
I'm the person who wrote that blog post. I got an email from a fake person in France who asked several questions about my small social media site's CCPA compliance, then ended the letter with:

> I look forward to your reply without undue delay and at most within 45 days of this email, as required by Section 1798.130 of the California Civil Code.

I thought I was about to be sued by someone who was the equivalent of a patent troll, but for the CCPA. I had a minor panic attack before I was able to calm down and piece together an open response (as I wasn't about to reply directly to them, not after their thinly veiled legal threat). I briefly considered lawyering up just in case, which would have cost me a fair chunk of money.

After all that, it turns out it was research by Princeton University: https://privacystudy.cs.princeton.edu

The lead researcher, Ross Teixeira, says that:

> We submitted an application detailing our research methods to the Princeton University Institutional Review Board, which determined that our study does not constitute human subjects research. The focus of the study is understanding website policies and practices, and emails associated with the study do not solicit personally identifiable information.

Either:

1. Teixeira misrepresented his research to the IRB, or

2. The IRB is grossly incompetent or unimaginative.

I don't see a middle ground on this, particularly after the University of Minnesota vs Linux contributors debacle (see https://www.theverge.com/2021/4/30/22410164/linux-kernel-uni...). I see Teixeira's research as the equivalent of sending a bunch of fake legal notices to random people to "study the legal system", while claiming with a straight face that it doesn't involve human subjects research. Frankly, that's bullshit, and I can't believe someone signed off on this.

As noted on the blog post, I've reported this to Princeton's Research Integrity & Assurance department. This isn't OK. I didn't consent to be a part of their human research (which it absolutely is, however they might try to claim otherwise), and this research seriously freaked me out. I slept poorly for a couple of days thinking I was facing possible legal issues over hosting a little not-for-profit hobby website.



There is a separate Research Integrity group to address exactly this sort of problem. I'd call and email them [0] and then maybe cc the office of General Counsel (their lawyers) [1] so they are aware of the type of liability that lax research oversight may be causing.

For good measure, his research advisors should hear about this as well. Per his own website (now unavailable but archived on wayback [2]) they are Jonathan Mayer [3] and Jennifer Rexford [4].

Ross: should you come across this HN post, read through every comment. You need to understand-- especially studying tech policy!!!-- just how poorly done this was. Really not a great way to begin your reputation in this field.

[0] https://ria.princeton.edu/report-concern

[1] https://ogc.princeton.edu/

[2] https://web.archive.org/web/20210122100955/https://www.rosst...

[3] https://jonathanmayer.org/

[4] https://www.cs.princeton.edu/~jrex/


I've met Ross during my time at Princeton and he is a really genuine person, he is not trying to ruin anyone's life. This incident is the result of an uncharacteristic blind spot in empathy: a mistake.

I also have experience with the Princeton IRB on similar topics. The reality is that Princeton's IRB, and IRBs in general, are not equipped to deal with this sort of online research. IRBs were created as a reaction to unethical medical research, in particular the Tuskegee Syphilis Study [1]. My experience has been that the IRB has a greater expertise on medical and sociological studies. This leads the IRB to have a very narrow view of its remit in other domains. Unless humans are in a very literal way "subjects" of the study, then the IRB doesn't see it as human subjects research. In this case the IRB likely saw "Free Radical" and other websites as the subject. In both my studies and those done by my peers, the responses on what is and isn't human subjects research are uneven and you will often get a generic "this study does not constitute human subjects research" response from the IRB. This can be the case even if there are possible negative repercussions to the "not subjects" in your research.

For example, say your study involves testing vulnerability disclosure policies. How well do websites respond to vuln reports? In your study you send out 100 vulnerability disclosures. After you report these vulnerabilities, a human may read your vulnerability report and make a decision based on it. This presents a risk that the individual security team employees involved in your study will be scapegoated and fired when you publish your (potentially damning) results. How do you balance the value this study provides the public against the risk to the individual employees' livelihoods? The IRB isn't going to help you do this balancing, they will just say "this isn't human subjects research".

