DSAR probing ‘attack’ from Princeton researchers
Over the course of the week, most of our clients, across disparate industries, have received some form of a templated DSAR probing message purporting to come from real data subjects.
The messages all follow a template like the following:
To Whom It May Concern:
My name is [Random Name], and I am a resident of [Random Location, often outside of the territorial jurisdiction of the referenced law]. I have a few questions about your process for responding to [Either CCPA or GDPR] data access requests:
1. Do you process [CCPA or GDPR] data access requests via email, a website, or telephone? If via a website, what is the URL I should go to?
2. What personal information do I have to submit for you to verify and process a [CCPA or GDPR] data access request? In particular, are there specific cookie values I should submit?
3. What information do you provide in response to a [CCPA or GDPR] data access request? In particular, would you provide records of my activity on websites other than your own?
To be clear, I am not submitting a data access request at this time. My questions are about your process for when I do submit a request.
Thank you in advance for your answers to these questions. If there is a better contact for processing [CCPA or GDPR] requests regarding [Some URL, often not associated with the receiving company], I kindly ask that you forward my request to them.
I look forward to your reply without undue delay and at most within [45 days or 1 month], as required by [CCPA or GDPR legal reference].
For several days, privacy offices were quite confused by these messages, burning cycles and in some cases legal fees trying to work out what legal obligations, if any, they had to respond to a ‘DSAR’ that (a) was not actually a DSAR, despite citing legal provisions and mandatory response windows; and (b) often came from a purported data subject stating up front that they were not located in a jurisdiction covered by either the CCPA or the GDPR.
Eventually, these requests were linked to a Princeton research group (the ‘Princeton-Radboud Study on Privacy Law Implementation’), which claimed the project on a public page. One of the lead names behind the project will be familiar to veterans of the Do Not Track discussions from ten years ago: Jonathan Mayer.
The project appears to use scanning and automation to identify public DSAR channels and privacy contacts on websites, then picks essentially random combinations of made-up names and locations as a pretext for gathering information about the target’s DSAR process.
These DSARs are all sent from one of the following email domains:
To begin with, *fake* DSARs, even if they purport to be sent from the appropriate jurisdiction, do not enjoy the legal status of true DSARs under the CCPA or GDPR, and companies are free to use their own good sense to address the inquiry (or not).
As a person working in the privacy community, it is beyond frustrating that small teams can drain the resources of thousands of professionals around the world for the purpose of their own research. Because of inquiries like these, many companies are viewing their DSAR channels as ‘attack vectors.’ DSARs are a critical method for resolving actual data subject inquiries, but they are abused on the regular and I fear this is only increasing over time. At some point, the cost of supporting DSAR channels and screening out fake DSARs might actually become unsustainable. This particular project is also producing a bit of a backlash with Princeton.
If you have received one of these inquiries through your DSAR channel, we recommend that you first check whether the domain referenced has anything to do with your company. If it does not, feel free to say so clearly in a very brief response. If the domain does match, you might respond with simple answers to the general process questions the email poses, or refer the sender to a section of your site that addresses them.
Without creating unnecessary conflict, try to respond in good faith. But protect those cycles! There is actually important privacy work to be done. ;0)
PS: These novel uses of the DSAR process also remind us of the startups that have built commercial services to automate wide scale DSAR triggering (especially PrivacyBee and Revoke). This discussion from earlier in 2021 on the IAPP site includes an excellent breakdown of the related compliance considerations.
Update Monday December 20:
The ‘Principal Investigator’ (Jonathan Mayer) behind the ‘Princeton-Radboud Study’ has come under considerable fire, and issued a formal apology over the weekend with a pledge to learn from the experience:
The project website has been updated with additional information about the goals of the study, and, perhaps most helpful for the companies hit with these inquiries, an actual request to ignore them:
If you received an email message from one of the domains listed below, please disregard it.
For perhaps the first time, we are seeing abuses of the DSAR system result in negative impact for the culprits.
How … refreshing?
We amend our advice from last week: companies should no longer feel any obligation to dignify these inquiries with a response.
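As an added example (not code from the original post, the Princeton-Radboud study, or any vendor mentioned here), the triage step recommended last week and the amended advice above can be folded into one small mail-filtering script: recognise the probe template by its distinctive phrases, pull out the statute cited and the domain the sender “refers” to, check that domain against the company’s own, and flag anything from the study’s listed sender domains for disregard. The owned domains, the sender-domain list and the sample messages are all invented placeholders; the page’s actual list of sender domains is not reproduced here.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed inputs (hypothetical placeholders, not from the page): the domains the
# receiving company controls, and the sender domains the study asked recipients
# to disregard. The page's own list of sender domains is not reproduced here.
OUR_DOMAINS = {"acme.example"}
STUDY_SENDER_DOMAINS = {"research-probe.example"}

# Phrases from the template that a genuine access request would not contain.
TEMPLATE_MARKERS = (
    "are there specific cookie values i should submit",
    "records of my activity on websites other than your own",
    "i am not submitting a data access request at this time",
)


def sender_domain(msg):
    """Lower-cased domain of the From: address ('' if there is none)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def referenced_domain(body):
    """Host named after 'requests regarding', given as a URL or bare domain, or None."""
    m = re.search(r"requests regarding\s+(\S+)", body, re.IGNORECASE)
    if not m:
        return None
    target = m.group(1).rstrip(",.;")
    if "://" not in target:
        target = "//" + target  # make urlparse treat a bare domain as a netloc
    host = urlparse(target).hostname
    return host.lower() if host else None


def is_owned(host):
    """True if host is one of our domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in OUR_DOMAINS)


def cited_laws(body):
    """Sorted list of statutes the message names, e.g. ['GDPR']."""
    return sorted(law for law in ("CCPA", "GDPR") if re.search(rf"\b{law}\b", body))


def is_template_probe(body):
    """True when at least two of the template's distinctive phrases appear."""
    text = " ".join(body.split()).lower()
    return sum(marker in text for marker in TEMPLATE_MARKERS) >= 2


def plain_text_body(msg):
    """Concatenate the text/plain parts (or the single body) of a parsed message."""
    if not msg.is_multipart():
        return msg.get_payload()
    return "\n".join(
        part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        for part in msg.walk() if part.get_content_type() == "text/plain"
    )


def triage(raw_message):
    """Return (verdict, details) for one inbound message.

    Verdicts are routing hints for the privacy office, never an auto-delete:
    anything not positively recognised as the probe goes to normal DSAR intake.
    """
    msg = message_from_string(raw_message)
    body = plain_text_body(msg)
    details = {
        "sender_domain": sender_domain(msg),
        "referenced_domain": referenced_domain(body),
        "laws_cited": cited_laws(body),
        "is_template": is_template_probe(body),
    }
    if details["sender_domain"] in STUDY_SENDER_DOMAINS:
        return "DISREGARD", details  # the study's own updated request
    if not details["is_template"]:
        return "INTAKE", details  # treat as a possible real DSAR
    ref = details["referenced_domain"]
    if ref is None or not is_owned(ref):
        return "REPLY_NOT_OUR_DOMAIN", details  # one-line reply: not us
    return "REPLY_PROCESS_POINTER", details  # point at the published process page


# Constructed samples in the shape of the template; names, addresses and URLs are invented.
PROBE_UNRELATED = """From: Alex Example <alex@unknown-sender.example>
Subject: Questions about your GDPR data access request process

My name is Alex Example, and I am a resident of Sydney, Australia. I have a few
questions about your process for responding to GDPR data access requests. In
particular, are there specific cookie values I should submit? Would you provide
records of my activity on websites other than your own?
To be clear, I am not submitting a data access request at this time.
If there is a better contact for processing GDPR requests regarding
https://www.othercorp.example/privacy, I kindly ask that you forward my request.
"""
PROBE_FROM_STUDY = PROBE_UNRELATED.replace("unknown-sender.example", "research-probe.example")
PROBE_OWN_DOMAIN = PROBE_UNRELATED.replace("https://www.othercorp.example/privacy", "shop.acme.example")
REAL_REQUEST = """From: Dana Example <dana@mail.example>
Subject: CCPA request to know

Please provide the categories and specific pieces of personal information you
hold about me under the CCPA. My account email is dana@mail.example.
"""

if __name__ == "__main__":
    for name, raw in [("unrelated", PROBE_UNRELATED), ("study", PROBE_FROM_STUDY),
                      ("own", PROBE_OWN_DOMAIN), ("real", REAL_REQUEST)]:
        print(name, *triage(raw))
```

The filter only ever routes; it never discards. A message it cannot positively match to the template still lands in DSAR intake, because the cost of misclassifying a genuine request (a missed statutory deadline) is far higher than the cost of a human glancing at one more probe.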