Ir al contenido principal

Canciones sobre la seguridad de las redes
un blog de Michał "rysiek" Woźniak

FLOSS developers and open web activists are people too

Lo sentimos, este no está disponible en español, mostrando en: English.

I can’t believe I have to spell this out, but:
free/libre/open-source software developers and open web activists selflessly running independent services online are people too.

It seems this idea is especially difficult to grasp for researchers (including, apparently, whoever reviews and green-lights their studies). The latest kerfuffle with the Princeton-Radboud Study on Privacy Law Implementation shows this well.

“Not a human subject study”

The idea of that study seems simple enough: get a list of “popular” websites (according to the research-oriented Tranco list), send e-mails to e-mail addresses expected to be monitored for privacy-related requests (like, and use that to assess the state of CCPA and GDPR implementation. Sounds good!

There were, however, quite a few problems with this:

Imagine you’re running a small independent social media site and you get a lawyery-sounding e-mail about a privacy regulation you might not even have heard about, that ends with:

I look forward to your reply without undue delay and at most within 45 days of this email, as required by Section 1798.130 of the California Civil Code.

Should you reach out to a lawyer? That can easily get costly, fast. Is it okay to ignore it? That could end in an even costlier lawsuit. And so, now you’re losing sleep over something that sounds serious, but turns out to be a researcher’s idea of “not a human subject study”.


The study’s FAQ consistently mentions “websites”, and “contacting websites”, and so on, as if there were no people involved in running them nor in answering these e-mails. Consider this gem (emphasis mine):

What happens if a website ignores an email that is part of this study?

We are not aware of any adverse consequences for a website declining to respond to an email that is part of this study. We will not send a follow-up email about an email that a website has not responded to, and we will not name websites when describing email responses in our academic research.

Sadly, nobody told this to the volunteer admin of a small social media site, who is perhaps still worrying (or even spending money on a lawyer) over this. But don’t worry, the Princeton University Institutional Review Board has determined that the “study does not constitute human subjects research”. So it’s all good!

This is not the first time such humanity-erasure happens, either. Some time ago, researchers at University of Minnesota conducted a study that involved submitting intentionally buggy patches to the Linux kernel.

They insisted that they were “studying the patching process”, but somehow missed the fact that that process involved real humans, many of whom volunteered time and effort to work on the Linux kernel. The developers were not amused.

Eventually, the researchers had to issue an apology for their lack of empathy and consideration for Linux kernel developers and their wasted time.

Tangent: taking “open” seriously

This is a bit tangential, but to me all this seems to be connected to a broader problem of people not treating communities focused on (broadly speaking) openness seriously.

In the case of the Princeton study, several Fediverse instance admins were affected. The University of Minnesota study affected Linux kernel developers. In both cases their effort (maintaining independent social media sites; developing an freely-licensed piece of software) was not recognized as serious or important – even if its product (like the Linux kernel) perhaps was.

I see this often in other contexts: people complain about Big Tech and “the platforms” a lot, but any mention of Fediverse as a viable alternative (both in the terms of a service, but also in terms of a funding model) is more often than not met with a patronizing dismissal. We’ve been seeing the same for years regarding free software, too.

Meanwhile, a proven abuser like Facebook can pull a Meta and everyone will dutifully debate how insightful and deep a move this is.

Oh, the humanity!

It is quite disconcerting that researchers seem unable to recognize the humanity of FLOSS developers or admins of small, independent websites or services. It is even more disturbing that, apparently, this tends to fly under the radar of review boards tasked with establishing if something is or isn’t a human-subject study.

And it is disgraceful to abuse scarce resources (such as time and energy) available to volunteer admins and FLOSS developers in order to run such inconsiderate research. It alienates a privacy-conscious, deeply invested community at a time when research into privacy and digital human rights is more important than ever.