote:
| Because the end of the email (wrongly in most cases) demanded a
| response by law and implied they were open to legal action,
| which caused a bunch of people to hire lawyers to check into
| their liability.
| dahfizz wrote:
| Maybe the problem is the laws which create unknown liability
| for anyone hosting websites.
| eli wrote:
| In this case the law wasn't the issue. The email message
| asserted a legal obligation that does not exist.
| dahfizz wrote:
| >The controller shall provide information on action taken
| on a request under Articles 15 to 22 to the data subject
| without undue delay and in any event within one month of
| receipt of the request[1]
|
| The legal obligation may not have applied in this case,
| but it absolutely exists. If someone submits a request to
| you for their data, you are legally obligated to respond.
|
| [1] https://gdpr-info.eu/art-12-gdpr/
| kstrauser wrote:
| The request I got was about the CCPA. It said:
|
| > I look forward to your reply without undue delay and at
| most within 45 days of this email, as required by Section
| 1798.130 of the California Civil Code.
|
| First, the CCPA doesn't apply to my site. It's non-
| commercial, has many fewer users than required to invoke
| the CCPA, and zero revenue. No provisions of the CCPA
| require _me_ to do anything.
|
| Second, the questions were about how I'd _handle_ a CCPA
| request, and weren't actually a request at all:
|
| > 1. Would you process a CCPA data access request from me
| even though I am not a resident of California?
|
| > 2. Do you process CCPA data access requests via email,
| a website, or telephone? If via a website, what is the
| URL I should go to?
|
| > 3. What personal information do I have to submit for
| you to verify and process a CCPA data access request?
|
| > 4. What information do you provide in response to a
| CCPA data access request?
|
| The CCPA doesn't obligate anyone to explain their
| internal processes. It obligates covered entities to
| respond to the requests themselves, but not to random
| drive-by questions.
|
| So basically, that sentence was completely wrong. The
| CCPA doesn't apply to me, and even if it did, the law
| doesn't say what the researchers claim it did.
| dcow wrote:
| Why isn't _this_ the story? It doesn't even have to be
| about ethics which nobody can seem to agree on. Sounds
| like the researchers were simply wrong.
|
| So then the problem actually is that they misinterpreted
| the law. If someone misinterpreting the law can cause
| such stress and waste such time, shouldn't society
| safeguard against this?
| Isthatablackgsd wrote:
| More like researchers need to take classes on law
| jurisdictions. They seemingly believe that both laws
| have jurisdiction over everyone in the world, including
| countries and states that don't have such laws, which causes
| people to be confused by it since it has a legal
| statement.
|
| The researchers created this issue because they don't
| understand (or tried to understand) the laws, nor do they
| screen their statements. The liability is not on the
| law, the liability falls on the researcher especially with
| "human subject" comment. Therefore, the researchers are
| likely to be in violation with their university IRB. The
| legal statement is forcing people (that are not applicable
| to them) to respond which in turn violated the ethics of
| IRB because they did not consent to this research. By
| 'forcing' them to respond to the research that they don't
| have people consent to do so will run afoul with IRB.
| adolph wrote:
| "meta" good faith != good faith
|
| > why folks are so up in arms about this
|
| The implicit legal threat is similar to the harm described in
| the Prenda saga: https://arstechnica.com/tag/prenda-law/
|
| It is wronger than the deception because the PI "Jonathan
| Mayer" is not just a run of the mill academic focused on
| "publishing a paper or whatever." This is an activist with an
| ax that won't grind itself. Reviewing his work mentioned in
| Wikipedia I'm impressed and appreciate the contributions Mayer
| has made. Mayer can't be not aware of the problems with the
| approach.
| UncleMeat wrote:
| I personally know Jonathan and hugely respect his work.
|
| I could believe that because he is an actual lawyer it was
| harder to imagine the panic that recipients who have no
| understanding of the law would experience. But I think that
| more likely is that the response was a bit of a fluke. _Way_
| stranger stuff has been done by security and privacy
| researchers with the go-ahead from their IRB. This feels to
| me like this is a methodology that isn't universally agreed
| on but is not especially uncommon that tripped a response
| from the internet. The conclusion is more that people should
| not necessarily take the existence of similar research as
| indication that the broader community is okay with these
| methodologies.
