Re: [mailop] Ethics Complaint to Princeton (was: Privacy research spam apparently from a grad student at Princeton)

2021-12-19 Thread L. Mark Stone via mailop
Except that, now that they are listed in Spamhaus, those emails won’t be 
delivered to the recipients—unless they are sent from a Princeton.Edu domain. 

___
L. Mark Stone
Sent from my iPhone

> On Dec 19, 2021, at 3:02 PM, yuv via mailop  wrote:
> 
> On Sun, 2021-12-19 at 09:51 -0600, Larry M. Smith via mailop wrote:
> > There has been another update, and appears to be well worth a read.
> 
> Indeed it is. I have complimented Jonathan for his leadership. His
> note is what counts.
> 
> I had used some of my snowy/rainy/slushy weekend to research US law. 
> Obligatory disclaimer: I am not licensed to practise US law, this is
> unfamiliar territory, the following is for information purposes only, is
> possibly wrong, I am not the lawyer of any reader of this information,
> do not rely on this information.
> 
> With the disclaimer out of the way, I have found out the legal ground
> on which the IRBs make the determination if the research is human-
> subject research or not. The rest (thinking of the consequences on the
> humans or not) follows from that determination. 
> 
> Subpart A of 45 CFR Part 46. To my horror I found §46.102 (e)(1)
> extends protections to humans only when the information extracted is
> about them. The moment researchers are not extracting data about the
> human itself, the IRB does not even have to consider the effect that
> the research will have on any human. My understanding of the law as
> written is that it white-washes a researcher who coerces information
> about a third party from a human!
> 
> The flow chart is at [1].
> 
> No-one considered that the mechanisms of the law exercised an abnormal,
> in my view intolerable amount of pressure on the human recipients of
> the emails, in addition to their scammy/spammy character. Even if
> unintentional, the end-effect was morally wrong, a lack of respect for
> persons as envisioned by the Belmont Report [2].
> 
> 
> To me, this was a dead-end. The research was in my view morally wrong,
> but legally right and I had no leverage other than appealing to the
> researchers' morality because the law is flawed. And the IRB has
> simply done its job as expected by the law, so again, no leverage
> whatsoever. Leveraging the spam issue and putting the kids in the same
> class as the phishers and other scammers that infest the internet would
> have been heavy-handed and probably also inconclusive, putting them on
> the defensive and achieving nothing more than the shields of the anti-
> abuse tools were not already achieving.
> 
> Dilemma: how to advance on the issue? Sure, there is that ethical
> middle ground, the Belmont Report [3], but it required goodwill on the
> other side. Jonathan has shown goodwill.
> 
> This is no longer on-topic for nitty gritty email system operators, so
> I will stop annoying mailop with this.
> 
> I want to thank everyone who has contributed little bits of evidence to
> the case, whether it is pointing out anti-spam resources clearly
> showing that the emails were spam; or describing their experience. You
> have all helped the researchers understand that what they did was
> morally wrong.
> 
> [1] <
> https://www.hhs.gov/ohrp/regulations-and-policy/decision-charts-2018/index.html#c1
> >
> 
> [2] <
> https://www.hhs.gov/ohrp/regulations-and-policy/belmont-report/read-the-belmont-report/index.html#xrespect
> >
> 
> [3] <
> https://www.hhs.gov/ohrp/regulations-and-policy/belmont-report/index.html
> >
> 
> -- 
> Yuval Levy, JD, MBA, CFA
> Ontario-licensed lawyer
> 
> 
> ___
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] Ethics Complaint to Princeton (was: Privacy research spam apparently from a grad student at Princeton)

2021-12-19 Thread yuv via mailop
On Sun, 2021-12-19 at 11:53 -0800, Jay Hennigan via mailop wrote:
> The most obvious and frequently asked question isn't answered or
> even acknowledged in their FAQ.

When lawyers or snake-oil sellers are involved, FAQ stands for
fictionally asked question.  And when lawyers of snake-oil sellers are
writing it, it is a loose phonetic contraction of a popular English-
language four-letter word that too frequently draws censure and that
the reader of the text is probably going to utter as many times as
there are questions and answers in the text.

--
Yuval Levy, JD, MBA, CFA
Ontario-licensed lawyer




Re: [mailop] Ethics Complaint to Princeton (was: Privacy research spam apparently from a grad student at Princeton)

2021-12-19 Thread Jaroslaw Rafa via mailop
On 19.12.2021 at 14:52:58 yuv via mailop writes:
> 
> To me, this was a dead-end.  The research was in my view morally wrong,
> but legally right and I had no leverage other than appealing to the
> researchers' morality because the law is flawed.

Again: this may be the right moment to get media involved. Pressure from the
media can often help where law can't.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


Re: [mailop] Ethics Complaint to Princeton (was: Privacy research spam apparently from a grad student at Princeton)

2021-12-19 Thread yuv via mailop
On Sun, 2021-12-19 at 09:51 -0600, Larry M. Smith via mailop wrote:
> There has been another update, and appears to be well worth a read.

Indeed it is.  I have complimented Jonathan for his leadership.  His
note is what counts.

I had used some of my snowy/rainy/slushy weekend to research US law. 
Obligatory disclaimer:  I am not licensed to practise US law, this is
unfamiliar territory, the following is for information purposes only, is
possibly wrong, I am not the lawyer of any reader of this information,
do not rely on this information.

With the disclaimer out of the way, I have found out the legal ground
on which the IRBs make the determination if the research is human-
subject research or not.  The rest (thinking of the consequences on the
humans or not) follows from that determination.  

Subpart A of 45 CFR Part 46.  To my horror I found §46.102 (e)(1)
extends protections to humans only when the information extracted is
about them.  The moment researchers are not extracting data about the
human itself, the IRB does not even have to consider the effect that
the research will have on any human.  My understanding of the law as
written is that it white-washes a researcher who coerces information
about a third party from a human!

The flow chart is at [1].

No-one considered that the mechanisms of the law exercised an abnormal,
in my view intolerable amount of pressure on the human recipients of
the emails, in addition to their scammy/spammy character.  Even if
unintentional, the end-effect was morally wrong, a lack of respect for
persons as envisioned by the Belmont Report [2].


To me, this was a dead-end.  The research was in my view morally wrong,
but legally right and I had no leverage other than appealing to the
researchers' morality because the law is flawed.  And the IRB has
simply done its job as expected by the law, so again, no leverage
whatsoever.  Leveraging the spam issue and putting the kids in the same
class as the phishers and other scammers that infest the internet would
have been heavy-handed and probably also inconclusive, putting them on
the defensive and achieving nothing more than the shields of the anti-
abuse tools were not already achieving.

Dilemma: how to advance on the issue?  Sure, there is that ethical
middle ground, the Belmont Report [3], but it required goodwill on the
other side.  Jonathan has shown goodwill.

This is no longer on-topic for nitty gritty email system operators, so
I will stop annoying mailop with this.

I want to thank everyone who has contributed little bits of evidence to
the case, whether it is pointing out anti-spam resources clearly
showing that the emails were spam; or describing their experience.  You
have all helped the researchers understand that what they did was
morally wrong.

