“Questions About GDPR Data Access Process” Spam from Virginia

  • NOTE: See recent updates below the original April 2021 post!

The other day, I received the following email:

Subject: Questions About GDPR Data Access Process for [DOMAINNAME]
To Whom It May Concern:

My name is [REDACTED], and I am a resident of Roanoke, Virginia. I have a few questions about your process for responding to General Data Protection Regulation (GDPR) data access requests:

  1. Would you process a GDPR data access request from me even though I am not a resident of the European Union?
  2. Do you process GDPR data access requests via email, a website, or telephone? If via a website, what is the URL I should go to?
  3. What personal information do I have to submit for you to verify and process a GDPR data access request?
  4. What information do you provide in response to a GDPR data access request?

To be clear, I am not submitting a data access request at this time. My questions are about your process for when I do submit a request.

Thank you in advance for your answers to these questions. If there is a better contact for processing GDPR requests regarding [DOMAINNAME], I kindly ask that you forward my request to them.

I look forward to your reply without undue delay and at most within one month of this email, as required by Article 12 of GDPR.

Sincerely,

[REDACTED]

It’s a confusing email, but as it turns out, one received by many other website owners. In fact, there’s a thread about it on Reddit.

GDPR deals with processing personally identifiable information. Non-compliance can lead to stiff fines. It even applies to companies outside the EU if they process personal data of EU residents.

If you get a request regarding personally identifiable information from a EU resident, you will need to answer promptly or you can face fines. However, no such requirement exists under GDPR regarding data of individuals outside the EU.

I don’t know what the intention of the sender of this email email is, but I have my suspicions.

The email was sent from an address at “potomacmail.com”, a recently registered domain (2020-03-02). It was sent from an Amazon EC2 host (52.23.113.96). The HTML portion of the email contains an image reference to a single pixel “web bug”, an image loaded from the potomacmail.com website that will cause the IP address of the browser to be logged on that server when you open the email with a web client that doesn’t automatically block images from untrusted senders:

https://potomacmail.com/p.png?req=GDPR&target=1234

The URI contains a unique value (it was something other than 1234 in my case) that presumably identifies the recipient of the email. In other words, the senders of this email themselves collect personally identifiable information which, if the recipient happens to be in the EU, is subject to GDPR and its potential fines.

UPDATE (2021-12-11)
There is a similar spam e-mail going around recently, with almost identical wording but mentioning the California Consumer Privacy Act (CCPA) instead of the European GDPR:

Subject: Questions About CCPA Data Access Process for [DOMAINNAME]

To Whom It May Concern:

My name is [REDACTED], and I am a resident of San Francisco, California. I have a few questions about your process for responding to California Consumer Privacy Act (CCPA) data access requests:

1. Do you process CCPA data access requests via email, a website, or telephone? If via a website, what is the URL I should go to?
2. What personal information do I have to submit for you to verify and process a CCPA data access request?
3. What information do you provide in response to a CCPA data access request?

To be clear, I am not submitting a data access request at this time. My questions are about your process for when I do submit a request.
(…)

This email was sent from an address at “yosemitemail.com”, a domain registered on 2020-03-02 with the same registrar at the exact same time as the “potomacmail.com” domain used in the GDPR variant of this spam:

Domain Name: YOSEMITEMAIL.COM
Registry Domain ID: 2498859495_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated Date: 2021-03-08T03:30:04Z
Creation Date: 2020-03-02T02:15:46Z
Registry Expiry Date: 2022-03-02T02:15:46Z
Registrar: NameCheap, Inc.

Domain Name: POTOMACMAIL.COM
Registry Domain ID: 2498859494_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated Date: 2021-03-03T22:25:43Z
Creation Date: 2020-03-02T02:15:46Z
Registry Expiry Date: 2022-03-02T02:15:46Z
Registrar: NameCheap, Inc.

As you can see, the creation time is the exact same, down to the second and the Domain IDs of the two domains are actually consecutive. Both sender domains were obviously created by the same registrant who uses them for the same purpose.

