{"id":3368,"date":"2021-04-21T18:38:58","date_gmt":"2021-04-21T09:38:58","guid":{"rendered":"https:\/\/joewein.net\/blog\/?p=3368"},"modified":"2021-12-16T08:27:07","modified_gmt":"2021-12-15T23:27:07","slug":"questions-about-gdpr-data-access-process-spam-from-virginia","status":"publish","type":"post","link":"https:\/\/joewein.net\/blog\/2021\/04\/21\/questions-about-gdpr-data-access-process-spam-from-virginia\/","title":{"rendered":"&#8220;Questions About GDPR Data Access Process&#8221; Spam from Virginia"},"content":{"rendered":"<ul>\n<li>NOTE: See recent updates below the original April 2021 post!<\/li>\n<\/ul>\n<p>The other day, I received the following email:<\/p>\n<blockquote><p>Subject: Questions About GDPR Data Access Process for [DOMAINNAME]<br \/>\nTo Whom It May Concern:<\/p>\n<p>My name is [REDACTED], and I am a resident of Roanoke, Virginia. I have a few questions about your process for responding to General Data Protection Regulation (GDPR) data access requests:<\/p>\n<ol>\n<li> Would you process a GDPR data access request from me even though I am not a resident of the European Union?<\/li>\n<li> Do you process GDPR data access requests via email, a website, or telephone? If via a website, what is the URL I should go to?<\/li>\n<li> What personal information do I have to submit for you to verify and process a GDPR data access request?<\/li>\n<li> What information do you provide in response to a GDPR data access request?<\/li>\n<\/ol>\n<p>To be clear, I am not submitting a data access request at this time. My questions are about your process for when I do submit a request.<\/p>\n<p>Thank you in advance for your answers to these questions. 
If there is a better contact for processing GDPR requests regarding [DOMAINNAME], I kindly ask that you forward my request to them.<\/p>\n<p>I look forward to your reply without undue delay and at most within one month of this email, as required by Article 12 of GDPR.<\/p>\n<p>Sincerely,<\/p>\n<p>[REDACTED]<\/p><\/blockquote>\n<p>It&#8217;s a confusing email, but as it turns out, one received by many other website owners. In fact, there&#8217;s a thread about it on Reddit.<\/p>\n<p>GDPR deals with processing personally identifiable information. Non-compliance can lead to stiff fines. It even applies to companies outside the EU <i>if they process personal data of EU residents<\/i>.<\/p>\n<p>If you get a request regarding personally identifiable information from an EU resident, you will need to answer promptly or you can face fines. However, no such requirement exists under GDPR regarding data of individuals outside the EU.<\/p>\n<p>I don&#8217;t know what the intention of the sender of this email is, but I have my suspicions.<\/p>\n<p>The email was sent from an address at &#8220;potomacmail.com&#8221;, a recently registered domain (2020-03-02). It was sent from an Amazon EC2 host (52.23.113.96). The HTML portion of the email contains an image reference to a single-pixel &#8220;web bug&#8221;, an image loaded from the potomacmail.com website that will cause the IP address of the browser to be logged on that server when you open the email with a web client that doesn&#8217;t automatically block images from untrusted senders:<\/p>\n<blockquote><p><code>https:\/\/potomacmail.com\/p.png?req=GDPR&amp;target=1234<\/code><\/p><\/blockquote>\n<p>The URI contains a unique value (it was something other than 1234 in my case) that presumably identifies the recipient of the email. 
In other words, the senders of this email themselves collect personally identifiable information which, if the recipient happens to be in the EU, is subject to GDPR and its potential fines.<\/p>\n<p><b>UPDATE (2021-12-11)<\/b><br \/>\nThere is a similar spam e-mail going around recently, with almost identical wording but mentioning the California Consumer Privacy Act (CCPA) instead of the European GDPR:<\/p>\n<blockquote><p>Subject: Questions About CCPA Data Access Process for [DOMAINNAME]<\/p>\n<p>To Whom It May Concern:<\/p>\n<p>My name is [REDACTED], and I am a resident of San Francisco, California. I have a few questions about your process for responding to California Consumer Privacy Act (CCPA) data access requests:<\/p>\n<p>1. Do you process CCPA data access requests via email, a website, or telephone? If via a website, what is the URL I should go to?<br \/>\n2. What personal information do I have to submit for you to verify and process a CCPA data access request?<br \/>\n3. What information do you provide in response to a CCPA data access request?<\/p>\n<p>To be clear, I am not submitting a data access request at this time. 
