“Questions About GDPR Data Access Process” Spam from Virginia

  • NOTE: See recent updates below the original April 2021 post!

The other day, I received the following email:

Subject: Questions About GDPR Data Access Process for [DOMAINNAME]
To Whom It May Concern:

My name is [REDACTED], and I am a resident of Roanoke, Virginia. I have a few questions about your process for responding to General Data Protection Regulation (GDPR) data access requests:

  1. Would you process a GDPR data access request from me even though I am not a resident of the European Union?
  2. Do you process GDPR data access requests via email, a website, or telephone? If via a website, what is the URL I should go to?
  3. What personal information do I have to submit for you to verify and process a GDPR data access request?
  4. What information do you provide in response to a GDPR data access request?

To be clear, I am not submitting a data access request at this time. My questions are about your process for when I do submit a request.

Thank you in advance for your answers to these questions. If there is a better contact for processing GDPR requests regarding [DOMAINNAME], I kindly ask that you forward my request to them.

I look forward to your reply without undue delay and at most within one month of this email, as required by Article 12 of GDPR.

Sincerely,

[REDACTED]

It’s a confusing email, but as it turns out, one received by many other website owners. In fact, there’s a thread about it on Reddit.

GDPR deals with processing personally identifiable information. Non-compliance can lead to stiff fines. It even applies to companies outside the EU if they process personal data of EU residents.

If you get a request regarding personally identifiable information from a EU resident, you will need to answer promptly or you can face fines. However, no such requirement exists under GDPR regarding data of individuals outside the EU.

I don’t know what the intention of the sender of this email email is, but I have my suspicions.

The email was sent from an address at “potomacmail.com”, a recently registered domain (2020-03-02). It was sent from an Amazon EC2 host (52.23.113.96). The HTML portion of the email contains an image reference to a single pixel “web bug”, an image loaded from the potomacmail.com website that will cause the IP address of the browser to be logged on that server when you open the email with a web client that doesn’t automatically block images from untrusted senders:

https://potomacmail.com/p.png?req=GDPR&target=1234

The URI contains a unique value (it was something other than 1234 in my case) that presumably identifies the recipient of the email. In other words, the senders of this email themselves collect personally identifiable information which, if the recipient happens to be in the EU, is subject to GDPR and its potential fines.

UPDATE (2021-12-11)
There is a similar spam e-mail going around recently, with almost identical wording but mentioning the California Consumer Privacy Act (CCPA) instead of the European GDPR:

Subject: Questions About CCPA Data Access Process for [DOMAINNAME]

To Whom It May Concern:

My name is [REDACTED], and I am a resident of San Francisco, California. I have a few questions about your process for responding to California Consumer Privacy Act (CCPA) data access requests:

1. Do you process CCPA data access requests via email, a website, or telephone? If via a website, what is the URL I should go to?
2. What personal information do I have to submit for you to verify and process a CCPA data access request?
3. What information do you provide in response to a CCPA data access request?

To be clear, I am not submitting a data access request at this time. My questions are about your process for when I do submit a request.
(…)

This email was sent from an address at “yosemitemail.com”, a domain registered on 2020-03-02 with the same registrar at the exact same time as the “potomacmail.com” domain used in the GDPR variant of this spam:

Domain Name: YOSEMITEMAIL.COM
Registry Domain ID: 2498859495_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated Date: 2021-03-08T03:30:04Z
Creation Date: 2020-03-02T02:15:46Z
Registry Expiry Date: 2022-03-02T02:15:46Z
Registrar: NameCheap, Inc.

Domain Name: POTOMACMAIL.COM
Registry Domain ID: 2498859494_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated Date: 2021-03-03T22:25:43Z
Creation Date: 2020-03-02T02:15:46Z
Registry Expiry Date: 2022-03-02T02:15:46Z
Registrar: NameCheap, Inc.

As you can see, the creation time is the exact same, down to the second and the Domain IDs of the two domains are actually consecutive. Both sender domains were obviously created by the same registrant who uses them for the same purpose.

As far as I can tell, whether you are in California or outside, you are under no obligation to reply to this email. I would not advise replying to it.

UPDATE (2021-12-13)
The GDPR mails sent in the name of a person in Russia are sent from a domain registered via a different registrar about one month after the other two domains:

domain: NOVATORMAIL.RU
nserver: ns1crv.name.com.
nserver: ns2ckr.name.com.
nserver: ns3cjl.name.com.
nserver: ns4fpy.name.com.
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: RU-CENTER-RU
admin-contact: https://www.nic.ru/whois
created: 2020-04-06T05:35:06Z
paid-till: 2022-04-06T05:35:06Z
free-date: 2022-05-07
source: TCI

Another domain used for sender addresses is “envoiemail.fr” which was registered a day after “yosemitemail.com” and “potomacmail.com”

domain: envoiemail.fr
status: ACTIVE
hold: NO
holder-c: ANO00-FRNIC
admin-c: ANO00-FRNIC
tech-c: RT12727-FRNIC
zone-c: NFC1-FRNIC
nsl-id: NSL82816-FRNIC
registrar: 1API GmbH
Expiry Date: 2022-03-03T20:45:06Z
created: 2021-03-03T20:45:06Z
last-update: 2021-03-03T20:45:07Z
source: FRNIC

All four domains have their email hosted at Google. That is not unusual, lots of domains use Gmail for mail hosting these days. It is still worth pointing out though.

