Many many moons ago I was a student. I was doing a research postgraduate degree in the University of Limerick. A lot of my friends at the time were in academia. Most of them were also doing research. So I have an understanding of how academic research works.
Fraudulently misrepresenting yourself is not acceptable in any academic context that I’m aware of. In fact many universities have honour codes of various styles that all students are bound to. Breach them and you could find yourself being ejected from the university.
However some people seem to think that these kind of rules don’t apply to them. They seem to think that ethics are an obstacle that they can happily ignore. They seem to ignore the consequences of their actions.
Back in 2018 the European Union enacted the GDPR (General Data Protection Regulation). It’s why we all got those emails from various companies in the run up to May 2018 asking us all to confirm that we were “okay” with getting emails from various companies in the future. (We took a slightly different approach) GDPR introduces some quite hefty fines. If a business fails to meet its obligations it can end up costing them dearly. So pretty much all businesses have had to ramp up internal and external resources for dealing with data protection and privacy.
Since May 2018 a lot of businesses, both large and small, have received lots of requests about user data. There are strict timelines that the business has to adhere to when responding so those queries are taken very seriously. And of course the replies need to be cogent.
So when a company gets a query about GDPR or a data subject access request or anything with even the vaguest whiff of GDPR off it they are going to take that query pretty seriously.
That is reality.
Anyone who knows anything about data privacy and data protection knows about all this. Nothing I’ve written is new. This is not a revelation. This is merely a repetition of what many of us have been dealing with for the last number of years.
Oddly, however, this all seems to be a bit foreign to a postgrad student in Princeton who decided that it was “perfectly okay” to send out hundreds if not thousands of misleading email queries to people and companies across the globe.
We got one a few days ago and it was decidedly odd.
To Whom It May Concern: My name is xxxx xxx, and I am a resident of Nice, France. I have a few questions about your process for responding to California Consumer Privacy Act (CCPA) data access requests: 1. Would you process a CCPA data access request from me even though I am not a resident of California? 2. Do you process CCPA data access requests via email, a website, or telephone? If via a website, what is the URL I should go to? 3. What personal information do I have to submit for you to verify and process a CCPA data access request? 4. What information do you provide in response to a CCPA data access request? To be clear, I am not submitting a data access request at this time. My questions are about your process for when I do submit a request. Thank you in advance for your answers to these questions. If there is a better contact for processing CCPA requests regarding blacknight.com, I kindly ask that you forward my request to them. I look forward to your reply without undue delay and at most within 45 days of this email, as required by Section 1798.130 of the California Civil Code. Sincerely, xxx xxx
We are an Irish company. The person contacting us is French. The query doesn’t make any sense. But the language they use in the request is also quite specific and there’s that “lovely” thinly veiled threat about a 45 day time limit.
Fortunately for us we’re used to dealing with most of these kind of queries so we replied briefly and didn’t think too much more about it. However I hadn’t forgotten about it.
A couple of days later while reading the IAPP mailing lists I saw several people talking about receiving the same odd requests and somebody had managed to track down the source.
I have so many issues with this I don’t even know where to begin. I know from talking to several privacy professionals that their clients had contacted them about these emails so this “study” cost small businesses, both in terms of time, money and stress.
First off the “geniuses” behind this study think they’re contacting websites. Now I know AI has come along leaps and bounds over the past few years, but websites don’t run themselves. People do. Every single GDPR (or CCPA) request has to be manually reviewed and responded to by a human being. Trying to rationalise this rubbish by saying it was aimed at website not people is so incredibly dumb that I have no polite words to describe how I feel.
Secondly the fraud and deception in how this was done is at a level that makes my head hurt.
The emails were sent with bogus names and personas. The names aren’t real, the people aren’t either. Apparently there were at least 3 or 4 different versions of the email sent with the focus on CCPA or GDPR and the nationality of the sender varying.
Nobody was told that the emails were part of a “study”. We get emails from researchers all the time. It’s quite common. Some are academic, some are from various government agencies, others are commercial. It’s not at all strange to get a request to assist with some research. Sometimes it’s pretty clear that there’s a benefit to us from responding like when we answer queries from the local chamber of commerce. But in all cases we know who is asking us and why.
The website I linked to above has now been updated to include a sort of apology from the main academic behind this junk. It reads like the kind of grudging half apology that the legal department signed off on under duress. It does not sound or feel genuine.
Princeton is supposedly one of the best universities in the world, yet it’s very clear from the way they’ve handled this that they feel they are entitled to spew their rubbish across the internet and let everyone else deal with the mess.
This paragraph from the “apology” sums up the problem in my eyes:
Third, I will use the lessons learned from this experience to write and post a formal research ethics case study, explaining in detail what we did, why we did it, what we learned, and how researchers should approach similar studies in the future. I will teach that case study in coursework, and I will encourage academic colleagues to do the same. While I cannot turn back the clock on this study, I can help ensure that the next generation of technology policy researchers learns from it.
I’m sorry, but on what planet is sending out thousands of emails using fake identities NOT ethically problematic? On what planet is using us all as lab rats in your experiment without our knowledge or consent ever acceptable?
Do you honestly think that anyone with a modicum of common sense would do something as incredibly dumb as this?
What really confuses me is that some people are lapping up this hamfisted and weak apology.
I’m not alone in being annoyed about this entire mess. See here, here and here.
Simon Woodworth says
I like to think that UCC’s ethics committees would should down this level of weapons-grade fuckery before it ever leaves the institution. What Princeton (and UMN before it) should realise is that this sort of sloppy ethical control is a stain on their reputations.
Michele Neylon says
I’d hope that most universities wouldn’t tolerate this kind of behaviour nor create an environment where anyone would even consider trying it.