Perhaps you're making an assumption that "normal citizens" receive legal threats regularly? I can count the legal threats I've received on one hand, and I can assure you the days following them were, unfortunately, quite unpleasant (fortunately nothing came of it).
Stress aside, part of the problem is the very real possibility of a subject wasting money on hiring a lawyer.
Does this qualify as a legal threat? It just seems like a reminder of existing laws, like one sees in all manner of contracts or Terms of Service. Like the "you are obligated to pay within X days" you see on your credit card statements.
Or even if there is a legal threat, do you take it seriously unless you know the source? People regularly get calls saying they are in violation of tax law and must pay.
Maybe not "officially", if such a bright line exists. But in practice, a "reminder" of a law including a legal citation and phrases such as "without undue delay" will be interpreted as a threat in many circles. Whether or not it will be seen as a credible threat is a function of the recipient's risk tolerance, prior experience, familiarity with legal processes, etc. Hiring a lawyer ($$$) isn't out of the question if the recipient is unsure or has a low risk tolerance (as, perhaps, an individual blogger might have). It is a little cruel for a researcher to assume every recipient will respond neutrally.
I've received legit legal threats over email from very serious people. I'm certain they would have escalated to more "official" channels if the situation wasn't resolved to their satisfaction (if you're curious, it was a contractor billing issue that was being ignored by my HOA. I was caught in the crossfire).
The fact that random scammers are calling folks claiming they're violating tax law isn't a justification for researchers to engage in similar acts. Do you agree?
> People regularly get calls saying they are in violation of tax law and must pay.
This is an interesting point you bring up, which merits diving into a bit further.
I think it's precisely because CCPA is so new that this experiment is more unethical than if they were just calling up people saying "you owe money to the IRS, send me gift cards". The IRS spends a ton of money every year telling people that these calls are scams; but Christine or the operator of freeradical.zone likely had no such public service announcements from the State of California. On the other hand, they probably did hear news items about this new data privacy law that California passed, and thought the emails were from actual individuals.
> It just seems like a reminder of existing laws, like one sees in all manner of contracts or Terms of Service.
An email purportedly from an individual is not the same as a contract or terms of service issued by a corporation from which I am getting a service. If I, as an individual, were to send you an email asking, for example, if you are paying all the taxes you legally owe, am I just giving you "a reminder of existing laws"? Or are you going to start wondering who I am and why I am asking and wonder if something is going on behind the scenes?
> People regularly get calls saying they are in violation of tax law and must pay.
Yes, that's true. And people who make such calls are regularly considered unethical scammers who do not deserve any consideration. So why should we treat researchers who send similar emails any differently?
Unless one is socially inept, it reads as a veiled threat. When someone asks one a question, it is likely to the point of certainty that social humans will consider (1) who is asking (2) why are they asking (3) what is the tone and (4) what is the text of the question. Failing to understand this or refusing to acknowledge it just means that one is bad at humans.
To be clear, I find the ability for anybody to threaten anybody else with a lawyer to be problematic for many reasons. The legal system in the US sucks and I would love to see some sort of social remedy to this type of lopsided interaction and abuse of power. If that happened in this case that’s part of my question: perhaps there’s nothing wrong with the “experiment” itself but rather with wording that might imply legal consequence?
However I’m dubious that there was even a threat of a lawyer. The request simply asked for a prompt response as required by law. That’s quite a stone’s throw from “I’ll sue you and take you for everything you own if you don’t reply”.
BTW, if you are actually being threatened by a lawyer then they send certified mail or show up at your door. And in terms of the webmaster almost contacting one, no lawyer is going to take your money before talking for 5-15 min to even figure out what the issue is. And even if you paid for 30 min of a lawyer's time, then they would promptly inform you that you can ignore such requests since you’re not a business.
> I’m dubious that there was even a threat of a lawyer.
The usual legal standard is whether a reasonable person could interpret the email as potentially threatening legal action.
> The request simply asked for a prompt response as required by law.
And such a request reads exactly like something written by a lawyer. Lawyers don't usually explicitly threaten a lawsuit in their first communication. They write something very similar to the email the researchers sent. I can easily see how a reasonable person could interpret those emails as potentially threatening a lawsuit if the request were not complied with, or if the sender did not think the response was sufficient.
> The request simply asked for a prompt response as required by law. That’s quite a stone’s throw from “I’ll sue you and take you for everything you own if you don’t reply”...BTW, if you are actually being threatened by a lawyer then they send certified mail or show up at your door.
I think you are expecting random people operating websites to share your knowledge of the legal system. I know you're right, but most people who operate a website likely don't, and these emails make them spend unnecessary time, money figuring that out; not to mention mental distress.