As far as I can tell, whether you are in California or outside, you are under no obligation to reply to this email. I would not advise replying to it.

UPDATE (2021-12-13)
The GDPR mails sent in the name of a person in Russia are sent from a domain registered via a different registrar about one month after the other two domains:

domain: NOVATORMAIL.RU
nserver: ns1crv.name.com.
nserver: ns2ckr.name.com.
nserver: ns3cjl.name.com.
nserver: ns4fpy.name.com.
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: RU-CENTER-RU
admin-contact: https://www.nic.ru/whois
created: 2020-04-06T05:35:06Z
paid-till: 2022-04-06T05:35:06Z
free-date: 2022-05-07
source: TCI

Another domain used for sender addresses is “envoiemail.fr” which was registered a day after “yosemitemail.com” and “potomacmail.com”

domain: envoiemail.fr
status: ACTIVE
hold: NO
holder-c: ANO00-FRNIC
admin-c: ANO00-FRNIC
tech-c: RT12727-FRNIC
zone-c: NFC1-FRNIC
nsl-id: NSL82816-FRNIC
registrar: 1API GmbH
Expiry Date: 2022-03-03T20:45:06Z
created: 2021-03-03T20:45:06Z
last-update: 2021-03-03T20:45:07Z
source: FRNIC

All four domains have their email hosted at Google. That is not unusual, lots of domains use Gmail for mail hosting these days. It is still worth pointing out though.

POTOMACMAIL.COM. 3600 IN MX 1 aspmx.l.google.COM.
POTOMACMAIL.COM. 3600 IN MX 10 alt3.aspmx.l.google.COM.
POTOMACMAIL.COM. 3600 IN MX 10 alt4.aspmx.l.google.COM.
POTOMACMAIL.COM. 3600 IN MX 5 alt1.aspmx.l.google.COM.
POTOMACMAIL.COM. 3600 IN MX 5 alt2.aspmx.l.google.COM.

YOSEMITEMAIL.COM. 1799 IN MX 1 aspmx.l.google.COM.
YOSEMITEMAIL.COM. 1799 IN MX 10 alt3.aspmx.l.google.COM.
YOSEMITEMAIL.COM. 1799 IN MX 10 alt4.aspmx.l.google.COM.
YOSEMITEMAIL.COM. 1799 IN MX 5 alt1.aspmx.l.google.COM.
YOSEMITEMAIL.COM. 1799 IN MX 5 alt2.aspmx.l.google.COM.

NOVATORMAIL.RU. 300 IN MX 5 alt1.aspmx.l.google.com.
NOVATORMAIL.RU. 300 IN MX 5 alt2.aspmx.l.google.com.
NOVATORMAIL.RU. 300 IN MX 10 alt3.aspmx.l.google.com.
NOVATORMAIL.RU. 300 IN MX 10 alt4.aspmx.l.google.com.
NOVATORMAIL.RU. 300 IN MX 1 aspmx.l.google.com.

envoiemail.fr. 1799 IN MX 10 alt3.aspmx.l.google.com.
envoiemail.fr. 1799 IN MX 10 alt4.aspmx.l.google.com.
envoiemail.fr. 1799 IN MX 5 alt1.aspmx.l.google.com.
envoiemail.fr. 1799 IN MX 5 alt2.aspmx.l.google.com.
envoiemail.fr. 1799 IN MX 1 aspmx.l.google.com.

I am told the GDPR reply period of one month under Article 12 of GDPR only applies to data access requests, which the email specifically clarifies this is not.

UPDATE (2021-12-15)

It turns out that these deceptive emails using fake identities were sent out by a researcher at Princeton University as part of a study into how website operators implement GDPR and CCPA. In the most recent mails to website operators, the senders are now disclosing their background instead of using fake identities.

These GDPR and CCPA emails created great anxiety amongst the recipients (nobody wants to pay huge fines) and that should have been clear to the senders from the very beginning, yet they went ahead and spammed us as if we were human guinea pigs.

