FYI, I have sent my own letter, with my full signature (same one as below), to 
Princeton, including cc:ing the dept. chair, the abuse department, and the 
legal department.  I do hope you send yours, and soon, as it would be a good 
1-2 punch.

Anne

Anne P. Mitchell,  Attorney at Law
Dean of Cyberlaw & Cyber Security, Lincoln Law School
Author: Section 6 of the Federal CAN-SPAM Law
Board of Directors, Denver Internet Exchange
Professor Emeritus, Lincoln Law School
Chair Emeritus, Asilomar Microcomputer Workshop
Former Counsel: MAPS Anti-Spam Blacklist



> On Dec 15, 2021, at 5:07 PM, yuv via mailop <mailop@mailop.org> wrote:
> 
> On Wed, 2021-12-15 at 08:53 -0700, Grant Taylor via mailop wrote:
>> I feel like the student and the 
>> professor / powers that be which approved this study should be clued 
>> into the costs of the research on the rest of the world.
> 
> +1
> 
> https://dof.princeton.edu/policies-procedure/policies/research-misconduct
> 
> If enough mailops, preferably representing large corporate names that
> donate money to Princeton (hint), are interested to co-operate and
> ultimately co-sign a letter to Princeton along the following lines, I
> volunteer to circulate and update a draft until there is a reasonable
> mass of signatories / consensus; and to send it on law office
> letterhead to the responsible dean at:
> 
> Office of the Dean of the Faculty
> Princeton University
> 9 Nassau Hall, Princeton, NJ 08544-5264
> Phone: 609-258-3020
> Fax: 609-258-2168
> Email: d...@princeton.edu
> 
> IMHO this is an important issue that transcends this individual
> spamming instance.  The student's dandy attitude did not originate in a
> vacuum and while some universities such as Harvard and Stanford are at
> the forefront of addressing the (lack of) ethics in IT [1], it is
> obvious that others still need some prodding.  The design does not come
> near to the complexity of real IT ethics questions such as who should a
> self driving car sacrifice in case of an inevitable collision with
> predictable casualties.  The ethical questions raised are of the
> traditional kind: how does the researcher interact with the subject of
> their research.  This researcher and his supervisors have failed
> completely, in a way that shines a negative light on Princeton and
> should not go unpunished.
> 
> It is generally uncontroversial that co-opting subjects into academic
> research is unethical.  Where persons capable of consent are the
> intended subject of academic research, it is accepted practice to
> obtain informed consent before enrolling them into the research.  In
> this case, consent was not obtained at all and information was
> intentionally falsified, obfuscated, and withheld.
> * The opt-out is only offered after the involuntary enrollment has
> occurred, and on a difficult to find, seemingly unrelated site [2].
> * The researcher has knowingly obfuscated the identity of the sender,
> used false or stolen identities and bogus domains.
> * No meaningful information about the research was provided to the
> unwitting subjects before, during, or after the involuntary enrollment.
> * The information available when trying to investigate, from "official
> source" [2] as well as from the affected community [3] is incomplete at
> best.
> * Apparently the researcher has been made aware and has not done
> anything but further obfuscating between April [3] and December.
> 
> In my view, co-opting websites and email addresses through harvesting
> and spamming is equivalent to co-opting persons capable of consent.
> Behind each and every one of the harvested email addresses there are
> persons and ultimately a responsible individual that had to deal with
> the threatening content of the emails.  Based on anecdotal feedback
> [3], receipt of the email has caused a great deal of uncertainty,
> anxiety and fear in addition to the economic harm of the spam that
> became subject of expert investigation in an attempt to mitigate the
> fallout for our systems and our email recipients[4].  It has a negative
> effect on the operators of email systems signed below; on their user
> communities; and frankly also on Princeton's reputation.  Has
> Princeton given permission to the use of its name as part of the bogus
> domain names?
> 
> The way this study was designed raises questions about the ethics, but
> also the intellectual integrity of the researcher.  His reaction when
> made aware of the shortcomings was intellectually dishonest.  We trust
> that your investigation in the matter will find whether his supervisors
> were party to this dishonesty, or whether this continued harassment is
> the result of a single, rogue, element in your university.  In either
> case, in my view those responsible deserve to be disciplined and I do
> not exclude the possibility of a class action if Princeton does not
> take satisfactory corrective and punitive actions.
> 
> Apparently, Princeton's Research Integrity and Assurance (RIA) has been
> recently informed and has said they'll check and get back on the matter
> to the informer. [5] The same informer has received a reply from the
> researcher that points to either the researcher not being aware of
> RIA's involvement, or having been cleared by it [6].  
> 
> The researcher's conduct goes beyond negligence.  He has displayed
> willful blindness when expert system operators alerted him to the
> negative effects of his conduct and tried to engage in constructive
> criticism.  The email's text, the fake identities, the obfuscated
> domains, all point to intentionally raising the fear factor in a way
> unsavoury spammers typically do to force answers from recipients that
> would normally ignore their requests.  While I am myself curious about
> how website operators handle GDPR or CCPA requests from persons that
> are not resident of the legislations' jurisdiction, faking a request to
> elicit an answer is in my view unethical and unacceptable.
> 
> I won't hesitate naming and shaming Ross Teixeira (r...@princeton.edu)
> and "[t]he additional members of the study team [...] Professor
> Jonathan Mayer at the Princeton University Center for Information
> Technology Policy and Professor Gunes Acar at the Radboud University
> Digital Security Group." [2];
> 
> nor will I hesitate threatening class action if the researchers do not
> (a) immediately stop the spamming pending your review;
> (b) palliate the anxiety generated by their mails by sending a letter
> of apology, approved by the mailop-community in advance, to all the
> email addresses that were spammed.
> 
> I expect your review to be conducted swiftly and that its outcome will
> be made public within 30 days of receipt of this letter.
> 
> 
> [1] <https://www.nytimes.com/2018/02/12/business/computer-science-ethics-courses.html>
> 
> [2] <https://measurement.cs.princeton.edu/privacystudy/>
> 
> [3] <https://joewein.net/blog/2021/04/21/questions-about-gdpr-data-access-process-spam-from-virginia/>
> 
> [4] <https://www.mail-archive.com/mailop@mailop.org/msg14638.html>
> 
> [5] <https://www.mail-archive.com/mailop@mailop.org/msg14650.html>
> 
> [6] <https://www.mail-archive.com/mailop@mailop.org/msg14656.html>
> 
> --
> Yuval Levy, JD, MBA, CFA
> Ontario-licensed lawyer
> 
> 
> _______________________________________________
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop
