Re: [mailop] Ethics Complaint to Princeton (was: Bizarre GDPR/CCPA scam spam from Princeton researchers)
Greg -

On 22.12.2021 16:58, Grant Taylor via mailop wrote:
> On 12/22/21 2:27 AM, Raymond Dijkxhoorn via mailop wrote:
>> Yes they do communicate but they are now suggesting to spam everybody once more with some explanation. ...
>
> I wonder if they will learn anything if they see a non-trivial number of systems are now rejecting their messages.

during the last two years, I have lost my faith a bit wrt. the reactive learning capabilities of quite a portion of people... Let's see.

Seasonal greetings,
-C.

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
Re: [mailop] Ethics Complaint to Princeton (was: Bizarre GDPR/CCPA scam spam from Princeton researchers)
On Wed, Dec 22, 2021 at 09:57:54AM -0700, Anne P. Mitchell, Esq. via mailop wrote:
> P.S. These two notes from Jonathan Mayer are appended to the
> https://privacystudy.cs.princeton.edu/ site; the newest is from yesterday.
>
> Note from Jonathan Mayer, the Principal Investigator (Saturday, December 18 @
> 11:30pm)

He also tweeted about it.

https://twitter.com/jonathanmayer/status/1472427321047101442

The audience has of course let him have a piece of their mind.

--
Atro Tossavainen, Chairman of the Board
Infinite Mho Oy, Helsinki, Finland
tel. +358-44-5000 600, http://www.infinitemho.fi/
Re: [mailop] Ethics Complaint to Princeton (was: Bizarre GDPR/CCPA scam spam from Princeton researchers)
Hi!

> P.S. These two notes from Jonathan Mayer are appended to the https://privacystudy.cs.princeton.edu/ site; the newest is from yesterday.

> Our top priority has been issuing a one-time follow-up message that identifies our study and that recommends disregarding prior email. We are sending those messages.

'Our top priority is to spam the same userbase again'

Oh well...

Bye, Raymond
Re: [mailop] Ethics Complaint to Princeton (was: Bizarre GDPR/CCPA scam spam from Princeton researchers)
P.S. These two notes from Jonathan Mayer are appended to the https://privacystudy.cs.princeton.edu/ site; the newest is from yesterday.

Note from Jonathan Mayer, the Principal Investigator (Saturday, December 18 @ 11:30pm)

Hi, my name is Jonathan Mayer. I’m the Principal Investigator for this academic research study.

I have carefully read every single message sent to our research team, and I am dismayed that the emails in our study came across as security risks or legal threats. The intent of our study was to understand privacy practices, not to create a burden on website operators, email system operators, or privacy professionals. I sincerely apologize. I am the senior researcher, and the responsibility is mine.

The touchstone of my academic and government career, for over a decade, has been respecting and empowering users. That’s why I study topics like web tracking, dark patterns, and broadband availability, and that’s why I launched this study on privacy rights. I aim to be beyond reproach in my research methods, both out of principle and because my work often involves critiquing powerful companies and government agencies. In this instance, I fell short of that standard.

I take your feedback to heart, and here is what I am doing about it.

First, our team will not send any new automated inquiries for this study. We suspended sending on December 15, and that is permanent.

Second, our team is prioritizing a possible one-time follow-up email to recipients, identifying the academic study and recommending that they disregard the prior email. If that is feasible, and if experts in the email operator community agree with the proposal, we will send the follow-up emails as expeditiously as possible.

Third, I will use the lessons learned from this experience to write and post a formal research ethics case study, explaining in detail what we did, why we did it, what we learned, and how researchers should approach similar studies in the future. I will teach that case study in coursework, and I will encourage academic colleagues to do the same. While I cannot turn back the clock on this study, I can help ensure that the next generation of technology policy researchers learns from it.

Fourth, I will engage with the communities that have contacted me about this study, which have already offered valuable suggestions for future directions to simplify, standardize, and enhance transparency for GDPR and CCPA data rights processes. I very much appreciate the earnest outreach so far, and I will be reciprocating.

If you have questions or concerns about the study, please do not hesitate to reach out. I gratefully acknowledge the feedback that we have received. Thank you for reading, and again, my sincere apologies.

Update from Jonathan Mayer, the Principal Investigator (Tuesday, December 21 @ 7:40pm)

Thank you to the website operators, email system operators, privacy professionals, academic colleagues, and all others who have reached out about our privacy rights study. I am writing to provide an update about how we are acting on the feedback that we have received.

Our top priority has been issuing a one-time follow-up message that identifies our study and that recommends disregarding prior email. We are sending those messages.