Even if somehow it wasn’t clear to them in the beginning, public blog posts and forum discussions after the April spam run should soon have shown them that this wasn’t going to end well. Why did they continue with the same mode of operation more than half a year later? And why did their university let them do that?

Normally I would expect to be able to easily distinguish between online scams and academic research but I guess, not any more. We are living in strange times.

Expiring the Internal Combustion Engine Car

The US state of Washington has decided to ban sales of new cars with internal combustion engines (ICE, gasoline or diesel) by the year 2030. That is five years earlier than in the state of California.

There are two issues to overcome for a switch to battery electric vehicles (BEVs): supply and charging. Two common worries however will not stand in the way of BEVs replacing ICEs: cost and range. Let me explain.

Battery cost per kWh has been dropping for decades and this trend is expected to continue. This is highly significant: Most parts of a BEV car other than the big battery cost either the same as in an ICE car or they’re cheaper. As a result, the cost of batteries will stop being a major obstacle to adoption of BEVs years before the end of the decade.

The same is true for range. Cheaper batteries mean BEVs with more capacity will become affordable. The higher the capacity, the more km of charge can be replenished in a given number of minutes. For example, a Nissan Leaf with a 40 kWH battery will fast-charge from 0 to 80% in 40 minutes. The Volkswagen ID.4 First Edition with an 82 kWh battery (of which 77 kWh are usable capacity) will go from 5% to 80% charge in 38 minutes, essentially double the charging speed (kWh added per minute) for a battery with twice the range. If you can add hundreds of km of range in the time it takes you to use the toilet and get a cup of coffee then BEVs will be just as viable for long distance trips as ICE cars.

By the middle of this decade there is likely to be a wealth of different battery electric vehicle models on the market, with even BEV laggards such as Toyota, Honda and Subaru having joined in. Production could increase to about 50% of new sales of several large makers (e.g. GM, VW). It will have to scale up further, with the necessary increase in battery production capacity, by the end of the decade to make this happen but it seems eminently doable. Right now, the major bottleneck to ramping up production is not lack of demand but limited availability of battery cells. Every big car maker getting into BEVs will have to build Gigafactories churning out battery packs, or team up with battery makers who make these huge investments.

The more BEV there will be on the road, the more the impact on the electric grid becomes an issue. If you have a car that can cover 300 km or more on a full battery and you can charge at home every night then most likely you will almost never have to seek out a charging station, unlike drivers of ICE cars who regularly will have to fill up at a gas station. BEVs parked in a driveway or garage with a nearby wall socket are much easier to accommodate than cars currently parking in the street or on parking lots, who will require capacity at paid public charging points, which are more likely to be used at daytime. The grid has plenty of capacity for off-peak charging (e.g. overnight), but if a lot of people want to do their charging at superchargers or other fast charging points, this could require an upgrade in generating and transmission capacity to cover a higher daytime peak load. Vehicle to grid technology would help to make this more manageable, as cars sitting idle in a driveway could provide spare power for the few cars doing the odd long distance trip.

In any case, I see a date roughly around 2030 as the Goldilocks target for a phase-out of ICE-powered new cars. For high income countries this goal is neither too unambitious nor too unrealistically aggressive. Japan’s goal by contrast for a phase-out by the mid-2030s that still allows hybrid ICEs like the Toyota Prius after that date is quite unambitious. By setting the bar that low, prime minister Suga pleases Toyota, as expected, allowing it to keep selling dated technology in Japan that they will no longer be able to sell elsewhere. That puts Japan in the company of developing countries, which will most likely continue using ICE cars exported from rich countries for years to come.

The sooner rich countries switch to BEVs, the shorter the long tail of CO2-emitting ICE cars still running in poorer countries will be.

Releasing Tritium-tainted Water from Fukushima 1

The Japanese government has approved a plan by Tepco to release more than a million tons of water stored in tanks at the site of the Fukushima 1 nuclear power station. The water is supposed to be gradually released into the ocean starting two years from now.

