I'm honestly baffled about the response, especially from the pro-privacy crowd on HN. This is simply the reality of GDPR. If you host and operate a website that serves EU visitors you must comply with GDPR. Of course this is a burden on small operators and it may come off alarming the first time you receive a GDPR request, however, this is GDPR working as intended. It is intended to force operators to explicitly decide which user data they are going to collect (incl. on how to inform users, correct, delete, export, etc. this data).
I do agree that there might be ethical concerns on how this study was conducted, however, the email messages do not suggest pending legal action. They're pretty standard GDPR requests.
The emails were sent to websites that do not process personal information and are thus not subject to GDPR, so the recipients were in some cases confused about what their responsibilities would be. And though the emails did not suggest that legal action was pending, they do suggest a willingness to resort to legal action in a relatively short time frame. This caused anxiety for apparently many small-time, non-profit bloggers.
Is it unethical? I dunno. But it's nuanced, at least.
As soon as the client's IP address touches your server you are processing personal information. E.g. I have seen many webservers which save these in their access logs.
Again, this is the reality of GDPR. It is not okay to operate a website serving EU visitors without considering GDPR implications. This is how GDPR is intended. Don't operate a website serving EU visitors if you don't have a plan on how to respond to these emails. I'm not trying to be harsh or dissuade these small websites from operating. It is just the reality of GDPR.