Then, a couple of months later, I get spam from a seller trying to get me to buy knockoff designer handbags, or a Nigerian prince trying to secret his fortune away, or something else odious.
But look -- the email was sent to the address "crappytire@example.net"!
Now I know, with absolute certainty, that this spammer got my address, directly or indirectly, from Crappy Tire. Maybe they sold their mailing list far and wide. Maybe their systems were hacked and every customer's email was exfiltrated.
I can now take action. If I think they sold my address, I can write a nastygram referencing their privacy policy or Canada's PIPEDA act, or Europe's GDPR, or whatever. If I think my address was stolen from their systems, I can report the security incident to them, or publicize it so others know it may have happened to them.
And most importantly, I can disable that email address. Just refuse all mail sent to it. It's no longer of use to spammers or crooks. If I ever deal with Crappy Tire again, I give them a new unique address.
Anyway, that's a lot of backstory. I use this technique extensively. I have caught many, many companies selling/renting their mailing lists in violation of their own policies. I have caught many others that have been hacked, and they didn't even know it.
So what's the thing that happens to me occasionally regarding this?
2/x
𝗖𝗼𝗹𝗹𝗲𝗰𝘁𝗶𝗻𝗴 𝘂𝗻𝗻𝗲𝗰𝗲𝘀𝘀𝗮𝗿𝘆 𝗱𝗮𝘁𝗮 𝗶𝘀 𝗹𝗶𝗸𝗲 𝗯𝗿𝗶𝗻𝗴𝗶𝗻𝗴 𝘁𝘄𝗲𝗻𝘁𝘆 𝘀𝘂𝗶𝘁𝗰𝗮𝘀𝗲𝘀 
𝗳𝗼𝗿 𝗮 𝘄𝗲𝗲𝗸𝗲𝗻𝗱 𝘁𝗿𝗶𝗽
! The GDPR provides us with great guidelines for conducting safe research, for example regarding 𝗱𝗮𝘁𝗮 𝗺𝗶𝗻𝗶𝗺𝗶𝘇𝗮𝘁𝗶𝗼𝗻: only collect what you need. 
, but no less serious because of that! 
