by kf6nux 1638 days ago
From the study's FAQ[0]:

> Did an Institutional Review Board consider this study?

> We submitted an application detailing our research methods to the Princeton University Institutional Review Board, which determined that our study does not constitute human subjects research.

From the social experiment[as reported by OP's link]:

> I look forward to your reply without undue delay and at most within 45 days of this email, as required by Section 1798.130 of the California Civil Code.

I'm pretty sure most people would find that to be a thinly veiled threat of a lawsuit. I'd like to know if the review board considered the text of the email that the "researchers"[1] intended to send and the fact that they were likely to send it to individuals instead of solely publicly traded companies.

[0] https://archive.md/cSDGT

[1] Seems to fall more under experimental psychology to me https://en.wikipedia.org/wiki/Experimental_psychology?wprov=...


If I had to guess, the wording in the study's FAQ is carefully chosen: "an application detailing our research methods" doesn't necessarily mean "an application with the verbatim text of the emails we planned to send, including our thinly veiled legal threat at the end."

Not trying to turn this thread into a generic flamewar against "academic" research methods, but this whole thing seems oddly reminiscent of the "let's try to insert malicious code into Linux" fiasco [1]. I'm conceptually fine with generic passive tools like web crawlers to conduct research, but since when did the internet become a place where nonconsensual interactive research became fine?

[1] https://www.bleepingcomputer.com/news/security/linux-bans-un...

> Not trying to turn this thread into a generic flamewar against "academic" research methods, but this whole thing seems oddly reminiscent of the "let's try to insert malicious code into Linux" fiasco [1]. I'm conceptually fine with generic passive tools like web crawlers to conduct research, but since when did the internet become a place where nonconsensual interactive research became fine?

In a very real sense, every landing page A/B test is nonconsensual interactive research.

Or at least, if there is line between them, however blurry, I can't find it.

I am skeptical of the idea that such a line should be drawn according to who is doing the experimentation, I don't think that a manipulative act becomes okay just because it is being done by an academic for research purposes, nor do I think that it becomes okay just because it is being done by a layman with a profit motive (or a political one, for that matter).

> In a very real sense, every landing page A/B test is nonconsensual interactive research.

I think that lots of benign testing is only this a bit pedantically, at least for the general "two variants of a page" type of thing, context matters of course.

"I want to use this service" -> "OK, here is the page for that service" is a certain interaction where, granted, you might be presented with a different kind of look, but... well, you are getting what you asked for I suppose. Though you could get into the ethics of price differentiation by geo-data, and other general things that lead you to feeling ripped off.

OK, maybe lots of "growth-hacking" A/B test stuff does fall into this category...

I think the primary component of both this CCPA thing and the Linux kernel is, essentially, dishonesty. Researchers are doing things to outright lie to others. Here they are using fake identities! And it probably fails the general smell test of "if the counterparty was informed of the details, would they feel bad about the whole interaction". I said it elsewhere, I don't know if it's really fraud legally but it sure feels like it.

To play devil's advocate - is that really all that different from much other online communication? A significant chunk of the web runs on advertisements; and those are in essence tons of little influence games, often with little regard for the truth or honesty: the aim is to manipulate by whatever means you can get away with.

A lot of forums have issues with spam and sock puppets, and not all of that is obvious nor all of it honest.

Even many large, curated news sites have now succumbed to the benefits of deceiving their audience; whether through outright misrepresentation, or merely selective omission, or merely editorial emphasis that prioritizes their agenda over their readers' understanding of the material.

Attempts to course correct here run into vast vested interests (when it comes to e.g. advertising or biased media), and also against the implementation of free speech protections in the US (and many other places), and more subtly, against public opinion on free speech, which refuses to countenance any attempts at reform.

In essence, we prioritize the right to deceive over the right not to be deceived - in all but the most extreme of circumstances.

Chalk one up for team deception - while this surely isn't a good trend, I can't see how this research is even close to some of the more problematic stuff floating around.

> In a very real sense, every landing page A/B test is nonconsensual interactive research.

I think the difference here is that the user requests a page with a web browser (which could be argued as giving consent to view the contents) while the person that received this email didn't request the experimental email (and therefore didn't consent to the experiment).

If you consider A/B test nonconsensual research, then you can also consider localized versions of the sites as A/B tests. Or even serving different content for mobile and desktop.

The problem, like in that previous case, is that "human subject research" is a pretty narrowly defined category. It is mostly meant to cover testing out drugs on human subjects, and stuff like that. Notably, there is plenty of unethical research that doesn't qualify. So when an IRB gets a proposal that amounts to "I'm going to send some emails/interact with some folks online" their reply is likely to be along the lines of "not our problem", and it becomes the responsibility of the research to assess the ethics of what they're doing.

The IRB boards I've interacted with or seen peers go through included more than just drugs etc. A survey or interviewing people has always been included as human subject research by the boards. Depending on the specifics, surveys & interviews may be exempt from a full review of the human subjects process, but only after the IRB itself has made that designation. Basically a PI shouldn't be talking to a human as part of their research without the IRB making a determination on it.

Anything related to food & drug testing is usually its own special category of review within the IRB, but it's not just meant-- and has never been meant-- to only deal with biomed research. The Belmont Report in 1979 that gave rise to the modern IRB explicitly addressed research with human subjects, not just biomedical research. Anyone in that field is aware of the extreme examples like Milgram's work and the Stanford Prison experiment that make this review necessary.

It may be the case that some IRBs don't take that side of things as seriously as they should, but that doesn't mean the ethical burden is primarily on the researchers. The legal liability is on the institution, and the IRB is the regulation-mandated body required to ensure compliance.

But when the Sokal squared hoaxers were submitting fake papers to humanities journals, it was deemed human subject research and widely denounced (by humanities researchers) for lack of ethical review. This seems to be a very analogous situation.
The wording of the message is one hell of a detail to leave out when detailing your research methods.
It seems like it but it’s not.

The IRB review determination is going to be based on the typology of what you are doing not the internal contents for the most part. Once they decide the level of appropriate review then they will typically look at the ‘details’.

The false legal threat is particularly galling, but this absolutely should have gone through IRB even without it. Someone should have had to at least consider the impact on recipients of the messages before they were sent.

IRB review is typically required even for just simple research surveys.

How is a reminder of the law a legal threat? More specifically when you feel like you're not impacted by this law, it's as far from a legal threat as could be.
Whether or not I feel I am impacted by a law has little to nothing to do with whether someone else will decide to sue or prosecute me based on it. Even if it's without merit, it's still an extreme hassle if that happens (and also very expensive).
> How is a reminder of the law a legal threat?

In the same way that "This is a nice place you've got here, it'd be a real shame if something were to happen to it", when spoken by a Mafia enforcer is most definitely a threat.

It's not, outright, threatening to bring a lawsuit, however the language of that last paragraph is definitely something which you'd expect to see from a lawyer in preparation for such legal action.

I'm not a lawyer, and I've both sent and received email like that over the years, none of which ever produced a legal action. That's standard procedure for private data requests.
Either there's another nonconsensual experiment underway or a legal threat scam involving security bounties, because the phrasing of this Princeton email is very similar to the security bounty emails I keep getting... at my personal, static, blog.
It's obviously implying a threat if you're at all familiar with the legal sphere.

Passive-aggressive language, sure, but still not exactly inviting the recipient to a picnic, and passive-aggressive language doesn't get you off the hook.

Related, doesn't matter if it is completely without merit and could never succeed.

This entire story and thread is just something else. Talk about failing to meet even baseline ethical standards.

> It's obviously implying a threat if you're at all familiar with the legal sphere.

And if you're not a lawyer it's just a very normal message of someone trying to get answers and have their privacy rights respected. I've both sent and received many messages like this one over the years (CNIL requests) and there's nothing frightening about it.

> Talk about failing to meet even baseline ethical standards.

This study certainly meets my ethical standard of trying to hold corporations accountable to what they do with our data. I really don't see what the fuss is about: if freeradical.zone admin had received this email from anyone else (as could well be the case) would we even talk about it?

You're wrong. The reaction to the email and apology from Princeton is proof of that, but there are also very few people here who agree with you. I'm not a lawyer or a business man and I read the email as a clear legal threat. I had anxiety just reading it, the same as the OP.

It's clear as day. And if for whatever reason you don't see it that way the rest of the email and the way it's written should set off alarm bells as being a potential scam.

I don’t think it’s intended as a veiled threat of a lawsuit so much as a statement of the compliance requirements. Unfortunately it seems they misunderstood the scope which makes it inaccurate. But if the statement was true and accurate I would just take it as a helpful reminder of the timeframe.
> But if the statement was true and accurate I would just take it as a helpful reminder of the timeframe.

No. Absolutely not. A helpful reminder of the timeframe would be "the deadline for our study is ..., please try to send your response by then if you wish to be included."

Quoting legal code is not at all a helpful reminder of a timeframe, but is a direct implication of legal ramifications for failure to comply.

IMHO that is the most significant part of this. Any question about the intent is clearly tipped toward legal trouble by that.
> if the statement was true and accurate I would just take it as a helpful reminder of the timeframe.

People don't go through the trouble of digging up the particular section number of the specific statute of the specific jurisdiction in question for the mere sake of a generic "helpful reminder of the timeframe" required by law.

And similarly for the "without undue delay" part.

I do. Every day. I provide the citation so you can read the law and if you disagree with my interpretation you can respond saying as much. This is internet outrage mob justice. I understand why people are mad but it’s far more to do with ignorance on the part of the researchers than malice.
The context is important: if you deal with user support (especially in the context of privacy) then someone quoting law at you is a huge red flag for an impending nightmare. I’ve dealt with irate users who actually did go as far as to file lawsuits and the email from this “study” activated my fight or flight response because of how much it (unintentionally?) mirrors the way angry litigious internet users communicate. The only worse phrase to read is “free speech”.
I would guess as an attorney you're more used to that style of communication than a random blogger or small entity. Citing law has very different signaling purpose and effect in different contexts.
That's a very generous assumption. Especially in the context of an email sent under false pretenses and a false name and an anonymous domain.

It's either a veiled threat or a serious error. Either way, this study needed more oversight.

Calls for more oversight are calls for more bureaucratic procedures and this whole situation is already bureaucracy gone mad.
> and this whole situation is already bureaucracy gone mad.

That sounds like you're referring to the CCPA itself as the bureaucracy gone mad, and probably have already made up your mind about what outcomes research like this will find. If so, that's not really a helpful attitude for this kind of discussion.

In this specific situation it doesn’t seem like there was any bureaucracy at all
What world do you live in that regular webmaster inquiry emails are footnoted with a reference to a law number?