I find this not dissimilar from a standard "I'm in prison, but know where a million dollars are buried, send me money" email scam; and if researchers were sending those around as tests to see who was gullible, they would promptly end up on several blocklists. I don't see how this is different; and therein lies the ethical problem. Quite a few people seem to agree.
> I think you [are] expected random people operating websites to share your knowledge of the legal system. I know you're right, but most people who operate a website likely don't, and these emails make them spend unnecessary time, money figuring that out; not to mention mental distress.
But if you're hosting a website, you should have that knowledge. I can't run a business and expect not to be asked about taxes, either. Honestly, as an EU citizen, if I wasn't aware of the GDPR in regards to my websites, I'd have bigger problems than some research study.
That being said, I fully agree that this mail wasn't nice and I can absolutely understand why people became nervous. But things like this are expected and the issue seems exaggerated in that light. Quite a few people seem to agree to this, too ;-)
> BTW, if you are actually being threatened by a lawyer then they send certified mail or show up at your door.
Sure, but if you haven't lawyered up by that point you're going to have a bad time. Doubly so if you aren't familiar with the amount of info-gathering and record-keeping involved in winning a suit--if you don't know what needs to be written down for when you do have to call a lawyer, waiting until the last second can easily shoot your entire case in the foot.
And if you do lawyer up, you're spending massive amounts of money--money that some people just don't have.
Completely agree here. There was no reason the people running this couldn't have been clear about what they were doing and why up front. I've dealt with GDPR requests before and it is a hassle. Especially when someone does it for the purposes of causing that hassle.
And I don't see what's threatening about pointing out that you have a very nice windshield, and that it would truly be a shame if anything happened to it... And that I sell windshield insurance.
Also, while not a legal threat, "My questions are about your process for when I do submit a request." strongly implies an intent to submit a legal CCPA request in the future. Using "if" instead of "when" would have somewhat mitigated this, although it still comes across as somebody trying to find a loophole.
Then they’re not very good cease and desist letters. A C&D should state exactly what you are asking them to stop doing and exactly what will happen if they don’t. That way the other party can’t claim they didn’t understand later.
Search C&D samples on google and see for yourself.
“Your failure to abide by your Agreements will result in [redacted] pursuing any and all available remedies, including but not limited to injunctive relief and monetary damages.”
So, I don’t consider this very specific (you may, and that’s fine but then our disagreement is about something different).
Yes, language like that. Put it this way, a cease and desist should contain an IF THEN. If you don’t stop copying my CD then I will sue you for injunctive relief and monetary damages.
Contrast that to the subject email. There’s no if you don’t respond then I will sue you. It’s not a threat, it’s a request and the requestor’s reference to a statute that they think might apply.
I’ve been on the internet since before Al Gore invented it. I’ve seen more crappy stuff from lawyers all the time. Remember, in the US, you do not need a reason to sue someone. A friend just got sued by a guy who tried to buy his house for some BS reason. Trust me, stupid stuff happens.
EDIT: Some grammar, and minor clause clarification in second-to-last paragraph.
Yes, frequently. And throwaway.
About once a week, I pick an account in my LastPass collection, and initiate the following process:
1. Initiate a CCPA data request using a form or email, and I always include language about the timeline. I am not a lawyer, I'm just a person.
2. Then, once I have the data, I delete the account.
I'm trying to purge my web presence before I move out of California. I have about 200 accounts left, and have done this with 50.
Admittedly, these are all large businesses, so far. Think Google, where I've worked myself, so I know they are equipped to handle it. But, I will be working my way down to small businesses eventually, and I am surprised to find out that simply quoting the statute (which is what I do) is considered anything but vaguely legally threatening. If the website doesn't fall under CCPA, or hell, if it does, I just expect it to be ignored. I mean no ill will.
I'm personally pretty conflicted, since I actually fully agree with this [1] about the study being unethical, but if I send an email as an individual to a website with my data, quoting a California law, that doesn't seem wrong to me, even if it causes $10k in legal costs, since my request is truly genuine and not intended to cause harm.
I would agree that there is a distinction at the study level, but I'm not exactly sure why.
The distinction is super clear to me. You as an individual are exercising genuine data subject access rights granted to you by law. They are a researcher pretending to be a data subject exercising rights in order to gather data for their study.
Even if what you are doing is "legal" it seems abusive as hell to me, especially if it is ever targeted at a smaller company or person like in the OP's case. Why are you being so difficult? Why don't you find something more useful to do with your time instead of making others jump through idiotic hoops out of some misplaced sense of justice?
I imagine that for some companies it is difficult, and to the extent that I feel a 'sense of justice' about it, I would hope that my efforts help the organization (or single person, acknowledging that) set up a process to handle this.
I'm *genuinely* not trying to be abusive though. It's *extremely important* that consumers have the ability to exercise their data and privacy rights.
