Deeply-weird privacy people

Every now and then I get what feels like a bad-faith form letter from someone who I’ve never heard of before, has probably never even come to this website, and is probably a privacy lawyer out to make a quick buck.

UPDATE: The mystery has been solved.

Here’s the most recent one:

To Whom It May Concern:

My name is [REDACTED], and I am a resident of Norfolk, Virginia. I have a few questions about your process for responding to California Consumer Privacy Act (CCPA) data access requests:

Would you process a CCPA data access request from me even though I am not a resident of California? Do you process CCPA data access requests via email, a website, or telephone? If via a website, what is the URL I should go to? What personal information do I have to submit for you to verify and process a CCPA data access request? What information do you provide in response to a CCPA data access request? To be clear, I am not submitting a data access request at this time. My questions are about your process for when I do submit a request.

Thank you in advance for your answers to these questions. If there is a better contact for processing CCPA requests regarding beesbuzz.biz, I kindly ask that you forward my request to them.

I look forward to your reply without undue delay and at most within 45 days of this email, as required by Section 1798.130 of the California Civil Code.

Sincerely,

[REDACTED]

My response is to just direct them to the privacy policy for this website which is a weird thing for me to even need for, y'know, a personal blog.

Maybe I should just not respond and see if they try to sue me for data that I don’t have and have no reason to keep, though.

Incidentally the letter is always exactly the same except for the name and the cited law; they’re always from Roanoke, Virginia, and the wording is otherwise identical each time. They also always come from the same email domain.

So I mean it’s probably a bot, but… to what end? Other folks have been receiving these as well, and the prevailing theory is that it’s people trying to sell GDPR/CCPA compliance packages, but my responses have gone unanswered. So strange.

An open letter to the .us domain registrar

I attempted to send this message to the .us registrar’s contact form but they kept on throwing up unreasonable, hidden barriers; it required a full first name that’s at least four letters long (sucks to have a name like “Jay” I guess) and “must only contain alphabets” (i.e. no punctuation or spaces, sucks for anyone with apostrophes) and the text input must be under 500 characters, with no indication of how many characters you’ve written.

So, I’ve submitted a very edited-down version, but am reproducing my letter in full here:

Hi, I have a number of domain names registered under several different TLDs. Most of them allow anonymous proxy registrations, with the sole exception of .us.

The lack of proxy registration causes me to get quite a lot of unsolicited calls, violations to my privacy, and attempted scams from bad actors who are all making use of the WHOIS database.

When will .us allow anonymous/proxy registrations, as is standard for pretty much every other TLD?

The current policy is especially problematic for marginalized people who are subject to protracted abuse, harassment, and threats of violence, and this makes .us unsafe for use for all but the most privileged of people.

I absolutely implore you to revisit this regressive, unfair, and downright dangerous policy that does nothing to actually improve the supposed security of the .us registration database.

Private, friends-only, IndieWeb stuff

Yesterday I participated in the IndieWeb sensitive data pop-up, or at least the first half of it (I had to disappear for my refrigerator delivery). It was really great to have some further discussion about what people want out of this stuff and how we’re all going to agree to get it.

Authentication stuff

One of the biggest pain points that keeps on coming up is there being no support for people to be able to get private posts without having to log in or be notified about them in side channels. Lots of people are doing things like making pages with unguessable URLs and then doing side-channel notification, but that’s unwieldy; fewer folks are doing things with actual login mechanisms.

Read more…

Moving away from Disqus

So, Disqus has served me pretty well for quickly embedding comments into my website, but there are a few pretty big downsides to it:

  • No support for private/hidden threads
  • No way to disable random discovery of hidden threads, by design
  • They’re trying to make the whole Internet into their own forum rather than providing “just” a comment system (not that anyone even uses it the way they intend)
  • Their UX keeps getting more and more cumbersome and annoying

I’m going to look into alternative comment systems, ideally ones I can self-host. Isso looks promising, if a bit sparse. So does Schnack. (I’m going to try Isso first because its setup/requirements are far less onerous.)

Anyway, thanks Passerine for bringing the privacy leak issue to my attention. I figured there was probably something like that lurking in the shadows, but I didn’t think it was quite so close to the surface…