Your avatar’s location can be mapped. And you don’t need to give permission.
What We Believe is Not Always Supported By Code
As virtual world technologies are developed I’ve long been an advocate for considering the ways in which, one day, we’ll wake up and wonder why basic policies can’t be executed. The theory is that code is policy-free. OpenSim, for example, is called the Apache of virtual worlds, meaning it’s just a bunch of code snippets that let’s you cobble together a world. But I’m convinced that this obscures the fact that code is built on models, and models are created from a philosophy, and because of these models we’ll end up discovering one day that the premise on which the code was built prevents us from moving beyond certain bandwidths of belief on how virtual worlds should operate.
Take privacy. The philosophy is that an avatar is a representation within a world. The worlds are what’s important - avatars are the agents that interact with the worlds. That’s a philosophy. A competing philosophy might be that avatars are users, and that as such, maximum control, privacy and transparency should be the guiding principles by which virtual worlds provide engagement with avatars.
Under this philosophy, I’d imagine that rather than avatar data being hosted or held by the servers attached to worlds, they’d be hosted by the users themselves. Why should my avatar be held on some corporate server somewhere, or on some OpenSim grid in someone’s basement? I’m not saying this is technically easier, or faster, but I’m pointing out that the philosophy of how you treat avatars leads to code and how that code is hosted, which leads to a constraint in what sorts of policies are possible.
The Mozilla Foundation, for example, is built on a few principles or philosophies. And I’ve written about that, and the open source Second Life viewer at length.
We Know Where You Were Last Night
In Second Life one of the principles is anonymity and privacy of the users. Your rights are protected by the Terms of Service and by the ability to “toggle” a few features. One of these is your location on the Grid.
The “mapping” function lets you ALLOW others to know where you are on the Grid - to map you. The decision to let someone map you is often used with extreme caution. This is a world after all - a world where you can go anywhere, be with anyone, do anything. The existence of detective agencies is proof that human drama exists equally in this world as in others: want to know if your spouse is cheating on you? Hire a detective.
Well, suspicious spouses don’t need to go to the expense of a detective: just run and grab a copy of Second Inventory and you can map anyone on the Grid at any time.
Second Inventory is a popular application that lets you back up inventory. It has taken great care to only allow copying of items for which you have full permissions. But embedded in the application’s communication tools is “user location” data. You can see the region and exact coordinates of any user who speaks in a group chat, or with whom you open (but do not necessarily use) an IM.
Second Inventory takes advantage of an Improved Instant Message function built into Second Life. This message function communicates the region ID and location of users, and is equally applicable to objects.
{
ImprovedInstantMessage Low NotTrusted Zerocoded
{
AgentData Single
{ AgentID LLUUID }
{ SessionID LLUUID }
}
{
MessageBlock Single
{ FromGroup BOOL }
{ ToAgentID LLUUID }
{ ParentEstateID U32 }
{ RegionID LLUUID }
{ Position LLVector3 }
{ Offline U8 }
{ Dialog U8 }
{ ID LLUUID }
{ Timestamp U32 }
{ FromAgentName Variable 1 }
{ Message Variable 2 }
{ BinaryBucket Variable 2 }
}
}
Where you are is being communicated through SL protocols. It’s just that normally you can’t see it.
Compiling a Tracking Viewer
So that’s Second Inventory. But what it points out is that this code is resident in the Second Life viewer. And because the viewer is open source, this means that the viewer could be recompiled. I’ve been told by developers that they’ve evaluated and run tests to see how easy it would be to recompile the viewer to allow ongoing tracking of the location of people in chat, IM, and groups (much of this also applies to the ability to find objects as well).
I’ve been told that it’s a “trivial” recompile.
In other words, with a few snips of the viewer code, others can determine your exact location on the Grid at any time. This location information could be handed over in chat windows as part of a sort of ongoing stream of information. It’s unclear whether Linden Lab would be able to scan for this type of data being ‘pinged’ or whether they’ve built for systems to monitor for this type of activity: the problem is, the information is already being transferred, it’s just not being displayed.
And from being able to track this data “manually” it’s only a few steps from creating automated procedures through a bot or script that would run a “location sweep” to track your movements on the Grid.
Don’t Go Where You Wouldn’t Want Your Mother To Find You
I have no idea how well known this is. Maybe all those detectives and paranoid spouses out there are already using Second Inventory and recompiled viewers to track those they, um, love.
My concern is that as virtual worlds become increasingly used for work, play and exploration that there has not been sufficient emphasis on policy and rights, and that as a result code has been built in a way where it will be impossible to put the Genie back in the bottle.
Just remember: if you don’t want people to know where you’re going - well, I guess that’s what alts are for. Otherwise, just pretend you’re walking around with a GIS locator on your belt because, truly, anyone can find you.