| adolph wrote:
| I suspect Mayer's work is in part preparatory to lawfare in
| order to force websites to pay for lawyerly services. The
| letter is akin to a fire insurance company knocking on
| doors while carrying a torch.
|
| "Of all tyrannies a tyranny sincerely exercised for the
| good of its victims may be the most oppressive."
|
| https://quoteinvestigator.com/2019/12/19/intentions/
| UncleMeat wrote:
| Frankly, that's stupid.
|
| He's got a PhD and a JD from Stanford and has chosen a
| faculty position and has done a nontrivial amount of
| unpaid work for various privacy rights organizations. He
| obviously isn't motivated by money.
| adolph wrote:
| Frankly you are great at knocking a strawman down.
| Jonathan Mayer likely has some motivation for those
| efforts. I made no claim to the motivation being
| remunerative or not.
|
| Do you have an alternative hypothesis of a motivation
| other than preparation for a "public-interest" lawfare
| campaign?
| UncleMeat wrote:
| Actual legitimate research to understand existing privacy
| legislation, which can be used by policymakers to iterate
| and ensure that legislation is effective without being
| wasteful.
| [deleted]
| rubylark wrote:
| Demanding a subject to actively participate in your study upon
| pain of vague and mostly incorrect legal threat is ethically
| wrong. Passive participation (like scraping) without consent is
| morally wrong, but since it doesn't cause undue distress to the
| subjects, it is not as big of a story.
|
| The IRB in this case didn't consider this ethically suspect
| because "websites aren't people". And yet the study
| disproportionately targeted small websites where there is, in
| many cases, only one person involved.
| _jal wrote:
| The issue here was not primarily about deception. It seems
| mainly to be that (a) at least one recipient interpreted their
| mail as a legal threat, and (b) it was a mass-mailing. Spend a
| minute thinking through the implications if that were true, and
| you get a firestorm.
|
| I suspect visibility plays a role in the comparison you're
| making; out of sight, out of mind and all that. But much more
| importantly, someone sending you what you think is a legal
| threat is a lot more salient.
| throwawyaaccoun wrote:
| Interesting. Ok, so let's say the deception wasn't the
| problem, suppose for the moment. Would the study have been
| more palatable if the researchers had more properly vetted
| the email list to ensure, say, >95% or perhaps even 100% were
| corporations that did fall under the law?
| nightpool wrote:
| The requirements to be subject to the CCPA are any of: have
| a gross annual revenue of over $25MM; buy, receive, or sell
| the personal information of 50,000 or more California
| residents; derive 50% or more of your annual revenue from
| selling California residents' personal information. Yes, I
| believe that if they emailed only sites for which that was
| true, I would have no issues with the study.
|
| The requirements to comply with the GDPR are much, much
| stricter and have a much more outsized effect on small,
| non-commercial site operators. There are no exceptions to
| the GDPR for non-profits or non-corporate entities. (except
| a limited carveout for "household processing" that AIUI has
| been interpreted very narrowly by the courts). I do not
| think the GDPR is strict enough in this instance, and I
| think it would have outsized harms on small and non-
| corporate operators to email them in this way if your only
| criteria is "could technically be subject to the GDPR in
| some possible world".
| joshdata wrote:
| I operate a website that likely meets one of the
| requirements to be subject to CCPA that received the
| emails from the research study. We have basically no
| revenue or staff. I didn't appreciate being lied to
| (about who was sending the message), being threatened
| (with legal enforcement), wasting my time (the study was
| scrapped), and being used for research without consent
| (the fact that this happens all the time doesn't excuse
| it). If they wanted to know our CCPA/GDPR policies, they
| could have simply asked. I also received emails from the
| study at two other domains I own and one that mentioned a
| domain I don't even own, but which probably don't matter
| for CCPA - all of which made me think that this was a
| scam and legal trap to take seriously.
| _jal wrote:
| Unless you're studying how people react to online legal
| threats, why would you not try to avoid this problem with
| your study entirely?
