Fortunately for all of us, cybersecurity law professor Jeff Kosseff of the U.S. Naval Academy was able to clear the air and point out that this was a very problematic approach.
“I respect everyone involved in the study and understand their goals,” he wrote in a Twitter thread
. “I disagree with this approach to the research. I hope that they reach out to all recipients and inform them this was a study (if they haven’t already) so that the organizations can avoid more costs.”
Jonathan Mayer, the principal investigator of the study, posted an apology on the project’s website, and it’s clear that, from this perspective, the researchers didn’t think that part of the study through:
I have carefully read every single message sent to our research team, and I am dismayed that the emails in our study came across as security risks or legal threats. The intent of our study was to understand privacy practices, not to create a burden on website operators, email system operators, or privacy professionals. I sincerely apologize. I am the senior researcher, and the responsibility is mine.
As a result, they ended the study and apologized.
In a way, this reflects a problem with privacy regulations like CCPA and GDPR. Despite each regulatory structure in effect for a few years at this point, each is susceptible to being pressure-tested by random emails sent from anonymous people that, in cases such as these, could lead to costly and unexpected work just to understand if your organization needs to comply.
Put simply, this email, if your company got it today and it was actually real and not part of some misguided academic study, would be the opposite of a Christmas gift.