[…] Here is the original post: Second Life Privacy Flaw Allows Tracking of Users, Anywhere, Any Time […]
Simple solution. Do not IM people when you’re someplace you don’t want them to know where you are. The method described above will only report location if it has received an IM from you. Otherwise it has no clue where you are on the grid.
As for spouses, partners, Masters, Dom’s, Domme’s, etc. tracking and spying on their loved ones. People have been doing that in SL for ages with scripted objects and/or by just requiring that “can map me” is turned on. (map location is available via the web on the LL Friends list if it is on)
“You can see the region and exact coordinates of any user … with whom you open (but do not necessarily use) an IM.” Are you sure about that last bit? Which of the forms of that data block would you expect to get (and why/when) if you just open an IM channel to someone but they don’t speak on it? Of course if you say something they’ll be likely to answer, but if you say something meaningless every ten seconds just to do location tracking they’re likely to be suspicious.
Similarly you might sort-of-force a reply packet that would contain location information if you sent them a friendship request or TP offer, but again doing that constantly for monitoring purposes would be very obvious.
Is there in fact a way to get a packet like that back from a user without the user noticing? If so, that is indeed something that ought to be fixed (and should probably be pJIRA’d).
Second Life grid protocol leaks avatar locations?…
According to Dusan Writer, the Instant Messaging portion of the Second Life grid network protocols contains location information about every avatar who sends an IM to you. It’s been known for some time that the fields designed to encapsulate that info…
Things like this are an artifact of a closed system designed with little thought to what would happen if the system were to become open. The protocols of Second Life were designed with developer convenience in mind and not security or privacy. We’ve been seeing the consequences of this decisions for a few years now since the protocol was reverse engineered and then finally opened(sans actual documentation. GPLed code as documentation?).
To clarify: you do NOT need to say something to someone in IM to get their sim location. It appears that location (coordinate) data is passed as well, although this was not directly tested. So, the idea that you need to message people in order to get their location is erroneous - all you have to do is open the IM and not say anything.
So, Dale and Thraxis - your “work-arounds” don’t work. Because someone just needs to open an IM window to find out where you are. Similarly, muting someone does not prevent them from doing this.
This has always been the case, In fact, it used to be you could map anyone on the grid. Yes, anyone.
To be able to “turn off” mapping was a new viewer feature added about this time in 2006 if I remember correctly. back then, you had to actually turn it off as it defualted to on (which made sense since it is what everyone was used to.)
Over time, we all simply became used to that ‘feature’. However, if you think of it, that informat really does have to still be constantly tranfered back and forth so it works when you turn mapping ON.
Thus, mapping always happens. it’s not the design of the software to have the ability to turn it on and off. It always was on. What Linden lab has done was to add a little checkbox that simply tells the map “don’t show this location) - even though your viewer already knows it’s there.
So, for those who complain about this feature (”flaw”) being an issue with poor software design… fair enough. But the ability to turn mapping OFF is really just a patch to hide what is there.
Think “Digital Liquid Paper”.
Agreed Ari, and I should have made the point that the very REASON this exists is because of the fact that at one point it was an “open” map. All Linden Lab did was turn off the DISPLAY of that location information as a default. It didn’t eliminate the information stream, just hid it.
I still stand, however, by my assertion that this is an example of how the initial intentions of code (even if supposedly divorced from policy) can later have an impact on the ability to enforce or deploy policy.
[…] to Dusan Writer, the Instant Messaging portion of the Second Life grid network protocols contains location information about every avatar who sends an IM to you. It’s been known for some time that the fields designed to encapsulate that information were […]
Second Life: You Can be Mapped by Anyone at Anytime?…
Article LinkThose of you who were registered in Second Life prior to 2007 may remember a feature where anyone on your Friends List could map you without your consent. It was later resolved by allowing you to toggle mapping capabilities for those on yo…
[…] Dusan’s Theory of Trackability The Lost Continent of Nautilus The Great Tech Debate by Podnutz - Crooked Things Straight - Kensington Prairie Little Mos Eisley - I Cant See You Anymore - Adam and the Walter Boys Little Heaven Bewitched Yxes’ Mission Complete? SL on an Acer Aspire One […]
[…] Dusan’s Theory of Trackability The Lost Continent of Nautilus The Great Tech Debate by Podnutz - Crooked Things Straight - Kensington Prairie Little Mos Eisley - I Cant See You Anymore - Adam and the Walter Boys Little Heaven Bewitched Yxes’ Mission Complete? SL on an Acer Aspire One […]
Privacy (not) in Second Life…
In a post about a week ago, Dusan Writer talked about code in the SL viewer that can be used to track any avatar in SL, any time. This was a "feature" of the SL map until late 2006, when it was turned off, but the underlying code is still the…