Currently about 1.2 million t of contaminated water are stored on site, an amount that is increasing by about 170 t per day. Tepco is expected to run out of space at the end of 2022. Water is being injected into severely damaged reactors on the site to cool the remains of nuclear fuel left inside. It leaks back out, mingles with ground water that seeps in and is then purified through a filtration system called ALPS. This removes most of the radioactive contamination, but leaves tritium, a radioactive isotope of hydrogen which can not be chemically removed from water. So it ends up in the storage tanks.

Proponents of the release argue that tritium poses little hazard in small quantities. Radiation from tritium is so weak, it only travels for a couple of mm through air and it is stopped by the dead cells on the outside of human skin. Even if ingested it does not accumulate in the human body.

The water released will be diluted to levels so low it would meet drinking water standards in Japan and in other countries. Opponents fear an economic backlash against local fisheries or argue in principle that Japan has no right to contaminate the Pacific ocean, which is not just their territorial waters but shared by many other countries.

Proponents call such criticism hypocritical, given that many other countries, including the Republic of Korea, routinely release tritium into the ocean from their own nuclear facilities.

The issue is complicated. First of all, whether the danger from the water release is real or exaggerated, fishermen will suffer economically because consumers will end up avoiding fish from Fukushima more than they already do, even if it was safe to eat. If the release is unavoidable, the fishermen should receive compensation for their economic losses. That is only fair.

The truth about the water is not black or white. The 1.2 million t of water that has accumulated over the past decade was treated in different ways at different times. Some may indeed contain only those low levels of tritium as a contaminant, but other tanks will hold water that still has significant amounts of caesium, strontium and other dangerous isotopes that unlike tritium can accumulate in organisms and pose long term hazards. More purification and testing will definitely be needed before a release can take place. As Motoko Rich and Makiko Inoue reported for the New York Times in 2019:

Until last year, Tepco indicated that with the vast majority of the water, all but one type of radioactive material — tritium, an isotope of hydrogen that experts say poses a relatively low risk to human health — had been removed to levels deemed safe for discharge under Japanese government standards.

But last summer, the power company acknowledged that only about a fifth of the stored water had been effectively treated.

Last month, the Ministry of Economy, Trade and Industry briefed reporters and diplomats about the water stored in Fukushima. More than three-quarters of it, the ministry said, still contains radioactive material other than tritium — and at higher levels than the government considers safe for human health.

The authorities say that in the early years of processing the deluge of water flowing through the reactors, Tepco did not change filters in the decontamination system frequently enough. The company said it would re-treat the water to filter out the bulk of the nuclear particles, making it safe to release into the ocean.
(New York Times, 2019-12-23)

Long term there is no real alternative to releasing the water. Once its radioactivity has been reduced to only tritium, dilution and disposal at sea should pose little risk.

The challenge however is that Tepco and the government have a public trust problem, at home and abroad. How do we know the water released will be as clean as claimed?

Any release process needs to be transparent and independently verified to make sure there are no shortcuts or other shenanigans.

See also:

My team “Maillot 24Tokyo” ride of AR Nihonbashi Flèche 2021

I survived my second Flèche ride from Toyohashi in Aichi prefecture back to Tokyo (on Strava) and my third Flèche overall.



Although we officially did not finish again, I rode 401 km altogether from Saturday morning to Sunday afternoon, including the entire 368 km route as planned, just not within the set hours. A Flèche is a randonneuring event where teams of 3 to 5 machines (tandems only count once) ride at least 360 km in 24 hours towards a central location / meeting point. At least 25 km have to be covered after hour 22 of the 24 hour ride. It was organised by AR Nihonbashi.

We used almost the same course again as last year, only the part close to Tokyo was different. The biggest difference overall was that it didn’t rain all day on Saturday as it had last year. Therefore I rode the whole day in shorts instead of in rain gear and the temperature was much more pleasant too.

