xesite/blog/princeton-study-2021-12-17....

154 lines
7.3 KiB
Markdown
Raw Permalink Normal View History

---
title: I Was Part of a Human Subject Research Study Without My Consent
date: 2021-12-17
author: ectamorph
---
[Note for the readers, I usually try to do one post per week. This is not that
post this week. I am just frustrated by being used as a human subject in a
Princeton study without my consent. If you are ever in a position to be doing
this kind of survey, please don't send legal threats around
recklessly.](conversation://Cadey/coffee)
This is a response to [CCPA Scam November
2021](https://blog.freeradical.zone/post/ccpa-scam-2021-12/) from the
[freeradical.zone](https://blog.freeradical.zone/) blog. On or about 2021-12-11
11:29 PM I got an email from [Maya Mishina](mailto:mayamishina@novatormail.ru)
with the following contents:
> To Whom It May Concern:
>
> My name is Maya Mishina, and I am a resident of Novosibirsk, Russia. I have a
> few questions about your process for responding to California Consumer Privacy
> Act (CCPA) data access requests:
>
> 1. Would you process a CCPA data access request from me even though I am not a
> resident of California?
> 2. Do you process CCPA data access requests via email, a website, or
> telephone? If via a website, what is the URL I should go to?
> 3. What personal information do I have to submit for you to verify and process
> a CCPA data access request?
> 4. What information do you provide in response to a CCPA data access request?
>
> To be clear, I am not submitting a data access request at this time. My
> questions are about your process for when I do submit a request.
>
> Thank you in advance for your answers to these questions. If there is a better
> contact for processing CCPA requests regarding christine.website, I kindly ask
> that you forward my request to them.
>
> I look forward to your reply without undue delay and at most within 45 days of
> this email, as required by Section 1798.130 of the California Civil Code.
>
> Sincerely,
>
> Maya Mishina
This scared the shit out of me. My blog is a passion project that I do as a way
to get better at writing. I almost contacted a lawyer. This should probably have
stood out as suspect to me, however I am a believer that people have a right to
privacy and that they should be able to be forgotten.
I go out of my way to ensure that this website handles as little user data as
possible. I have gone so far to do this that the only unique identifiers I deal
with are IP addresses, but even then only a tiny fraction of those IP addresses
even get to my server because I use Cloudflare for caching. I probably need to
set up some kind of proper log rotation in my server, but right now there are
only three things collected by my site:
1. If you are a patron to my site, your name shows up on [/patrons](/patrons).
This queries the Patreon API to get the display name that you configured in
your account and is refreshed every time the site restarts.
2. If you send me a [Webmention](https://en.wikipedia.org/wiki/Webmention), they
will be shown on the footer of the website. They are stored in a SQLite
database on the same server. I can remove entries from that table upon
request.
3. Your IP address is recorded in `/var/log/nginx/xesite.access.log` in common
log format on my server which is located in the Netherlands. Here is an
example of what this looks like:
```
127.0.0.1 - - [18/Dec/2021:04:04:57 +0000] "GET /security.txt HTTP/1.1" 404 2110 "-" "Go-http-client/2.0"
```
No other data is stored. Any intermediate things in the system journal disappear
after an hour or two because my journal is limited to 512 MB and my services are
chatty.
Here is what the application logged for that request:
```
Dec 18 04:04:57 lufta xesite-start[2121878]: 2021-12-18T04:04:57.585717Z INFO xesite/2.3.0: - "GET /security.txt HTTP/1.1" 404 "-" "Go-http-client/2.0" 12.474µs
```
It is literally the bare minimum that I can get away with.
[Wanna know why there's no comments on this blog? I don't want to have to deal
with storing user data and doing moderation!](conversation://Cadey/coffee)
I probably should have consulted a lawyer before drafting this, but here is what
I replied with:
> Hello,
>
> 1. I can process a CCPA data access request even for people that are not
> residents of California.
> 2. My website does not collect personal information, but emailing either
> me@christine.website or privacy@xeserv.us would be the correct action.
> 3. My website does not collect personal information, including IP
> addresses. I keep track of hit counts via CloudFlare analytics, but as
> far as I know there is no way for me to collect information about a
> single subject (all I see is aggregate anonymized data). I guess if you
> give me a public IP address I can dig through the system logs to see if
> anything pops up.
> 4. I would provide relevant request logs provided they exist. That is
> the only information that I could provide and I would be willing to
> provide it in the industry standard plaintext log format.
>
> Please keep in mind this is a blog run by a single person as a passion
> project to get better at writing. As it is not a corporate endeavor, I
> don't believe that I need to provide this information at all. However I
> am willing to search the logs folder to see if anything is there.
>
> Please let me know which IP addresses to look up and I will do my best
> to get you that information as fast as possible.
>
> Thanks and be well,
>
> Xe
I should have expected this to be a human research study after the [University
of Minnesota
disaster](https://www.theverge.com/2021/4/30/22410164/linux-kernel-university-of-minnesota-banned-open-source).
Overall, I am disappointed in this. I want to have a positive outlook on
humanity. I want to be able to trust that requests to be forgotten are
legitimate. I am going to have a harder time doing that now.
In case you actually do want to make a GDPR/CCPA request, here is the process
and the rough steps I will take:
- I will need your Twitter username and any links listed on the Webmentions
section of any article on my blog if you want those removed. I will require
you to either tweet a magic phrase and email me a link to it, a DNS TXT
record on the domain or for you to upload an arbitrary string to a path on
your server. These processes will help me confirm that you are the person who
wants the information. Send me an email to `privacy@xeserv.us`. If you want
access logs deleted, please let me know what IP addresses to delete and I
will see what I can do.
- I will prepare a `.zip` file that will contain the following:
- The email conversation in the industry-standard `.eml` format.
- Any SQLite rows from my Webmention service in `.csv` format.
- Any request logs from nginx in `.log` format.
- This may take up to a week or two. I am only one person and I have a job.
This blog is not my primary source of income.
I do not have to offer this service. I am not a business. I am a single person
that wants to get better at writing. Please do not include wording that gives me
the impression that you are making a legal threat. I know you are allowed to,
but it scares the shit out of me when you do that and will make me put your
request at the end of the list.
tl;dr: I got phished by trying to be a good netizen. Don't fall for [this
scam](https://privacystudy.cs.princeton.edu/).