Cadey is coffee
<Cadey> Hello! Thank you for visiting my website. You seem to be using an ad-blocker. I understand why you do this, but I'd really appreciate if it you would turn it off for my website. These ads help pay for running the website and are done by Ethical Ads. I do not receive detailed analytics on the ads and from what I understand neither does Ethical Ads. If you don't want to disable your ad blocker, please consider donating on Patreon or sending some extra cash to xeiaso.eth or 0xeA223Ca8968Ca59e0Bc79Ba331c2F6f636A3fB82. It helps fund the website's hosting bills and pay for the expensive technical editor that I use for my longer articles. Thanks and be well!

I Was Part of a Human Subject Research Study Without My Consent

Read time in minutes: 8

Cadey is coffee
<Cadey> Note for the readers, I usually try to do one post per week. This is not that post this week. I am just frustrated by being used as a human subject in a Princeton study without my consent. If you are ever in a position to be doing this kind of survey, please don't send legal threats around recklessly.

This is a response to CCPA Scam November 2021 from the freeradical.zone blog. On or about 2021-12-11 11:29 PM I got an email from Maya Mishina with the following contents:

To Whom It May Concern:

My name is Maya Mishina, and I am a resident of Novosibirsk, Russia. I have a few questions about your process for responding to California Consumer Privacy Act (CCPA) data access requests:

  1. Would you process a CCPA data access request from me even though I am not a resident of California?
  2. Do you process CCPA data access requests via email, a website, or telephone? If via a website, what is the URL I should go to?
  3. What personal information do I have to submit for you to verify and process a CCPA data access request?
  4. What information do you provide in response to a CCPA data access request?

To be clear, I am not submitting a data access request at this time. My questions are about your process for when I do submit a request.

Thank you in advance for your answers to these questions. If there is a better contact for processing CCPA requests regarding christine.website, I kindly ask that you forward my request to them.

I look forward to your reply without undue delay and at most within 45 days of this email, as required by Section 1798.130 of the California Civil Code.

Sincerely,

Maya Mishina

This scared the shit out of me. My blog is a passion project that I do as a way to get better at writing. I almost contacted a lawyer. This should probably have stood out as suspect to me, however I am a believer that people have a right to privacy and that they should be able to be forgotten.

I go out of my way to ensure that this website handles as little user data as possible. I have gone so far to do this that the only unique identifiers I deal with are IP addresses, but even then only a tiny fraction of those IP addresses even get to my server because I use Cloudflare for caching. I probably need to set up some kind of proper log rotation in my server, but right now there are only three things collected by my site:

  1. If you are a patron to my site, your name shows up on /patrons. This queries the Patreon API to get the display name that you configured in your account and is refreshed every time the site restarts.
  2. If you send me a Webmention, they will be shown on the footer of the website. They are stored in a SQLite database on the same server. I can remove entries from that table upon request.
  3. Your IP address is recorded in /var/log/nginx/xesite.access.log in common log format on my server which is located in the Netherlands. Here is an example of what this looks like:

127.0.0.1 - - [18/Dec/2021:04:04:57 +0000] "GET /security.txt HTTP/1.1" 404 2110 "-" "Go-http-client/2.0"

No other data is stored. Any intermediate things in the system journal disappear after an hour or two because my journal is limited to 512 MB and my services are chatty.

Here is what the application logged for that request:


Dec 18 04:04:57 lufta xesite-start[2121878]: 2021-12-18T04:04:57.585717Z  INFO xesite/2.3.0: - "GET /security.txt HTTP/1.1" 404 "-" "Go-http-client/2.0" 12.474┬Ás

It is literally the bare minimum that I can get away with.

Cadey is coffee
<Cadey> Wanna know why there's no comments on this blog? I don't want to have to deal with storing user data and doing moderation!

I probably should have consulted a lawyer before drafting this, but here is what I replied with:

Hello,

  1. I can process a CCPA data access request even for people that are not residents of California.
  2. My website does not collect personal information, but emailing either me@christine.website or privacy@xeserv.us would be the correct action.
  3. My website does not collect personal information, including IP addresses. I keep track of hit counts via CloudFlare analytics, but as far as I know there is no way for me to collect information about a single subject (all I see is aggregate anonymized data). I guess if you give me a public IP address I can dig through the system logs to see if anything pops up. 4. I would provide relevant request logs provided they exist. That is the only information that I could provide and I would be willing to provide it in the industry standard plaintext log format.

Please keep in mind this is a blog run by a single person as a passion project to get better at writing. As it is not a corporate endeavor, I don't believe that I need to provide this information at all. However I am willing to search the logs folder to see if anything is there.

Please let me know which IP addresses to look up and I will do my best to get you that information as fast as possible.

Thanks and be well,

Xe

I should have expected this to be a human research study after the University of Minnesota disaster.

Overall, I am disappointed in this. I want to have a positive outlook on humanity. I want to be able to trust that requests to be forgotten are legitimate. I am going to have a harder time doing that now.

In case you actually do want to make a GDPR/CCPA request, here is the process and the rough steps I will take:

  • I will need your Twitter username and any links listed on the Webmentions section of any article on my blog if you want those removed. I will require you to either tweet a magic phrase and email me a link to it, a DNS TXT record on the domain or for you to upload an arbitrary string to a path on your server. These processes will help me confirm that you are the person who wants the information. Send me an email to privacy@xeserv.us. If you want access logs deleted, please let me know what IP addresses to delete and I will see what I can do.
  • I will prepare a .zip file that will contain the following:
    • The email conversation in the industry-standard .eml format.
    • Any SQLite rows from my Webmention service in .csv format.
    • Any request logs from nginx in .log format.
  • This may take up to a week or two. I am only one person and I have a job. This blog is not my primary source of income.

I do not have to offer this service. I am not a business. I am a single person that wants to get better at writing. Please do not include wording that gives me the impression that you are making a legal threat. I know you are allowed to, but it scares the shit out of me when you do that and will make me put your request at the end of the list.

tl;dr: I got phished by trying to be a good netizen. Don't fall for this scam.

This article was posted on M12 17 2021. Facts and circumstances may have changed since publication Please contact me before jumping to conclusions if something seems wrong or unclear.

This post was not WebMentioned yet. You could be the first!

The art for Mara was drawn by Selicre.

The art for Cadey was drawn by ArtZorea Studios.