| yjftsjthsd-h wrote:
| Yes; if they had ensured that 100% of their targets were
| corporations then I would have very little concern about
| it.
| matkoniecz wrote:
| 5% of emails going to hobby websites would be unacceptable
| and unethical.
|
| If it went solely to major corporations - more OK.
|
| Another part: do not lie that the study does not involve human
| subjects.
| s1artibartfast wrote:
| Deception is a necessary part but not the key. The key is
| potential for distressing a real human being. The problem
| is that we live in a legal society where everyone is at
| risk of life-altering legal consequences.
| throwawyaaccoun wrote:
| Oh, our society, especially America's, is overly
| litigious. I agree.
|
| But, pushing back a bit (in good faith), do you think
| asking an entity for your data, or asking them to delete
| it, should really be considered unusual and panic
| provoking? I said in another comment the same thing, but
| do you think this could be a moment of cultural learning?
| rcpt wrote:
| > America is overly litigious.
|
| I recall seeing Ralph Nader speak at a fundraising event
| 20 years ago and asking the crowd "how many people have
| actually tried to sue someone?" and in a room of hundreds
| only a few hands went up.
|
| And a year ago when I took my landlord to small claims it
| was insane how complex the process was and how many
| paperwork pitfalls are in the way to disqualify you. I
| remember sitting on the half-day zoom call and watching
| case after case get thrown out because plaintiffs "forgot
| to file proof of service" or whatever. I'm generally good
| with paperwork and still nearly missed out.
|
| There may be some people in America who are overly
| litigious but for the general population the legal system
| is wholly inaccessible.
| kortilla wrote:
| It doesn't matter. This isn't a case where an individual
| would be suing. This is the government regulation coming
| down on someone after being flagged by "a victim".
| s1artibartfast wrote:
| In a perfect world, I do not think it should be
| stressful, but we don't live in that world. I think a
| stress response is reasonable, given the risk of legal
| consequences.
|
| Perhaps it is a learning moment, but I think the lesson
| should be to consider the impact of these kinds of
| studies.
|
| I'm sure it is a learning experience for bloggers as
| well, and some of them will learn that hosting a blog is
| not worth the legal risk and take it down.
| s1artibartfast wrote:
| The fact that everyone violates the law in some form, and
| anyone with sufficient will and resources could ruin a
| life with legal proceedings is why we have the concept of
| standing in American law. It acts as a filter so that
| only someone with skin in the game can bring suit. It is
| one protection against abuse, and why laws that give
| anyone standing, like the Texas abortion ban and forthcoming
| California gun legislation, are problematic.
| mint2 wrote:
| Scraping data is not imposing work, worry and cost on
| additional people.
|
| The victims of scraping are not going to do any additional work
| unless the scraped data is used irresponsibly, but that is
| separate from the act of scraping.
|
| This email required people to do work and caused worry due to
| the legal threat that the email tried to lead people to believe
| was applicable to them. They may have had cost if they called a
| lawyer and it definitely took their time.
|
| Scraping -> no work forced upon victims. That email -> work
| forced on unwilling victims.
|
| Is there something I'm missing? People including that poster
| aren't reaching this same conclusion but it seems very apparent
| so am I missing something?
| nightpool wrote:
| Well, the argument of the GP is that "extra work" is not the
| only form of harm that is possible. When comparing the harm
| of extra work and stress due to this email to the harm of
| having your privacy violated by large, publicly-scraped
| datasets that include your personal information. For example,
| once your twitter post is collected in a "posts of Twitter
| users about X political event" dataset, it's now impossible
| for you to ever delete that post, which could be harmful for
| you in the future. It's unclear whether one type of harm is
| categorically worse than the other.
| mint2 wrote:
| public posts on the internet being aggregated is not out of
| the ordinary, if one group doesn't do it, another may.
|
| Scraping private posts would be wrong or gaining access to
| posts under false pretenses. This would be wrong, although
| different than the email.
|
| The email forced work on people and made legal threats
| causing work and other effects that would not otherwise
| happen.
| btown wrote:
| In US legal code there is actually a definition of a _human
| subject_ in https://www.hhs.gov/ohrp/regulations-and-policy/regulations/...
