- NOTE: See recent updates below the original April 2021 post!
The other day, I received the following email:
Subject: Questions About GDPR Data Access Process for [DOMAINNAME]
To Whom It May Concern:My name is [REDACTED], and I am a resident of Roanoke, Virginia. I have a few questions about your process for responding to General Data Protection Regulation (GDPR) data access requests:
- Would you process a GDPR data access request from me even though I am not a resident of the European Union?
- Do you process GDPR data access requests via email, a website, or telephone? If via a website, what is the URL I should go to?
- What personal information do I have to submit for you to verify and process a GDPR data access request?
- What information do you provide in response to a GDPR data access request?
To be clear, I am not submitting a data access request at this time. My questions are about your process for when I do submit a request.
Thank you in advance for your answers to these questions. If there is a better contact for processing GDPR requests regarding [DOMAINNAME], I kindly ask that you forward my request to them.
I look forward to your reply without undue delay and at most within one month of this email, as required by Article 12 of GDPR.
Sincerely,
[REDACTED]
It’s a confusing email, but as it turns out, one received by many other website owners. In fact, there’s a thread about it on Reddit.
GDPR deals with processing personally identifiable information. Non-compliance can lead to stiff fines. It even applies to companies outside the EU if they process personal data of EU residents.
If you get a request regarding personally identifiable information from a EU resident, you will need to answer promptly or you can face fines. However, no such requirement exists under GDPR regarding data of individuals outside the EU.
I don’t know what the intention of the sender of this email email is, but I have my suspicions.
The email was sent from an address at “potomacmail.com”, a recently registered domain (2020-03-02). It was sent from an Amazon EC2 host (52.23.113.96). The HTML portion of the email contains an image reference to a single pixel “web bug”, an image loaded from the potomacmail.com website that will cause the IP address of the browser to be logged on that server when you open the email with a web client that doesn’t automatically block images from untrusted senders:
https://potomacmail.com/p.png?req=GDPR&target=1234
The URI contains a unique value (it was something other than 1234 in my case) that presumably identifies the recipient of the email. In other words, the senders of this email themselves collect personally identifiable information which, if the recipient happens to be in the EU, is subject to GDPR and its potential fines.
UPDATE (2021-12-11)
There is a similar spam e-mail going around recently, with almost identical wording but mentioning the California Consumer Privacy Act (CCPA) instead of the European GDPR:
Subject: Questions About CCPA Data Access Process for [DOMAINNAME]
To Whom It May Concern:
My name is [REDACTED], and I am a resident of San Francisco, California. I have a few questions about your process for responding to California Consumer Privacy Act (CCPA) data access requests:
1. Do you process CCPA data access requests via email, a website, or telephone? If via a website, what is the URL I should go to?
2. What personal information do I have to submit for you to verify and process a CCPA data access request?
3. What information do you provide in response to a CCPA data access request?To be clear, I am not submitting a data access request at this time. My questions are about your process for when I do submit a request.
(…)
This email was sent from an address at “yosemitemail.com”, a domain registered on 2020-03-02 with the same registrar at the exact same time as the “potomacmail.com” domain used in the GDPR variant of this spam:
Domain Name: YOSEMITEMAIL.COM
Registry Domain ID: 2498859495_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated Date: 2021-03-08T03:30:04Z
Creation Date: 2020-03-02T02:15:46Z
Registry Expiry Date: 2022-03-02T02:15:46Z
Registrar: NameCheap, Inc.Domain Name: POTOMACMAIL.COM
Registry Domain ID: 2498859494_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated Date: 2021-03-03T22:25:43Z
Creation Date: 2020-03-02T02:15:46Z
Registry Expiry Date: 2022-03-02T02:15:46Z
Registrar: NameCheap, Inc.
As you can see, the creation time is the exact same, down to the second and the Domain IDs of the two domains are actually consecutive. Both sender domains were obviously created by the same registrant who uses them for the same purpose.
As far as I can tell, whether you are in California or outside, you are under no obligation to reply to this email. I would not advise replying to it.