[1] <
https://www.hhs.gov/ohrp/regulations-and-policy/decision-charts-2018/index.html#c1
>

[2] <
https://www.hhs.gov/ohrp/regulations-and-policy/belmont-report/read-the-belmont-report/index.html#xrespect
>

[3] <
https://www.hhs.gov/ohrp/regulations-and-policy/belmont-report/index.html
>

-- 
Yuval Levy, JD, MBA, CFA
Ontario-licensed lawyer




Re: [mailop] Ethics Complaint to Princeton (was: Privacy research spam apparently from a grad student at Princeton)

2021-12-19 Thread Larry M. Smith via mailop

On 12/18/2021, yuv via mailop wrote:
(snip)
>
> Their FAQ is up at  and it all
> looks like a lawyers-approved shield to try to justify what they have
> done.  They know they have pushed too far.  The question is whether
> they will learn from this and whether the learning will flow into a
> fairer IRB.  I will follow up with Jonathan.


There has been another update, and it appears to be well worth a read.  The 
part that is of interest to me is:



Second, our team is prioritizing a possible one-time follow-up email to 
recipients, identifying the academic study and recommending that they 
disregard the prior email. If that is feasible, and if experts in the 
email operator community agree with the proposal, we will send the 
follow-up emails as expeditiously as possible.



While I'm not really a fan of more spam; I do not have the experience to 
comment on what damage may have been done, nor what their best path 
forward should be -- as such this plan seems acceptable to me.


--
SgtChains



Re: [mailop] Ethics Complaint to Princeton (was: Privacy research spam apparently from a grad student at Princeton)

2021-12-18 Thread Larry M. Smith via mailop

On 12/18/2021, Larry M. Smith via mailop wrote:
>
> On 12/18/2021, yuv via mailop wrote:
> (snip)
> >
> > Their FAQ is up at  and it all
> > looks like a lawyers-approved shield to try to justify what they have
> > done.  They know they have pushed too far.  The question is whether
> > they will learn from this and whether the learning will flow into a
> > fairer IRB.  I will follow up with Jonathan.
>
>
> I find this bit interesting:
>

Heh, I also note the following addition to the HTML:




Re: [mailop] Ethics Complaint to Princeton (was: Privacy research spam apparently from a grad student at Princeton)

2021-12-18 Thread Larry M. Smith via mailop

On 12/18/2021, yuv via mailop wrote:
(snip)
>
> Their FAQ is up at  and it all
> looks like a lawyers-approved shield to try to justify what they have
> done.  They know they have pushed too far.  The question is whether
> they will learn from this and whether the learning will flow into a
> fairer IRB.  I will follow up with Jonathan.


I find this bit interesting:


* When are you contacting websites for this study?

We sent emails to websites through December 15, 2021. We are not 
currently sending additional emails for this study.



Originally this was scheduled to run through "spring of 2022," so my 
question is: did Princeton stop it, or did AmazonSES cut them off?


--
SgtChains


Re: [mailop] Ethics Complaint to Princeton (was: Privacy research spam apparently from a grad student at Princeton)

2021-12-18 Thread Jaroslaw Rafa via mailop
On 18.12.2021 at 10:01:18 yuv via mailop writes:
> Based on the conversation with the researchers so far, I suspect that
> they disingenuously represented to the IRB their data collection
> practice so as not to alert the IRB that humans would be affected.  I
[...]
> Their FAQ is up at  and it all
> looks like a lawyers-approved shield to try to justify what they have
> done.  They know they have pushed too far.  The question is whether

If this is the case (ie. they know they are doing wrong and they insist on
it), maybe it's a good idea to involve media in the case and get all this to
the news? Good media coverage of something often has better effect,
especially on big and stubborn organizations, than any legal action...  But
of course someone would have to explain to the media people first why what
the researchers were doing is wrong...
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


Re: [mailop] Ethics Complaint to Princeton (was: Privacy research spam apparently from a grad student at Princeton)

2021-12-18 Thread yuv via mailop
On Fri, 2021-12-17 at 15:21 -0500, John Levine via mailop wrote:
> They don't seem very good at recognizing that at the other end
> of each e-mail there is a person, and that person will be affected.

Can you blame them? Most ordinary people deal >95% of the time with <5%
of the websites in the world, and those happen to be the ones that have
automated customer service.

Discerning a legal demand (as GDPR/CCPA should be understood) from a
regular customer service email is also not immediately clear to lay
people who are probably not familiar with the obligations and sanctions
provided in the law.

Based on the conversation with the researchers so far, I suspect that
they disingenuously represented to the IRB their data collection
practice so as not to alert the IRB that humans would be affected.  I
also suspect that the IRB process is biased in favour of approving
research, as this is the interest of the university.  How long has it
taken for animal rights activists to achieve representation at IRBs of
the interest of animals?  The same will have to happen for IT users,
because the researchers, who were the ones best placed in the process
to alert the IRB that persons will be affected, had absolutely no
interest to do so; and in a common law tradition and in an adversarial,
litigious society such as the US are not obligated and should not be
expected to.

Their FAQ is up at  and it all
looks like a lawyers-approved shield to try to justify what they have
done.  They know they have pushed too far.  The question is whether
they will learn from this and whether the learning will flow into a
fairer IRB.  I will follow up with Jonathan.

--
Yuval Levy, JD, MBA, CFA
Ontario-licensed lawyer



Re: [mailop] Ethics Complaint to Princeton (was: Privacy research spam apparently from a grad student at Princeton)

2021-12-18 Thread yuv via mailop
On Fri, 2021-12-17 at 08:08 -0800, Dave Crocker via mailop wrote:
> this particular decision seems bizarre.

bizarre decisions are typical of the evolution of any decision-making
body.  Nobody is perfect.  We all have our blind spots and their blind
spot happens to be your spotlight, which is why you find the decision
bizarre.


> Beyond concern for this IRB repeating the error, it occurs to me that
> it could be replicated by other IRBs.

I am sure it occurs to them as well.  For ages, decision-making bodies
have dealt with this concern about (in)consistencies of decision across
neighbouring jurisdictions.  Or in tech terms: replication/syncing of
reasoning over space and time.  The judicial system has a tried and
tested way to propagate updates and synchronize across jurisdictions --
even hostile jurisdictions -- that has worked for centuries and keeps
working very well, even when accelerated by technology.

The spatial organization in autonomous entities has many reasons.  Some
are related to the reach of the decision-making authority.  Others are
of technical nature and include the speed of propagation of the
authority's orders.  Then there are sovereignty considerations, and
this is where each university will defend its own IRB.  And that's
good, because it adds an important feature: competition.  Competition
drives innovation, even in decision-making, and the synchronization
between parallel spatial organizations (jurisdictions) occurs through a
common appeal process to a higher authority.  Those universities are
subject to state and federal rule.

On the downside for this case is the fact that a decision has already been
made in the case and probably the time to appeal is over.  Possibly,
there is not even a possibility to appeal against the research as the
purpose is to allow science and appeals are most likely designed to
give researchers a second chance, not the other way around.  However,
there is surely also a body that writes the policies along which the
IRBs are making decisions, and this is where we need to bring our
argument that humans are affected; that the safeguards proposed by
researchers are not enough; that more oversight is required.


> That makes me wonder about the possible benefit of 
> independently-developed guidance that might be circulated among
> them.  Possibly from a respected anti-abuse organization?

I am skeptical of every such organization.  They invariably represent
more or less cover behind the scene influences.  What if this IRB takes
guidance from one "respected anti-abuse organization" and another IRB
takes guidance from another "respected anti-abuse organization" that is
of a different opinion?  In my view, the opinion of the IRB is enough
opinion.  Additional opinions of additional entities only helps snake-
oil sellers sell more snake-oil.