To get to the start, I drove to Aichi by car the day before (I can’t rinko my Elephant Bikes NFE). I was joined by my wife and my son. Together we visited Cape Irago (Iragomisaki) on the Atsumi peninsula of southern Aichi. After dropping me off they drove back to Tokyo. The peninsula is beautiful. I was impressed by the natural forests that are a sprinkle of different colors, unlike around Tokyo where much of the current forests are regrown mono-cultures planted after post war clearcutting.

I had dinner with two other team members, then went to bed at 21:00.

The alarm went off at 05:15 and we assembled at 06:00 to get the bikes ready.

It was a 20 minute ride to the official start at a 7-11 on the outskirts, where we set off at 07:00. We head a very pleasant tailwind on our ride through farm country out to Iragomisaki, where we uploaded a group picture in front of a road sign to prove passage.

The view from the road next to the Irako View Hotel (伊良湖ビューホテル) was breathtaking. You could see the coast of Mie prefecture on the other side of the entrance to Ise Bay and various islands in the sea. I took in the view but we didn’t stop for a picture. Here’s a picture from Wikipedia (By Bariston – Own work, CC BY-SA 4.0):

We headed into the headwind that would be blowing in our faces for the next 120 km. Sometimes we took turns leading the ride. Many of the farmhouses had a storehouse between it and the coastal side, probably to block the wind.

There were also many greenhouses. Regardless of shape and size, glass or plastic they all seemed to have fuel oil tanks with the JA logo (Japan Agricultural Cooperatives), so it’s a safe bet that JA sells most of the fuel oil consumed to help grow crops in the cold season. Lots of signs advertising melons which are currently out of season but we came across many kei trucks loaded with cabbages.

There were many wind turbines in Aichi and also Shizuoka, as well as many photovoltaic installations. Their ubiquity there highlighted for me how few of them we have in Tokyo and Kanagawa. Perhaps Chubu Power is easier to deal with for feed ins than Tepco is, especially for wind power.

At noon we stopped for lunch at a ramen and gyoza place about halfway between Cape Irago and Omaezaki.

As we passed the former Hamaoka nuclear power station (it is permanently shut down) we were passed by a group of three cyclists on mamachari. Actually, one was a hybrid bike with flat bars while the other two were bona-fide mamachari. It was team ”マチャリはロング向き!” (“Mamachari is suitable for long rides!”) running in the AR Nihonbashi event and they were steaming ahead of us.

We got to Omaezaki a little after 16:00. By then it was a Century ride (160.9 km / 100 mi), but not even half of what we had set out to do.

As the course turned north here, the headwind ceased and became more of a tailwind again. It got dark near Shizuoka City.

I had felt a bit sleepy after lunch but then felt OK again. Over the next couple of hours others became sleepy as we were riding through the dark and it became more and more of a problem.

I wasn’t able to see Mt Fuji on the drive on Tomei expressway on Friday because of low clouds and now I couldn’t see it because it was night time. After crossing Fuji city and Numazu we started our climb in Izu towards Atami toge. When we finally got to the top, we had to take another power nap break at the tunnel entrance. We put on all our extra clothes for the steep descent down to Atami (13 percent). After that my rear disk brake, which recently had been very noisy and not very effective (maybe due to oil contamination from the chain) has been working perfectly again, as the heat and wear effectively decontaminated it.

Dawn approached as we headed from Atami to Yugawara and Manazuru.

We had burnt up most of our time buffer for the sleep break planned at the 22 hour stop by then, but the sleepiness in the team only got worse. So after another long break at Manazuru we sent in our DNF-notification to the event organiser. We headed to Odawara and had breakfast at the station.

After that, my friends rinko’ed their bikes for the train home while I continued on the planned route to Yamato, then another 26 km to my home. I also needed a few naps to get me home safely.

With this ride, I now have 104 contiguous months of Century a Month.

I may join a 400 km brevet later this spring and a 200 km brevet or two again after the summer.

As for the Flèche that we DNF’ed twice now, let’s see what we can come up with next year. We may just try it again a third time 🙂