Welcome to the Second Life Forums Archive


Privacy Disclosure Issues

Feldspar Millgrove
Registered User
Join date: 16 Nov 2006
Posts: 372
08-28-2009 09:11
When LL rolled out their new web site today, several people's comments mentioned privacy disclosure issues. They seem to say that because of third-party paid content on the new site (via amazonaws) that random advertisers can obtain your personal information (linking your avatar name and RL info). The comments also said that something similar has been happening for months on the old web site, on the Events calendar page. A third issue was something about third-parties being able to delete (but not see?) your credit card information.

The comments were short on details.

Can anyone shed light on this, with specific technical analysis?
Clarissa Lowell
Gone. G'bye.
Join date: 10 Apr 2006
Posts: 3,020
08-28-2009 09:14
Seems to be a growing trend, beginning with the buy up and merger of XStreet, on into the Zindra reforms. :/
_____________________
Sindy Tsure
Will script for shoes
Join date: 18 Sep 2006
Posts: 4,103
08-28-2009 09:14
My concern there wasn't that LL was sending my RL info. It was that they might be sending my SL name to some site that has my RL name and that that site might be able to match the two up.

Though I'm pretty tech-savvy, this area really isn't my gig. Dunno if this is something that actually needs to be worried about or not.

This would be a most excellent time for WebGuru Linden to stand up and chat about this a bit.
_____________________
Sick of sims locking up every time somebody TPs in? Vote for SVC-3895!!!
- Go here: https://jira.secondlife.com/browse/SVC-3895
- If you see "if you were logged in.." on the left, click it and log in
- Click the "Vote for it" link on the left
Clarissa Lowell
Gone. G'bye.
Join date: 10 Apr 2006
Posts: 3,020
08-28-2009 09:15
Which is why I did not like the idea of Aristotle. LL I reasoned about and decided to share with - everyone else they invite to the table, not as much.
_____________________
Feldspar Millgrove
Registered User
Join date: 16 Nov 2006
Posts: 372
08-28-2009 22:02
Does anyone have any more information about this alleged leak?
Day Oh
Registered User
Join date: 3 Feb 2007
Posts: 1,257
08-28-2009 22:24
Can you be more specific about where the advertisements or third-party content can be seen?
_____________________
Clarissa Lowell
Gone. G'bye.
Join date: 10 Apr 2006
Posts: 3,020
08-29-2009 15:30
I think the OP meant that if you click on a third party site like Amazon from the page, while logged in as your avatar name, then that third party can connect your real info at their site, with your avatar name.

I don't know if it is true or not - would like to hear more about that. Not saying it isn't, just would like more details.

Some people don't like the whole notion of everything they do online being connected up.
_____________________
Kidd Krasner
Registered User
Join date: 1 Jan 2007
Posts: 1,938
08-29-2009 16:18
From: Clarissa Lowell
I think the OP meant that if you click on a third party site like Amazon from the page, while logged in as your avatar name, then that third party can connect your real info at their site, with your avatar name.

I don't know if it is true or not - would like to hear more about that. Not saying it isn't, just would like more details.

Some people don't like the whole notion of everything they do online being connected up.

I don't see any third party links on the dashboard page. Ordinarily, clicking on a regular link (an "a" tag in HTML) won't send anything other than the current page URL (as the referrer) to the new site, along with anything embedded in the target URL. The current page URL doesn't seem to have any private information, so that's ok. The links all seem to go to either secondlife.com or xstreetsl.com, so that's ok, too.

The images in the XStreet SL box are being loaded from Amazon. Either LL or perhaps the original SLExchange people set things up to use Amazon's servers, which is a reasonable thing to do. The URLs for these images are encoded, so there's no way by looking at them to tell whether or not they include personal information, but I'd be surprised if they did. Obviously Amazon is getting these URLs, since they need them to figure out which image to send to your browser. A more interesting technical question is whether Amazon can learn anything by analyzing which images are being requested, but I don't even know whether the SL website is basing them in any way on your account.

The Blog Feed links are also encoded, so again, there's no easy way to tell if they contain personal information, and again, it seems unlikely. These links go to feedproxy.google.com, which seems odd to me, but I guess there must be a reason. I'm not that familiar with Google's web services.

This is just from a cursory scan of both the original source for my dashboard page and the generated source (via Firebug). It's entirely possible that there's stuff I missed, or stuff that's not readily apparent or that can be hidden from Firebug. It's possible that there's stuff on other pages that don't appear on the dashboard page. It's also possible that some things are filtered by my Firefox configuration (e.g. by Flashblock or Adblock), though nothing stands out. It's also possible that there's information leakage in the backend between LL and third-parties, but there would be no way to detect that from the web page.

If you look at some of the other notes on the new web site, you'll see that I raised privacy issues concerning posting the friends list by default. There are similar issues concerning posting the L$ balance and group memberships. So I do care very much about privacy. While I can't rule out the possibility of leakage to third parties, based on what I've seen so far, I'd put that concern below the other concerns.
Sindy Tsure
Will script for shoes
Join date: 18 Sep 2006
Posts: 4,103
08-29-2009 16:44
From: Kidd Krasner
I don't see any third party links on the dashboard page. .

Look at the source.. There are references to google.com, amazonaws.com, xstreetsl.com and feedburner.com.

Again, I dunno if these present any privacy issues at all - I just see that they are there.
_____________________
Day Oh
Registered User
Join date: 3 Feb 2007
Posts: 1,257
08-29-2009 17:39
Pages on SL *do* (like many other websites) use Google Analytics to track traffic trends and stuff, and to do that, they embed a javascript live from Google (https://ssl.google-analytics.com/ga.js, gripping read lol). A script embedded that way could read info on the page or even other pages on the site, send details to another site, and generally do anything, but it's assumed that some sites are trusted.
_____________________
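What the posts above do by reading the page source, as an added example (not code from the thread or from Linden Lab): a Python script that lists the third-party hosts a page references and ranks each by what the reference gives that host. The host names are the ones named in the thread; the page URL, paths and bucket name are constructed, and the exposure labels are this example's own.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) -> what the referenced host gets from the reference.
EXPOSURE = {
    ("a", "href"): "on-click",              # contacted only if the link is followed
    ("img", "src"): "auto-request",         # fetched on page load: sees URL, Referer, IP
    ("iframe", "src"): "auto-request",
    ("script", "src"): "executes-in-page",  # fetched on load, runs with the page's privileges
}
RANK = {"on-click": 0, "auto-request": 1, "executes-in-page": 2}

# Constructed sample: host names come from the thread,
# the page URL, paths and bucket name are made up.
PAGE_URL = "https://secondlife.com/my/"
SAMPLE = """<html><body>
<a href="/account/">Account</a>
<a href="https://www.xstreetsl.com/item/123">Item</a>
<img src="https://example-bucket.s3.amazonaws.com/aW1hZ2U.jpg">
<a href="http://feedproxy.google.com/~r/constructed/1">Blog post</a>
<script src="https://ssl.google-analytics.com/ga.js"></script>
</body></html>"""


class ThirdPartyAudit(HTMLParser):
    def __init__(self, page_url, first_party):
        super().__init__()
        self.page_url = page_url
        self.first_party = tuple(first_party)
        self.hosts = {}  # host -> strongest exposure seen so far

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            kind = EXPOSURE.get((tag, name))
            if kind is None or not value:
                continue
            # Resolve relative URLs against the page so they count as first party.
            host = urlsplit(urljoin(self.page_url, value)).hostname
            if not host or any(host == d or host.endswith("." + d) for d in self.first_party):
                continue
            if RANK[kind] > RANK.get(self.hosts.get(host), -1):
                self.hosts[host] = kind


def audit(html, page_url, first_party):
    parser = ThirdPartyAudit(page_url, first_party)
    parser.feed(html)
    parser.close()
    return parser.hosts
```

Calling `audit(SAMPLE, PAGE_URL, {"secondlife.com"})` returns one entry per outside host; adding `"xstreetsl.com"` to the first-party set treats those links as in-house.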
LittleMe Jewell
...........
Join date: 8 Oct 2007
Posts: 11,319
08-29-2009 18:17
From: Day Oh
Pages on SL *do* (like many other websites) use Google Analytics to track traffic trends and stuff, and to do that, they embed a javascript live from Google (https://ssl.google-analytics.com/ga.js, gripping read lol). A script embedded that way could read info on the page or even other pages on the site, send details to another site, and generally do anything, but it's assumed that some sites are trusted.
And this is why Firefox's NoScript add-on is so nice.
_____________________
♥♥♥
-Lil

Why do you sit there looking like an envelope without any address on it?
~Mark Twain~

Optimism is denial, so face the facts and move on.
♥♥♥
Lil's Yard Sale / Inventory Cleanout: http://slurl.com/secondlife/Triggerfish/52/27/22
.
http://www.flickr.com/photos/littleme_jewell
Clarissa Lowell
Gone. G'bye.
Join date: 10 Apr 2006
Posts: 3,020
08-29-2009 21:52
LittleMe: Info please?
_____________________
Feldspar Millgrove
Registered User
Join date: 16 Nov 2006
Posts: 372
08-30-2009 08:03
From: LittleMe Jewell
And this is why Firefox's NoScript add-on is so nice.


If I turn on NoScript, the web site does not function. I can't look at my L$ balance or buy Linden Dollars, Friends Online does not work, XL Street does not work, Video Tutorials does not work, My Groups does not work, and Upcoming Events does not work. Those portions of the page do not rez. Probably other things don't work, too.

From: Day Oh
Pages on SL *do* (like many other websites) use Google Analytics to track traffic trends and stuff, and to do that, they embed a javascript live from Google (https://ssl.google-analytics.com/ga.js, gripping read lol). A script embedded that way could read info on the page or even other pages on the site, send details to another site, and generally do anything, but it's assumed that some sites are trusted.


It is not relevant that other sites embed spy ("metrics") code on their pages -- other sites do not know the RL identity of my avatar! I trusted Linden Lab to keep that secret, and now it appears that they are giving it away, for profit, without telling me.

If this is true, I am extraordinarily upset.

The best technical explanation someone has offered so far is: Can't tell exactly what's going on: maybe, maybe not.

What I want is an explanation of how this could not possibly really be happening. Unfortunately, I don't feel that I can trust Linden Labs anymore to provide that, so I am hoping people on the forums can figure it out.
LittleMe Jewell
...........
Join date: 8 Oct 2007
Posts: 11,319
08-30-2009 09:48
From: Clarissa Lowell
LittleMe: Info please?
https://addons.mozilla.org/en-US/firefox/addon/722

After you install it, in the lower right of your browser will be a large S and when you hit web pages where scripts have not been allowed, there will be a note to that effect along the bottom of your browser. You then click the 'options' button down there and you'll get options to temporarily or always allow the various scripts that that site/page is trying to run. If you are not sure about one, just use the temporary option. If there is something on the page not showing or running right, view the list of scripts that are not yet enabled and select the ones that might be appropriate.



From: Feldspar Millgrove
If I turn on NoScript, the web site does not function. I can't look at my L$ balance or buy Linden Dollars, Friends Online does not work, XL Street does not work, Video Tutorials does not work, My Groups does not work, and Upcoming Events does not work. Those portions of the page do not rez. Probably other things don't work, too.
Turn No-Script on and then selectively activate the things in the list that sound like they are not traffic counters and advertisements. I have no issues in the forums with No-Script running.
_____________________
Pale Spectre
Registered User
Join date: 2 Sep 2005
Posts: 586
Firefox Add-Ons
08-30-2009 09:51
Just make sure you have this entry in Adblock Plus: *google-analytics*



The BetterPrivacy add-on is also useful to have:



This is designed to stop tracking by the much less well known Flash-cookies (Local Shared Objects, LSO)
_____________________
LittleMe Jewell
...........
Join date: 8 Oct 2007
Posts: 11,319
08-30-2009 09:57
Yes, and there is also an addon called Flash-Block that keeps any flash stuff from running until I specifically click on it.

Had not heard of the BetterPrivacy one - will go check that one.
_____________________