On Fri, 2021-12-17 at 15:21 -0500, John Levine via mailop wrote: > They don't seem very good at recognizing that at the other end > of each e-mail there is a person, and that person will be affected.
can you blame them? most ordinary people deal >95% of the time with <5% of the websites in the world, and those happen to be the one that have automated customer service. Discerning a legal demand (as GDPR/CCPA should be understood) from a regular customer service email is also not immediately clear to lay people who are probably not familiar with the obligations and sanctions provided in the law. Based on the conversation with the researchers so far, I suspect that they disingenously represented to the IRB their data collection practice so as not to alert the IRB that humans would be affected. I also suspect that the IRB process is biased in favour of approving research, as this is the interest of the university. How long has it taken for animal rights activists to achieve representation at IRBs of the interest of animals? The same will have to happen for IT users, because the researchers, who were the ones best placed in the process to alert the IRB that person will be affected, had absolutely no interest to do so; and in a common law tradition and in an adversarial, litigious society such as the US are not obligated and should not expected to. Their FAQ is up at <https://privacystudy.cs.princeton.edu/> and it all looks like a lawyers-approved shield to try to justify what they have done. They know they have pushed too far. The question is whether they will learn from this and whether the learning will flow into a fairer IRB. I will follow up with Jonathan. -- Yuval Levy, JD, MBA, CFA Ontario-licensed lawyer _______________________________________________ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop