On December 11, 2021, Coywolf News received the following message from Kurt Mayfair with the subject line, Questions About CCPA Data Access Process for coywolf.news.
The message looked suspicious. It came from a nondescript email address, stated they were from Virginia (not California), and didn’t provide any details about who they were associated with. Googling
Kurt Mayfair also didn’t return any relevant results.
CCPA and GDPR request emails with fake personas were part of Princeton-Radboud privacy law study
On December 26, 2021, Coywolf News received an email message from the Princeton-Radboud Study on Privacy Law Implementation. The subject line stated, “Please disregard recent email about GDPR or CCPA processes.”
The email said the previous CCPA and GDPR inquiry email was sent as part of an academic study on privacy law implementation and that all replies would be discarded by December 31, 2021. It included a link with more details about the privacy law study, which revealed who was behind the study, what they were studying, what went wrong, and how they were attempting to rectify its botched execution.
The page is maintained by Professor Jonathan Mayer at the Princeton University Center for Information Technology Policy, the Principal Investigator of the study. In an update published on December 18, 2021, Professor Mayer said he was
dismayed that the emails in our study came across as security risks or legal threats. The intent of our study was to understand privacy practices, not to create a burden on website operators, email system operators, or privacy professionals. I sincerely apologize. I am the senior researcher, and the responsibility is mine. In a later update on December 21, 2021, he announced that they would be discarding all results.
We have also received consistent feedback encouraging us to promptly discard responses to study email. We agree, and we will delete all response data on December 31, 2021.Professor Jonathan Mayer, Princeton-Radboud Study on Privacy Law Implementation
The page also included a Frequently Asked Questions (FAQ) section that addressed several concerns made by the study’s subjects. The FAQs confirmed the use of automation and “simulated identities” (i.e., fake personas). Mayer stated that he will be writing an ethics case study from this experience to help other technology policy researchers avoid making similar mistakes in future studies.
Details about the Princeton-Radboud Study on Privacy Law Implementation are available at this Princeton University subdomain and this IPFS archive (saved on December 27, 2021).