IRBs quite simply aren't equipped to evaluate this sort of research at the moment. This can be frustrating for a young twenty-something researcher just out of college trying to do the right thing while generating impactful research. You come in thinking that the IRB will be a guiding hand of wisdom and prudence, but you are quickly disabused of that notion after most of your interactions feel like conversations with lawyers in a compliance department. Many researchers in "CS" don't even involve the IRB, because they don't always see the ethical dimension of their work, but the fact that Ross did shows that he was trying to do the right thing here.

[1] https://en.wikipedia.org/wiki/Tuskegee_Syphilis_Study


I don’t doubt that Ross is a nice person, and I think he meant well. FWIW, I think this is a great thing to study and in other circumstances I’d be glad he’s doing it. But much as Ross didn’t intend for me to be hyperventilating, heart pounding as I imagine trying to explain to my wife how my little hobby is getting us sued, that’s exactly what happened. That was a whole awful lot of extra stress that I didn’t need.


Howdy Paul!

I definitely see a problem in that some people think that if the IRB doesn't object to what they're doing, it's OK. But ethics is a responsibility of the entire research team, and the research team is usually far better placed to understand the implications of their research strategy than the IRB.

The following are big problems here:

  - lack of informed consent
  - deception

Researchers should be trained that those are only allowed in exceptional cases where the benefits outweigh the harms.


I feel like "coercion" (legal threats) should probably be a separate bullet point from "deception"?


Well, if you have informed consent, it's not going to be a problem. If you don't, then you need to do a more careful analysis of what ill effects might ensue when someone gets the letter (feel distress, spend money on a lawyer).


Aren't these issues common in many other societal studies, for example fake resume hiring studies?


Yes.

IRBs exist, in part, to weigh the cost to the humans/etc vs the possible benefit of the study.

Take: https://www.nber.org/system/files/working_papers/w21560/w215...

Look at footnote 3.

There is often a tendency to dehumanize things when it involves sending stuff to corporations. Even in that footnote, it's not employers processing fictitious resumes, it's people.

So it's much more likely you'd get approval to do something "to a corporation" even though 99% of the time, it's really still being done to humans.


I'd like to disagree as someone who knew Ross during my time at Berkeley. He absolutely is intelligent and thoughtful enough to know what he was doing -- including the consequences.

Berkeley's IRB is similarly ill-equipped -- as a result, a lot of trust (i.e. empathy) is placed in the lead not doing anything as obviously unethical as this. This is not the mistake that someone as intelligent as Ross makes; this was a conscious decision that backfired.


The fact that Ross didn't mean to do this is all the more reason why someone - maybe an IRB, maybe not (your argument makes sense) - should be assisting 20-something researchers with having a well-informed perspective.

In the absence of an organization that's good at this (which doesn't seem to exist and should), this probably should be the supervising professors.


As a research group leader, I find it unfortunate that the grad student seems to be the public face of this and is therefore attracting most of the ire. Feels like the student is being thrown under the bus, and responsibility for ensuring the study is conducted ethically should ultimately be that of the principal investigator.


Mayer posted an apology last night taking full responsibility. Hardly throwing his student under the bus.


Thank you for making this point. I didn't articulate it, but this is part of why I felt I had to say something.


I hope this fellow Ross does not become suicidal or otherwise depressed when he sees the weight of the internet coming down on him for this faux pas. Ross, none of this will matter in a year. Or 5 years.


[dead]


Sorry, but this sort of attack is not ok on HN and I've banned the account. It's entirely possible to post substantive critique without stooping to this—as many HN users have demonstrated in this very thread.

https://news.ycombinator.com/newsguidelines.html


Fortunately there are a lot of other more-senior leaders in larger companies and longer-lasting non-profits who believe people can learn from their mistakes and there is no magical class of people who never make mistakes. Obviously mistakes were made here, and obviously at least the PIs should have known better - but deciding that you're going to keep the student on some mental blacklist forever, and instead find people who haven't yet had the chance to learn from their mistakes, is short-sighted.

