Privacy: Open Letter To Linden Lab

Privacy: An Open Letter to Linden Lab
and a discussion with residents.

Dear Linden Lab,

Here is my thoughts on privacy in Second Life, including an interpretation of what exists, questions raised by the current state of SL privacy, and major issues that I see that exist that will eventually (if not sooner) become impossible to ignore. I realize you folks are well aware of the importance of the legal ramifications of hosting a Massive Multiplayer Online service of Second Life's scope. I personally have been very happy with the large degree that you do listen to the player base, and I know many people would agree with me.

This is perhaps the most expansive and important issue facing Second Life, since it is both a technological and human issue. I bring up this issue because I see more and more examples of problems dealing around the issue of privacy, and I want the Metaverse to be a success story from Second Life. I hope you consider my thoughts seriously.

----------------
Intro

The Internet, at base, hardware level, is not private. A user, in order to transmit data from one place in the Internet to another, sends data out through hardware that other people own. Data is not secure. The ability to spy on data is hindered essentially three ways: trust and honest, technology (encryption), and laws. Since not everyone is honest and can be trusted, and encryption can be broken, there are laws that are established and enforced by legitimate governments with the power and authority to do so. At the same time, these laws allow our government to, with proper authorization*, to invade our privacy in the interests of law and security. (* This is eroding, unfortunately, with the Patriot Act and lawmakers' lack of understanding of technical issues.)

When you consider privacy in Second Life, you essentially have the same model of ensuring privacy of residents as you do securing bytes of data over the Internet. Most people in Second Life are honest, decent human beings that don't need either laws or technology to respect each others' God-given right to privacy. Yes, the belief that all humans have this as a right is my person opinion, which is another debate. But, regardless of my opinion, Linden Lab has granted residents this right. I'll get back to this.

1. Honesty and Trust

Most people in Second Life can be trusted to a fairly good degree, but the problem of Second Life is the problem of the Internet. This is, namely: anonymity*. Ironically, the very privacy we seek to protect is the thing that emboldens people to violate it. Humans have a natural curiosity, and the Internet provides a place where we can be curious and seemingly no one will know. This is very dangerous because the temptation can be great and the risk and consequences are very low.

(* Or rather, pseudo-anonymity. As I stated earlier, data is not secure. However, because the Internet has a decent level of privacy, and combined with people's belief that it is ultimate privacy, it makes people feel invincible online.)

Philip has so boldly and accurately stated how Second Life will go worldwide and mainstream. What does that mean for privacy? Well, we could let privacy go the way of the general Internet, and we will bump into griefers and rude people and such constantly. It's obvious we need to look to other solutions to protect our privacy in Second Life.


2. The "Law": community standards



I've highlighted a few key parts:

entitled: The word implies Linden Lab grants this as a right.

reasonable level (of privacy): Ambiguous. It acknowledges that, essentially, there are ways around the privacy we try and obtain.
Is the word "reasonable" necessary?
Is there truly a need to qualify the level of privacy that users deserve?
Abuse reports go so far as to completely keep the privacy of an offender of policies and his/her punishment. This being the extreme example of where privacy might be waived, why not remove the word "reasonable" and simply state that all residents are entitled to privacy, period?

personal information: The details of what Linden Lab states as reasonable privacy appears to be limited to facts about first life. What is interesting is that nothing about your Second Life avatar appears to be private.
What about one's sexual preference in Second Life?
What about one's home location in Second Life?
What about one's alternate accounts?
Arguably these are three examples of things in Second Life that an avatar deserves privacy that are not included anywhere in the community standards.

Remotely monitoring conversations: Why is this limited to conversations? In practice, is not spying on someone's movements just as bad? It seems while du jour this is not included in the Community Standards, it is de facto enforced by Linden liaisons.

without consent: This seems to me to be the very crux of what privacy is about. A person ought to be able to keep things private unless he/she gives consent. Some is implicit, obviously, like having your land with unrestricted access and without locked doors consents that people are entitled to explore your land. While a player has posted a picture of him or herself on the 1st life profile, gender and race are granted consent for public knowledge.
I would recommend updating the privacy section of the Community Standards and centralizing it around the idea of consent.

Implied: Privacy in Community Standards is stated in general terms, which implies that the rules apply to employees of Linden Lab as well. I would like to see this explicitly stated, and under which specific, unambiguous conditions that Linden Lab can violate privacy. (Fixing an immediate bug, responding to a serious abuse report, payment for Second Life, etc.)

Enforcement: Here's another can of worms. Obviosuly, it needs to be fair and consistent. Eventually Linden Lab may have to rely on community based enforcement, and that is a wholly separate discussion from this one.

3. Technology

Ultimately, since every player runs the same user client, the greatest weapon we have to defend our player privacy is technology. For instant, we have private messaging. This is a very basic example of how we can grant consent to a specific person; only one person can read the speech. Object permissions are similar - by making scripts no modify, for instance, scripters are given privacy to their ideas and programming. Cory Linden has spearheaded the ongoing drive to improve our permissions system, and has worked to listen to player comments on how best to implement them.

