Turns out, Vlad Orlov is a bot.
The supposed "Orlov" and other senders sent emails like the one sent to a website managed by Audrey Eschright, a Portland, Oregon-based writer, community organizer and software engineer. The messages went something like this: “My name is Vlad Orlov, and I am a resident of Moscow, Russia. I have a few questions about your process for responding to General Data Protection Regulation (GDPR) data access requests.”
The problem is, they’re not real, and website admins and small business managers are not happy about them. The emails were sent automatically by a team of researchers at Princeton attempting to learn about how websites respond to requests for data access under Europe’s General Data Protection Regulation and California’s privacy law.
“You have wasted 1000s of hours of people’s time and probably caused thousands of dollars in legal fees. This was a monumental [misjudgment],” U.K. software developer Andy Brice tweeted on Dec. 19. Brice, who runs software consultancy Oryx Digital, added that his friends at other companies also received the automatically generated emails requesting to learn information about how companies process GDPR data access requests and what personal information people need to provide in order to process the requests.
“Where do I send my invoice?” asked Brice rhetorically.
I run a 2 person company and I got 2 of these emails. Lots of my friends in other companies got these emails. You have wasted 1000s of hours of people's time and probably caused thousands of dollars in legal fees. This was a monumental misjudement. Where do I send my invoice?— Andy Brice (@Andy Brice) 1639915546
Now the Princeton-Radboud Study on Privacy Law Implementation — at least in its original, bot-like form — is kaput. Its principal investigator, well-known privacy researcher Jonathan Mayer, said his team stopped sending automated inquiries on Dec. 15.
Mayer issued an apology on a Princeton site associated with the study:
"I have carefully read every single message sent to our research team, and I am dismayed that the emails in our study came across as security risks or legal threats. The intent of our study was to understand privacy practices, not to create a burden on website operators, email system operators, or privacy professionals. I sincerely apologize. I am the senior researcher, and the responsibility is mine."
The project has raised lots of questions and social media discussions around research ethics, why the study passed muster with the Princeton University Institutional Review Board and the obligations of stakeholders when laws create detailed compliance obligations.
For Mayer and other researchers, the project is a learning opportunity. Mayer said his team might send follow-up emails to initial bot-email recipients telling them to disregard the previous automated data access requests. And, he said, “I will use the lessons learned from this experience to write and post a formal research ethics case study” and “I will teach that case study in coursework.”