Princeton study tricked small websites into thinking they could be sued by a Russian organization

A couple of weeks ago, Ernie Smith, author of the excellent Tedium newsletter, received an alarming email from someone in Russia named Maya Mishina.

"The email was worded as if a lawsuit was hitting my door in a few months," wrote Smith.

It read:

To Whom It May Concern:

My name Maya Mishina, and I am a resident of Novosibirsk, Russia. I have a few questions about your process for responding to California Consumer Privacy Act (CCPA) data access requests:

1. Would you process a CCPA data access request from me even though I am not a resident of California?

2. Do you process CCPA data access requests via email, a website, or telephone? If via a website, what is the URL I should go to?

3. What personal information do I have to submit for you to verify and process a CCPA data access request?

4. What information do you provide in response to a CCPA data access request?

To be clear, I am not submitting a data access request at this time. My questions are about your process for when I do submit a request.

Thank you in advance for your answers to these questions. If there is a better contact for processing CCPA requests regarding, I kindly ask that you forward my request to them.

I look forward to your reply without undue delay and at most within 45 days of this email, as required by Section 1798.130 of the California Civil Code.

Maya Mishina

Smith says he poked around the internet to learn more about Maya Mishina and her request for a "reply without undue delayas required by Section 1798.130 of the California Civil Code." The only search results were from others "wondering why they got this email." Smith wrote off the email as an "exotic kind of spam, or a phishing attempt of sorts."

It turns out that the email is even more bizarre than either of those. It was sent by researchers at Princeton University to scare/threat website and newsletter publishers into finding how they were complying with the CCPA. Smaller websites (ones that don't make tens of millions of dollars) are exempt from CCPA but many don't know this and may have incurred significant legal expenses to provide answers to the fictional Maya Mishina's requests. Larger companies might have viewed this email as a security threat, triggering costly countermeasures.

When Jeff Kosseff, a cybersecurity law professor at the U.S. Naval Academy found out about the study he posted a highly critical Twitter thread. He wrote, in part:

The email asks questions that demonstrate why CCPA is so confusing, but then places the burden on unsuspecting website operators — many of whom are operating on a shoestring budget during a pandemic — to spend money and time to figure it out, while failing to identify that this is a study. I've practiced privacy law for more than a decade, and the responses would require me to do some research and put some time into it. I understand the value in "secret shopper" type research, but this is different because many businesses will need to turn to outside counsel and their costly billable hours to come up with a response. They have no idea they're taking part in a study, and they just want to avoid getting a letter from the California AG.

The principal investigator of the study, Jonathan Mayer, has since issued an apology about the way the privacy rights study was conducted:

Many comments to Mayer's tweet seem to indicate that his apology for the misleading and threatening email is not enough: