“No, I don’t think that the conventional wisdom is the only way to look at it. Privacy is extremely important for anyone putting themselves out there, expressing themselves, or expressing a side of themselves through an avatar. People don’t want other people to connect the dots from their avatar to their real life person — or even, for that matter, to an alt. One of the ethical obligations we have is to protect people’s privacy.
People come to Second Life because they want a story, they want to be in a story….and we have an ethical obligation to protect that. I’m not so sure that the conventional wisdom makes any sense. Yes, it might be technically easy to track people and all that. But in the long-term I’m optimistic that we’ll see the pendulum swing back in the other direction towards more privacy.” – Rod Humble, CEO of Linden Lab – February 12, 2011 in an interview with (the wonderful) Dusan Writer.
From the same interview:
“See, there’s the me who goes to school meetings with my kids and that’s a very well established identity. And there’s the me who plays shooter games online and I don’t want those separate identities to mix up. It’s not appropriate.”
I want to make sure those quotes are right at the top, where everyone can see them. They’re important, especially coming from the Big Kahuna down at Linden Lab.
In the past week, the issue of privacy — how it’s maintained, stolen, disseminated, put up for sale, and ignored — has caused something akin to open warfare across the Second Life grid, pitting content creators, consumers, and coders against one another. All of it could be stopped and solved by the person who said those words. But as of this writing, there has been no intervention.
The problem of the week is RedZone.
I want to make it clear that RedZone isn’t the first privacy issue to hit the grid, and I’m quite sure it won’t be the last. But it is the current one, and given the limited space I have here, I’m going to restrict what I write to this particular system (lest I be typing all day).
So What is This RedZone Thing, Anyway?
RedZone is a device sold by a man (whose real name I won’t print here, ironically) who in SL goes by the name of zFire Xue. It is sold for approximately $17, and is primarily marketed as a means by which content creators (that would be people who make virtual goods) may protect themselves against theft by technical means, colloquially known as “copybot.”
Theft of content in this manner has been a problem for years, and many merchants, particularly those who are well known to make extremely high quality items, often find themselves having to combat against content thieves who copy, recreate and then either sell huge boxes of those creations for a fraction of their value or give them out freely for the fun of it.
To date, the Lab hasn’t found a way to effectively stop copybot related theft. Think of it like virtual shoplifting — you can try to police it as best you can, but every retail store knows about “inventory shrinkage.” It is, unfortunately something that happens.
But just like in the real world, copybot related theft costs people real money. When that happens, people become frantic in the search for help and solutions to their problem.
Many content creators are desperate to try something, anything, in the hopes that they can slow down or stop copybotters even in small amounts.
Enter RedZone and its marketing. They think “Woohoo! Finally something that will help!” They buy the product and install it in locations they control. Problem solved, right?
No. Not at all.
Here’s the problem. According to the creator’s own figures, RZ stops (wait for it) a whole .025% of copybotters.
No, that wasn’t a typo.
RedZone doesn’t create a statistically significant difference in the area of copybot detection or protection of any content whatsoever. In fact, you’d have better luck simply wishing for copybotters to stop.
“The truth is, even if this device managed to ban every copier that visits your land — it prevents nothing. It’s not even really a deterrent,” Vasha Martinek, one of the owners of popular clothing store +DV8+ wrote in a telling and completely valid comment on Ciaran Laval’s well written blog post on this very same topic several days ago.
OK, so the thing doesn’t work. People are giving this guy $17 a pop for magic beans. Wouldn’t be the first time that’s happened, right?
But those magic beans in “Jack and the Beanstalk” did something. So does RedZone — and what it does has the grid in turmoil.
The Missing Link
Go read those quotes about privacy up at the top again. I want those to be fresh in your mind.
RedZone can’t protect anyone against copybot. What it does is silently scans every avatar that goes to a location that has the device.
It’s important to understand that there is no notification. You don’t know it’s happening. You can’t opt-in or opt-out.
Once you arrive at a RedZone “protected” location, this scan will happen to you. RedZone takes advantage of an overall lack of security protections in Second Life viewer’s media protocols to obtain your IP address.
“So what?” you ask. “I leave my IP address all over the Internet. Everyone does, it’s how the net works!”
And you’d be correct. But that’s not all that happens.
Once your IP address has been obtained, the device then cross-references that IP with its database. You know, the database of over 8 million (that’s zFire’s figure, and quoted in the JIRA copy) of people it has already scanned previously without their knowledge or consent. It then finds any and all IP matches and links them with your account — deciding that everyone with the same IP are really the same person, using alternate accounts from one another.
Further, this device allows the owner to ban not just one account, but every account on the same IP, and (not done yet) stores these relationships in a database that anyone can purchase and access for, well, $17.
That sound you just heard was anyone who knows how IP addresses work facepalming themselves so hard something cracked.
For those not as familiar, this means that anyone in your house? They think you’re all the same person.
If you live in a dorm? Everyone in it is the same person.
If you use an Internet cafe? Hey guess what! You’re all the same person.
More than that, most IP addresses aren’t constant and fixed. They are dynamic, and changing your IP address is as simple as resetting your modem.
ZFire knows about this problem. Except, following in the footsteps of someone far bigger than himself, he claims, “It’s not a bug, it’s a feature.”
