On Wed, 2021-12-15 at 08:53 -0700, Grant Taylor via mailop wrote:
> I feel like the student and the 
> professor / powers that be which approved this study should be clued 
> into the costs of the research on the rest of the world.



If enough mailops, preferably representing large corporate names that
donate money to Princeton (hint), are interested to co-operate and
ultimately co-sign a letter to Princeton's along the following lines, I
volunteer to circulate and update a draft until there is a reasonable
mass of signatories / consensus; and to send it on law office
letterhead to the responsible dean at:

Office of the Dean of the Faculty
Princeton University
9 Nassau Hall, Princeton, NJ 08544-5264
Phone: 609-258-3020
Fax: 609-258-2168
Email: d...@princeton.edu

IMHO this is an important issue that transcends this individual
spamming instance.  The student's dandy attitude did not originate in a
vacuum and while some universities such as Harvard and Stanford are at
the forefront of addressing the (lack of) ethics in IT [1], it is
obvious that others still need some prodding.  The design does not come
near to the complexity of real IT ethics questions such as who should a
self driving car sacrifice in case of an inevitable collision with
predictable casualties.  The ethical questions raised are of the
traditional kind: how does the researcher interact with the subject of
their research.  This researcher and his supervisors have failed
completely, in a way that shines a negative light on Princeton and
should not go unpunished.

It is generally uncontroversial that co-opting subjects into academic
research is unethical.  Where persons capable of consent are the
intended subject of academic research, it is accepted practice to
obtain informed consent before enrolling them into the research.  In
this case, consent was not obtained at all and information was
intentionally falsified, obfuscated, and withheld.
* The opt-out is only offered after the involuntary enrollment has
occured, and on a difficult to find, seemingly unrelated site [2].
* The researcher has knowingly obfuscated the identity of the sender,
used false or stolen identities and bogus domains.
* No meaningful information about the research was provided to the
unwitting subjects before, during, or after the involuntary enrollment.
* The information available when trying to investigate, from "official
source" [2] as well as from the affected community [3] is incomplete at
* Apparently the researcher has been made aware and has not done
anything but further obfuscating between April [3] and December.

In my view, co-opting websites and email addresses through harvesting
and spamming is equivalent to co-opting persons capable of consent.
Behind each and every one of the harvested email addresses there are
persons and ultimately a responsible individual that had to deal with
the threatening content of the emails.  Based on annecdotal feedback
[3], receipt of the email has caused a great deal of uncertainty,
anxiety and fear in addition to the economic harm of the spam that
became subject of expert investigation in an attempt to mitigate the
fallout for our systems and our email recipients[4].  It has a negative
effect on the operators of email systems signed below; on their user
communities; and frankly also on Princeton's reputation.  Has the
Princeton given permission to the use of its name as part of the bogus
domain names?

The way this study was designed raises questions about the ethics, but
also the intellectual integrity of the researcher.  His reaction when
made aware of the shortcomings was intellectually dishonest.  We trust
that your investigation in the matter will find whether his supervisors
were part to this dishonesty, or whether this continued harrassment is
the result of a single, rogue, element in your university.  In either
case, in my view those responsible deserve to be disciplined and I do
not exclude the possibility of a class action if Princeton does not
take satisfactory corrective and punitive actions.

Apparently, Princeton's Research Integrity and Assurance (RIA) has been
recently informed and has said they'll check and get back on the matter
to the informer. [5] The same informer has received a reply from the
researcher that points to either the researcher not being aware of
RIA's involvement, or having been cleared by it [6].  

The researcher's conduct goes beyond negligence.  He has displayed
willful blindness when expert system operators alerted him to the
negative effects of his conduct and tried to engage in constructive
criticism.  The email's text, the fake identities, the obfuscated
domains, all point to intentionally raising the fear factor in a way
unsavoury spammers typically do to force answers from recipients that
would normally ignore their requests.  While I am myself curious about
how website operators handle GDPR or CCPA requests from persons that
are not resident of the legislations' jurisdiction, faking a request to
elicit an answer is in my view unethical and unacceptable.

I wont hesitate naming and shaming Ross Teixeira (r...@princeton.edu)
and "[t]he additional members of the study team [...] Professor
Jonathan Mayer at the Princeton University Center for Information
Technology Policy and Professor Gunes Acar at the Radboud University
Digital Security Group." [2];

nor will I hesitate threatening class action if the researchers do not
(a) immediately stop the spamming pending your review;
(b) palliate the anxiety generated by their mails by sending a letter
of apology, approved by the mailop-community in advance, to all the
email addresses that were spammed.

I expect your review to be conducted swiftly and that its outcome will
be made public within 30 days of receipt of this letter.

[1] <

[2] <https://measurement.cs.princeton.edu/privacystudy/>

[3] <

[4] <https://www.mail-archive.com/mailop@mailop.org/msg14638.html>

[5] <https://www.mail-archive.com/mailop@mailop.org/msg14650.html>

[6] <https://www.mail-archive.com/mailop@mailop.org/msg14656.html>

Yuval Levy, JD, MBA, CFA
Ontario-licensed lawyer

mailop mailing list

Reply via email to