You've probably heard the story of IBM's Thomas Watson being asked if he was going to fire someone who made a mistake that cost the company $600,000 in lost sales. No, he said - I just spent $600,000 training you! Why would I want someone else to benefit from that training?

(Also, the fact that you are aware there might be enduring consequences to this comment if you associated it with your name, and are therefore keeping your name off of it, is ... interesting. My advice to Ross Teixeira is that, until proven otherwise, the commenter above is some random troll in high school who doesn't know how the real world works. If they wanted the threat to be taken seriously, they'd post it on LinkedIn.)


I think it’s kinda funny how sending vaguely threatening emails (suggesting violation of statutes) sailed right through an IRB, but Scott Alexander got the third degree for giving patients a survey. Description:

>> When we got patients, I would give them the bipolar screening exam and record the results. Then Dr. W. would conduct a full clinical interview and formally assess them. We’d compare notes and see how often the screening test results matched Dr. W’s expert diagnosis. We usually got about twenty new patients a week; if half of them were willing and able to join our study, we should be able to gather about a hundred data points over the next three months.

https://slatestarcodex.com/2017/08/29/my-irb-nightmare/


UCI, for example, seems to have a very well defined notion of human subjects research, and this would clearly meet it.

Let's look: https://services-web.research.uci.edu/compliance/human-resea...

"Any systematic investigation (including pilot studies, program evaluations, qualitative research), that is designed to develop or contribute to generalizable (scholarly) knowledge, and which uses living humans or identifiable private information about living humans qualifies as human subjects research. See Definition of Human Subjects Research for more information."

Down the rabbit hole to https://services-web.research.uci.edu/compliance/human-resea...

"Research is a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge. ...

Examples of systematic investigations include:

Surveys and questionnaires"

So far, we got it in one.

I'll skip the part of whether it's generalizable - it's clearly intended to be here.

"A human subject means a living individual about whom an investigator (whether professional or student) conducting research:

Obtains information or biospecimens through intervention or interaction with the individual, and uses, studies, or analyzes the information or biospecimens; or

<The or is about getting PII in more cases, but this study is not getting PII>

...

Interaction includes communication or interpersonal contact between investigator and subject.

... "

Well, there we go.

Seems a lot more straightforward in various IRBs than you seem to say. As an aside, lots of IRBs also have mass email policies and are required to approve the text.

Now, maybe Princeton's IRB does not have as clear a definition. I can buy it, in fact!

But honestly, it doesn't seem that hard. If you are going to simulate fake emails to humans, for the purpose of gathering their responses, you are in fact, doing human subject research.

It also doesn't seem very hard to draw bright lines:

1. If you are interacting with people to see what their response is, even by email, they need to consent.

2. Do not deliberately deceive humans.

(You can even modify #2 to "do not deliberately deceive humans without an IRB explicitly understanding and weighing the cost/benefit" if you like, but most of the time, you actually do not need to deceive humans)

It's also really really hard to believe someone went to an IRB, and said "i'm going to survey people by sending them emails from fake people that seem mildly threatening, and seeing how they respond.", and an IRB was like "yeah, that seems okay, it's definitely not human subjects research".

It's up to the researchers to explain precisely what they are doing in an accurate way. Saying you are surveying websites is totally inaccurate and confusing.

If a sociological researcher was like "whoa, i'm not emailing people asking for their family histories", that would be human subject research. Instead, i'm just "retrieving directed graph data from remote email addresses". I don't think that would go over very well.

Finally, as for not seeing the ethical dimension of their work, there is an easy fix for this (IMHO): make ethics classes required. In fact, in lots of places, IRBs won't review things if you haven't!