Traditionally, courts (or boards) take their guidance from expert
witnesses, which are called by one of the parties in the process to
inform the process.  This admits that there is no such thing as
"independently-developed" and every such expert organization has an
agenda.  It is better to acknowledge partisanship and deal with it in
the open than to investigate backroom influences (typically financial
donation).  So the party that argues that this is abuse will bring in
its expert; the party that argues that this is not abuse will bring in
its expert; and the board will make the decision that will then become
part of its precedent and as such applied to future decision.  The
experts are then only required for the marginally new, with the body of
guidance enshrined as law in precedent ruling, that can, with effort,
be overruled when new developments come to light.

But I am digressing.
Yuv

--
Yuval Levy, JD, MBA, CFA
Ontario-licensed lawyer




Re: [mailop] Ethics Complaint to Princeton (was: Privacy research spam apparently from a grad student at Princeton)

2021-12-17 Thread John Levine via mailop
It appears that Dave Crocker via mailop  said:
>> * On the big issue, the ENROLLMENT OF HUMAN SUBJECTS WITHOUT CONSENT
>> into the study, I have been told that "[t]he IRB determined that our
>> study does not constitute human subjects research."
>
>I haven't gone through an IRB process.  So I've no idea what the 
>dynamics, practical criteria, or typical outcomes are from them.

Apparently this is pretty common.  IRBs were invented to in response
to things like the Milgram experiments where the subjects were
tricked into thinking that they were administering dangerous
electric shocks to other people.

They don't seem very good at recognizing that at the other end
of each e-mail there is a person, and that person will be affected.

R's,
John


Re: [mailop] Ethics Complaint to Princeton (was: Privacy research spam apparently from a grad student at Princeton)

2021-12-17 Thread L. Mark Stone via mailop
I'm not an attorney but have worked closely with attorneys on many M&A and 
other financing transactions, before getting in to the MSP and email hosting 
business.

§1037 (a) says "affecting... commerce" It does not say that only the sender 
stands to benefit from commercial gain.  The recipients here, because they 
incurred costs, I would as a lay person say met the definition of having their 
commerce affected.  Further, I would say that if the researchers received a 
promotion, tenure, raise, job offer, or critical acclaim from publishing their 
findings, they will have benefitted commercially by dint of having their career 
reputations enhanced.

Perhaps there is case law that says otherwise; I no longer have ready access to 
Shepardize things like this.

In any event, it appears that Spamhaus has listed in their SBL the AWS IPs used 
by the researchers, so AWS surely has knowledge of their activity. See:
https://www.spamhaus.org/sbl/query/SBL538716 (with links to other IPs) and
https://www.spamhaus.org/sbl/listings/amazon.com

Thanks for everyone's constructive actions in trying to help the researchers 
understand why how they are doing what they are doing is suboptimal (if not 
illegal).

Hope that helps, 
Mark 
_ 
L. Mark Stone, Founder 
North America's Leading Zimbra VAR/BSP/Training Partner 
For Companies With Mission-Critical Email Needs

- Original Message -
From: "mailop" 
To: "yuv" , "mailop" 
Sent: Friday, December 17, 2021 10:32:09 AM
Subject: Re: [mailop] Ethics Complaint to Princeton (was: Privacy research spam 
apparently from a grad student at Princeton)

Yuval this is awesome, and an awesome result!

FWIW, this is what I told Jonathan (after two previous replies/re-replies), 
yesterday morning, in part - cc:ed to the chair of the compsci department, and 
the Princeton legal department:

He wrote:

> Thank you for reaching out about our research on the European Union General 
> Data Protection Regulation (GDPR) and the California Consumer Privacy Act 
> (CCPA). A component of the study involves requesting information from 
> websites about how they have implemented the consumer data access provisions 
> of the GDPR and the CCPA. Both the GDPR and CCPA provide for these types of 
> information requests. We would be glad to answer any questions you have about 
> the study goals, methods, and safeguards, and we welcome any additional 
> feedback you would like to provide.

I responded:

That GDPR and CCPA provide for such requests is immaterial (not the least of 
which because neither is controlling law here).  You are in violation of U.S. 
Federal law, namely CAN-SPAM, which states, in relevant part:

‘‘§1037. Fraud and related activity in connection with electronic mail

‘‘(a) IN GENERAL.—Whoever, in or affecting interstate or foreign commerce, 
knowingly —

‘‘(2) uses a protected computer to relay or retransmit multiple commercial 
electronic mail messages, with the intent to deceive or mislead recipients, or 
any Internet access service, as to the origin of such messages,
‘‘(3) materially falsifies header information in multiple commercial electronic 
mail messages and intentionally initiates the transmission of such messages,
‘‘(4) registers, using information that materially falsifies the identity of 
the actual registrant, for five or more electronic
mail accounts or online user accounts or two or more domain names, and 
intentionally initiates the transmission of multiple commercial electronic mail 
messages from any combination of such accounts or domain names, or

...shall be punished as provided in subsection (b).

‘‘(2) a fine under this title, imprisonment for not more than 3 years, or both, 
if—

‘‘(A) the offense is an offense under subsection (a)(1); ‘‘(B) the offense is 
an offense under subsection (a)(4)
and involved 20 or more falsified electronic mail or online user account 
registrations, or 10 or more falsified domain name registrations;
‘‘(C) the volume of electronic mail messages transmitted in furtherance of the 
offense exceeded 2,500 during any 24-hour period, 25,000 during any 30-day 
period, or 250,000 during any 1-year period;
‘‘(D) the offense caused loss to one or more persons aggregating $5,000 or more 
in value during any 1-year period;
‘‘(E) as a result of the offense any individual committing the offense obtained 
anything of value aggregating $5,000 or more during any 1-year period; or
‘‘(F) the offense was undertaken by the defendant in concert with three or more 
other persons with respect to whom the defendant occupied a position of 
organizer or leader;

As you can see, you and your team, and your actions, fit squarely within 
several of the acts detailed above, having registered domains specifically to 
send out falsified headers and false information, claiming to be individuals 
looking for information, wh

Re: [mailop] Ethics Complaint to Princeton (was: Privacy research spam apparently from a grad student at Princeton)

2021-12-17 Thread Dave Crocker via mailop


On 12/17/2021 6:40 AM, yuv via mailop wrote:

> * On the big issue, the ENROLLMENT OF HUMAN SUBJECTS WITHOUT CONSENT
> into the study, I have been told that "[t]he IRB determined that our
> study does not constitute human subjects research."



I haven't gone through an IRB process.  So I've no idea what the 
dynamics, practical criteria, or typical outcomes are from them.


But this particular decision seems bizarre.  Beyond concern for this IRB 
repeating the error, it occurs to me that it could be replicated by 
other IRBs.


That makes me wonder about the possible benefit of 
independently-developed guidance that might be circulated among them. 
Possibly from a respected anti-abuse organization?



d/


Re: [mailop] Ethics Complaint to Princeton (was: Privacy research spam apparently from a grad student at Princeton)

2021-12-17 Thread yuv via mailop
Apology for this diversion, off-topic to the subject of the Ethics
Complaint, but definitely on-topic for mailop.

On Fri, 2021-12-17 at 08:32 -0700, Anne P. Mitchell, Esq. wrote:
> His response to the above was that CAN-SPAM didn't apply as it was
> academic and not commercial email, at which point I pointed out to
> him that he and I both knew that reasonable minds can differ on what
> is "commercial"

Hair-splitting.  IMHO this is an aspect on which CAN-SPAM is flawed. 
The general rule must be that spam is in the eyes of the recipient, and
from there on the rule can be overridden with exceptions for acceptable
message classes.  The commercial or non-commercial nature of a message
should have ZERO bearing on whether a message qualifies as spam or not,
but it was a convenient and self-serving way for some non-commercial
actors with overweighted influence on the legislative process to carve
themselves an exemption.  I find political parties, charities, and
universities to be much worse spammers than legitimate commercial
entities.