| (EDIT: to clarify this is a guideline
| for federal researchers and to my knowledge is not legally
| binding on private institutions, but seems to be used as a
| basis for private IRB policies):
|
| """
|
| (e)(1) Human subject means a living individual about whom an
| investigator (whether professional or student) conducting
| research:
|
| (i) Obtains information or biospecimens through intervention or
| interaction with the individual, and uses, studies, or analyzes
| the information or biospecimens; or (ii) Obtains, uses,
| studies, analyzes, or generates identifiable private
| information or identifiable biospecimens.
|
| (2) Intervention includes both physical procedures by which
| information or biospecimens are gathered (e.g., venipuncture)
| and manipulations of the subject or the subject's environment
| that are performed for research purposes.
|
| (3) Interaction includes communication or interpersonal contact
| between investigator and subject.
|
| (4) Private information includes information about behavior
| that occurs in a context in which an individual can reasonably
| expect that no observation or recording is taking place, and
| information that has been provided for specific purposes by an
| individual and that the individual can reasonably expect will
| not be made public (e.g., a medical record).
|
| """
|
| The argument is that scraping of public data, already recorded
| by data systems for general (e.g. not specifically medical)
| purposes, is neither intervention, interaction, nor private
| information.
|
| On the other hand, IMO the researchers here clearly interacted
| with their subjects. While the email was sent to a privacy@
| address, not only are emails different from HTTP GET in how
| likely they are to be read by humans, but this went a step
| further and implied legal action would be forthcoming unless a
| human replied to the message. That's interaction. That makes
| the recipient a human subject.
|
| (IANAL and the above is not legal advice.)
|
| EDIT 2: I've had the pleasure to meet one of the researchers
| here. They are a staunch defender of online privacy, and I
| believe the team sincerely wanted to measure how effectively
| businesses are adapting to the changing winds beyond their
| legal obligations. But I also think the team, and the Princeton
| and Radcliffe IRBs, should have done more to consider the
| impact on the people who operate these businesses themselves.
| I'm sad and disappointed that the systems in place didn't catch
| this.
| kstrauser wrote:
| Part of it was that they did no (or poor) screening. They got
| their list of target sites from a research list of the popular
| websites. I got a letter, and my little not-for-profit, not
| advertised, purely for fun website was around number 350,000 on
| that list. First, I sincerely doubt my site is even _that_
| popular. Second, if _I_ got the mail, so did _lots_ of people
| in a similar situation.
|
| They weren't spamming Fortune 500 companies. They were spamming
| a huge number of single-person sites that aren't subject to the
| CCPA at all and who certainly don't have legal departments to
| ask about it.
| throwawyaaccoun wrote:
| I mean this all in good faith:
|
| What is the difference between 100,000 individuals emailing
| 3-5 websites on that list, with their real identities, asking
| for things to be deleted (such that all 350k are covered)?
| Where is the meaningful difference between this situation and
| the one here, ignoring the deception for a moment (unless
| that is the only issue)?
|
| Could this be a moment of cultural learning for everyone?
| That's kind of how I am looking at it, frankly, but I am open
| to being wrong. That is, perhaps small entities will learn,
| in one or two instances, to just ignore this kind of thing?
| rectang wrote:
| You seem extremely unconvinced that any harm was done to
| the people who were sent scrambling by this alarm. It's as
| though no matter how convincing the email was, no matter
| how much of the recipient's time was wasted, no matter how
| many thousands of dollars they spent on lawyers, you
| ascribe all blame to the recipient for not having realized
| they were being deceived -- and ascribe no blame whatsoever
| to the email's author for being deceitful.
|
| This whole discussion was had in the old thread, and there
| was one person who used the same rhetorical device of
| belaboring the same question over and over again. It was
| tiresome.
| throwawyaaccoun wrote:
| I should have been more clear, so let me correct that. I
| am convinced. I agree that harm was done, and suffer from
| generalized anxiety disorder myself, so I empathize with
| the panic attacks that people received.