UPDATE (2021-12-13)
The GDPR mails sent in the name of a person in Russia are sent from a domain registered via a different registrar about one month after the other two domains:
domain: NOVATORMAIL.RU
nserver: ns1crv.name.com.
nserver: ns2ckr.name.com.
nserver: ns3cjl.name.com.
nserver: ns4fpy.name.com.
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: RU-CENTER-RU
admin-contact: https://www.nic.ru/whois
created: 2020-04-06T05:35:06Z
paid-till: 2022-04-06T05:35:06Z
free-date: 2022-05-07
source: TCI
Another domain used for sender addresses is “envoiemail.fr” which was registered a day after “yosemitemail.com” and “potomacmail.com”
domain: envoiemail.fr
status: ACTIVE
hold: NO
holder-c: ANO00-FRNIC
admin-c: ANO00-FRNIC
tech-c: RT12727-FRNIC
zone-c: NFC1-FRNIC
nsl-id: NSL82816-FRNIC
registrar: 1API GmbH
Expiry Date: 2022-03-03T20:45:06Z
created: 2021-03-03T20:45:06Z
last-update: 2021-03-03T20:45:07Z
source: FRNIC
All four domains have their email hosted at Google. That is not unusual, lots of domains use Gmail for mail hosting these days. It is still worth pointing out though.
POTOMACMAIL.COM. 3600 IN MX 1 aspmx.l.google.COM.
POTOMACMAIL.COM. 3600 IN MX 10 alt3.aspmx.l.google.COM.
POTOMACMAIL.COM. 3600 IN MX 10 alt4.aspmx.l.google.COM.
POTOMACMAIL.COM. 3600 IN MX 5 alt1.aspmx.l.google.COM.
POTOMACMAIL.COM. 3600 IN MX 5 alt2.aspmx.l.google.COM.YOSEMITEMAIL.COM. 1799 IN MX 1 aspmx.l.google.COM.
YOSEMITEMAIL.COM. 1799 IN MX 10 alt3.aspmx.l.google.COM.
YOSEMITEMAIL.COM. 1799 IN MX 10 alt4.aspmx.l.google.COM.
YOSEMITEMAIL.COM. 1799 IN MX 5 alt1.aspmx.l.google.COM.
YOSEMITEMAIL.COM. 1799 IN MX 5 alt2.aspmx.l.google.COM.NOVATORMAIL.RU. 300 IN MX 5 alt1.aspmx.l.google.com.
NOVATORMAIL.RU. 300 IN MX 5 alt2.aspmx.l.google.com.
NOVATORMAIL.RU. 300 IN MX 10 alt3.aspmx.l.google.com.
NOVATORMAIL.RU. 300 IN MX 10 alt4.aspmx.l.google.com.
NOVATORMAIL.RU. 300 IN MX 1 aspmx.l.google.com.envoiemail.fr. 1799 IN MX 10 alt3.aspmx.l.google.com.
envoiemail.fr. 1799 IN MX 10 alt4.aspmx.l.google.com.
envoiemail.fr. 1799 IN MX 5 alt1.aspmx.l.google.com.
envoiemail.fr. 1799 IN MX 5 alt2.aspmx.l.google.com.
envoiemail.fr. 1799 IN MX 1 aspmx.l.google.com.
I am told the GDPR reply period of one month under Article 12 of GDPR only applies to data access requests, which the email specifically clarifies this is not.
UPDATE (2021-12-15)
It turns out that these deceptive emails using fake identities were sent out by a researcher at Princeton University as part of a study into how website operators implement GDPR and CCPA. In the most recent mails to website operators, the senders are now disclosing their background instead of using fake identities.
These GDPR and CCPA emails created great anxiety amongst the recipients (nobody wants to pay huge fines) and that should have been clear to the senders from the very beginning, yet they went ahead and spammed us as if we were human guinea pigs.
Even if somehow it wasn’t clear to them in the beginning, public blog posts and forum discussions after the April spam run should soon have shown them that this wasn’t going to end well. Why did they continue with the same mode of operation more than half a year later? And why did their university let them do that?
Normally I would expect to be able to easily distinguish between online scams and academic research but I guess, not any more. We are living in strange times.