Known Statutory Problems with Proposed Age Verification Policy

At the request/suggestion of Heretic Linden, I am starting a new thread on this hot topic.

PLEASE only post here known/verifiable legal precedents applicable in your country/state/city. For the greatest benefit of the community, please try to provide links to definitive/precedental legal/governmental/statutory websites.

Again ! it's not about age verification we already have that, it's the proposed "Identity Verification" part thats the problem. Please rename the thread to reflect the actual blog post not what LL want us to mistakenly believe it's about.

Thanks, tried that, to no effect, as you can see. Ultimately, it doesnt matter what you call it, a rose by any other name is still a rose....

Problems with it apart from the gaping hole the lindens and aristotle seem to have ignored?
The data that is verified is not tied in any way to the person submitting the data. Anyone can submit SSN/drivers license/passport/national ID, but there is no way to verify that data belongs to that specific person.
It is all just a very expensive way to say "yes, john smith exists somewhere and is over 18".

For evidence of how badly their other services perform, check out bud.tv. If you don't want to submit your own details, dont. The name George Bush with the zip code 20500 (whitehouse) works no matter what country you are accessing from. Dig up the DOB from wikipedia

The "name" doesn't matter, the issue trying to get solved here is:

"is the user at the end of the wire who you believe them to be?"

This is unfortunately NOT solvable unless the user has "something secret" commonly known between service provider and user.
Either, "something they HAVE", like an RSA hardware token, dongle, phone EMEI code etc.
Or, "somthing they KNOW", like one time passwords, bio-info... etc.

Even those are not 100% guaranteed to establish that the "user" is who they say they are.

Believe me I have spent millions of companies monies analysing and/or trying to implement such systems for them - its simply not 100% possible.

Lindens are getting far too carried away with this and need to step back to regroup.

And on the level that Lindens are considering? It's not worth the investment.
May as well simply go back to relying on credit card as much as possible.
Not perfect (as stated by VISA), but just as good as this madness and less expensive I am sure.

regards.

Please keep in mind that this is the thread for posting URL's to laws/statutes from your home country/state/city that forbid or otherwise overrule LL's current proposal...they are monitoring this thread for such references.

To my knowledge, it's not illegal in Washington State for a business to request a customer's social security number, even when it is being misused as a national id number (as in this case). The customer has every right to refuse to provide the number, and the business can refuse services based on that refusal (as in this case). This is federal law; I'm not sure whether any U.S. states have stricter controls over business requirement of SSNs.

Of course, many government and private anti-identity-theft resources (including the SSA website) consider this to be unethical, and strongly recommend that US citizens consider taking their business elsewhere if this happens.

I'm in support of an age-verification system of some sort, but I will not be providing my SSN to LL, let alone some third-party provider, under any circumstances. I don't care how much we are reassured that this data is being immediately discarded. I know too much about database systems, websites, and the fallibility and/or corruptibility of the people running them to be able to trust in this.

LL really needs to just come forward and name/link to the verification company because while I did just send off an email to the privacy commission of my goverment requesting guidelines I didn't have any name to give them so I'm not sure I'll get a definite answer one way or the other. I don't even know if my country is covered to begin with.

As a side-note, it shouldn't be up to residents to check whether asking for the information is legal or not. If whatever verification company is used can not provide LL with a written legal guarantee that what they're doing is legal in all the countries they claim to offer verification for then it's probably not.

They did link/name it in the last blog post. http://integrity.aristotle.com/

I agree that it's a good bet but Integrity is a service offered by Aristotle so it's not quite "Integrity Services" .

I don't really much care one way or the other, but I figured I could settle the answer of legality for one European country at least . I guess the best I can hope for is that they get back with a list of authorized companies.

Daniel/Robin confirmed that it is them at her office today. They also made it quite clear that integrety and aristotle are two different divisions of the company and do not share data.

Not shared, but still stored for two years, which would be illegal for any company to do if it was located here.

Many have pointed out (as well as some pointing it out every chance they get) that aristotle is in the business of selling data to politicals.. I was just echoing what LL said about the dictinction between the divisions.

Somehow I have to think that if a company has to ask on their forums if anybody knows if something they're about to do may be illegal, then they shouldn't be doing it.

Kevin single-handedly wins the game, folks.
Thread over.

Still waiting for a response that doesn't just direct me to treaties that make my head hurt .

So far:

Recommendation No. R (99) 5 - THE PROTECTION OF PRIVACY ON THE INTERNET
http://peru.cpsr.org/bdatos/decisiones/europa/Recom_99r5.pdf

These are guidelines, so in human readable form, and not legal texts.

The (6) and (7) footnotes are:
Directive 95/46/EC (http://ec.europa.eu/justice_home/fsj/privacy/docs/95-46-ce/dir1995-46_part1_en.pdf and http://ec.europa.eu/justice_home/fsj/privacy/docs/95-46-ce/dir1995-46_part2_en.pdf) was ratified into a law for all members of the EU and is the base text that contains the restrictions of export of personal data to countries which have a lower standard (such as the US).

There are guidelines for ISPs as well (which in the context of the text means any kind of content provider) but they don't really apply to LL since it's not European, although having/opening an office in the UK may muddle things up.

