Princeton study tricked small websites into thinking they were about to be sued by a Russian organization

Originally published at: Princeton study tricked small websites into thinking they were about to be sued by a Russian organization | Boing Boing

…

Somewhere in Nigeria a Prince is laughing.

We’re totally mad that you asked four completely legitimate questions!

THE SYSTEM WORKS !!1!

And knowingly wasted a shit-ton of time and money that wasn’t yours.

If the research was funded, the budget should have included reimbursement for legal expenses of the test subjects.

There is also a huge problem for the researcher that this was psychological research performed without subject consent.

I hope that sincere apology isn’t the only thing the inevitable class-action lawsuit is going to squeeze out of this feckless researcher.

I don’t think it’s the questions that the problem but rather how they were asked. If the researchers had reached out as they were instead of pretending to be someone else, I doubt that would have been an issue.

and im sure they knew no one would respond to them if they said who they really were. super shady

dunno what my response would have been. please resubmit your questions by certified mail?

It also pretty much violates generally accepted guidelines for conducting research in academia.

But hey… it’s one of the most prestigious universities in Amurica, so I’m sure it’s on the up and up… /s

Sometimes researchers can be remarkably stupid/unethical. My favorite modern example is an economy study to see how a cash reward affected students willingness to participate in a demonstraction in Hong Kong. Bad on so many levels.

And so Princeton furthers its plan to be jerks to everyone involved in computing…

Did they get IRB approval for the study? And were participants provided informed consent?

If they can’t prove you received the email, why bother replying to it?

Princeton U legal representative… identified.

Whats IRB?

Institutional Review Board.

We should add that to the manual.

lol! Thanks, but I have enough irons in the fire without adding that to my CV!

Given the responses to my original message, I was apparently imprecise in the point I was trying to make. I should know better by now than to make short, sarcastic replies here.

If you run a website that is covered by the CCPA, and you have not considered these questions, you are potentially putting yourself in legal peril. While I live in the EU, I have websites hosted by a provider in California, that provide services (though not physical goods) to California residents. I also have canned responses, vetted by our lawyer, to these very questions, which, again, are perfectly legitimate.

While Princeton’s implementation of this as a survey might be questionable, I probably wouldn’t have given it a second thought and just replied with our usual bunch of canned answers. Realistically, they do not apply to any of our hobbyist sites; the CCPA compliance thresholds are quite high, both for revenue or total number of users.

My answers:

1. No. Please see California Code of Regulations, Title 18, section 17014, for the legal definition of a California resident. This is the definition used by the CCPA, California Civil Code (CCC) section 1798.140(g).

2. Via email. We also have general canned responses on each of our covered websites. Please follow the link from the menu of the website you are inquiring about: About Us → Privacy Policy → California Residents. We do not provide a toll-free number as mentioned in the statute because we have no compliance employees nor a physical office in the United States. If you require telephone contact, we can provide the telephone number of our US attorney, but you must specifically request that, and it is not toll-free.

3. We require your full legal name and your verifiable California address, the email address you used to register with our site(s), your current email address if it is different, your username on our site(s), and for which of our site(s) you are requesting CCPA information.

4. That depends on the nature of your business relationship with us, and whether you have purchased goods or services from us. Generally speaking, we provide all information required by California Civil Code, Section 1798.115.

As you’re probably aware, we have a similar though somewhat more extensive data protection law here in Europe: the General Data Protection Regulation (GDPR) which I believe the CCPA is partially based on. These kinds of requests are quite common here. The GDPR also provides rights for consumers, including mechanisms for verifying compliance, especially related to privacy and the release of data to third parties. Alas, the CCPA lacks the right of erasure, one of the important features of the GDPR.

Here, we are required to have a Data Protection Officer (DPO) whose role is to both monitor compliance and respond to this kind of request. That’s generally a role that is included with other specific roles in our overall Compliance Department. That’s necessary-- like the CCPA, the GDPR provides significant legal and financial penalties for non-compliance.

Small websites that receive CCPA requests like this can discover the requirements with a mere moment on Wikipedia or couple of minutes of Googling for the actual statute. They could respond to this request with one sentence: “The website you have inquired about does not meet the minimum threshold for CCPA compliance.” Boom, done. I doubt that tedium.co comes close to the required thresholds, and I feel that this is something of a tempest in a teapot.

How the hell did the university’s review board approve this? It has the obvious potential to cause harm to non-voluntary human participants.

This is a legitimate and much needed study. I’ve lost count of how many places I’ve written to under the GDPR asking to get my data removed that have not bothered to respond. Referring every single case to the ICO (https://ico.org.uk/) takes effort, so I’m glad someone is doing it instead of me.

I am very happy researchers are forcing companies to consider these questions - it saves me effort.

I guess Princeton is okay with security PEN testing without prior notification?