> So, again, Yuval, well done!  We make a good 'good cop bad cop' team!

Our interests are aligned but I am not sure that we are on the same
team.  Your team is tackling the email deliverability / spam issue,
which can be fixed technically (at a cost) by blacklisting the sender. 
My team is tackling the offense on individual autonomy.  Being coerced
into a scientific research under the threat of consequences from
GDPR/CCPA non-compliance.  There is no tech fix for that.

Yuv
--
Yuval Levy, JD, MBA, CFA
Ontario-licensed lawyer




Re: [mailop] Ethics Complaint to Princeton (was: Privacy research spam apparently from a grad student at Princeton)

2021-12-17 Thread Al Iverson via mailop
Okay, I have to admit, this was very well handled on your part. It's really
good guidance.

Cheers,
Al Iverson

On Fri, Dec 17, 2021 at 8:49 AM yuv via mailop  wrote:

> UPDATE:
>
> * I had waited for the answer to my direct note to Jonathan Mayer and
> fell asleep.  It arrived at 01:44 EST.  This morning I replied to him.
> With a direct line of communication open,  the letter higher up is on
> hold.
>
> * They are currently not sending emails and will be publishing an FAQ
> soon.  The issue that is relevant for mailop is, at least temporarily,
> defused.  The feedback I have given them with regard to the spam issue
> is that:
>
> The study abused the mechanism created by the laws to deliver its
> questionnaire to an email address whose purpose is only to receive
> legal GDPR/CCPA requests.  Maybe, on balance, such minor abuse could be
> tolerated as an efficient, low-cost shortcut to reach the person better
> placed to answer the study's questionnaire.  However, the obfuscation
> of the sender; the use of fraudulent identities; the covert and
> indirect questions; all void any possible justification, whether the
> study does or does not constitute human subjects research.
>
> [...]
>
> (a) put your questions in a direct plain view survey form on the web
> instead of covering them up with hypothetical facts scenarios;
>
> (b) identify yourself as the sender instead of using covert domains and
> false identities;
>
> (c) use a strict opt-in logic: the first email is the last one unless
> the subject responds; and the first email has all the elements for the
> subject to make an informed consent decision.
>
>
> * On the big issue, the ENROLLMENT OF HUMAN SUBJECTS WITHOUT CONSENT
> into the study, I have been told that "[t]he IRB determined that our
> study does not constitute human subjects research."  I do not have the
> reasons for such determination, but this is the fault line at the
> moment.  I have offered to Jonathan my opinion that:
>
> The IRB's determination stands corrected (of course without admitting
> fault, given the litigious context of the land).  Behind every website
> there is an operator and in most cases, the end-operator is a human
> subject, or an organization within which a human subject bears ultimate
> responsibility for processing the study's emails.  That human deserves
> respect [Belmont Report].
>
> In the context of GDPR/CCPA, the mechanism they create and the
> obligations and sanctions they impose, the study as designed resulted
> in the ENROLLMENT OF HUMAN SUBJECTS WITHOUT CONSENT.
>
> It is work in progress.  I am trying to identify who at Princeton would
> be the optimal recipient of my letter.  A Researcher Misconduct
> Complaint to the DoF would only deal with the individual researcher's
> integrity and would not prevent the IRB from making further misguided
> decisions on the coerced enrollment of humans.  At this time I am not
> seeking to punish the researchers.  I wait to see how the dialog with
> Jonathan unfolds.
>
>
> On Thu, 2021-12-16 at 22:10 -0700, Grant Taylor via mailop wrote:
> > I don't buy the silly mistake.  Not the second time around.
> [...]
> > But the fact that the student repeated the action and apparent lack
> > of caring completely negates both "silly" and "mistake" in my head.
>
> https://en.wikipedia.org/wiki/Three-strikes_law
>
>
> --
> Yuval Levy, JD, MBA, CFA
> Ontario-licensed lawyer
>
>
>


-- 
*Al Iverson /* Deliverability blogging at www.spamresource.com
Subscribe to the weekly newsletter at wombatmail.com/sr.cgi
DNS Tools at xnnd.com / (312) 725-0130 / Chicago (Central Time)


Re: [mailop] Ethics Complaint to Princeton (was: Privacy research spam apparently from a grad student at Princeton)

2021-12-17 Thread Anne P. Mitchell, Esq. via mailop
Yuval this is awesome, and an awesome result!

FWIW, this is what I told Jonathan (after two previous replies/re-replies), 
yesterday morning, in part - cc:ed to the chair of the compsci department, and 
the Princeton legal department:

He wrote:

> Thank you for reaching out about our research on the European Union General 
> Data Protection Regulation (GDPR) and the California Consumer Privacy Act 
> (CCPA). A component of the study involves requesting information from 
> websites about how they have implemented the consumer data access provisions 
> of the GDPR and the CCPA. Both the GDPR and CCPA provide for these types of 
> information requests. We would be glad to answer any questions you have about 
> the study goals, methods, and safeguards, and we welcome any additional 
> feedback you would like to provide.

I responded:

That GDPR and CCPA provide for such requests is immaterial (not the least of 
which because neither is controlling law here).  You are in violation of U.S. 
Federal law, namely CAN-SPAM, which states, in relevant part:

‘‘§1037. Fraud and related activity in connection with electronic mail

‘‘(a) IN GENERAL.—Whoever, in or affecting interstate or foreign commerce, 
knowingly —

‘‘(2) uses a protected computer to relay or retransmit multiple commercial 
electronic mail messages, with the intent to deceive or mislead recipients, or 
any Internet access service, as to the origin of such messages,
‘‘(3) materially falsifies header information in multiple commercial electronic 
mail messages and intentionally initiates the transmission of such messages,
‘‘(4) registers, using information that materially falsifies the identity of 
the actual registrant, for five or more electronic
mail accounts or online user accounts or two or more domain names, and 
intentionally initiates the transmission of multiple commercial electronic mail 
messages from any combination of such accounts or domain names, or

...shall be punished as provided in subsection (b).

‘‘(2) a fine under this title, imprisonment for not more than 3 years, or both, 
if—

‘‘(A) the offense is an offense under subsection (a)(1); ‘‘(B) the offense is 
an offense under subsection (a)(4)
and involved 20 or more falsified electronic mail or online user account 
registrations, or 10 or more falsified domain name registrations;
‘‘(C) the volume of electronic mail messages transmitted in furtherance of the 
offense exceeded 2,500 during any 24-hour period, 25,000 during any 30-day 
period, or 250,000 during any 1-year period;
‘‘(D) the offense caused loss to one or more persons aggregating $5,000 or more 
in value during any 1-year period;
‘‘(E) as a result of the offense any individual committing the offense obtained 
anything of value aggregating $5,000 or more during any 1-year period; or
‘‘(F) the offense was undertaken by the defendant in concert with three or more 
other persons with respect to whom the defendant occupied a position of 
organizer or leader;

As you can see, you and your team, and your actions, fit squarely within 
several of the acts detailed above, having registered domains specifically to 
send out falsified headers and false information, claiming to be individuals 
looking for information, when in fact it is not those individuals but members 
of your team, and in fact you are doing a study, not seeking such information 
as an individual, making the entire email false and misleading.