My interpretation (still waiting for an "official" recommendation):
If Aristotle/Integrity has an official license to handle the information of EU citizens (it doesn't mention such) or if it agrees to uphold the above EU directive (it doesn't mention that either) then there shouldn't be any problem for EU citizens.
In the case of neither, then the handling of personal information will not be up to EU standards, but any single individual can still provide their own, be it at their own risk.

My understanding of this is that LL will be fine asking for this information (barring the possible implications of having part of their business in the EU and starting this whole process the wrong way round, afterall, if even Microsoft can't just do there own thing, I don't think LL can either).

At present, individuals are free to provide this information to LL or the company that LL chooses.
But just as in the case of credit cards, it is highly recommended that you only provide that information to those who are authorised to have it, and if you willingly give it out to any other party, the results are completely on you.

I am certain that should this as of now unnamed company (it has been removed from the blog) be given your details freely by you, you will have to take full reasonability for any missuse, and will have no sympathy from your government.

Just having your identity documents stolen is really bad, if they are used, it is even worse, just ask those in this forum who have mentioned that it has happened to them.
Now think how your government will react when they know that you gave this information away freely, especially when this information is not yours to give... (I just checked my passport, yes, it is the property of the government...).

Of course the current outrage is nothing compared to what will happen when a country with good privacy laws finds out that there is a company trying to get this identity information about it's citizens, if things keep going as pear-shaped as they are at the moment, we could be watching whole countries drop of the SL map.

Of course LL knows all this, afterall this is just basic due dilegence that even I as a non-lawyer can do.

It will really be very interesting to see how this all plays out in the end. The vast majority of people voicing their opinions are saying that they definately do not feel comfortable giving out personal information. LL has already said that this new requirement for access to certain content is going to take place so they are up against the wall now to actually make it happen. However, it is amusing to see that they are just now starting to think this though...and hilarious that they are asking SL citizens for legal help (especially since they have already announced that this is something that is going to happen). Good luck LL. I hope the aim is not at your foot.

Not a helpful post - I would much rather LL change their policies on the basis of feedback from their users, then push on regardless with a flawed policy just in order not to loose face!

I received a signed notice today, informing me that the inquiry was passed on to a different government official for further investigation.

Age verification will be there for years before my questions make it through the bureaucracy treadmill .

Not sure if any Linden is still following this thread, but unless Integrity has a European presence (in which case it would be held to European privacy laws and would have needed to petition each government to handle its citizens information), it would not posess any official information on European citizens.

The general recommendation is to not provide Integrity with any sensitive personal information.

Things that need to be cleared up: clarify what *exactly* is asked for every different country because it makes a rather big difference (it's the national/passport number that's the obvious problem), whether LL already has a business presence in the EU and the name of a contact with Integrity because additional questions were asked in the letter which I can't answer (specifically how "identity verification service that integrates a government-issued ID database check" from their site applies to the EU).

For Germany: http://www.gesetze-im-internet.de/bdsg_1990/index.html

Here a link to an interesting court decision about the Directive 95/46/EC:

http://curia.europa.eu/jurisp/cgi-bin/gettext.pl?lang=en&num=79968893C19010101&doc=T&ouvert=T&seance=ARRET

If Europeans provide information to Integrity and Integrity process that information in the United States, none of our data protection laws protect us. If however Integrity process the information in the UK, they will have to abide by European data protection laws.

However as the Lindens have said the data can only be audited on a government order, I'd assume they mean the US government, which suggests the data is being processed in the states and therefore Europeans are advised not to provide LL or Integrity with this information.

This is rather an important point.

Canadian Privacy Act:

http://laws.justice.gc.ca/en/ShowFullDoc/cs/P-21//20070524/en?command=searchadvanced&caller=AD&search_type=bool&shorttitle=privacy&day=24&month=5&year=2007&search_domain=cs&showall=L&statuteyear=all&lengthannual=50&length=50


Office of the Privacy Commissioner - SIN Faq:

http://www.privcom.gc.ca/fs-fi/02_05_d_02_e.asp

And just to help the poor LL Lawyers - here's an excerpt from that document to get them started:

The Personal Information Protection and Electronic Documents Act (PIPEDA) sets out ground rules for how private sector organizations may collect, use or disclose personal information in the course of commercial activities.

Since January 1, 2001, the Act applied to personal information about customers or employees that is collected, used or disclosed by the federally-regulated sector in the course of commercial activities. It also applies to information that is sold across provincial and territorial boundaries. As of January 1, 2004, the Act covers the collection, use and disclosure of personal information in the course of any commercial activity within a province, including provincially-regulated organizations, except in provinces that have enacted legislation that is deemed to be substantially similar to the federal law.

Under the new law, organizations like banks, telecommunications companies and airlines cannot require you to consent to the collection, use or disclosure of your personal information unless it is required for a specific and legitimate purpose.

This means that unless an organization can demonstrate that your SIN is required by law, or that no alternative identifier would suffice to complete the transaction, you cannot be denied a product or service on the grounds of your refusal to provide your SIN.

If you disagree with a request for your SIN made by an organization that is subject to the PIPEDA, you can complain to the Privacy Commissioner of Canada, who will investigate the complaint.


Happy reading