I think their point was IRBs say information isn't about an individual when the individual would say it is. Everything you quoted depends on the word about. And UCI's policy refers to US regulations. Those regulations contain surprisingly broad exemptions.[1]

People talk about emailing web sites any time they don't know if it's a person or a company in my experience. And ethics classes don't give everyone the same understanding of ethics.

[1] https://www.hhs.gov/ohrp/regulations-and-policy/regulations/...


Quick meta-comment; this is useful and informative information about the original link - please don’t downvote because you disagree with the point of view. If you disagree, please add a comment and make HN a great place for discourse!


Downvotes are ok to use to indicate disagreement, and it has been so forever. pg and others have supported this view.


Poignant detail: the Radboud professor that's part of this "research" has experience in dark patterns so he knows damn well what he's doing. By his own words, from his website:

> I also study anonymous communication networks such as Tor, and investigate deceptive and manipulative (dark) design patterns

Radboud has policies about informed consent [1] that were clearly ignored, or were explained away with the idea that informing should be allowed afterwards to not taint the experiment (even though this is just a basic data policy).

I believe the recipients of these emails should file a complaint against Teixeira's co-conspirator as well. Contact information for the Radboud ethics board can be found at [2], though the documentation is mostly aimed at students.

[1]: https://www.ru.nl/rdm/collecting-data/informed-consent-ethic...

[2]: https://www.ru.nl/science/research/about-our-research/ethics...


Great advice, thanks! I’ve filed a complaint with Radboud, too.


I agree that you were wronged by these so-called ‘researchers’, but it’s also tragic that our legal systems are so bad that everyone fears them. The legal system should be a low-stress, reliable, and predictable way to avoid or reduce conflict, instead of a weapon of terror.


What's more annoying is that the decision to construct the email as a non-academic "other person" was a CONSCIOUS decision by the research team (most likely the advisor). I don't see what benefit hiding behind the illusion does for the information gathered, beyond worrying that the recipients wouldn't respond to a more traditional "We are researching CCPA..." style email.

IRB does allow for deception, just to be clear. It's annoying, but sometimes that's what's needed to get genuine responses. HOWEVER, the hoops the team needed to jump through to justify its use here were very poorly executed.


Implying the law said they had to respond looks like a bigger problem to me. Some people said they wouldn't have ignored email from a researcher. So saying it was for research would have changed the responses.


That's a fair point. The text of the CCPA is very clear that it doesn't apply to my hobby website (see https://oag.ca.gov/privacy/ccpa for a nice FAQ), but I wasn't thrilled about the idea of having to explain that to a jury.


You did not lawyer up, but some other recipient might have. Are there grounds for a lawsuit here for... well.. fraud? After all, resources were spent; surely, there was some stress..

Yeah, I agree with you.


I'm not a lawyer, clearly, but I'd say so. Some people are replying to him on Twitter saying that they've spent money here and asking who to send the invoice to.


Not a lawyer, but I would say no. Being aware of your legal obligations is part of the cost of doing business. Expecting a company to follow the law isn't anything special. Just because in the past they have been unethical and not spent money to follow them doesn't mean that when they hear about it and spend money, the person they heard about it from has to pay. That would be insane. They have been bad people by not following the laws or being aware. Now they are aware of them. In no way is he responsible for these idiots' legal costs. Especially when they should have already paid them before.


Might be worth reaching out to Princeton's IRB?

https://undergraduateresearch.princeton.edu/compliance/human...


Done, thanks. I'm not sure what the difference is between that and their RIA (https://ria.princeton.edu/report-concern), but now I've reported it to both.


You should report this to the IRB. The research is conducted on information obtained by interacting with humans, and therefore should be classified as Human Subjects Research [1].

Waivers of informed consent can be obtained under some circumstances, for example in the case of a retrospective study where the data has already been collected and contacting subjects would be difficult/unnecessary, or it can be shown to adversely affect the outcomes of the study [2, search for waiver].