|
| It is _because_ I believe that harm was done, but also
| because I am a privacy nut myself, that I am trying to,
| for my own sake, characterize how I should approach
| sending emails like this in the future. The study may not
| go on, but individuals still will send these emails as
| long as CCPA/GDPR exist. (Just to add some color: It's
| my anxiety which is causing me to want to delete
| everything from the internet. If there's minimal info
| about me online, I can rest easy. It's why this is a
| throwaway that I will abandon shortly.)
|
| Reading everyone's thoughts is what changed my mind. I
| now understand to have underestimated the emotional and
| legal effects CCPA/GDPR requests could have on small
| website operators, and will be more judicious in the
| future (like this study should have been) in pre-
| filtering and my wording. Reactions like kstrauser's
| (elsewhere in thread) were initially surprising to me
| (perhaps because of the faceless nature of the internet),
| so I hope you take my about face as genuine.
|
| Where do you think this balance lies? I still believe
| consumers, in general, should have right to ask those
| with their data about their processes; to give it to
| them; and, to upon request, delete it. And further, in
| general, I think these interactions are the kinds of
| things that researchers might legitimately want to study.
| I found your other comments to be thoughtful, so I am
| curious what you think explicitly.
| rectang wrote:
| What I hope to see is a popularization of business models
| where no personal data is kept, because that is less
| expensive in terms of compliance costs, more beneficial
| to the consumer, and hopefully more attractive to the
| consumer as well. We can see the dawn of a new age in
| other comments in this thread where people talk about not
| collecting any data on their blog visitors!
|
| Right now it is difficult to build businesses under such
| models because most institutions, frameworks, and tools
| shunt you towards hoarding all data. Over time, I hope
| that better tools will emerge so that building better
| businesses becomes easier.
|
| There are people elsethread bemoaning not only the
| unfortunate artificial costs created by this email
| experiment, but the compliance costs of privacy-
| protecting legislation in general. But businesses
| _should_ be paying those compliance costs, because it's
| an iron law at this point that business-collected
| personal data will leak yet _individuals_ bear the costs
| when the data leaks.
|
| To my mind, this experiment went awry in the same way
| that privacy-abusing businesses go awry: the organization
| reaped a benefit while the externalized costs were borne
| by outside individuals.
|
| However, I'm inclined to forgive the researchers, as I
| think they will learn from this and find ways to collect
| data which cause less alarm and imposition. Similarly, I
| would hope that individuals pursuing their rights under
| privacy legislation would start off gently but firmly,
| giving small entities time to adapt. But simultaneously,
| I have an appreciation for those with bulldog tenacity
| who go after recalcitrant businesses (e.g. the heroes who
| have gone after Equifax in small claims court).
| adolph wrote:
| > how I should approach sending emails like this in the
| future
|
| Don't.
|
| It's that simple.
|
| _I look forward to your reply without undue delay and at
| most within 45 days of this email, as required by Section
| 1798.130 of the California Civil Code._
| jwagenet wrote:
| Based on reading
| https://news.ycombinator.com/item?id=29611139 the other
| day, my impression is for a small website operator the
| email template used some potentially threatening language
| in the line "I look forward to your reply without undue
| delay and at most within 45 days of this email, as
| required by Section 1798.130 of the California Civil
| Code."
|
| There is some discussion that for large websites or gov
| entities this kind of language may be necessary to
| communicate your sincerity with the request, but lone
| operators doing their best probably don't have any sort of
| legal to ensure they follow the letter of the law. From
| my perspective maybe it's best to approach a small website
| with a more casual tone that you just want your data gone
| and "make it serious" if the request is ignored or the
| response is noncompliant.
| blululu wrote:
| First, this is an altogether improbable scenario (the odds
| of winning the lottery are good compared to this scenario
| ever happening). Site traffic follows a power law. A site
| at 200k down the list is almost never going to get such
| attention. It is not someone's full time job. A uniform
| density of information requests is incredibly unlikely and
| places a very unfair burden on the smaller sites. Second,
| the difference is pretty obvious: 100,000 individuals
| seeking a legal right implies a potential benefit to a
| large number of people. 1-5 people abusing the system
| implies a bad faith actor whose benefit is pretty minimal.