POTOMACMAIL.COM. 3600 IN MX 1 aspmx.l.google.COM.
POTOMACMAIL.COM. 3600 IN MX 10 alt3.aspmx.l.google.COM.
POTOMACMAIL.COM. 3600 IN MX 10 alt4.aspmx.l.google.COM.
POTOMACMAIL.COM. 3600 IN MX 5 alt1.aspmx.l.google.COM.
POTOMACMAIL.COM. 3600 IN MX 5 alt2.aspmx.l.google.COM.

YOSEMITEMAIL.COM. 1799 IN MX 1 aspmx.l.google.COM.
YOSEMITEMAIL.COM. 1799 IN MX 10 alt3.aspmx.l.google.COM.
YOSEMITEMAIL.COM. 1799 IN MX 10 alt4.aspmx.l.google.COM.
YOSEMITEMAIL.COM. 1799 IN MX 5 alt1.aspmx.l.google.COM.
YOSEMITEMAIL.COM. 1799 IN MX 5 alt2.aspmx.l.google.COM.

NOVATORMAIL.RU. 300 IN MX 5 alt1.aspmx.l.google.com.
NOVATORMAIL.RU. 300 IN MX 5 alt2.aspmx.l.google.com.
NOVATORMAIL.RU. 300 IN MX 10 alt3.aspmx.l.google.com.
NOVATORMAIL.RU. 300 IN MX 10 alt4.aspmx.l.google.com.
NOVATORMAIL.RU. 300 IN MX 1 aspmx.l.google.com.

envoiemail.fr. 1799 IN MX 10 alt3.aspmx.l.google.com.
envoiemail.fr. 1799 IN MX 10 alt4.aspmx.l.google.com.
envoiemail.fr. 1799 IN MX 5 alt1.aspmx.l.google.com.
envoiemail.fr. 1799 IN MX 5 alt2.aspmx.l.google.com.
envoiemail.fr. 1799 IN MX 1 aspmx.l.google.com.

I am told the GDPR reply period of one month under Article 12 of GDPR only applies to data access requests, which the email specifically clarifies this is not.

UPDATE (2021-12-15)

It turns out that these deceptive emails using fake identities were sent out by a researcher at Princeton University as part of a study into how website operators implement GDPR and CCPA. In the most recent mails to website operators, the senders are now disclosing their background instead of using fake identities.

These GDPR and CCPA emails created great anxiety amongst the recipients (nobody wants to pay huge fines) and that should have been clear to the senders from the very beginning, yet they went ahead and spammed us as if we were human guinea pigs.

Even if somehow it wasn’t clear to them in the beginning, public blog posts and forum discussions after the April spam run should soon have shown them that this wasn’t going to end well. Why did they continue with the same mode of operation more than half a year later? And why did their university let them do that?

Normally I would expect to be able to easily distinguish between online scams and academic research but I guess, not any more. We are living in strange times.

21 thoughts on ““Questions About GDPR Data Access Process” Spam from Virginia

  1. i got this too, as apparently many people have…must be some sort of scam, but it’s unclear what they are trying to do

  2. Thank you, Joe. This was super helpful! Regards from Montreal.

  3. Hi Joe
    Thanks this post. Last night I received two similar emails for GDPR and CCPA. The wording is exactly the same as the one you have listed. The GDPR emaiI claimed to be from someone from France. I wonder if you have any further updates. Did you respond? Did you hear back from them. I’m at a loss what to do as I know you are supposed to comply with a request but I’m hesitant to do this if it is spam or any other form of coercion.
    Thanks

    Peter

  4. I got a near identical email, but they claimed to be in Virginia.

  5. @Peter,
    You don’t have to reply as it’s *not* a data access request (as they explicitly state in the mail), it’s basically a fishing expedition to see who would respond. If it isn’t a data access request you are under no obligation to reply and frankly, you gain nothing by replying.

    I think their purpose is to see who gets scared enough by this first mail into replying. Respondents will then receive the next email, which most likely leads to some scheme where whoever sends you these mails can make money. At least that’s my guess.

  6. yesterday I received two similar emails for GDPR and CCPA. Same wording, one from France and one from Virginia.
    This was very helpful! regards from Milan

  7. Hi,
    I received a similari email from a sender kurtmayfair@potomacmail.com .
    My website Is intended mainly for italiano users (the content is in italian language).

    If it could be usefull, the email received is the follow (I replaced the URL of my website with text MY_WEBSITE).