In addition, each response you have received generated a cost to the responder 
both in terms of time and, in some cases, dollar amounts as they had to pay 
their employees, and sometimes pay legal fees, to determine how to respond.

...

I then reiterated my offer that there were many professionals in the email 
receiving and policy communities who would be happy to assist them in designing 
a method to accomplish their goal in a way that does it right and does not run 
afoul of best practices, abuse policies, and the law.

His response to the above was that CAN-SPAM didn't apply as it was academic and 
not commercial email, at which point I pointed out to him that he and I both 
knew that reasonable minds can differ on what is "commercial", and it would be 
a fun court case, but that at this point I was going to bow out and watch from 
the sidelines.  I figured with my two emails going to the department chair, and 
the legal department, and Yuval's email, someone there would hit 'pause' on it.

So, again, Yuval, well done!  We make a good 'good cop bad cop' team! ;-)

Anne

Anne P. Mitchell,  Attorney at Law
Author: Section 6 of the Federal CAN-SPAM Law
Board of Directors, Denver Internet Exchange
Professor Emeritus, Lincoln Law School
Chair Emeritus, Asilomar Microcomputer Workshop
Former Counsel: MAPS Anti-Spam Blacklist


> On Dec 17, 2021, at 7:40 AM, yuv via mailop  wrote:
> 
> UPDATE:
> 
> * I had waited for the answer to my direct note to Jonathan Mayer and
> fell asleep.  It arrived at 01:44 EST.  This morning I 

Re: [mailop] Ethics Complaint to Princeton (was: Privacy research spam apparently from a grad student at Princeton)

2021-12-17 Thread yuv via mailop
UPDATE:

* I had waited for the answer to my direct note to Jonathan Mayer and
fell asleep.  It arrived at 01:44 EST.  This morning I replied to him. 
With a direct line of communication open, the letter higher up is on
hold.

* They are currently not sending emails and will be publishing an FAQ
soon.  The issue that is relevant for mailop is, at least temporarily,
defused.  The feedback I have given them with regard to the spam issue
is that:

The study abused the mechanism created by the laws to deliver its
questionnaire to an email address whose purpose is only to receive
legal GDPR/CCPA requests.  Maybe, on balance, such minor abuse could be
tolerated as an efficient, low-cost shortcut to reach the person better
placed to answer the study's questionnaire.  However, the obfuscation
of the sender; the use of fraudulent identities; the covert and
indirect questions; all void any possible justification, whether the
study does or does not constitute human subjects research.

[...]

(a) put your questions in a direct plain view survey form on the web
instead of covering them up with hypothetical facts scenarios;

(b) identify yourself as the sender instead of using covert domains and
false identities;

(c) use a strict opt-in logic: the first email is the last one unless
the subject responds; and the first email has all the elements for the
subject to make an informed consent decision.


* On the big issue, the ENROLLMENT OF HUMAN SUBJECTS WITHOUT CONSENT
into the study, I have been told that "[t]he IRB determined that our
study does not constitute human subjects research."  I do not have the
reasons for such determination, but this is the fault line at the
moment.  I have offered to Jonathan my opinion that:

The IRB's determination stands corrected (of course without admitting
fault, given the litigious context of the land).  Behind every website
there is an operator and in most cases, the end-operator is a human
subject, or an organization within which a human subject bears ultimate
responsibility for processing the study's emails.  That human deserves
respect [Belmont Report].

In the context of GDPR/CCPA, the mechanism they create and the
obligations and sanctions they impose, the study as designed resulted
in the ENROLLMENT OF HUMAN SUBJECTS WITHOUT CONSENT.

It is work in progress.  I am trying to identify who at Princeton would
be the optimal recipient of my letter.  A Researcher Misconduct
Complaint to the DoF would only deal with the individual researcher's
integrity and would not prevent the IRB from making further misguided
decisions on the coerced enrollment of humans.  At this time I am not
seeking to punish the researchers.  I wait to see how the dialog with
Jonathan unfolds.


On Thu, 2021-12-16 at 22:10 -0700, Grant Taylor via mailop wrote:
> I don't buy the silly mistake.  Not the second time around.
[...]
> But the fact that the student repeated the action and apparent lack
> of caring completely negates both "silly" and "mistake" in my head.

https://en.wikipedia.org/wiki/Three-strikes_law

 
--
Yuval Levy, JD, MBA, CFA
Ontario-licensed lawyer




Re: [mailop] Ethics Complaint to Princeton (was: Privacy research spam apparently from a grad student at Princeton)

2021-12-16 Thread Grant Taylor via mailop

On 12/16/21 5:56 PM, Chris via mailop wrote:
> This would *hardly* hurt the kid's life forever.  It's simply a silly
> mistake, the fault is more with the research committee permitting it in
> the first case.


I don't buy the silly mistake.  Not the second time around.

I'll look the other way for the silly mistake the first time 
/especially/ if the student learned from the mistake and didn't repeat 
the action.


But the fact that the student repeated the action and apparent lack of 
caring completely negates both "silly" and "mistake" in my head.




--
Grant. . . .
unix || die





Re: [mailop] Ethics Complaint to Princeton (was: Privacy research spam apparently from a grad student at Princeton)

2021-12-16 Thread Chris via mailop

On 2021-12-16 10:59 a.m., Al Iverson via mailop wrote:
> Well, I'm sure this'll be a popular opinion, but I'm giving it anyway.
> Maybe let's try not to do something that'll screw up that college
> kid's life forever over their bit of stupidity. It's wrong, they
> shouldn't be doing it, but it's not for commercial gain, and the
> amount of bad mail being sent here in comparison to the amount of bad
> mail being sent by others is .1%. If I had a top ten list of
> spam problems I cared about, this would be #14, barely.


This would *hardly* hurt the kid's life forever.  It's simply a silly 
mistake, the fault is more with the research committee permitting it in 
the first case.


This is the sort of thing research committees are *supposed* to do.

It's the research committee that needs its knuckles rapped.



Re: [mailop] Ethics Complaint to Princeton (was: Privacy research spam apparently from a grad student at Princeton)

2021-12-16 Thread Andrew C Aitchison via mailop


On Thu, 16 Dec 2021, Robert L Mathews via mailop wrote:
> While I know what you mean, I think the reason people are up in arms about it
> is that it's not solely a spam problem.
>
> This researcher is impersonating a customer of our various services, then
> asking questions about how we all handle legally required disclosures for
> that customer. If it were a real customer and we sent the wrong answer, that
> has legal and financial implications. It can't just be deleted like most
> spam.
>
> When my staff originally received it, they didn't know how to handle it.
> Although they knew we take legal requirements seriously, they couldn't find
> any records related to the supposed person asking the question, so I then
> spent 30 minutes trying to locate "Anna Roland, [...] a resident of San
> Francisco, California" in our records, composing a helpful reply, and so on.
> This is a very poor use of my time, and the upshot is that the researcher
> tricked me into spending time participating in their study.
>
> Imagine if I impersonated an ethics committee member and sent messages to
> these professors, asking how they handle complaints, in a way that required
> an answer so as to not jeopardize their jobs. I doubt they'd be happy when
> they discovered the impersonation.
>
> --
> Robert L Mathews, Tiger Technologies, http://www.tigertech.net/


Thanks. As someone not in that role I had missed that.
This point needs to be made to the supervisors you wish to complain to.