| s1artibartfast wrote:
| It's about the impact on the humans involved. Imagine the
| study where you put police lights on your car and drove
| behind people on the highway to see how they would respond.
| kstrauser wrote:
| Thing is, I would cheerfully process a deletion request,
| even though I don't have to because I don't meet the
| criteria to be subject to the CCPA. For me, part of the
| deception was quoting a law and incorrectly saying it
| obligated me to reply to their information request by a
| certain deadline. The law says no such thing, and getting a
| letter from someone who quotes specific legal codes almost
| never ends with "...and then they went out for dinner,
| newly found lifelong friends."
| Luc wrote:
| I am having a learning experience right here about reading
| the meandering thoughts of throwaway accounts.
| ineedasername wrote:
| Ethical guidelines on research exist to prevent an adverse
| impact on participants. This study had adverse impacts: fear,
| stress, time & money in consulting lawyers. It was therefore
| de facto an unethical research study. Speculation as to why the
| protocol slipped through the IRB cracks is that the language
| used in the study proposal (at least the part made public)
| dehumanized the protocols by referring to "websites" rather
| than humans that would be responding to the inquiries.
|
| The IRB ruled this was not a human subject piece of research,
| but that is contradicted by the deception protocol. Deception
| was justified as necessary because people's behavior might
| change if they knew it was a research request. That
| acknowledgement made it implicit that human behavior and
| potential changes to it due to the experiment were a core factor
| in the study-- ergo, it had human subjects. Behavioral research
| on human subjects is required to go through a much more
| rigorous IRB oversight process precisely to anticipate and
| mitigate potential adverse reactions.
|
| Some people are focussing on the deception, but that is, under
| some circumstances, allowed by research ethics. The more
| serious problem was adverse impact which, again, is the primary
| motivator for why we now have laws and regulation-mandated IRB
| processes to make sure it doesn't become an issue.
| belorn wrote:
| I wonder if IRB ruled in this way because of the assumption
| of algorithmic response for requests like DMCA take down
| notices. I can imagine that even for GDPR/CCPA requests,
| there is still no human involved for websites like Google,
| Facebook, YouTube and other major sites that are primarily
| operated through automation. If there are no humans involved
| then there are no humans to have an adverse impact on.
|
| But as you said, researchers however must have suspected that
| responses would be made by humans or else the email would
| have included the fact that it was a study.
| kortilla wrote:
| Because it comes across as a vague legal threat to a website
| operator! That's in no way like scraping databases.
|
| This cost real legal resources (there are Twitter threads of
| internal legal counsel hiring outside firms to evaluate this).
| eli wrote:
| You shouldn't lie to people to trick them into collecting data
| for you without at least considering the impact on those
| people.
|
| That's nothing like web scraping. (Though IMHO web scrapers
| should also use an honest User Agent so if website owners have
| a problem or question or want to block it, they can)
| codazoda wrote:
| The post here on Hacker News mentioned the downsides for one
| receiver. That person was stressed out thinking that they were
| about to be sued. They considered retaining counsel, which
| could have cost them a few thousand dollars, in order to get
| ahead of the threat. It didn't come to that, so it's a "what
| if", but I could see myself trying to retain counsel too.
| Hopefully, a lawyer would have talked me down and advised me to
| wait it out. On the flip side, they may have offered to respond
| on my behalf (which would cost money).
|
| I would not respond to such an email myself, ignoring it until
| I was able to defer to an attorney.
|
| I publish a simple personal blog and I worry about the
| _worldwide_ legal implications of doing so. As one example, I
| have some old information about making model rocket fuel at
| home. At the time I had carefully reviewed U.S. law and knew
| how much I could legally make and have in my possession. Then I
| got questions from people in other countries and I got spooked.
| What if I break a law somewhere else?
| wruza wrote:
| _What if I break a law somewhere else?_
|
| Who knows? I can imagine that an innocent picture of
| uncovered legs may be illegal in some religious states, but
| do you have to worry about it? Is that even a thing?
