Princeton apologizes for threatening emails

neverendingmidi

I have to admit I don't know what the original emails sent out looked like, but apparently the "study" consisted of sending out official looking threatening legal emails to websites and people and seeing how they responded. I wonder if @Null got one? Well, apparently it pissed a lot of people off. (Archive)

Here's the full post:


If you received an email message from one of the domains listed below, please disregard it.
  • envoiemail.fr
  • novatormail.ru
  • potomacmail.com
  • princetondmarcstudy.org
  • princetonprivacystudy.org
  • yosemitemail.com
We will delete all messages sent to those domains on December 31, 2021.

Princeton-Radboud Study on Privacy Law Implementation

Update 3 (Tuesday, December 21 @ 7:40pm): Added an update from the Principal Investigator. Updated FAQs about no additional emails and deletion of study data. Updated contact information for the research team.

Update 2 (Saturday, December 18 @ 11:30pm): Added a note from the Principal Investigator below. Added a note above to disregard emails from domains listed.

Update 1 (Friday, December 17 @ 7pm): Added an FAQ below.

We are a team of computer science researchers at Princeton University and Radboud University, conducting an academic study of how online services have implemented the European Union General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

As part of the study, we are asking public websites about their processes for responding to GDPR and CCPA data access requests. We attempt to identify a website's correct email address for data access requests through an automated system. While we have evaluated the system to confirm that it has high accuracy, some emails may be incorrectly directed to a website or email address.

We are sending emails related to this study from the following single-purpose domains:

Please contact the study team at privacystudy@lists.cs.princeton.edu if you have any questions or concerns. The members of the study team are Ross Teixeira and Professor Jonathan Mayer (the Principal Investigator) at the Princeton University Center for Information Technology Policy, and Professor Gunes Acar at the Radboud University Digital Security Group.

Note from Jonathan Mayer, the Principal Investigator (Saturday, December 18 @ 11:30pm)

Hi, my name is Jonathan Mayer. I’m the Principal Investigator for this academic research study. I have carefully read every single message sent to our research team, and I am dismayed that the emails in our study came across as security risks or legal threats. The intent of our study was to understand privacy practices, not to create a burden on website operators, email system operators, or privacy professionals. I sincerely apologize. I am the senior researcher, and the responsibility is mine.

The touchstone of my academic and government career, for over a decade, has been respecting and empowering users. That’s why I study topics like web tracking, dark patterns, and broadband availability, and that’s why I launched this study on privacy rights. I aim to be beyond reproach in my research methods, both out of principle and because my work often involves critiquing powerful companies and government agencies. In this instance, I fell short of that standard. I take your feedback to heart, and here is what I am doing about it.

First, our team will not send any new automated inquiries for this study. We suspended sending on December 15, and that is permanent.

Second, our team is prioritizing a possible one-time follow-up email to recipients, identifying the academic study and recommending that they disregard the prior email. If that is feasible, and if experts in the email operator community agree with the proposal, we will send the follow-up emails as expeditiously as possible.

Third, I will use the lessons learned from this experience to write and post a formal research ethics case study, explaining in detail what we did, why we did it, what we learned, and how researchers should approach similar studies in the future. I will teach that case study in coursework, and I will encourage academic colleagues to do the same. While I cannot turn back the clock on this study, I can help ensure that the next generation of technology policy researchers learns from it.

Fourth, I will engage with the communities that have contacted me about this study, which have already offered valuable suggestions for future directions to simplify, standardize, and enhance transparency for GDPR and CCPA data rights processes. I very much appreciate the earnest outreach so far, and I will be reciprocating.

If you have questions or concerns about the study, please do not hesitate to reach out. I gratefully acknowledge the feedback that we have received.

Thank you for reading, and again, my sincere apologies.

Update from Jonathan Mayer, the Principal Investigator (Tuesday, December 21 @ 7:40pm)

Thank you to the website operators, email system operators, privacy professionals, academic colleagues, and all others who have reached out about our privacy rights study. I am writing to provide an update about how we are acting on the feedback that we have received.