But regardless, even if informed consent were to be waived, the fact that this is human research means that the researchers should be trained in Research Ethics and Good Clinical Practice (even if the research is not clinical), and understand that the goal is always to minimize risk for the participants - risk which was clearly not properly evaluated under the current project.

[1] https://grants.nih.gov/policy/humansubjects/research.htm

[2] https://www.law.cornell.edu/cfr/text/45/46.116


That’s great information, thanks! I’m learning an awful lot about this stuff very quickly.


The IRB is underneath the RIA. If this was the IRB's screwup, it's the RIA they will answer to. And probably a nice chat with general counsel to assess any liability.


> 1. Teixeira misrepresented his research to the IRB, or

> 2. The IRB is grossly incompetent or unimaginative.

My experience with IRBs is that they are often extremely conservative in their interpretations. Legal liability is attached to them. Human-involved research requires an order of magnitude more review to get approved. There are gray areas, and my (very limited) direct observations are that people will try to frame their material to avoid the extra review. I can't rely completely on Princeton's reputation for this, but if I had to guess, Ross either did a poor job presenting to the IRB or deliberately downplayed the nature of things.


I love how they say they are "contacting websites" as if websites are sentient beings that can respond to questions, rather than operations run by human beings who will receive and respond to the communication.


Websites aren’t sentient beings, but they are more similar to commercial entities than people. Even if not intentional, websites gain traffic and can display ads. They have Google ranking. They have an audience and can get paid to share information with their audience.

Would there be an issue if they sent out letters to businesses asking how they comply with a California regulation?


>Would there be an issue if they sent out letters to businesses asking how they comply with a California regulation?

I think this is where you may be overlooking the context.

People aren't mad they asked about compliance with a law, they are mad about the way it was asked: from fake personas implying legal threat, while cataloguing the replies for their study no one asked to be involved in.


That seems like a pretense.

The researcher was an actual human being, so all they would have to do to require a response is to register on the site before sending the email. If they had registered accounts, then requested their information be sent to them and required its deletion, it would have been an order of magnitude more work for the site owners than just sending answers about the process (which, if the site is subject to the law, should already be prepared.)

I think people are mad precisely because they were asked about compliance with a law. Largely because emails went out to sites that were not commercial or too small to be bound by the law, so they weren't aware of it and panicked.


If the researcher is at Princeton, which (last I checked) is neither in the EU nor in California, they may not have standing to compel a response under GDPR or CCPA, both of which apply to data about persons within their territories, as I understand it (although interpretations certainly vary).

According to the linked blog, the owner wasn't covered by CCPA anyway as I suspect is the case for a lot of the recipients, so there would still not be a response required. Some of the sites may have data exports and account deletion clearly available to users anyway, in which case no human interaction would be needed; but the research wasn't looking for that.


Here's to hoping you're awarded damages for pain and suffering, or at least get a nice settlement.


If there's a settlement, I hope it's in the form of a nice bottle of scotch, and a letter from Princeton apologizing and swearing not to do it again. I'm not out money; I'm out peace of mind.


I just hope there is some incentive for other researchers to not follow in this study's footsteps.


I don't think this reaches the level of a cash settlement, personally. It is certainly shocking and would upset me. I agree that Princeton should try harder.


Same. I’m neither asking for nor wanting any kind of a settlement or anything. I just want them not to do it again.


I don't know California statutes, but in Illinois that would be a crime:

(720 ILCS 5/17-50) (was 720 ILCS 5/16D-5 and 5/16D-6) Sec. 17-50. Computer fraud. (a) A person commits computer fraud when he or she knowingly: (1) Accesses or causes to be accessed a computer or any part thereof, or a program or data, with the intent of devising or executing any scheme or artifice to defraud, or as part of a deception;


I don't understand why you reacted so strongly. I feel like it's not a big deal to receive a message like that; what am I missing?


Because receiving a letter citing chapter & verse of the legal code is generally never the precursor to a nice friendly chat.