My questions are about your process for when I do submit a request.<br \/>\n(&#8230;)<\/p><\/blockquote>\n<p>This email was sent from an address at &#8220;yosemitemail.com&#8221;, a domain registered on 2020-03-02 with the same registrar at the exact same time as the &#8220;potomacmail.com&#8221; domain used in the GDPR variant of this spam:<\/p>\n<blockquote><p>\nDomain Name: YOSEMITEMAIL.COM<br \/>\nRegistry Domain ID: 2498859495_DOMAIN_COM-VRSN<br \/>\nRegistrar WHOIS Server: whois.namecheap.com<br \/>\nRegistrar URL: http:\/\/www.namecheap.com<br \/>\nUpdated Date: 2021-03-08T03:30:04Z<br \/>\nCreation Date: 2020-03-02T02:15:46Z<br \/>\nRegistry Expiry Date: 2022-03-02T02:15:46Z<br \/>\nRegistrar: NameCheap, Inc.<\/p>\n<p>Domain Name: POTOMACMAIL.COM<br \/>\nRegistry Domain ID: 2498859494_DOMAIN_COM-VRSN<br \/>\nRegistrar WHOIS Server: whois.namecheap.com<br \/>\nRegistrar URL: http:\/\/www.namecheap.com<br \/>\nUpdated Date: 2021-03-03T22:25:43Z<br \/>\nCreation Date: 2020-03-02T02:15:46Z<br \/>\nRegistry Expiry Date: 2022-03-02T02:15:46Z<br \/>\nRegistrar: NameCheap, Inc.<\/p><\/blockquote>\n<p>As you can see, the creation time is the exact same, down to the second, and the Domain IDs of the two domains are actually consecutive. Both sender domains were obviously created by the same registrant, who uses them for the same purpose.<\/p>\n<p>As far as I can tell, whether you are in California or outside, you are under no obligation to reply to this email. 
I would not advise replying to it.<\/p>\n<p><b>UPDATE (2021-12-13)<\/b><br \/>\nThe GDPR mails sent in the name of a person in Russia are sent from a domain registered via a different registrar about one month after the other two domains:<\/p>\n<blockquote><p>\ndomain:        NOVATORMAIL.RU<br \/>\nnserver:       ns1crv.name.com.<br \/>\nnserver:       ns2ckr.name.com.<br \/>\nnserver:       ns3cjl.name.com.<br \/>\nnserver:       ns4fpy.name.com.<br \/>\nstate:         REGISTERED, DELEGATED, UNVERIFIED<br \/>\nperson:        Private Person<br \/>\nregistrar:     RU-CENTER-RU<br \/>\nadmin-contact: https:\/\/www.nic.ru\/whois<br \/>\ncreated:       2020-04-06T05:35:06Z<br \/>\npaid-till:     2022-04-06T05:35:06Z<br \/>\nfree-date:     2022-05-07<br \/>\nsource:        TCI<\/p><\/blockquote>\n<p>Another domain used for sender addresses is &#8220;envoiemail.fr&#8221;, which was registered a day after &#8220;yosemitemail.com&#8221; and &#8220;potomacmail.com&#8221;:<\/p>\n<blockquote><p>domain:      envoiemail.fr<br \/>\nstatus:      ACTIVE<br \/>\nhold:        NO<br \/>\nholder-c:    ANO00-FRNIC<br \/>\nadmin-c:     ANO00-FRNIC<br \/>\ntech-c:      RT12727-FRNIC<br \/>\nzone-c:      NFC1-FRNIC<br \/>\nnsl-id:      NSL82816-FRNIC<br \/>\nregistrar:   1API GmbH<br \/>\nExpiry Date: 2022-03-03T20:45:06Z<br \/>\ncreated:     2021-03-03T20:45:06Z<br \/>\nlast-update: 2021-03-03T20:45:07Z<br \/>\nsource:      FRNIC<\/p><\/blockquote>\n<p>All four domains have their email hosted at Google. That is not unusual; lots of domains use Gmail for mail hosting these days. It is still worth pointing out, though.<\/p>\n<blockquote><p>POTOMACMAIL.COM.        3600    IN      MX      1 aspmx.l.google.COM.<br \/>\nPOTOMACMAIL.COM.        3600    IN      MX      10 alt3.aspmx.l.google.COM.<br \/>\nPOTOMACMAIL.COM.        3600    IN      MX      10 alt4.aspmx.l.google.COM.<br \/>\nPOTOMACMAIL.COM.        3600    IN      MX      5 alt1.aspmx.l.google.COM.<br \/>\nPOTOMACMAIL.COM.        