Our top priority has been issuing a one-time follow-up message that identifies our study and that recommends disregarding prior email. We are sending those messages.

We have also received consistent feedback encouraging us to promptly discard responses to study email. We agree, and we will delete all response data on December 31, 2021.

Please do not hesitate to reach out with further questions or concerns, and I again offer my heartfelt apologies for the burdens caused by this study.

Frequently Asked Questions

  • What are the goals of this research study?
    The study aims to advance understanding of how websites have implemented the data rights provisions of European Union and California privacy law, specifically the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
    Our goals are to accurately describe how websites have operationalized these new user rights, whether websites are extending these rights to non-EU citizens and non-California residents, and whether websites are effectively authenticating users when they exercise these rights.
  • Why does this study involve contacting websites?
    Very few websites post details of their processes for handling GDPR and CCPA requests. Both the GDPR and the CCPA contemplate users and intermediaries reaching out with questions about data rights processes, and we are using that opportunity to understand current website policies and practices.
  • When are you contacting websites for this study?
    We sent emails to websites through December 15, 2021. We are not currently sending additional emails for this study, and we will not send further emails.
  • How will you use the results from this study?
    We will publish the results of this study as academic research, with the intent of highlighting best practices for implementing GDPR/CCPA data rights and informing future policymaking about data privacy. There is no commercial component to this study. We will not identify how particular websites responded or did not respond to the emails in this study. We will delete all response data and disable inbound email to the above domains on December 31, 2021.
  • What happens if a website ignores an email that is part of this study?
    We are not aware of any adverse consequences for a website declining to respond to an email that is part of this study. We will not send a follow-up email about an email that a website has not responded to, and we will not name websites when describing email responses in our academic research.
  • How is this study contacting websites?
    The majority of websites which are covered by GDPR or CCPA provide a public email address, which users can contact to exercise their data rights (e.g., privacy@example.com, gdpr@example.com, or ccpa@example.com). We attempt to identify a website's appropriate email address through an automated system that exclusively uses publicly available information from websites, website rankings, and website categorizations. The system assigns a confidence value depending on the website, email address, webpage where the email address appeared, website ranking, and website categorization. While we have evaluated the system to confirm that it has high accuracy, some emails may be directed to an incorrect website or email address.
  • Which websites are you contacting?
    The set of websites for this study is sampled from the Tranco list of popular websites and publicly available datasets of third-party tracking websites.
  • What types of emails are associated with this study, and why are some emails sent from simulated identities?
    The study aims to understand how websites would respond to real users, while accommodating websites that may have less capacity to respond. We strike this balance by considering a website’s ranking, its categorization, the email address, the URL and content of the page where the email address appeared, and (when available from directory services) information about the business associated with the website.
    When our study system cannot confidently identify a website email address which appears appropriate for GDPR or CCPA requests, the system does not send an email.
    When the system has higher confidence that it has identified an appropriate email address, it sends a request for information that describes the study.
    When the system has even higher confidence, it sends up to several emails that simulate real user inquiries about GDPR or CCPA processes. This research method is analogous to the audit and “secret shopper” methods that are common in academic research, enabling realistic evaluation of business practices. Simulating user inquiries also enables the study to better understand how websites respond to users from different locations.
  • Did an Institutional Review Board consider this study?
    We submitted an application detailing our research methods to the Princeton University Institutional Review Board, which determined that our study does not constitute human subjects research. The focus of the study is understanding website policies and practices, and emails associated with the study do not solicit personally identifiable information.