The actual-not-fake-researcher (instead of fictional people) could have sent a nice friendly request saying, "I'm a PhD candidate working on public policy in the tech sector. Could you please answer the following questions regarding your process of CCPA compliance, if applicable"


Legal threats are a common occurrence nowadays though. I get calls weekly saying a warrant had been issued for my arrest or that my "SSN is about to be revoked".

The email also clearly says they are not sending a request at this time and it seems nicely written to me. I guess I don't get why this is on HN and everyone is so livid about it.


I understand what you’re saying, but this seemed a far more credible threat than someone wanting me to send them Bitcoin to delete my webcam video. For instance, here’s a story about a lawyer who filed so many ADA lawsuits that a judge barred them from filing any more. People abuse the legal system all the time, and while people on the receiving end of a lawsuit can fight it, it’s guaranteed to be expensive in many ways. I could absolutely see someone filing thousands of CCPA lawsuits that wouldn’t actually stand up in trial, but which would be an utter fiasco for even the un-liable defendants.

Edit: Oops, here’s a story: https://www.azag.gov/press-release/serial-litigant-permanent...


> I guess I don't get why this is on HN and everyone is so livid about it.

I think this kind of scam would end up on HN even if it was a bunch of Nigerians doing it, and what's making people angry instead of merely taking note while rolling their eyes at scammers stooping to a new low is the fact that it's respectable universities rather than Nigerians.


> I get calls weekly saying a warrant had been issued for my arrest or that my "SSN is about to be revoked".

And those are all illegal. If the telecoms weren't incompetent and protected from liability, you could find the people who did those things and either sue them or file charges.


Sure, of course not, but a near panic attack still seems a bit... out of proportion.


If you have run a business small enough that you don't have a lawyer on standby then you might understand a little better.

I have, and received a real legal threat. A bit of panic as you contemplate the financial devastation & wreckage it might leave your life in... well, a little bit of panic is actually a pretty reasonable response there.

If you've been in that situation and been totally calm about it then that's a good thing for you, but that's not the common response for someone contemplating a life-changing encounter with the legal system.


These businesses should have been aware of this already. It is their own fault for not being aware of their status and preparing for it. In no way is anyone but they to blame in this case.


I think you didn’t read my original blog post that’s linked here. I’m not a business. They sent the email to me regarding my personal, hobby, zero-revenue website. I have no legal obligations under the CCPA, but I didn’t know that until I spent a few stressed-out hours researching this. Even then I was worried about the idea of being sued over it anyway, and having to explain to a court why I believed I shouldn’t be liable for damages.


Because it sounds like a letter you’d receive from someone who’s prepared to abuse the legal system to extract money from you. Also I think the OP pretty well described their reaction: they were afraid they were going to be sued.


I'm just running a hobby website. I'm not at all used to receiving letters that bring up legal questions, then give me a time frame to reply as per a specific law. To my non-lawyer reading, that looks like someone's doing their homework to figure out how to drag me into court. Judging from a lot of the responses I've gotten from other recipients, I'm far from the only one.


[flagged]


Please don't cross into personal attack in HN comments.

https://news.ycombinator.com/newsguidelines.html


Obvious scams are a lot easier to dismiss without worry than ones that actually look like potentially credible legal threats.

You're just blaming the victim here, possibly because you're biased by the hindsight of already knowing the legal threat was never real in the first place.


For those who receive what appears to be a legal threat, it seems to be worthy of anxiety.


Have you ever been a sole proprietor in California[0]? Do you have a family?

Adding something about a timeframe and quoting the law clearly signals legal troubles. I would have 'reacted strongly' too.

[0] https://www.ftb.ca.gov/file/business/types/sole-proprietorsh...


I see that you're being downvoted, but for what it's worth I agree with you. I read the message and if I received it I wouldn't have thought much of it. Honestly I would've just thought it was spam. It's a shame, though, if the OP did have mental duress as a result of it.


It's entirely possible that you and OP do not share the same 'what do I stand to lose' frame of reference.



