Privacy and Protection, Second Life

Second Life Privacy Flaw Allows Tracking of Users, Anywhere, Any Time

Your avatar’s location can be mapped. And you don’t need to give permission.

What We Believe is Not Always Supported By Code
As virtual world technologies are developed I’ve long been an advocate for considering the ways in which, one day, we’ll wake up and wonder why basic policies can’t be executed. The theory is that code is policy-free. OpenSim, for example, is called the Apache of virtual worlds, meaning it’s just a bunch of code snippets that let’s you cobble together a world. But I’m convinced that this obscures the fact that code is built on models, and models are created from a philosophy, and because of these models we’ll end up discovering one day that the premise on which the code was built prevents us from moving beyond certain bandwidths of belief on how virtual worlds should operate.

Take privacy. The philosophy is that an avatar is a representation within a world. The worlds are what’s important – avatars are the agents that interact with the worlds. That’s a philosophy. A competing philosophy might be that avatars are users, and that as such, maximum control, privacy and transparency should be the guiding principles by which virtual worlds provide engagement with avatars.

Under this philosophy, I’d imagine that rather than avatar data being hosted or held by the servers attached to worlds, they’d be hosted by the users themselves. Why should my avatar be held on some corporate server somewhere, or on some OpenSim grid in someone’s basement? I’m not saying this is technically easier, or faster, but I’m pointing out that the philosophy of how you treat avatars leads to code and how that code is hosted, which leads to a constraint in what sorts of policies are possible.

The Mozilla Foundation, for example, is built on a few principles or philosophies. And I’ve written about that, and the open source Second Life viewer at length.

We Know Where You Were Last Night
In Second Life one of the principles is anonymity and privacy of the users. Your rights are protected by the Terms of Service and by the ability to “toggle” a few features. One of these is your location on the Grid.

The “mapping” function lets you ALLOW others to know where you are on the Grid – to map you. The decision to let someone map you is often used with extreme caution. This is a world after all – a world where you can go anywhere, be with anyone, do anything. The existence of detective agencies is proof that human drama exists equally in this world as in others: want to know if your spouse is cheating on you? Hire a detective.

Well, suspicious spouses don’t need to go to the expense of a detective: just run and grab a copy of Second Inventory and you can map anyone on the Grid at any time.

Second Inventory is a popular application that lets you back up inventory. It has taken great care to only allow copying of items for which you have full permissions. But embedded in the application’s communication tools is “user location” data. You can see the region and exact coordinates of any user who speaks in a group chat, or with whom you open (but do not necessarily use) an IM.

Second Inventory takes advantage of an Improved Instant Message function built into Second Life. This message function communicates the region ID and location of users, and is equally applicable to objects.

ImprovedInstantMessage Low NotTrusted Zerocoded
AgentData Single
{ AgentID LLUUID }
{ SessionID LLUUID }
MessageBlock Single
{ FromGroup BOOL }
{ ToAgentID LLUUID }
{ ParentEstateID U32 }
{ RegionID LLUUID }
{ Position LLVector3 }
{ Offline U8 }
{ Dialog U8 }
{ Timestamp U32 }
{ FromAgentName Variable 1 }
{ Message Variable 2 }
{ BinaryBucket Variable 2 }

Where you are is being communicated through SL protocols. It’s just that normally you can’t see it.

Compiling a Tracking Viewer
So that’s Second Inventory. But what it points out is that this code is resident in the Second Life viewer. And because the viewer is open source, this means that the viewer could be recompiled. I’ve been told by developers that they’ve evaluated and run tests to see how easy it would be to recompile the viewer to allow ongoing tracking of the location of people in chat, IM, and groups (much of this also applies to the ability to find objects as well).

I’ve been told that it’s a “trivial” recompile.

In other words, with a few snips of the viewer code, others can determine your exact location on the Grid at any time. This location information could be handed over in chat windows as part of a sort of ongoing stream of information. It’s unclear whether Linden Lab would be able to scan for this type of data being ‘pinged’ or whether they’ve built for systems to monitor for this type of activity: the problem is, the information is already being transferred, it’s just not being displayed.

And from being able to track this data “manually” it’s only a few steps from creating automated procedures through a bot or script that would run a “location sweep” to track your movements on the Grid.

Don’t Go Where You Wouldn’t Want Your Mother To Find You
I have no idea how well known this is. Maybe all those detectives and paranoid spouses out there are already using Second Inventory and recompiled viewers to track those they, um, love.

My concern is that as virtual worlds become increasingly used for work, play and exploration that there has not been sufficient emphasis on policy and rights, and that as a result code has been built in a way where it will be impossible to put the Genie back in the bottle.

Just remember: if you don’t want people to know where you’re going – well, I guess that’s what alts are for. Otherwise, just pretend you’re walking around with a GIS locator on your belt because, truly, anyone can find you.


speak up

Add your comment below, or trackback from your own site.

Subscribe to these comments.

*Required Fields

Creative Commons License
This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License.