Edit: this is apparently what the email looked like (From here, Archive):
From: Victor Coutand

Subject: Questions About CCPA Data Access Process for freeradical.zone

To Whom It May Concern:

My name is Victor Coutand, and I am a resident of Nice, France. I have a few questions about your process for responding to California Consumer Privacy Act (CCPA) data access requests:

  1. Would you process a CCPA data access request from me even though I am not a resident of California?
  2. Do you process CCPA data access requests via email, a website, or telephone? If via a website, what is the URL I should go to?
  3. What personal information do I have to submit for you to verify and process a CCPA data access request?
  4. What information do you provide in response to a CCPA data access request?
To be clear, I am not submitting a data access request at this time. My questions are about your process for when I do submit a request.

Thank you in advance for your answers to these questions. If there is a better contact for processing CCPA requests regarding freeradical.zone, I kindly ask that you forward my request to them.

I look forward to your reply without undue delay and at most within 45 days of this email, as required by Section 1798.130 of the California Civil Code.

Sincerely,

Victor Coutand
 
We are a team of computer science researchers at Princeton University and Radboud University, conducting an academic study of how online services have implemented the European Union General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
Imagine having the stones to call this "computer science research".
 
I am dismayed that the emails in our study came across as security risks or legal threats. The intent of our study was to understand privacy practices, not to create a burden on website operators, email system operators, or privacy professionals. I sincerely apologize. I am the senior researcher, and the responsibility is mine.
maybe you shouldn't have worded it that way then cunt, you can't convince me these guys were too dumb to understand what they were doing

maybe you shouldn't have worded it that way then cunt, you can't convince me these guys were too dumb to understand what they were doing
IDK what a "computer science researcher" is, but I know that after filtering out the affirmative action hires "computer scientists" are disproportionately autistic...

But, these guys are also pussies.
I look forward to your reply without undue delay and at most within 45 days of this email, as required by Section 1798.130 of the California Civil Code.
We will delete all messages sent to those domains on December 31, 2021.
If you're going to give people a 45 day threat, the least you could do is give them 45 days to send you hatemail and counter threats.

Sadly these fuckers had the sense to register their domains with whois privacy...
 
Sadly these fuckers had the sense to register their domains with whois privacy...


Ross Teixeira



Jonathan Mayer

Used to be an advisor to, guess who, Kamala Harris



GÜNEŞ ACAR

Only guy that seems to do genuine research, seems like a smart guy
 
One response
I can't open archive.fo right now

Update 2021-12-17: This is a human subject research study conducted by Princeton University and Radboud University on unwitting persons. I verged on a panic attack for nothing. People who wasted money asking lawyers for their advice on this did it for nothing. How dare you, Princeton? I didn’t give you permission to experiment on me!

I followed Princeton’s online instructions to send this letter to their Research Integrity & Assurance department:
On December 10, 2021, I received an email from a researcher, Ross Teixeira (see https://privacystudy.cs.princeton.edu) that read as though I were about to be subject to legal processes over a small social network site I operate (https://freeradical.zone). I had a minor panic attack, literally, upon receipt, as I thought I was about to be sued. I wrote about this letter at https://blog.freeradical.zone/post/ccpa-scam-2021-12/ and discovered that many of my associates had received a similar letter.

At no time did I consent to participate in this human research study conducted by Princeton. I am beyond livid that I was subject to a stressful situation, and one that very easily could have caused me to hire a lawyer and incur legal costs. I demand to be removed from this study and others like it, and I strongly suggest that this study be halted immediately.

Note: I haven’t spoken to Teixeira or his supervisors, nor will I. I’m not confident that I could remain civil when talking to the person who inflicted this on me without my permission or knowledge.
I wonder if the fact that the people who have objective damages (people who paid lawyers for nothing) and people who have lawyers have a 100% overlap is why they aborted the study and went into damage control mode. Good job IRB for not noticing that lawyer fees were one potential harm of the study, you done fucked up! :story:
 
I was hoping more for phone numbers/home addresses that would outlast them purging the domains.

