From 540ae4a3a9735d3f55ebceb1d271e472cd7f950e Mon Sep 17 00:00:00 2001 From: Xe Date: Sat, 18 Dec 2021 00:06:12 -0500 Subject: [PATCH] princeton scam research post Signed-off-by: Xe --- blog/princeton-study-2021-12-17.markdown | 153 +++++++++++++++++++++++ 1 file changed, 153 insertions(+) create mode 100644 blog/princeton-study-2021-12-17.markdown diff --git a/blog/princeton-study-2021-12-17.markdown b/blog/princeton-study-2021-12-17.markdown new file mode 100644 index 0000000..aba2041 --- /dev/null +++ b/blog/princeton-study-2021-12-17.markdown @@ -0,0 +1,153 @@ +--- +title: I Was Part of a Human Subject Research Study Without My Consent +date: 2021-12-17 +author: ectamorph +--- + +[Note for the readers, I usually try to do one post per week. This is not that +post this week. I am just frustrated by being used as a human subject in a +Princeton study without my consent. If you are ever in a position to be doing +this kind of survey, please don't send legal threats around +recklessly.](conversation://Cadey/coffee) + +This is a response to [CCPA Scam November +2021](https://blog.freeradical.zone/post/ccpa-scam-2021-12/) from the +[freeradical.zone](https://blog.freeradical.zone/) blog. On or about 2021-12-11 +11:29 PM I got an email from [Maya Mishina](mailto:mayamishina@novatormail.ru) +with the following contents: + +> To Whom It May Concern: +> +> My name is Maya Mishina, and I am a resident of Novosibirsk, Russia. I have a +> few questions about your process for responding to California Consumer Privacy +> Act (CCPA) data access requests: +> +> 1. Would you process a CCPA data access request from me even though I am not a +> resident of California? +> 2. Do you process CCPA data access requests via email, a website, or +> telephone? If via a website, what is the URL I should go to? +> 3. What personal information do I have to submit for you to verify and process +> a CCPA data access request? +> 4. What information do you provide in response to a CCPA data access request? +> +> To be clear, I am not submitting a data access request at this time. My +> questions are about your process for when I do submit a request. +> +> Thank you in advance for your answers to these questions. If there is a better +> contact for processing CCPA requests regarding christine.website, I kindly ask +> that you forward my request to them. +> +> I look forward to your reply without undue delay and at most within 45 days of +> this email, as required by Section 1798.130 of the California Civil Code. +> +> Sincerely, +> +> Maya Mishina + +This scared the shit out of me. My blog is a passion project that I do as a way +to get better at writing. I almost contacted a lawyer. This should probably have +stood out as suspect to me, however I am a believer that people have a right to +privacy and that they should be able to be forgotten. + +I go out of my way to ensure that this website handles as little user data as +possible. I have gone so far to do this that the only unique identifiers I deal +with are IP addresses, but even then only a tiny fraction of those IP addresses +even get to my server because I use Cloudflare for caching. I probably need to +set up some kind of proper log rotation in my server, but right now there are +only three things collected by my site: + +1. If you are a patron to my site, your name shows up on [/patrons](/patrons). + This queries the Patreon API to get the display name that you configured in + your account and is refreshed every time the site restarts. +2. If you send me a [Webmention](https://en.wikipedia.org/wiki/Webmention), they + will be shown on the footer of the website. They are stored in a SQLite + database on the same server. I can remove entries from that table upon + request. +3. Your IP address is recorded in `/var/log/nginx/xesite.access.log` in common + log format on my server which is located in the Netherlands. Here is an + example of what this looks like: + +``` +127.0.0.1 - - [18/Dec/2021:04:04:57 +0000] "GET /security.txt HTTP/1.1" 404 2110 "-" "Go-http-client/2.0" +``` + +No other data is stored. Any intermediate things in the system journal disappear +after an hour or two because my journal is limited to 512 MB and my services are +chatty. + +Here is what the application logged for that request: + +``` +Dec 18 04:04:57 lufta xesite-start[2121878]: 2021-12-18T04:04:57.585717Z INFO xesite/2.3.0: - "GET /security.txt HTTP/1.1" 404 "-" "Go-http-client/2.0" 12.474µs +``` + +It is literally the bare minimum that I can get away with. + +[Wanna know why there's no comments on this blog? I don't want to have to deal +with storing user data and doing moderation!](conversation://Cadey/coffee) + +I probably should have consulted a lawyer before drafting this, but here is what +I replied with: + +> Hello, +> +> 1. I can process a CCPA data access request even for people that are not +> residents of California. +> 2. My website does not collect personal information, but emailing either +> me@christine.website or privacy@xeserv.us would be the correct action. +> 3. My website does not collect personal information, including IP +> addresses. I keep track of hit counts via CloudFlare analytics, but as +> far as I know there is no way for me to collect information about a +> single subject (all I see is aggregate anonymized data). I guess if you +> give me a public IP address I can dig through the system logs to see if +> anything pops up. +> 4. I would provide relevant request logs provided they exist. That is +> the only information that I could provide and I would be willing to +> provide it in the industry standard plaintext log format. +> +> Please keep in mind this is a blog run by a single person as a passion +> project to get better at writing. As it is not a corporate endeavor, I +> don't believe that I need to provide this information at all. However I +> am willing to search the logs folder to see if anything is there. +> +> Please let me know which IP addresses to look up and I will do my best +> to get you that information as fast as possible. +> +> Thanks and be well, +> +> Xe + +I should have expected this to be a human research study after the [University +of Minnesota +disaster](https://www.theverge.com/2021/4/30/22410164/linux-kernel-university-of-minnesota-banned-open-source). + +Overall, I am disappointed in this. I want to have a positive outlook on +humanity. I want to be able to trust that requests to be forgotten are +legitimate. I am going to have a harder time doing that now. + +In case you actually do want to make a GDPR/CCPA request, here is the process +and the rough steps I will take: + +- I will need your Twitter username and any links listed on the Webmentions + section of any article on my blog if you want those removed. I will require + you to either tweet a magic phrase and email me a link to it, a DNS TXT + record on the domain or for you to upload an arbitrary string to a path on + your server. These processes will help me confirm that you are the person who + wants the information. Send me an email to `privacy@xeserv.us`. If you want + access logs deleted, please let me know what IP addresses to delete and I + will see what I can do. +- I will prepare a `.zip` file that will contain the following: + - The email conversation in the industry-standard `.eml` format. + - Any SQLite rows from my Webmention service in `.csv` format. + - Any request logs from nginx in `.log` format. +- This may take up to a week or two. I am only one person and I have a job. + This blog is not my primary source of income. + +I do not have to offer this service. I am not a business. I am a single person +that wants to get better at writing. Please do not include wording that gives me +the impression that you are making a legal threat. I know you are allowed to, +but it scares the shit out of me when you do that and will make me put your +request at the end of the list. + +tl;dr: I got phished by trying to be a good netizen. Don't fall for [this +scam](https://privacystudy.cs.princeton.edu/).