Don’t get me wrong — RedZone’s ability to locate alternate accounts is infinitely more accurate than its ability to protect anyone from copybot. But that’s not to say it’s accurate. If it were a school exam, it would get a C- (hardly anything to write home about). But a C average is still more than enough for people to realize their personal data is being stolen and sold for (enormous) profit.
Your Money and Your Life
Understand that zFire claims to have sold more than 20,000 of these devices. Remember how much they cost, right? Do the math. This isn’t pocket change we’re talking about.
But I wouldn’t be writing this if something else hadn’t happened. You see, my major issue with this thing is that there’s no notification in advance, and no way to decide that you don’t want your information put in zFire’s for-profit database.
How about giving users fair warning by greeting them with a large, clear notification like this: “By leaving this platform, you consent to be scanned by RedZone. Your IP will be logged and matched up to our database, revealing (theoretically) all of your alt accounts. This information will then be stored for further use.”
Now it’s your choice to go to the location and be scanned, or you can leave. You would be aware of what you were getting into.
It’s about the ability to choose — opt-in, or leave. But this device is meant to be hidden. No warning. No consent. No knowledge of the scan. It happens silently. Then your data is for sale, too.
But then… zFire made this thing mobile. It was produced as a HUD (heads up display) that you could wear — no one would notice it or see it. Its only purpose was to spy on people around you. Not on your own land, in areas you control — but in areas controlled by other people, potentially violating their sim rules silently and with no chance to opt out.
Again, this device is marketed as protection against copybot. As such, there’s no reason for it to be mobile at all.
So why is it then? Because the “copybot protection” is a tissue thin cover for what it really is — a stalking device.
It didn’t take long for the abuse to begin. Read this harrowing story, and see how far it’s gone.
The TOS, the JIRA, the Alts
One might think that an issue such as this would be covered under the Second Life terms of service (TOS). Let’s have a look at the relevant bits, shall we (emphasis mine)?
SecondLife TOS 8.3:
Post or transmit viruses, Trojan horses, worms, spyware, time bombs, cancelbots, or other computer programming routines that may harm the Service or interests or rights of other users, or that may harvest or collect any data or personal information about other users without their consent;
That sentence fragment contains the entire controversy. zFire keeps claiming that IP addresses aren’t personal data. Actually he’s right about that. But no one is claiming that’s the problem.
He also claims that gathering a list of avatar names who visit a location is not a problem — that’s not personal data either. He’s batting two for two — he’s right about that also.
Where this entire train screeches off the rails in spectacular fashion is when you attach the IP address to the username, and use that system to find other, ostensibly alternate accounts (accurate or not), and harvest this information and sell it for profit.
Interestingly, and honestly laughably, on Friday morning, he said this on his own forums:
“it turns out GZers are upset about usernames being linked. I had no idea this entire time because they spend so much time writing blogs about irrelevant law, my real life name, real life address, posting lists of RedZone user names, passing threatening notecards, planning group ARs, spreading false rumors, debating stats…. It was news to me. Usernames are not real life personal information. It is quite simple. But if one user posts real life info on alt A, and alt B says “my RL is private”, they debate that. I countered that LL holds them responsible for any and all actions they take under any account. Providing RL info and then complaining about it is an invalid point. RedZone does not record Real life info. If Alt A had personal info listed, and alt B did not want personal info listed… then the user of Alt A aka Alt B needs to remove the info they made public on their own profile and not complain to RZ about it.”
Now everyone go back to the very top of this page, and read those two quotes again… and then go back to the middle and read the TOS.
Are we all on the same page again now? Though he is correct in his claim that The Lab holds you responsible for any and all actions you may perform on any account that belongs to you, please note that zFire does not work for Linden Lab and therefore has no rights to any of this information at all — he is not their personal enforcement agency.
Understand that people have alt accounts for various reasons. I have one — it’s not a secret. I use the account to do modeling for clothing I personally don’t feel comfortable wearing, and to store L$ in.
But the fact that that account isn’t a secret is a choice I get to make for myself. Everyone gets to make that same choice for themselves. Also — for any reason or no reason at all.
We already have a system by which to ban people who are behaving inappropriately in Second Life. It takes under 30 seconds to put an estate ban into place. I know, because I’ve put in over 300 of them in the past 2.5 years.
Just as Rod Humble says above, “People don’t want other people to connect the dots from their avatar to their real life person — or even, for that matter, to an alt. One of the ethical obligations we have is to protect people’s privacy.”
So why isn’t the Lab doing anything? Honestly? I have no idea.
But I know that the JIRA on ths issue now has received enough (meaningless) votes to qualify for being one of the top 10 most voted on JIRAs in the history of SL. The number of watchers (supposedly marginally less meaningless) is no less impressive.
But in case it goes poof? He’s a screencap (note that even after all these votes, as of now, this issue is still unassigned to a Linden Lab employee):
What You Can do if You Don’t Want to be Scanned
Unfortunately, space considerations (I’m way over my usual word count already) don’t allow me to create an exhaustive exploration of this entire issue — it really is huge. However, if you are simply interested in stopping RedZone’s ability to scan you, go here, read this, do that.
Also, you should know that several fine coders have been working overtime in order to cap the hole in the viewer, and plan to release that patch (if they haven’t done so already) to Third Party Viewer development teams. If you’re looking for help — it’s coming.
In the meantime, I’m wondering why Rod Humble is remaining so very, very silent.