I don't know what use they'd be, I know you can sign emails up for some service that autoregisters you for mailing lists but I don't know if they exist for other things... But it would feel like a "fuck you, you don't tell me when I have to respond / can't respond by"
rapt@cs.princeton.edu

jrmayer@cs.princeton.edu
(609) 258-2175

of course these are only here for legitimate contact in regards to the study, and therefore in public interest.

of course these are only here for legitimate contact in regards to the study, and therefore in public interest.
Oh yes, public interest. I don't know what those spam services are and if I did, I would only consider maybe possibly using them to save people who fell for this scam via security by obscurity or for identifying future activities by the same individuals. And even then I'd probably be too lazy to do it.
 

Jonathan Mayer

Used to be an advisor to, guess who, Kamala Harris

I almost said it earlier, after seeing the email, but I was wondering if any of these guys had ties to any kind of the pro-censorship leftist online groups and this was just a backdoor into finding ways to try and fuck with some of the websites targeted. The faggot who ran the study being a literal advisor to Harris raises my eyebrow another centimeter.

EDIT: his last two published papers...

Adapting Security Warnings to Counter Online Disinformation
Usenix Security (2021)

Identifying Harmful Media in End-to-End Encrypted Communication
Usenix Security (2021)
 
I almost said it earlier, after seeing the email, but I was wondering if any of these guys had ties to any kind of the pro-censorship leftist online groups and this was just a backdoor into finding ways to try and fuck with some of the websites targeted. The faggot who ran the study being a literal advisor to Harris raises my eyebrow another centimeter.

EDIT: his last two published papers...
unless i see proof these emails ended up in the inboxes of left leaning institutions/companies i will believe this was nothing more than an intimidation campaign masking as a study

unless i see proof these emails ended up in the inboxes of left leaning institutions/companies i will believe this was nothing more than an intimidation campaign masking as a study
Freeradicals.zone, the group mentioned in the supplied email, is a leftwing mastodon instance.

Fun fact: kiwifarms gets a mention... in their suspended servers list:
kiwifarms.cc - Literal Nazi stuff. Pediophilia advocacy.
 
Freeradicals.zone, the group mentioned in the supplied email, is a leftwing mastodon instance.

Fun fact: kiwifarms gets a mention... in their suspended servers list:
kiwifarms.cc - Literal Nazi stuff. Pediophilia advocacy.
nevermind, me dumb, me not check properly

even i know how to spell pedophilia, learned it through all those cnn scandals...
 
If you received an email message from one of the domains listed below, please disregard it.
envoiemail.fr
novatormail.ru
potomacmail.com
princetondmarcstudy.org
princetonprivacystudy.org
yosemitemail.com
So now that I'm past my initial gut reaction to hope the team was as stupid as Jann-Michael Greenburg, my next thought is Geez, that was a lot of domains to look up! Why do they need six domains to send these emails? They're only pretending to be one person, and one person needs only like... 3 email addresses, normally. (Professional-work, Professional-personal, personal).

envoiemail.fr
Translates to mailemail.fr; dumb but makes sense if they're larping as a baguette.

novatormail.ru
Odd, why would some frenchie use a .ru email? Googling that domain gets me another victim who dug deeper into the domains than I did and actually uncovered the network before the "researchers" were forced to admit the jig was up. (Only part of the network, only 2 days before the reveal). Noteworthy things from that post:
  • Some domains were registered in March. The post itself is from April.
    • Note on their FAQ they state when they stopped sending emails but not when they started. They were doing this for a long time.
  • There is a thread about this somewhere on reddit. They didn't link it but it's probably worth looking for.
  • They were using Gmail for email.
    • I just say this because I'm cheap and don't have university/DNC funding: I believe Gmail charges per email address per month, so it makes using so many domains and addresses all the more infuriating
  • The reason some people caught on to this being bad faith is because they got multiple emails with the same wording, just different sender/country of origin/law cited.
Normally I would expect to be able to easily distinguish between online scams and academic research but I guess, not any more. We are living in strange times.
🤡🤡

(I'll probably try to look up the other domains later, got lazy after that detour. Hopefully they bring up more posts about this topic)
 