--
Andrew C. Aitchison Kendal, UK
and...@aitchison.me.uk


Re: [mailop] Ethics Complaint to Princeton (was: Privacy research spam apparently from a grad student at Princeton)

2021-12-16 Thread Robert L Mathews via mailop

On 12/16/21 7:59 AM, Al Iverson via mailop wrote:
> Well, I'm sure this'll be a popular opinion, but I'm giving it anyway.
> Maybe let's try not to do something that'll screw up that college
> kid's life forever over their bit of stupidity. It's wrong, they
> shouldn't be doing it, but it's not for commercial gain, and the
> amount of bad mail being sent here in comparison to the amount of bad
> mail being sent by others is .1%. If I had a top ten list of
> spam problems I cared about, this would be #14, barely.


While I know what you mean, I think the reason people are up in arms 
about it is that it's not solely a spam problem.


This researcher is impersonating a customer of our various services, 
then asking questions about how we all handle legally required 
disclosures for that customer. If it were a real customer and we sent 
the wrong answer, that has legal and financial implications. It can't 
just be deleted like most spam.


When my staff originally received it, they didn't know how to handle it. 
Although they knew we take legal requirements seriously, they couldn't 
find any records related to the supposed person asking the question, so 
I then spent 30 minutes trying to locate "Anna Roland, [...] a resident 
of San Francisco, California" in our records, composing a helpful reply, 
and so on. This is a very poor use of my time, and the upshot is that 
the researcher tricked me into spending time participating in their study.


Imagine if I impersonated an ethics committee member and sent messages 
to these professors, asking how they handle complaints, in a way that 
required an answer so as to not jeopardize their jobs. I doubt they'd be 
happy when they discovered the impersonation.


--
Robert L Mathews, Tiger Technologies, http://www.tigertech.net/


Re: [mailop] Ethics Complaint to Princeton (was: Privacy research spam apparently from a grad student at Princeton)

2021-12-16 Thread yuv via mailop
On Thu, 2021-12-16 at 12:13 -0500, John Levine via mailop wrote:
> It appears that Al Iverson via mailop  said:
> > 
> > Maybe let's try not to do something that'll screw up that college
> > kid's life forever over their bit of stupidity.
>
> I'm not worried about the kid.  I'm worried that his department and
> the university's IRB
> thinks that sending pretextual spam is OK.

Indeed supervision is the problem here, and the kid is currently being
sent straight onto a F*book style ethics trajectory.  The goal is to
get the supervisors' attention, not to play whack-a-mole with every kid
that will come after this one.

--
Yuval Levy, JD, MBA, CFA
Ontario-licensed lawyer




Re: [mailop] Ethics Complaint to Princeton (was: Privacy research spam apparently from a grad student at Princeton)

2021-12-16 Thread Larry M. Smith via mailop

On 12/16/2021, Al Iverson via mailop wrote:
> On Thu, Dec 16, 2021 at 9:48 AM Larry M. Smith via mailop
>  wrote:
> >
> > On 12/15/2021, Anne P. Mitchell, Esq. via mailop wrote:
> > > FYI, I have sent my own letter, with my full signature (same one as below), to
> > > Princeton, including cc:ing the dept. chair, the abuse department, and the
> > > legal department.  I do hope you send yours, and soon, as it would be a good
> > > 1-2 punch.
> >
> > It would appear that other punches are being thrown elsewhere;
> >
> > https://www.spamhaus.org/sbl/query/SBL538721
>
> Well, I'm sure this'll be a popular opinion, but I'm giving it anyway.
> Maybe let's try not to do something that'll screw up that college
> kid's life forever over their bit of stupidity. It's wrong, they
> shouldn't be doing it, but it's not for commercial gain, and the
> amount of bad mail being sent here in comparison to the amount of bad
> mail being sent by others is .1%. If I had a top ten list of
> spam problems I cared about, this would be #14, barely.
>
> Not every annoying gnat needs a nuclear missile response. (Quite
> possibly, few-to-none of them do.)
>
> I'm getting a deja vu feeling from when somebody tried to get my
> friend thrown out of college 25 years ago for doing open relay testing
> after being told to stop. In both cases, what the person was doing was
> stupid, but the response was way over the top. That was dumb then and
> this is dumb now.



I feel that it's a bit different, as a quick google search shows 
discussion on this spam eight months ago, and then it dies down.  I 
would suggest that they were put on notice back around April that this 
was questionable behavior, and yet they decided to start it back up.


I also don't believe that anyone here is going after the student, but 
instead pointing out to Princeton (and its staff) that this is 
unacceptable behavior.


--
SgtChains




Re: [mailop] Ethics Complaint to Princeton (was: Privacy research spam apparently from a grad student at Princeton)

2021-12-16 Thread John Levine via mailop
It appears that Al Iverson via mailop  said:
>On Thu, Dec 16, 2021 at 9:48 AM Larry M. Smith via mailop
> wrote:
>>
>> On 12/15/2021, Anne P. Mitchell, Esq. via mailop wrote:
>> > FYI, I have sent my own letter, with my full signature (same one as
>> > below), to Princeton, including cc:ing the dept. chair, the abuse
>> > department, and the legal department.  I do hope you send yours, and soon, as
>> > it would be a good 1-2 punch.
>> >
>>
>> It would appear that other punches are being thrown elsewhere;
>>
>> https://www.spamhaus.org/sbl/query/SBL538721
>
>Well, I'm sure this'll be a popular opinion, but I'm giving it anyway.
>Maybe let's try not to do something that'll screw up that college
>kid's life forever over their bit of stupidity. It's wrong, they
>shouldn't be doing it, but it's not for commercial gain, and the
>amount of bad mail being sent here in comparison to the amount of bad
>mail being sent by others is .1%. If I had a top ten list of
>spam problems I cared about, this would be #14, barely.

I'm not worried about the kid.  I'm worried that his department and the 
university's IRB
thinks that sending pretextual spam is OK.

R's,
John


Re: [mailop] Ethics Complaint to Princeton (was: Privacy research spam apparently from a grad student at Princeton)

2021-12-16 Thread Al Iverson via mailop
On Thu, Dec 16, 2021 at 9:48 AM Larry M. Smith via mailop
 wrote:
>
> On 12/15/2021, Anne P. Mitchell, Esq. via mailop wrote:
> > FYI, I have sent my own letter, with my full signature (same one as below), 
> > to Princeton, including cc:ing the dept. chair, the abuse department, and 
> > the legal department.  I do hope you send yours, and soon, as it would be a 
> > good 1-2 punch.
> >
>
> It would appear that other punches are being thrown elsewhere;
>
> https://www.spamhaus.org/sbl/query/SBL538721

Well, I'm sure this'll be a popular opinion, but I'm giving it anyway.
Maybe let's try not to do something that'll screw up that college
kid's life forever over their bit of stupidity. It's wrong, they
shouldn't be doing it, but it's not for commercial gain, and the
amount of bad mail being sent here in comparison to the amount of bad
mail being sent by others is .1%. If I had a top ten list of
spam problems I cared about, this would be #14, barely.

Not every annoying gnat needs a nuclear missile response. (Quite
possibly, few-to-none of them do.)

I'm getting a deja vu feeling from when somebody tried to get my
friend thrown out of college 25 years ago for doing open relay testing
after being told to stop. In both cases, what the person was doing was
stupid, but the response was way over the top. That was dumb then and
this is dumb now.

Regards,
Al Iverson


-- 
Al Iverson / Deliverability blogging at www.spamresource.com
Subscribe to the weekly newsletter at wombatmail.com/sr.cgi
DNS Tools at xnnd.com / (312) 725-0130 / Chicago (Central Time)


Re: [mailop] Ethics Complaint to Princeton (was: Privacy research spam apparently from a grad student at Princeton)

2021-12-16 Thread yuv via mailop
Direct note just sent to Jonathan Mayer 
below.  Letter to the Office of the Dean of the Faculty at Princeton
University will follow later.