I'm not that old (mid 30s), but genuinely much of the data I have on the internet was put there when I was an actual child. And it's still there. This is actually one of the first times I've posted in *years* online. I really want to delete *almost everything*. Note in my OP, I said I worked at Google. I quit, because although I actually think ad targeting and the surveillance network are actually okay-ish, I wanted to opt-out myself, on both ends. So far, this decision has cost me 250k USD personally (if I calculate out the opportunity cost since I quit, just so far). And for the websites/apps I do still use, I donate some amount of money per year. OK, maybe I'm a freak, I really do think this stuff is important.
What would you suggest I do? Leave all my data online? As I said, in my cases, I was an actual child (those COPPA things did nothing to stop me), and this is, so far, a really effective way at getting places to delete my data. Maybe it's because they're "scared" of the law, but you know, then the law is working. Before, nobody responded to my deletion requests, and many websites had no option to delete. As a libertarian-ish person, this is a clear win for the consumer in terms of "coercive power of the state being used to create a framework that increases net freedom".
I am open to being wrong though! Let me delete all of my data first though so I don't have to do this again.
Responding to throwaway, I think the critical difference here is that you're making the requests in good faith. The researcher was making these (could be interpreted as vague) requests deceptively.
Yeah, I think that's right. But it does raise an interesting point. The meta-point of the study was a good one, I think, which is to "study privacy on the internet".
I'm soooo behind that (one reason I am disappointed in the ethical lapses here)—I've often considered publishing the steps I take for each website on a substack or whatever, to help other people. Sometimes, it can be hard to figure out (1) if your data can be requested-to-be-deleted, and (2) how to even do it.
Clearly, the deception was bad; I guess, just thinking out loud, how could this study have been done ethically? Perhaps, sign up real people to request the data, and transparently include a notice that this was part of a study?
The last bit is the tricky one; including that might skew the results in favor of websites being compliant.
If I understand correctly the sentiment is that the study is not in “good faith” by virtue of being a study. That’s where I’m genuinely ethically confused. It’s not like the study is bad faith (like they’re trying to trick websites into something illegal then sue them). At worst it’s neutral faith. But why is that unethical?
> Perhaps you're making an assumption that "normal citizens" receive legal threats regularly?
I consider myself a normal citizen and I receive "legal" and "illegal" threats regularly, the very vast majority being scam attempts of course.
Recently e.g. scammers keep telling me that my website's imprint is not up to code[0], either threatening to sue or outright claiming they are in fact a law firm and want a cease-and-desist and compensation for their law work, of course.
I also noticed how the Indian and Pakistani "security researcher" scammers[1] telling me about "major vulnerabilities" in my website - aka missing DMARC/DKIM headers (which are not even missing) - also started telling me how one can be fined under the GDPR for "bad security".
As for the "illegal" threats... I, according to scammers at least, watch a lot of "bad" porn[2] and they know about it because they hacked me, and recorded me on my own webcam. But if I paid them some BTC/monero/whatevercoin ("Follow this link to learn how you can easily buy <coin>"), they wouldn't rat me out to my family/friends or the police. I guess I will just have to pay them, but then again I have a HUGE payday coming from that nice Nigerian prince and another from that fantastic Singaporean economic attaché... once I send them some bucks to cover processing fees, of course[3].
All joking aside tho, I get how some people may be scared by things like the CCPA emails, or the kind of emails I mentioned (if those didn't work enough times, scammers would have stopped by now). When I just read that particular email in the article, I didn't see a legal threat, but that's just me of course. Other people might read it differently, and I cannot fault them for that. I remember being concerned myself the first time one of those "imprint" scam emails made it through the spam filter.
[0] In Germany, commercial websites are legally required to have an imprint, and everybody can basically sue you if you mess that up, that much is true. It's also true that courts regularly rule that if you profit even from a private website, e.g. by displaying ads, then your website is in fact commercial and requires that imprint.
[1] This isn't to denigrate all Indian or Pakistani people, of course. It's just that the "security researcher" scammers I encountered thus far all operated from these two nations.
[2] Ranging from "homosexual" to "child". I wouldn't consider adult gay porn "bad" myself at all (just not interesting to me), that's their definition. It's quite interesting to me to see how they try to phish for closeted gay people more often than for pedophiles, at least anecdotally from what makes it to my spam folder. My guess is that the number of people who actually watch gay porn and are ashamed of it largely exceeds the number of people watching child abuse porn.
[3] I received those "huge money - pay fee" scam emails more than 20 years ago, and I still receive them today. Cannot argue with success, I guess?
I've received plenty of voicemail from scammers who claim that I owe some agency money and that there will be penalties if I do not comply. That feels like a threat.