I Was Part of a Human Subject Research Study Without My Consent
Published on , 1330 words, 5 minutes to read
Note for the readers, I usually try to do one post per week. This is not that post this week. I am just frustrated by being used as a human subject in a Princeton study without my consent. If you are ever in a position to be doing this kind of survey, please don't send legal threats around recklessly.
To Whom It May Concern:
My name is Maya Mishina, and I am a resident of Novosibirsk, Russia. I have a few questions about your process for responding to California Consumer Privacy Act (CCPA) data access requests:
- Would you process a CCPA data access request from me even though I am not a resident of California?
- Do you process CCPA data access requests via email, a website, or telephone? If via a website, what is the URL I should go to?
- What personal information do I have to submit for you to verify and process a CCPA data access request?
- What information do you provide in response to a CCPA data access request?
To be clear, I am not submitting a data access request at this time. My questions are about your process for when I do submit a request.
Thank you in advance for your answers to these questions. If there is a better contact for processing CCPA requests regarding christine.website, I kindly ask that you forward my request to them.
I look forward to your reply without undue delay and at most within 45 days of this email, as required by Section 1798.130 of the California Civil Code.
This scared the shit out of me. My blog is a passion project that I do as a way to get better at writing. I almost contacted a lawyer. This should probably have stood out as suspect to me, however I am a believer that people have a right to privacy and that they should be able to be forgotten.
I go out of my way to ensure that this website handles as little user data as possible. I have gone so far to do this that the only unique identifiers I deal with are IP addresses, but even then only a tiny fraction of those IP addresses even get to my server because I use Cloudflare for caching. I probably need to set up some kind of proper log rotation in my server, but right now there are only three things collected by my site:
- If you are a patron to my site, your name shows up on /patrons. This queries the Patreon API to get the display name that you configured in your account and is refreshed every time the site restarts.
- If you send me a Webmention, they will be shown on the footer of the website. They are stored in a SQLite database on the same server. I can remove entries from that table upon request.
- Your IP address is recorded in
/var/log/nginx/xesite.access.login common log format on my server which is located in the Netherlands. Here is an example of what this looks like:
127.0.0.1 - - [18/Dec/2021:04:04:57 +0000] "GET /security.txt HTTP/1.1" 404 2110 "-" "Go-http-client/2.0"
No other data is stored. Any intermediate things in the system journal disappear after an hour or two because my journal is limited to 512 MB and my services are chatty.
Here is what the application logged for that request:
Dec 18 04:04:57 lufta xesite-start: 2021-12-18T04:04:57.585717Z INFO xesite/2.3.0: - "GET /security.txt HTTP/1.1" 404 "-" "Go-http-client/2.0" 12.474µs
It is literally the bare minimum that I can get away with.
Wanna know why there's no comments on this blog? I don't want to have to deal with storing user data and doing moderation!
I probably should have consulted a lawyer before drafting this, but here is what I replied with:
- I can process a CCPA data access request even for people that are not residents of California.
- My website does not collect personal information, but emailing either firstname.lastname@example.org or email@example.com would be the correct action.
- My website does not collect personal information, including IP addresses. I keep track of hit counts via CloudFlare analytics, but as far as I know there is no way for me to collect information about a single subject (all I see is aggregate anonymized data). I guess if you give me a public IP address I can dig through the system logs to see if anything pops up. 4. I would provide relevant request logs provided they exist. That is the only information that I could provide and I would be willing to provide it in the industry standard plaintext log format.
Please keep in mind this is a blog run by a single person as a passion project to get better at writing. As it is not a corporate endeavor, I don't believe that I need to provide this information at all. However I am willing to search the logs folder to see if anything is there.
Please let me know which IP addresses to look up and I will do my best to get you that information as fast as possible.
Thanks and be well,
I should have expected this to be a human research study after the University of Minnesota disaster.
Overall, I am disappointed in this. I want to have a positive outlook on humanity. I want to be able to trust that requests to be forgotten are legitimate. I am going to have a harder time doing that now.
In case you actually do want to make a GDPR/CCPA request, here is the process and the rough steps I will take:
- I will need your Twitter username and any links listed on the Webmentions
section of any article on my blog if you want those removed. I will require
you to either tweet a magic phrase and email me a link to it, a DNS TXT
record on the domain or for you to upload an arbitrary string to a path on
your server. These processes will help me confirm that you are the person who
wants the information. Send me an email to
firstname.lastname@example.org. If you want access logs deleted, please let me know what IP addresses to delete and I will see what I can do.
- I will prepare a
.zipfile that will contain the following:
- The email conversation in the industry-standard
- Any SQLite rows from my Webmention service in
- Any request logs from nginx in
- The email conversation in the industry-standard
- This may take up to a week or two. I am only one person and I have a job. This blog is not my primary source of income.
I do not have to offer this service. I am not a business. I am a single person that wants to get better at writing. Please do not include wording that gives me the impression that you are making a legal threat. I know you are allowed to, but it scares the shit out of me when you do that and will make me put your request at the end of the list.
tl;dr: I got phished by trying to be a good netizen. Don't fall for this scam.
Facts and circumstances may have changed since publication. Please contact me before jumping to conclusions if something seems wrong or unclear.