Dear Jonathan:

I am a lawyer with an interest in online privacy.  You are named as a
"team member" on ;.

While writing a polite note trying to understand how your name can be
associated with an initiative that seems to be so out of character with
your impressive and admirable profile, I received notice of your
generic response to Anne P. Mitchell on the subject, in which you
characterize this part of the study as "requesting information from
websites" and generally state your openness to answer questions. [1]

With all due respect, your characterization omits the most important of
the many problematic aspects of the research: the fraudulent and
possibly illegal (I am not licensed to practice in the US but have been
told that CAN-SPAM applies) information requests end up on the desk of
an individual person and that individual person is thus involuntarily
enrolled as research subject without meaningful consent.  Can you see
this point of view?

A letter to the Office of the Dean of the Faculty at Princeton
University is in preparation and will be sent out later today. [2]

At this point, the only question that may influence the content of that
letter is:  are the researchers responsible for the harvesting of email
addresses and the sending of fraudulent GDPR/CCPA requests willing to
suspend immediately all harvesting and emailing activity, pending
ethical review; and engage with the community on a redesign of their
harmful data collection practice?

[1] 

[2] 

Sincerely,
-- 
Yuval Levy, JD, MBA, CFA
Ontario-licensed lawyer



Re: [mailop] Ethics Complaint to Princeton (was: Privacy research spam apparently from a grad student at Princeton)

2021-12-16 Thread Larry M. Smith via mailop

On 12/15/2021, Anne P. Mitchell, Esq. via mailop wrote:
> FYI, I have sent my own letter, with my full signature (same one as below), to
> Princeton, including cc:ing the dept. chair, the abuse department, and the
> legal department.  I do hope you send yours, and soon, as it would be a good
> 1-2 punch.



It would appear that other punches are being thrown elsewhere;

https://www.spamhaus.org/sbl/query/SBL538721


--
SgtChains


Re: [mailop] Ethics Complaint to Princeton (was: Privacy research spam apparently from a grad student at Princeton)

2021-12-16 Thread yuv via mailop
I was writing a nice direct note to Jonathan following Hal Murray's
lead when this email arrived.  Obviously too late to be nice.  I will
still send it out as a heads up, but I will also finish the Research
Misconduct letter and mail it out this afternoon.  After reading
Jonathan's profile, I find this so out of character, I wonder what his
explanation is.

Updates follow, thanks for your patience.  English is my fifth language
and when I have to write something important I am slower than I would
like to be, sorry.

On Thu, 2021-12-16 at 07:54 -0700, Anne P. Mitchell, Esq. via mailop
wrote:
> As a follow-up to my letter, I received the following:
> 
> > Thank you for reaching out about our research on the European Union
> > General Data Protection Regulation (GDPR) and the California
> > Consumer Privacy Act (CCPA). A component of the study involves
> > requesting information from websites about how they have
> > implemented the consumer data access provisions of the GDPR and the
> > CCPA. Both the GDPR and CCPA provide for these types of information
> > requests. We would be glad to answer any questions you have about
> > the study goals, methods, and safeguards, and we welcome any
> > additional feedback you would like to provide.
> > 
> > Sincerely,
> > Jonathan
> 
> That was really the wrong response.  I responded explaining *exactly*
> how they are in violation of U.S. Federal law (CAN-SPAM), and I cc:ed
> the chair of the compsci department, and Princeton's general legal
> counsel.  If you are going to send something, please let it be soon
> so as to make clear that I'm not a single cartoony voice crying in
> the wilderness.
> 
> FWIW, here is the section of CAN-SPAM of which they are in violation:
> 
> ‘‘§1037. Fraud and related activity in connection with electronic
> mail
> 
> ‘‘(a) IN GENERAL.—Whoever, in or affecting interstate or foreign
> commerce, knowingly —
> 
> ‘‘(2) uses a protected computer to relay or retransmit multiple
> commercial electronic mail messages, with the intent to deceive or
> mislead recipients, or any Internet access service, as to the origin
> of such messages,
> ‘‘(3) materially falsifies header information in multiple commercial
> electronic mail messages and intentionally initiates the transmission
> of such messages,
> ‘‘(4) registers, using information that materially falsifies the
> identity of the actual registrant, for five or more electronic
> mail accounts or online user accounts or two or more domain names,
> and intentionally initiates the transmission of multiple commercial
> electronic mail messages from any combination of such accounts or
> domain names, or
> 
> ...shall be punished as provided in subsection (b).
> 
> ‘‘(2) a fine under this title, imprisonment for not more than 3
> years, or both, if—
> 
> ‘‘(A) the offense is an offense under subsection (a)(1); ‘‘(B) the
> offense is an offense under subsection (a)(4)
> and involved 20 or more falsified electronic mail or online user
> account registrations, or 10 or more falsified domain name
> registrations;
> ‘‘(C) the volume of electronic mail messages transmitted in
> furtherance of the offense exceeded 2,500 during any 24-hour period,
> 25,000 during any 30-day period, or 250,000 during any 1-year period;
> ‘‘(D) the offense caused loss to one or more persons aggregating
> $5,000 or more in value during any 1-year period;
> ‘‘(E) as a result of the offense any individual committing the
> offense obtained anything of value aggregating $5,000 or more during
> any 1-year period; or
> ‘‘(F) the offense was undertaken by the defendant in concert with
> three or more other persons with respect to whom the defendant
> occupied a position of organizer or leader;
> 
> ---
> 
> Anne
> 
> Anne P. Mitchell,  Attorney at Law
> Author: Section 6 of the Federal CAN-SPAM Law
> Board of Directors, Denver Internet Exchange
> Professor Emeritus, Lincoln Law School
> Chair Emeritus, Asilomar Microcomputer Workshop
> Former Counsel: MAPS Anti-Spam Blacklist
-- 
--
Yuval Levy, JD, MBA, CFA
Ontario-licensed lawyer
https :// moneylaw.ca
Tel: 519.488.1783 (does not receive MMS)
Tel: 1.844.234.5389
Fax: 1.888.900.5709
2201-323 Colborne Street
London, ON N6B 3N8



Re: [mailop] Ethics Complaint to Princeton (was: Privacy research spam apparently from a grad student at Princeton)

2021-12-16 Thread Anne P. Mitchell, Esq. via mailop
As a follow-up to my letter, I received the following:

> Thank you for reaching out about our research on the European Union General 
> Data Protection Regulation (GDPR) and the California Consumer Privacy Act 
> (CCPA). A component of the study involves requesting information from 
> websites about how they have implemented the consumer data access provisions 
> of the GDPR and the CCPA. Both the GDPR and CCPA provide for these types of 
> information requests. We would be glad to answer any questions you have about 
> the study goals, methods, and safeguards, and we welcome any additional 
> feedback you would like to provide.
> 
> Sincerely,
> Jonathan

That was really the wrong response.  I responded explaining *exactly* how they 
are in violation of U.S. Federal law (CAN-SPAM), and I cc:ed the chair of the 
compsci department, and Princeton's general legal counsel.  If you are going to 
send something, please let it be soon so as to make clear that I'm not a single 
cartoony voice crying in the wilderness.