Land

A very large issue with privacy is land. For $200 / month and a cool grand cash down, all players can own their own sim island and have all the privacy they want by restricting ports in. Should players be forced to pay this much to ensure their privacy? Currently, the answer is yes. Recent posts have shown that players defending their own land from griefers are punished, while the griefers are not.

This should not be.

Follow this logic:
1. Community Standards protects IM conversations and remote monitoring of public conversation.
2. Linden Lab has asserted that all possessions in SL should be treated as real capital.
3. Owners of items in SL have a right for other players not to copy / modify / otherwise mess with their items.
4. Both objects and land actually in real life exist as data on a server owned and/or rented by Linden Lab and have no significant different in physical ownership.
5. Therefore, land should have the same protection as objects in Second Life.
6. Philip Linden has gone so far to ensure object permission security and privacy as to offer a bounty on showing a bug.
7. Therefore, it should be a high priority of Linden Lab to seal up the ways to exploit privacy of land.

Ways a player can violate land privacy:
1. Ban lines have a limited altitude. While it's silly to extend it indefinitely (bumping into random air high above land would be silly), there are other methods. The ideal would be to have a radius above and below actual objects on or above a person's land that would define the ban area. The simpler solution would be to let the land owner set the height of ban lines. If this is abused, it could be reported just like any other ban line abuse.
2. No build? Build on the land next door and move the prim over the land.
3. Locked door? Sit on a prim and move it inside.
4. Walls blocking line of sight? Use your alt-camera and zoom inside.

We could really use the camera modified so that one could set an attribute on a prim so that a camera cannot penetrate it. This would also be supremely handy for game developers in Second Life to not only prevent cheating, but force nice camera angles without having elaborate scripting.

Ghosting
I've saved the worst for last. Ghosting poses an unlimited threat to personal privacy in Second Life. By ghosting, I am speaking of the exploit where a player can use the 3-corners bug to become completely invisible both avatar and on the map. I believe this also allows people to pass through ban lines. This leaves unlimited spying access with no accountability.

The 3-corners bug I refer to is when you fly too fast through corners of sims and the sim essentially "loses" the avatar client. This bug has been around since I started Second life, almost a year ago. It is widely known and I am not outing anything new. I have reported the bug, spoken with Lindens about this issue both by email, IM, and phone, and relayed how serious of a privacy issue this raises. I have posted about it here:

/13/f3/27687/1.html#post312288

Now it seems to make sense why the Community Standards still excludes land privacy rights; because technologically, there is no way to assure them. As we continue to grow in the future, and ESPECIALLY now that we have a teen grid coming, I believe this is a serious issue that deserves immediate addressing. (Forget Havok 2 for now, haha!)

----------

CONCLUSION

While Second Life is not Beta, the game itself is a Beta for the Metaverse. Linden Lab has asserted very strongly their intentions to make Second Life work as the Metaverse. I had the

I have the utmost respect for Linden Lab. I believe they are a talented crew. They work hard, and cannot do it all, think it all, or foresee it all. This is why player input is so vital and valuable, and Linden Lab's leadership is very intelligent to take the players seriously at their requests. They also have the wisdom to weigh ideas, reject, and prioritize.

I also believe in Second Life as the Metaverse. It is an inspiration that the common person is able to guide the future of what will be the entire world's communications. As always, thank you for the opportunity to share my thoughts.

Regards,
(the person behind) Hiro Pendragon.

*breathes*

someone has had alot of time on their hands...

Yeah man, like, I mean, he could adding to SL by dancing a the badger dance and playing the mushroom mushroom song!

Who says I wasn't while writing this?

I mean, hypothetically.

I wish I was.

That was powerful, Hiro. I didn't get all of it on the first pass. I'm going to re-read it but I think you laid out your view really concisely with the main points -- yet elaborated in the body text -- and optimistically. I like the end part too where you refer to a certain sci-fi book that we hold dear. *grins*

that was amazing, hiro

Thank you, Torley and Jauani.

To clarify - I tried to focus on what LL's goals were for privacy and expanding SL, and what ways LL is / could do to help ensure it.

I didn't even touch on issues like:
- Avatar privacy & taking photos without permission
- Land sale privacy (one thing I think that should be public)
- Extra land options such as restricting camera, or sound / chat in and out of a plot of land
( /13/9b/27774/1.html )
- Group member privacy

There are just so many issues dealing with privacy ...

My thought:

I think you're confusing your right to RL pesonal privacy versus your SL av's privacy. They are different, and I'm guessing LL's policy is designed to protect your RL privacy, not necessarily so much of your av's privacy in SL.

Excellent thought.
However, unlike games like Everquest or Ultima or whatnot, many people see their RL blend into SL.

The real question is not, "Why should we protect people's privacy?"
It is, "Why should other people pay for access to Second Life and have other people pry into what they do?"

