Yuval this is awesome, and an awesome result!

FWIW, this is what I told Jonathan (after two previous replies/re-replies), 
yesterday morning, in part - cc:ed to the chair of the compsci department, and 
the Princeton legal department:

He wrote:

> Thank you for reaching out about our research on the European Union General 
> Data Protection Regulation (GDPR) and the California Consumer Privacy Act 
> (CCPA). A component of the study involves requesting information from 
> websites about how they have implemented the consumer data access provisions 
> of the GDPR and the CCPA. Both the GDPR and CCPA provide for these types of 
> information requests. We would be glad to answer any questions you have about 
> the study goals, methods, and safeguards, and we welcome any additional 
> feedback you would like to provide.

I responded:

That GDPR and CCPA provide for such requests is immaterial (not the least of 
which because neither is controlling law here).  You are in violation of U.S. 
Federal law, namely CAN-SPAM, which states, in relevant part:

§1037. Fraud and related activity in connection with electronic mail

(a) IN GENERAL.—Whoever, in or affecting interstate or foreign commerce, 
knowingly —

(2) uses a protected computer to relay or retransmit multiple commercial 
electronic mail messages, with the intent to deceive or mislead recipients, or 
any Internet access service, as to the origin of such messages,
(3) materially falsifies header information in multiple commercial electronic 
mail messages and intentionally initiates the transmission of such messages,
(4) registers, using information that materially falsifies the identity of 
the actual registrant, for five or more electronic mail accounts or online user 
accounts or two or more domain names, and intentionally initiates the 
transmission of multiple commercial electronic mail messages from any 
combination of such accounts or domain names, or

...shall be punished as provided in subsection (b).

(2) a fine under this title, imprisonment for not more than 3 years, or both, 
if—

(A) the offense is an offense under subsection (a)(1);
(B) the offense is an offense under subsection (a)(4) and involved 20 or more 
falsified electronic mail or online user account registrations, or 10 or more 
falsified domain name registrations;
(C) the volume of electronic mail messages transmitted in furtherance of the 
offense exceeded 2,500 during any 24-hour period, 25,000 during any 30-day 
period, or 250,000 during any 1-year period;
(D) the offense caused loss to one or more persons aggregating $5,000 or more 
in value during any 1-year period;
(E) as a result of the offense any individual committing the offense obtained 
anything of value aggregating $5,000 or more during any 1-year period; or
(F) the offense was undertaken by the defendant in concert with three or more 
other persons with respect to whom the defendant occupied a position of 
organizer or leader;

As you can see, you and your team, and your actions, fit squarely within 
several of the acts detailed above, having registered domains specifically to 
send out falsified headers and false information, claiming to be individuals 
looking for information, when in fact it is not those individuals but members 
of your team, and in fact you are doing a study, not seeking such information 
as an individual, making the entire email false and misleading.

In addition, each response you have received generated a cost to the responder 
both in terms of time and, in some cases, dollar amounts as they had to pay 
their employees, and sometimes pay legal fees, to determine how to respond.

...

I then reiterated my offer that there were many professionals in the email 
receiving and policy communities who would be happy to assist them in designing 
a method to accomplish their goal in a way that does it right and does not run 
afoul of best practices, abuse policies, and the law.

His response to the above was that CAN-SPAM didn't apply as it was academic and 
not commercial email, at which point I pointed out to him that he and I both 
knew that reasonable minds can differ on what is "commercial", and it would be 
a fun court case, but that at this point I was going to bow out and watch from 
the sidelines.  I figured with my two emails going to the department chair, and 
the legal department, and Yuval's email, someone there would hit 'pause' on it.

So, again, Yuval, well done!  We make a good 'good cop bad cop' team! ;-)

Anne

Anne P. Mitchell,  Attorney at Law
Author: Section 6 of the Federal CAN-SPAM Law
Board of Directors, Denver Internet Exchange
Professor Emeritus, Lincoln Law School
Chair Emeritus, Asilomar Microcomputer Workshop
Former Counsel: MAPS Anti-Spam Blacklist


> On Dec 17, 2021, at 7:40 AM, yuv via mailop <mailop@mailop.org> wrote:
> 
> UPDATE:
> 
> * I had waited for the answer to my direct note to Jonathan Mayer and
> fell asleep.  It arrived at 01:44 EST.  This morning I replied to him. 
> With a direct line of communication open,  the letter higher up is on
> hold.
> 
> * They are currently not sending emails and will be publishing an FAQ
> soon.  The issue that is relevant for mailop is, at least temporarily,
> defused.  The feedback I have given them with regard to the spam issue
> is that:
> 
> The study abused the mechanism created by the laws to deliver its
> questionnaire to an email address whose purpose is only to receive
> legal GDPR/CCPA requests.  Maybe, on balance, such minor abuse could be
> tolerated as an efficient, low-cost shortcut to reach the person better
> placed to answer the study's questionnaire.  However, the obfuscation
> of the sender; the use of fraudulent identities; the covert and
> indirect questions; all void any possible justification, whether the
> study does or does not constitute human subjects research.
> 
> [...]
> 
> (a) put your questions in a direct plain view survey form on the web
> instead of covering them up with hypothetical facts scenarios;
> 
> (b) identify yourself as the sender instead of using covert domains and
> false identities;
> 
> (c) use a strict opt-in logic: the first email is the last one unless
> the subject responds; and the first email has all the elements for the
> subject to make an informed consent decision.
> 
> 
> * On the big issue, the ENROLLMENT OF HUMAN SUBJECTS WITHOUT CONSENT
> into the study, I have been told that "[t]he IRB determined that our
> study does not constitute human subjects research."  I do not have the
> reasons for such determination, but this is the fault line at the
> moment.  I have offered to Jonathan my opinion that:
> 
> The IRB's determination stands corrected (of course without admitting
> fault, given the litigious contest of the land).  Behind every website
> there is an operator and in most cases, the end-operator is a human
> subject, or an organization within which a human subject bears ultimate
> responsibility for processing the study's emails.  That human deserves
> respect [Belmont Report].
> 
> In the context of GDPR/CCPA, the mechanism they create and the
> obligations and sanctions they impose, the study as designed resulted
> in the ENROLLMENT OF HUMAN SUBJECTS WITHOUT CONSENT.
> 
> It is work in progress.  I am trying to identify who at Princeton would
> be the optimal recipient of my letter.  A Researcher Misconduct
> Complaint to the DoF would only deal with the individual researcher's
> integrity and would not prevent the IRB from making further misguided
> decisions on the coerced enrollment of humans.  At this time I am not
> seeking to punish the researchers.  I wait to see how the dialog with
> Jonathan unfolds.
> 
> 
> On Thu, 2021-12-16 at 22:10 -0700, Grant Taylor via mailop wrote:
>> I don't buy the silly mistake.  Not the second time around.
> [...]
>> But the fact that the student repeated the action and apparent lack
>> of caring completely negates both "silly" and "mistake" in my head.
> 
> https://en.wikipedia.org/wiki/Three-strikes_law
> 
> 
> --
> Yuval Levy, JD, MBA, CFA
> Ontario-licensed lawyer
> 
> 
> _______________________________________________
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop
