I Was Part of a Human Subject Research Study Without My Consent
<Cadey> Note for the readers, I usually try to do one post per week. This is not that
post this week. I am just frustrated by being used as a human subject in a
Princeton study without my consent. If you are ever in a position to be doing
this kind of survey, please don't send legal threats around
My name is Maya Mishina, and I am a resident of Novosibirsk, Russia. I have a
few questions about your process for responding to California Consumer Privacy
Act (CCPA) data access requests:
1. Would you process a CCPA data access request from me even though I am not a
   resident of California?
2. Do you process CCPA data access requests via email, a website, or
   telephone? If via a website, what is the URL I should go to?
3. What personal information do I have to submit for you to verify and process
   a CCPA data access request?
4. What information do you provide in response to a CCPA data access request?
To be clear, I am not submitting a data access request at this time. My
questions are about your process for when I do submit a request.
Thank you in advance for your answers to these questions. If there is a better
contact for processing CCPA requests regarding christine.website, I kindly ask
that you forward my request to them.
I look forward to your reply without undue delay and at most within 45 days of
this email, as required by Section 1798.130 of the California Civil Code.
This scared the shit out of me. My blog is a passion project that I do as a way
to get better at writing. I almost contacted a lawyer. This should probably have
stood out as suspect to me; however, I am a believer that people have a right to
privacy and that they should be able to be forgotten.
I go out of my way to ensure that this website handles as little user data as
possible. I have gone so far to do this that the only unique identifiers I deal
with are IP addresses, but even then only a tiny fraction of those IP addresses
even get to my server because I use Cloudflare for caching. I probably need to
set up some kind of proper log rotation in my server, but right now there are
only three things collected by my site:
If you are a patron to my site, your name shows up on /patrons.
This queries the Patreon API to get the display name that you configured in
your account and is refreshed every time the site restarts.
If you send me a Webmention, they
will be shown on the footer of the website. They are stored in a SQLite
database on the same server. I can remove entries from that table upon
Your IP address is recorded in /var/log/nginx/xesite.access.log in common
log format on my server which is located in the Netherlands. Here is an
example of what this looks like:
My website does not collect personal information, including IP
addresses. I keep track of hit counts via CloudFlare analytics, but as
far as I know there is no way for me to collect information about a
single subject (all I see is aggregate anonymized data). I guess if you
give me a public IP address I can dig through the system logs to see if
anything pops up.
4. I would provide relevant request logs provided they exist. That is
the only information that I could provide and I would be willing to
provide it in the industry standard plaintext log format.
Please keep in mind this is a blog run by a single person as a passion
project to get better at writing. As it is not a corporate endeavor, I
don't believe that I need to provide this information at all. However I
am willing to search the logs folder to see if anything is there.
Please let me know which IP addresses to look up and I will do my best
to get you that information as fast as possible.
Overall, I am disappointed in this. I want to have a positive outlook on
humanity. I want to be able to trust that requests to be forgotten are
legitimate. I am going to have a harder time doing that now.
In case you actually do want to make a GDPR/CCPA request, here is the process
and the rough steps I will take:
1. I will need your Twitter username and any links listed on the Webmentions
   section of any article on my blog if you want those removed. I will require
   you to either tweet a magic phrase and email me a link to it, a DNS TXT
   record on the domain or for you to upload an arbitrary string to a path on
   your server. These processes will help me confirm that you are the person who
   wants the information. Send me an email to [email protected]. If you want
   access logs deleted, please let me know what IP addresses to delete and I
   will see what I can do.
2. I will prepare a .zip file that will contain the following:
   - The email conversation in the industry-standard .eml format.
   - Any SQLite rows from my Webmention service in .csv format.
   - Any request logs from nginx in .log format.
3. This may take up to a week or two. I am only one person and I have a job.
   This blog is not my primary source of income.
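As an added illustration (not the author's own tooling), here is one way to pull a requester's lines out of an access log for the .log part of that bundle, or to find the lines to delete. The sample log lines and function names are constructed for this example, and it assumes the first field of each line is the client address; matching on the parsed address instead of a substring keeps another visitor's lines out of the export.

```python
import io
import ipaddress
import zipfile

# Constructed sample in common log format (documentation-range addresses,
# not real visitors). Line 2 shares a prefix with the requested address and
# line 3 only mentions it in the URL; neither belongs to the requester.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Dec/2021:10:00:01 +0000] "GET /blog HTTP/1.1" 200 5120
203.0.113.70 - - [17/Dec/2021:10:00:02 +0000] "GET /patrons HTTP/1.1" 200 900
198.51.100.9 - - [17/Dec/2021:10:00:03 +0000] "GET /?ip=203.0.113.7 HTTP/1.1" 200 300
2001:db8::1 - - [17/Dec/2021:10:00:04 +0000] "GET / HTTP/1.1" 200 300
not a log line
"""


def parse_requested(addresses):
    """Normalise the addresses named in the request; ValueError if not an IP."""
    return {ipaddress.ip_address(a.strip()) for a in addresses}


def matching_lines(log_text, addresses):
    """Return the log lines whose client field equals a requested address."""
    wanted = parse_requested(addresses)
    hits = []
    for line in log_text.splitlines():
        host = line.split(" ", 1)[0]  # assumption: client address is field 1
        try:
            client = ipaddress.ip_address(host)
        except ValueError:
            continue  # malformed or empty line
        if client in wanted:  # compares parsed values, so IPv6 spellings agree
            hits.append(line)
    return hits


def build_export(log_text, addresses, name="requests.log"):
    """Return the bytes of a .zip holding only the requester's log lines."""
    body = "".join(line + "\n" for line in matching_lines(log_text, addresses))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    print("\n".join(matching_lines(SAMPLE_LOG, ["203.0.113.7"])))
```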
I do not have to offer this service. I am not a business. I am a single person
that wants to get better at writing. Please do not include wording that gives me
the impression that you are making a legal threat. I know you are allowed to,
but it scares the shit out of me when you do that and will make me put your
request at the end of the list.
tl;dr: I got phished by trying to be a good netizen. Don't fall for this
This article was posted on M12 17 2021. Facts and circumstances may have changed since publication. Please contact me before jumping to conclusions if something seems wrong or unclear.