A recent research project into the compliance of online services with data protection and privacy measures has ended in confusion, frustration and wasted costs for the businesses and other organisations unwittingly subjected to the study.
The joint study by academics at Princeton University Center for Information Technology Policy and Radboud University Digital Security Group set out to investigate how online services have implemented steps to comply with the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
However, the poor execution of the research has resulted in embarrassment for the academics involved and, more seriously, may have made it more difficult for data subjects to exercise their own rights under those laws.
The study (the “Princeton-Radboud Study on Privacy Law Implementation”) appears to have involved the sending of masses of emails from specific domains created solely for the study, with the intention of “asking public websites about their processes for responding to GDPR and CCPA data access requests”, “whether websites are extending…rights to non-EU citizens and non-California residents, and whether websites are effectively authenticating users when they exercise these rights”. The emails, purporting to be from named individuals, asked a number of questions (requiring a response within one month) and put the recipients on notice that an access request was likely to follow. They were sent without regard to whether there was any likelihood that the recipients could conceivably be processing the purported sender's personal data. They were all apparently sent from one of the following domains: envoiemail.fr; novatormail.ru; potomacmail.com; princetondmarcstudy.org; princetonprivacystudy.org; yosemitemail.com.
Anecdotal evidence suggests that a number of recipients were confused and concerned by the emails and that several consulted external lawyers on the grounds that they might be facing legal challenge or claims in relation to the emails. In particular, the rather arbitrary selection of websites which would be sent the emails ("The set of websites for this study is sampled from the Tranco list of popular websites and publicly available datasets of third-party tracking websites") seems to have resulted in many small and unfunded or poorly funded organisations receiving it.
Following an outcry about ethical concerns, the senior researcher for the project ceased the email exercise (as of 15 December) and issued an apology, saying:
“I am dismayed that the emails in our study came across as security risks or legal threats…I will use the lessons learned from this experience to write and post a formal research ethics case study, explaining in detail what we did, why we did it, what we learned, and how researchers should approach similar studies in the future.”
This is to be welcomed, as is the accompanying suggestion that he will be engaging with those who have contacted him with concerns about the study.
There is a risk that, unless their legal and ethical implications are properly thought through, mass projects involving the automated sending of emails purportedly exercising fundamental data protection rights could actually diminish or dilute those rights. It is understood that many recipients of the original Princeton-Radboud study emails received advice simply to ignore them (and that is certainly what the senior researcher is now recommending). The concern is that if deceptive requests are made which can effectively be ignored, a general culture could develop in which genuine requests are ignored too.
The rights conferred under data protection and privacy laws are valuable and potentially powerful. They are a valid subject for academic research, but only when studies are planned with comprehensive prior ethical assessment and approval.