3600    IN      MX      5 alt2.aspmx.l.google.COM.<\/p>\n<p>YOSEMITEMAIL.COM.       1799    IN      MX      1 aspmx.l.google.COM.<br \/>\nYOSEMITEMAIL.COM.       1799    IN      MX      10 alt3.aspmx.l.google.COM.<br \/>\nYOSEMITEMAIL.COM.       1799    IN      MX      10 alt4.aspmx.l.google.COM.<br \/>\nYOSEMITEMAIL.COM.       1799    IN      MX      5 alt1.aspmx.l.google.COM.<br \/>\nYOSEMITEMAIL.COM.       1799    IN      MX      5 alt2.aspmx.l.google.COM.<\/p>\n<p>NOVATORMAIL.RU.         300     IN      MX      5 alt1.aspmx.l.google.com.<br \/>\nNOVATORMAIL.RU.         300     IN      MX      5 alt2.aspmx.l.google.com.<br \/>\nNOVATORMAIL.RU.         300     IN      MX      10 alt3.aspmx.l.google.com.<br \/>\nNOVATORMAIL.RU.         300     IN      MX      10 alt4.aspmx.l.google.com.<br \/>\nNOVATORMAIL.RU.         300     IN      MX      1 aspmx.l.google.com.<\/p>\n<p>envoiemail.fr.\t\t1799\tIN\tMX\t10 alt3.aspmx.l.google.com.<br \/>\nenvoiemail.fr.\t\t1799\tIN\tMX\t10 alt4.aspmx.l.google.com.<br \/>\nenvoiemail.fr.\t\t1799\tIN\tMX\t5 alt1.aspmx.l.google.com.<br \/>\nenvoiemail.fr.\t\t1799\tIN\tMX\t5 alt2.aspmx.l.google.com.<br \/>\nenvoiemail.fr.\t\t1799\tIN\tMX\t1 aspmx.l.google.com.<\/p><\/blockquote>\n<p>I am told the GDPR reply period of one month under Article 12 of GDPR only applies to data access requests, which the email specifically clarifies this is not.<\/p>\n<p><b>UPDATE (2021-12-15)<\/b><\/p>\n<p>It turns out that these deceptive emails using fake identities were sent out by a researcher at Princeton University as part of a <a href=\"https:\/\/measurement.cs.princeton.edu\/privacystudy\/\">study<\/a> into how website operators implement GDPR and CCPA. 
In the most recent mails to website operators, the senders are now disclosing their background instead of using fake identities.<\/p>\n<p>These GDPR and CCPA emails created great anxiety amongst the recipients (nobody wants to pay huge fines) and that should have been clear to the senders from the very beginning, yet they went ahead and spammed us as if we were human guinea pigs.<\/p>\n<p>Even if somehow it wasn&#8217;t clear to them in the beginning, public blog posts and forum discussions after the April spam run should soon have shown them that this wasn&#8217;t going to end well. Why did they continue with the same mode of operation more than half a year later? And why did their university let them do that?<\/p>\n<p>Normally I would expect to be able to easily distinguish between online scams and academic research but I guess, not any more. We are living in strange times.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>NOTE: See recent updates below the original April 2021 post! 
The other day, I received the following email: Subject: Questions About GDPR Data Access Process for [DOMAINNAME] To Whom It May Concern: My name is [REDACTED], and I am a &hellip; <a href=\"https:\/\/joewein.net\/blog\/2021\/04\/21\/questions-about-gdpr-data-access-process-spam-from-virginia\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21,2],"tags":[],"class_list":["post-3368","post","type-post","status-publish","format-standard","hentry","category-scams","category-spam"],"_links":{"self":[{"href":"https:\/\/joewein.net\/blog\/wp-json\/wp\/v2\/posts\/3368","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/joewein.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/joewein.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/joewein.net\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/joewein.net\/blog\/wp-json\/wp\/v2\/comments?post=3368"}],"version-history":[{"count":15,"href":"https:\/\/joewein.net\/blog\/wp-json\/wp\/v2\/posts\/3368\/revisions"}],"predecessor-version":[{"id":3548,"href":"https:\/\/joewein.net\/blog\/wp-json\/wp\/v2\/posts\/3368\/revisions\/3548"}],"wp:attachment":[{"href":"https:\/\/joewein.net\/blog\/wp-json\/wp\/v2\/media?parent=3368"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/joewein.net\/blog\/wp-json\/wp\/v2\/categories?post=3368"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/joewein.net\/blog\/wp-json\/wp\/v2\/tags?post=3368"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}