Is spying on other people integral to gameplay? No. Is it useful other than to exploit people? No.

A person's actions in SL are still things that a person does in RL, since SL is a subset of RL. Now either you treat SL as purely public interaction, or else you consider it private actions of a person. This is a decision that should be left up to the players, since they pay. If players want everything they do to be public, then they certainly can leave themselves open to public scrutiny. If not, why should they be forced to?

They shouldn't. Therefore, privacy is something valuable as is, and necessary as SL grows into the Internet-replacement.

Yes Hiro, truly it can always be expanded. But it is important to state a number of things, as ambiguous and as many opinions on the matter as they are -- it remains your very well-expressed right to say as such. However, I was thinking about this part:



I hadn't considered the latter part of what you said here before. That is an astute point, and fits well with a "kills two birds with one stone" approach, if it in fact can be carried out. I'd like that too, for some tight spaces -- or better-defined camera angles 'cuz it's hard to get into some crawlspaces without the camscanning going nutty.

Also:



Is Second Life beta? I'm confused about that point. Did you mean it's *not* beta?

A little side comment on real life privacy. People should be aware if you hear someone's streaming audio they possibly just got your real life ip address. It's not something I'm particularly concerned about and there isn't much the Lindens can do about it since the stream is direct from them to you. But it is something to be aware of.

Now that would just be silly, and apparently, a bannable offense

Uhr... K, I just read through the entire thing. It may be the fact that I'm just now getting off a 12 hour (and 23 minute) long graveyard shift stocking shelves at a grocery store (work I am most definitely not in shape for, nor used to in any way), but the entire thing strikes me as anticlimactic.

You build up and make all these amazing points about privacy and land rights and such and then your conclusion is "LL's making the metaverse. Good job LL!" A bit weak, no? Leaves me thinking "Wait, wasn't there supposed to be more? An idea? A goal? Something?"

Anywho... one other note:



That can not be done until at least Havok 2. Or so I read from Andrew (I think it was Andrew. It was a Linden who knew what he was talking about.)

We have the goal: The Metaverse.
Throughout my piece I explained why I thought certain things needed to be to achieve that goal. Do you think I didn't mention enough when I asked them to clarify a number of points on what should be considered privacy, asking LL to rewrite community standards from the ground up, add several additions to the engine, develop a plan to enforce privacy violations fairly and evenly, and seal up a bug that is fairly integral to the inter-sim architecture of the grid?
Perhaps I should have more explicitly stated them at the end.

Whew..good post. Well thought out.

Okay, seriously, the phrase "open letter to Linden Labs" should be banned already.

Hiro, as you pointed out, Island owners are currently able to exercise a great deal of control over the privacy of their own spaces. In fact, the original winner of a private island (Elysian Island) went to a great deal of effort to make the privacy of the space a major selling point.

Personally I haven't felt the need for privacy in SL very often. Frankly it frustrates me when a friend of mine is out of reach on one of the private islands. However, I agree with you that the ability to opt in for privacy is something that needs to be democratized somehow. It shouldn't be reserved solely for a privileged class of large landowners.

Another option for privacy would be to take a page from that other 3D chat room. Create smaller private spaces that can be rented or bought as land, which essentially sits off the main grid but can be accessed through a teleport device. You could set up 64 or so running off of a single server, and they would function as "mini-islands" or the equivalent of the inside of a house sitting on the main grid. Frankly it might be easier to implement this than trying to figure out how to prevent cameras from invading all the strange configurations of prims people come up with.

People with much smaller land tiers could thus get some away time, just like the bigger landowners.

Thanks for proving conclusively that not even forum weenies actually read the forums. I appreciate the effort my sweet little pile of partly dissolved sugar.

Hint: maybe someone wasn't banned for playing the hamster dance. As an intrepid seeker of the truth I expect you should be able to ferret it out.

Privacy does not exist in second life, everything you say is recorded and can be viewed by the lindens.

Malachi, apparently whatever doseage of anti-psychotic medication they have you on is not working. I don't know why you feel the need to snipe like a rabid dog at me all the time, but good lord, lighten the fuck up. You are right, I did not read the entire "I was dressed as a badger and I was banned thread" because quite simply, I didn't care. I don't care why said dancer was actually banned, nor was I outraged by it, so why as always you feel the need to chime in is beyond me, but knock yourself out.

Crissy, my chicana guapa, so you care enough to post on a subject that doesn't interest you? That explains a lot. Me and my psychiatrist love you to itty-bitty pieces. And don't worry, my rabies test was negative (my shrink I'm not so sure about, just don't let him bite you).

It was a joke in response to a joke I made. At least find some better subject matter. Dragging that axe around has to be getting tiresome, so maybe you should pick your whacks a little more wisely.

You do remember humor right Malachi? OH! Was this an attempt at humor? Chews on it a bit and spits it out like a bad piece of beef jerky. Dry, very dry.

Nolan, a careful and insightful person like yourself knows that I only have eyes for Crissy.

I will take insightful over inciteful any day of the week.