FYI, I have sent my own letter, with my full signature (same one as below), to 
Princeton, including cc:ing the dept. chair, the abuse department, and the 
legal department.  I do hope you send yours, and soon, as it would be a good 
1-2 punch.


Anne P. Mitchell,  Attorney at Law
Dean of Cyberlaw & Cyber Security, Lincoln Law School
Author: Section 6 of the Federal CAN-SPAM Law
Board of Directors, Denver Internet Exchange
Professor Emeritus, Lincoln Law School
Chair Emeritus, Asilomar Microcomputer Workshop
Former Counsel: MAPS Anti-Spam Blacklist

> On Dec 15, 2021, at 5:07 PM, yuv via mailop <> wrote:
> On Wed, 2021-12-15 at 08:53 -0700, Grant Taylor via mailop wrote:
>> I feel like the student and the 
>> professor / powers that be which approved this study should be clued 
>> into the costs of the research on the rest of the world.
> +1
> If enough mailops, preferably representing large corporate names that
> donate money to Princeton (hint), are interested to co-operate and
> ultimately co-sign a letter to Princeton's along the following lines, I
> volunteer to circulate and update a draft until there is a reasonable
> mass of signatories / consensus; and to send it on law office
> letterhead to the responsible dean at:
> Office of the Dean of the Faculty
> Princeton University
> 9 Nassau Hall, Princeton, NJ 08544-5264
> Phone: 609-258-3020
> Fax: 609-258-2168
> Email:
> IMHO this is an important issue that transcends this individual
> spamming instance.  The student's dandy attitude did not originate in a
> vacuum and while some universities such as Harvard and Stanford are at
> the forefront of addressing the (lack of) ethics in IT [1], it is
> obvious that others still need some prodding.  The design does not come
> near to the complexity of real IT ethics questions such as who should a
> self driving car sacrifice in case of an inevitable collision with
> predictable casualties.  The ethical questions raised are of the
> traditional kind: how does the researcher interact with the subject of
> their research.  This researcher and his supervisors have failed
> completely, in a way that shines a negative light on Princeton and
> should not go unpunished.
> It is generally uncontroversial that co-opting subjects into academic
> research is unethical.  Where persons capable of consent are the
> intended subject of academic research, it is accepted practice to
> obtain informed consent before enrolling them into the research.  In
> this case, consent was not obtained at all and information was
> intentionally falsified, obfuscated, and withheld.
> * The opt-out is only offered after the involuntary enrollment has
> occured, and on a difficult to find, seemingly unrelated site [2].
> * The researcher has knowingly obfuscated the identity of the sender,
> used false or stolen identities and bogus domains.
> * No meaningful information about the research was provided to the
> unwitting subjects before, during, or after the involuntary enrollment.
> * The information available when trying to investigate, from "official
> source" [2] as well as from the affected community [3] is incomplete at
> best.
> * Apparently the researcher has been made aware and has not done
> anything but further obfuscating between April [3] and December.
> In my view, co-opting websites and email addresses through harvesting
> and spamming is equivalent to co-opting persons capable of consent.
> Behind each and every one of the harvested email addresses there are
> persons and ultimately a responsible individual that had to deal with
> the threatening content of the emails.  Based on annecdotal feedback
> [3], receipt of the email has caused a great deal of uncertainty,
> anxiety and fear in addition to the economic harm of the spam that
> became subject of expert investigation in an attempt to mitigate the
> fallout for our systems and our email recipients[4].  It has a negative
> effect on the operators of email systems signed below; on their user
> communities; and frankly also on Princeton's reputation.  Has the
> Princeton given permission to the use of its name as part of the bogus
> domain names?
> The way this study was designed raises questions about the ethics, but
> also the intellectual integrity of the researcher.  His reaction when
> made aware of the shortcomings was intellectually dishonest.  We trust
> that your investigation in the matter will find whether his supervisors
> were part to this dishonesty, or whether this continued harrassment is
> the result of a single, rogue, element in your university.  In either
> case, in my view those responsible deserve to be disciplined and I do
> not exclude the possibility of a class action if Princeton does not
> take satisfactory corrective and punitive actions.
> Apparently, Princeton's Research Integrity and Assurance (RIA) has been
> recently informed and has said they'll check and get back on the matter
> to the informer. [5] The same informer has received a reply from the
> researcher that points to either the researcher not being aware of
> RIA's involvement, or having been cleared by it [6].  
> The researcher's conduct goes beyond negligence.  He has displayed
> willful blindness when expert system operators alerted him to the
> negative effects of his conduct and tried to engage in constructive
> criticism.  The email's text, the fake identities, the obfuscated
> domains, all point to intentionally raising the fear factor in a way
> unsavoury spammers typically do to force answers from recipients that
> would normally ignore their requests.  While I am myself curious about
> how website operators handle GDPR or CCPA requests from persons that
> are not resident of the legislations' jurisdiction, faking a request to
> elicit an answer is in my view unethical and unacceptable.
> I wont hesitate naming and shaming Ross Teixeira (
> and "[t]he additional members of the study team [...] Professor
> Jonathan Mayer at the Princeton University Center for Information
> Technology Policy and Professor Gunes Acar at the Radboud University
> Digital Security Group." [2];
> nor will I hesitate threatening class action if the researchers do not
> (a) immediately stop the spamming pending your review;
> (b) palliate the anxiety generated by their mails by sending a letter
> of apology, approved by the mailop-community in advance, to all the
> email addresses that were spammed.
> I expect your review to be conducted swiftly and that its outcome will
> be made public within 30 days of receipt of this letter.
> [1] <
> [2] <>
> [3] <
> [4] <>
> [5] <>
> [6] <>
> --
> Yuval Levy, JD, MBA, CFA
> Ontario-licensed lawyer
> _______________________________________________
> mailop mailing list

mailop mailing list

Reply via email to