We have also received consistent feedback encouraging us to promptly discard responses to study email. We agree, and we will delete all response data on December 31, 2021.

Please do not hesitate to reach out with further questions or concerns, and I again offer my heartfelt apologies for the burdens caused by this study.
Re: [mailop] Ethics Complaint to Princeton (was: Bizarre GDPR/CCPA scam spam from Princeton researchers)
> > Yes they do communicate but they are now suggesting to spam everybody once
> > more with some explanation. ...

And here is that follow-up spam (below), note that the novatormail.ru is the domain from which our client originally received the email, obviously the domain will change depending on from where the first spam originated.

It's interesting to note they have started using .ru and such domains, the two that I personally received were from yosemitemail.com and potomacmail.com. When I first received those, if you went to the sending domain there was almost nothing there (it certainly didn't point to any useful information about the sender). *Now* these domains, including novatormail.ru, point to https://privacystudy.cs.princeton.edu/, which has been substantially updated.

Here's the follow-up spam:

Hello,

You may have recently received an email from novatormail.ru regarding your process for responding to General Data Protection Regulation (GDPR) or California Consumer Privacy Act (CCPA) data requests for the following domain(s): cybergreen.net.

Please disregard that email. The email was sent as part of an academic research study on GDPR and CCPA, which we have concluded. We will delete all responses received on December 31, 2021.

We sincerely apologize for any burdens caused by our study. If you would like more information about the study or to contact our research team, please see: https://privacystudy.cs.princeton.edu.

Sincerely,
Princeton-Radboud Study on Privacy Law Implementation

---

Anne

---

Anne P. Mitchell, Attorney at Law
CEO Get to the Inbox by SuretyMail, Your outsourced email deliverability team
Author: Section 6 of the Federal Email Marketing Anti-Spam Law (CAN-SPAM)
Author: The Email Deliverability Handbook
Board of Directors, Denver Internet Exchange
Dean Emeritus, Cyberlaw & Cyber Security, Lincoln Law School
Chair Emeritus, Asilomar Microcomputer Workshop
Former Counsel: MAPS Anti-Spam Blacklist
Re: [mailop] Ethics Complaint to Princeton (was: Bizarre GDPR/CCPA scam spam from Princeton researchers)
On 12/22/21 2:27 AM, Raymond Dijkxhoorn via mailop wrote:
> Yes they do communicate but they are now suggesting to spam everybody once more with some explanation. ...

I wonder if they will learn anything if they see a non-trivial number of systems are now rejecting their messages.

--
Grant. . . .
unix || die
Re: [mailop] Ethics Complaint to Princeton (was: Bizarre GDPR/CCPA scam spam from Princeton researchers)
Hi!

> FYI sigh.

In line with the feedback we got from them. Yes they do communicate but they are now suggesting to spam everybody once more with some explanation. ...

Bye, Raymond - SURBL
Re: [mailop] Ethics Complaint to Princeton (was: Bizarre GDPR/CCPA scam spam from Princeton researchers)
FYI sigh.

d/

Forwarded Message
Subject: Re: [IP] Bizarre GDPR/CCPA scam spam from Princeton researchers
Date: Tue, 21 Dec 2021 14:10:45 -0800
From: Edward Hasbrouck
Organization: The Practical Nomad
To: i...@ip.topicbox.com

I got through today to the grad student involved in the scam spam project, Ross Texeira -- his phone number is on his Web site. He was unapologetic and unhelpful.

He said he was "unable" (meaning unwilling) to send a copy of the Princeton IRB application or approval, or the algorithm used to identify e-mail addresses "designated for CCPA or GDPR subject access request". He said the criteria included the appearance of the words "privacy", "GDPR", or "CCPA" on Web pages. So any e-mail address on a site that talks about these issues might be swept in.

Most interestingly, he said that they sent e-mail to between 200K and 300K e-mail addresses, scraped from Web sites on a list of the "top" 1M. That's small compared to the numbers of messages sent by many for-profit spammers, but still a huge commandeering of other people's time, especially given the baseless claim that a response was "required".

Do the math: If each recipient spent an hour on deciding whether and how to respond, and then doing so, at minimum wage of $15/hour, that's $3M.

Since they apparently expect other US-based nonprofit entities not subject to the GDPR or CCPA to have procedures in place for responding to subject access requests, I asked if they have such procedures themselves, or how I can find out what info about me they have scraped up. He wouldn't answer.

He said to expect another update on their Web site later today, and that all other questions would be answered "when we publish our case study". He's still hoping to get publication credit for a paper out of this!

He referred all other questions to the principal investigator, Jonathan Mayer, who has not responded to my e-mail and voicemail messages.

Peace,
Edward Hasbrouck