FWIW, here is the section of CAN-SPAM of which they are in violation:

‘‘§1037. Fraud and related activity in connection with electronic mail

‘‘(a) IN GENERAL.—Whoever, in or affecting interstate or foreign commerce, 
knowingly —

‘‘(2) uses a protected computer to relay or retransmit multiple commercial 
electronic mail messages, with the intent to deceive or mislead recipients, or 
any Internet access service, as to the origin of such messages,
‘‘(3) materially falsifies header information in multiple commercial electronic 
mail messages and intentionally initiates the transmission of such messages,
‘‘(4) registers, using information that materially falsifies the identity of 
the actual registrant, for five or more electronic
mail accounts or online user accounts or two or more domain names, and 
intentionally initiates the transmission of multiple commercial electronic mail 
messages from any combination of such accounts or domain names, or

...shall be punished as provided in subsection (b).

‘‘(2) a fine under this title, imprisonment for not more than 3 years, or both, 
if—

‘‘(A) the offense is an offense under subsection (a)(1); ‘‘(B) the offense is 
an offense under subsection (a)(4)
and involved 20 or more falsified electronic mail or online user account 
registrations, or 10 or more falsified domain name registrations;
‘‘(C) the volume of electronic mail messages transmitted in furtherance of the 
offense exceeded 2,500 during any 24-hour period, 25,000 during any 30-day 
period, or 250,000 during any 1-year period;
‘‘(D) the offense caused loss to one or more persons aggregating $5,000 or more 
in value during any 1-year period;
‘‘(E) as a result of the offense any individual committing the offense obtained 
anything of value aggregating $5,000 or more during any 1-year period; or
‘‘(F) the offense was undertaken by the defendant in concert with three or more 
other persons with respect to whom the defendant occupied a position of 
organizer or leader;

---

Anne

Anne P. Mitchell,  Attorney at Law
Author: Section 6 of the Federal CAN-SPAM Law
Board of Directors, Denver Internet Exchange
Professor Emeritus, Lincoln Law School
Chair Emeritus, Asilomar Microcomputer Workshop
Former Counsel: MAPS Anti-Spam Blacklist


Re: [mailop] Ethics Complaint to Princeton (was: Privacy research spam apparently from a grad student at Princeton)

2021-12-15 Thread Hal Murray via mailop
> Professor Jonathan Mayer

A direct note may shortcut a few layers of bureaucracy.

He has both a Ph.D. in computer science and a J.D. from Stanford.
  https://cyberlaw.stanford.edu/about/people/jonathan-mayer
  https://en.wikipedia.org/wiki/Jonathan_Mayer

I don't know him personally, but I think of him as a good-guy.  I started 
paying attention when he did great work on phone metadata back in the Snowden 
days.

-- 
These are my opinions.  I hate spam.





Re: [mailop] Ethics Complaint to Princeton (was: Privacy research spam apparently from a grad student at Princeton)

2021-12-15 Thread Brielle via mailop
I’ll throw my signature on something like this too, as a former DNSbl operator. 
 Just keep me in the loop.

It’s nice to see the community working together to deal with incidents as a 
single voice.  Shows that we still all have common goals even if we don’t 
always see eye to eye on everything.

Sent from my iPhone

> On Dec 15, 2021, at 5:15 PM, yuv via mailop  wrote:
> 
> On Wed, 2021-12-15 at 08:53 -0700, Grant Taylor via mailop wrote:
>> I feel like the student and the 
>> professor / powers that be which approved this study should be clued 
>> into the costs of the research on the rest of the world.
> 
> +1
> 
> https://dof.princeton.edu/policies-procedure/policies/research-misconduct

[mailop] Ethics Complaint to Princeton (was: Privacy research spam apparently from a grad student at Princeton)

2021-12-15 Thread yuv via mailop
On Wed, 2021-12-15 at 08:53 -0700, Grant Taylor via mailop wrote:
> I feel like the student and the 
> professor / powers that be which approved this study should be clued 
> into the costs of the research on the rest of the world.

+1

https://dof.princeton.edu/policies-procedure/policies/research-misconduct

If enough mailops, preferably representing large corporate names that
donate money to Princeton (hint), are interested to co-operate and
ultimately co-sign a letter to Princeton along the following lines, I
volunteer to circulate and update a draft until there is a reasonable
mass of signatories / consensus; and to send it on law office
letterhead to the responsible dean at:

Office of the Dean of the Faculty
Princeton University
9 Nassau Hall, Princeton, NJ 08544-5264
Phone: 609-258-3020
Fax: 609-258-2168
Email: d...@princeton.edu

IMHO this is an important issue that transcends this individual
spamming instance.  The student's dandy attitude did not originate in a
vacuum and while some universities such as Harvard and Stanford are at
the forefront of addressing the (lack of) ethics in IT [1], it is
obvious that others still need some prodding.  The design does not come
near to the complexity of real IT ethics questions such as who should a
self-driving car sacrifice in case of an inevitable collision with
predictable casualties.  The ethical questions raised are of the
traditional kind: how does the researcher interact with the subject of
their research.  This researcher and his supervisors have failed
completely, in a way that shines a negative light on Princeton and
should not go unpunished.

It is generally uncontroversial that co-opting subjects into academic
research is unethical.  Where persons capable of consent are the
intended subject of academic research, it is accepted practice to
obtain informed consent before enrolling them into the research.  In
this case, consent was not obtained at all and information was
intentionally falsified, obfuscated, and withheld.
* The opt-out is only offered after the involuntary enrollment has
occurred, and on a difficult to find, seemingly unrelated site [2].
* The researcher has knowingly obfuscated the identity of the sender,
used false or stolen identities and bogus domains.
* No meaningful information about the research was provided to the
unwitting subjects before, during, or after the involuntary enrollment.
* The information available when trying to investigate, from "official
source" [2] as well as from the affected community [3] is incomplete at
best.
* Apparently the researcher has been made aware and has not done
anything but further obfuscating between April [3] and December.

In my view, co-opting websites and email addresses through harvesting
and spamming is equivalent to co-opting persons capable of consent.
Behind each and every one of the harvested email addresses there are
persons and ultimately a responsible individual that had to deal with
the threatening content of the emails.  Based on anecdotal feedback
[3], receipt of the email has caused a great deal of uncertainty,
anxiety and fear in addition to the economic harm of the spam that
became subject of expert investigation in an attempt to mitigate the
fallout for our systems and our email recipients [4].  It has a negative
effect on the operators of email systems signed below; on their user
communities; and frankly also on Princeton's reputation.  Has
Princeton given permission to the use of its name as part of the bogus
domain names?

The way this study was designed raises questions about the ethics, but
also the intellectual integrity of the researcher.  His reaction when
made aware of the shortcomings was intellectually dishonest.  We trust
that your investigation in the matter will find whether his supervisors
were party to this dishonesty, or whether this continued harassment is
the result of a single, rogue, element in your university.  In either
case, in my view those responsible deserve to be disciplined and I do
not exclude the possibility of a class action if Princeton does not
take satisfactory corrective and punitive actions.

Apparently, Princeton's Research Integrity and Assurance (RIA) has been
recently informed and has said they'll check and get back on the matter
to the informer. [5] The same informer has received a reply from the
researcher that points to either the researcher not being aware of
RIA's involvement, or having been cleared by it [6].  

The researcher's conduct goes beyond negligence.  He has displayed
willful blindness when expert system operators alerted him to the
negative effects of his conduct and tried to engage in constructive
criticism.  The email's text, the fake identities, the obfuscated
domains, all point to intentionally raising the fear factor in a way
unsavoury spammers typically do to force answers from recipients that
would normally ignore their requests.  While I am myself curious about
how website operators handle GDPR or