    “To Whom It May Concern:

    My name is Kurt Mayfair, and I am a resident of Norfolk, Virginia. I have a few questions about your process for responding to California Consumer Privacy Act (CCPA) data access requests:

    Would you process a CCPA data access request from me even though I am not a resident of California?
    Do you process CCPA data access requests via email, a website, or telephone? If via a website, what is the URL I should go to?
    What personal information do I have to submit for you to verify and process a CCPA data access request?
    What information do you provide in response to a CCPA data access request?
    To be clear, I am not submitting a data access request at this time. My questions are about your process for when I do submit a request.

    Thank you in advance for your answers to these questions. If there is a better contact for processing CCPA requests regarding MY_WEBSITE, I kindly ask that you forward my request to them.

    I look forward to your reply without undue delay and at most within 45 days of this email, as required by Section 1798.130 of the California Civil Code.

    Sincerely,

    Kurt Mayfair”

  8. Would be an interesting opportunity for a scam buster to play along and see what crawls out from under the stone. Since the domains are registered through NameCheap, I wouldn’t have seen them as such domains require whitelisting at our system, for obvious reasons.

  9. I suspect what’s going on here is that some bottom-feeder is looking for companies to extort with the help of the law.

    In the US, some scummy law firms make their bread and butter issuing legal threats over compliance with the Americans with Disabilities Act. An ambulance chaser, who has recruited a disabled person to act as an ostensible potential plaintiff, will visit public businesses looking for legitimate but minor ADA violations. Then they run an extortion scheme on the business.

    For example, suppose a restaurant has a wheelchair ramp installed, but the grade of the ramp slightly exceeds the federally-mandated maximum 1:12 ratio for such a ramp. The lawyer will send the restaurant a letter threatening an expensive federal lawsuit over ADA violations on behalf of his disabled client. Of course, this matter can be quietly and discreetly settled for a small fee of $500, which is cheaper than replacing the ramp and much less costly than litigation…

    So, my guess here is that someone’s blasting this letter out and saving all of the responses that admit — in writing! — that the company isn’t in compliance / refuses to comply / doesn’t know how to comply with the relevant law. The extortionist will then begin threatening lawsuits, offering to go away for a fee.

  10. I got one of these about GDPR saying they’re from Moscow in Russia. It was in my spam, as others in that Reddit thread said too.

  11. Thanks for the helpful post!

    On Saturday 11 December I received two emails from different senders with exactly the same text expect for names and places (Roanoke, Virginia sent from potomacmail.com and Sacramento, California sent from yosemitemail.com).

    Both emails referenced GDPR but not CCPA.

    Both emails were received during the night with the second one coming in 59 minutes after the first.

  12. We received the same email but with CCPA in place of GDPA. I hate scammers.

  13. Pingback: California Privacy Rights Act (CPRA) > Datenschutzrecht

  14. Thank you Joe, this is really useful as we’ve received a similar request (the CCPA one) Presumed it was dodgy but always nice to know!

    Out of interest the reason these might get a response from a lot of EU or UK based organisations is that it’s possible for non EU/UK citizens to be covered by the GDPR. An American citizen attending a UK university for example, would be able to exercise rights under GDPR with regard to the information processed by the university about them. Similarly if your data is processed by a company based in the EU you’d fall within the scope of GDPR, even if you’d never been to the UK or Europe.

  15. I received both the CCPA and GDPR variety of this mail message, and was surprised to learn it is part of a research project. My personal site is outside the scope of both acts, and it makes me wonder what type of filtering if any did they do on their list of recipients and how my e-mail address ended up on that list in the first place. I have reached out to the researchers and they write that “We currently held off sending any further emails” due to some of the feedback received. I have filed a complaint with the Radboud University (as I’m in the same country), and am approaching Princeton for information about any approval process w.r.t. ethical research design, that was applied to this research.

  16. Many thanks for digging into this. We also received these emails.
    I wonder if it would be helpful to report this to Princeton’s Internal Review Board. In light of the burden it sought to impose on non-consenting data subjects, it seems it should have been flagged as an unethical practice.

  17. Very helpful post. Thank you.

    Since these emails are causing many companies to spend a lot of time figuring out whether and how to respond, is there some professional organization that can tell Princeton to state in their emails that this is a legit study? Just goes to show that they may be brilliant in computer science, but not so much in awareness of how their actions affect others.

  18. If the sender is from the US, is it possible to sue the hell out of the sender? In my layman opinion this causes pain to the recipient, not to speak of expenses from an assumed legal position. A clever lawyer may be able to make them pay a painful amount of money in response.

  19. @Ned Land: I am no lawyer and the following is just my personal interpretation of the legal situation. The Federal CANSPAM act in the US is rather toothless and prosecutions under it are rare. The crucial detail here probably is the fact that it specifically only regulates commercial emails whereas these mails supposedly were sent for academic purposes. There is no business angle. Even if all the other provisions apply (e.g. the deceptive nature of the description of the originator), that would probably prevent a prosecution under the act.

    It’s the universities where this “research” was conducted that should have supervised the design and methodologies of the study. That they apparently didn’t do so hints at deeper problems. I think their ethics boards will take an interest in public submissions about it.

  20. Pingback: Vorsicht, gefälschte E-Mail-Anfragen zum Datenschutz! - Steiger Legal

Leave a Reply

Your email address will not be published.