|
| (I'm aware of the chances that you may visit that country
| some day and find out that you're a wanted criminal, but not
| sure if that applies to non-felonies world-legal-wise)
| nautilius wrote:
| In that case I'd be mostly worried about breaking law in the
| U.S. by making rocket knowledge available to foreigners
| https://en.wikipedia.org/wiki/International_Traffic_in_Arms_...
| kstrauser wrote:
| I assume that I'm breaking other countries' laws all the
| time, say by criticizing the actions of their governments. I
| don't worry about that. I'm much more worried about, say,
| CCPA compliance while living and working in California. (Not
| that I'm especially worried about it. My personal projects don't
| meet any of the criteria which would make it apply to me.)
| matkoniecz wrote:
| The problem for people outside the USA is that this country
| has repeatedly demonstrated the ability to enforce law, for
| example in Europe.
|
| I would not be worried about, say, Sri Lanka
| privacy/blasphemy law, but a USA court can take down my email,
| website, important accounts, less important accounts,
| starting from HN, Gmail and GitHub accounts.
| codazoda wrote:
| Yeah, me too. I don't collect stats on visitors anymore
| (using Google Analytics for example) because I now
| understand the privacy implications of doing so. I do use a
| simple impression counter but I capture no information (not
| IP, not browser, nothing). I definitely think about the
| CCPA and ADA laws, but I'm relatively sure they don't apply
| to me. Still, I certainly think about them.
| dhimes wrote:
| I go as far as saying in the TOS that my sites are for
| users in the US.
| phonebanshee wrote:
| Why? What would make you think this has any impact?
| kstrauser wrote:
| I personally use a self-hosted analytics app so I can
| still get some useful feedback without sharing my
| visitors' data. I get pretty graphs, and my visitors get
| to keep their privacy.
| otrahuevada wrote:
| The wording on the main driver of the experiment, their
| especially bad emails, leads website operators to think there
| is a problem where there is none. This, on top of the research
| being entirely devoid of consent between the human parties
| involved, makes it a _very_ bad study, one that could well
| cause both the university and the research team to lose money
| if some of the 'subject' parties actually had to go get a
| lawyer to have a look at their shoddy emails.
|
| In better studies what is supposed to happen is, you propose
| taking part in the experiment, you get a signed agreement of
| some sort, and only then actually start experimenting. What
| happened here is more like some kind of YouTube prank than a
| useful information gathering procedure.
| sennight wrote:
| Scraping public data doesn't result in compelling another
| person to work under a false premise. Sure, you could argue
| that scraping introduces load that _may_ draw an operator's
| attention... but the comparison is a pretty big stretch.
|
| How these things pass board review I don't know... it seems
| pretty obvious to me that creating work for somebody who didn't
| volunteer for it is, at best, antisocial behavior.
| mindslight wrote:
| I believe the real issue isn't the research ethics per se, but
| rather pent up frustration on the larger topic. I posted this
| in one of the original threads:
|
| https://news.ycombinator.com/item?id=29607123
| rantee wrote:
| (disclaimer: non-practicing lawyer here, not yours or theirs,
| off-the-cuff very hot take)
|
| What part of 'A consumer shall have the right to request...' in
| the CCPA isn't clear? Nothing about "A fake user may request..."
| Looking forward to another ballot initiative to further clarify
| the law!
|
| The secret shopper thing is a big red herring - at least the
| secret shopper actually buys something, and in real non-academic
| life is usually hired by the company (or marketing company by
| extension).
|
| Disappointing to see the lack of judgment from a researcher who's
| otherwise done great work, and the IRB failure to boot. Good to
| see some acknowledgement but it feels like "let's build a tool to
| do the work and hope for good data." Not sure where this could've
| led other than a name-and-shame conference paper.
| abhv wrote:
| I am an academic and I am against this type of study. My main
| objection is that it wastes the valuable time of the website
| operator for little benefit. It is immoral to waste people's
| time.
|
| Many IRBs are unaware that these kinds of "public surveys" unduly
| burden respondents and cause them unnecessary stress.
|
| The little benefit will be a series of graphs indicating how site
| operators respond, which could be interesting, but does not
| justify the burden.
___________________________________________________________________
(page generated 2021-12-22 23:01 UTC)