Linden Labs Fails To Stop Exploitation of User Information
- 02.25.11
Imagine this scenario:
You are visiting a local shopping mall or favorite nightclub.
As you walk in the door, a rather shady private detective, hired by the owner to catch shoplifters, collects your name, address, age, financial information and what car you drive, takes a picture, and then sends all of that information to his (not the owner’s) home office.
All of this without your consent, or even knowledge it has happened.
Since the detective doesn’t have very good eyesight, he thinks that nearly everyone is shoplifting.
As if that wasn’t enough, if someone wants to, they can call on this detective, who gladly provides them with the information and tools to stalk you or even smack you around.
That scene is being enacted across Second Life.
ZF Redzone and other self-proclaimed “anti-copybot” and “land security” tools do all of the above and more.
It is a stalker’s, griefer’s and data miner’s wet dream come true.
Here is a little sample of the types of information collected by RedZone:
Check the picture. That is potentially information being collected about you.
In addition to data mining, the RedZone system also provides numerous griefing tools such as cages, kills, orbits, and more.
How does it work?
A rather technical explanation can be found on the No2RedZone website, but I’ll summarize my limited understanding:
These “Client Detection Systems”, or CDS, exploit a security hole in your viewer’s code.
Way back when, some coder decided it would be really neat to allow each person on a parcel of land to be able to watch or listen to a different media stream by allowing scripts to send specific media URLs to a specific detected avatar.
It is really kind of cool if you think about it.
However, in an effort to keep people on the land and not have them just plug the media stream URL into an external player, these types of media stream URLs are now hidden in your viewer.
By silently and secretly injecting one of these custom media URLs when you have media enabled, the CDS connects to the website and collects a ton of information about the person who just got scanned, then disconnects so that the expected media stream URL can be connected.
This data can include your avatar name, IP address, whether you have payment information on file (not the actual information itself, just whether you have it), which viewer you are using, a picture of your avatar and much more.
The information is then added to a database where your IP address and viewer version are cross-referenced against any other occurrence of that IP address. If one is found, you are labelled as an “alt” and, if your viewer is deemed a “copybot” viewer, you also get the “criminal” tag.
The copybot viewer argument was Redzone’s initial defense against the charge of being nothing more than a thinly veiled data mining operation.
Why these systems are useless
Suppose your spouse/son/daughter/Aunt Edna gets scanned by a CDS system while connected to Second Life at your home.
You want to go shopping, so you log in on your other computer, and suddenly you are ejected and banned from the area you were about to spend money in.
What just happened?
Your ISP normally provides you one public IP address. This IP address is subject to change over time or if you have to restart a modem.
All devices connected to the Internet using your connection will have the same public IP address.
So when Aunt Edna got scanned while using your Internet connection, anyone else who is using that same IP address must be, according to the Redzone criteria, an “alt” account.
To make things even more complicated, if you use a shared public Internet connection, such as an Internet cafe or dormitory, anyone else who uses that connection looks like the same person to these systems and everyone gets tagged as “alts”.
If the CDS system does not like your viewer for some reason, you get tagged as “copybot”, banned and ejected.
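The IP-matching rule described above, modelled as an added example (not code from the original post or from RedZone). The scan records, avatar names and ownership table are constructed, and the rule itself is an assumption based only on this post's description; the example measures how many "alt" labels and bans land on the wrong people.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample scans: (avatar, public IP, viewer flagged as "copybot"?).
# IPs come from the RFC 5737 documentation ranges; all names are made up.
SCANS = [
    ("AuntEdna",  "203.0.113.7",  True),   # viewer the scanner dislikes
    ("You",       "203.0.113.7",  False),  # same household, other computer
    ("YourAlt",   "203.0.113.7",  False),  # a genuine alt of "You"
    ("DormAlice", "198.51.100.9", False),  # shared dormitory connection
    ("DormBob",   "198.51.100.9", False),
    ("LoneWolf",  "192.0.2.44",   False),
]

# Ground truth the scanner cannot see: which human controls which avatar.
OWNER = {"AuntEdna": "edna", "You": "you", "YourAlt": "you",
         "DormAlice": "alice", "DormBob": "bob", "LoneWolf": "wolf"}


def alt_pairs(scans):
    """Pairs the assumed IP-match rule would label as alts of each other."""
    by_ip = defaultdict(set)
    for avatar, ip, _ in scans:
        by_ip[ip].add(avatar)
    pairs = set()
    for avatars in by_ip.values():
        pairs.update(combinations(sorted(avatars), 2))
    return pairs


def banned(scans):
    """Avatars banned because anyone on their IP carries the copybot tag."""
    tainted = {ip for _, ip, flagged in scans if flagged}
    return {avatar for avatar, ip, _ in scans if ip in tainted}


def false_links(pairs, owner):
    """Labelled pairs that actually belong to different people."""
    return {p for p in pairs if owner[p[0]] != owner[p[1]]}


if __name__ == "__main__":
    pairs = alt_pairs(SCANS)
    wrong = false_links(pairs, OWNER)
    print(f"{len(wrong)} of {len(pairs)} alt labels are wrong: {sorted(wrong)}")
    print("banned:", sorted(banned(SCANS)))
```

On this sample only one of the four "alt" links is real, and a single disliked viewer in the household bans every account behind that address.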
When people began disabling media in order to avoid this behavior (just turning the player off won’t protect you; media has to be disabled totally), the Redzone creator’s solution was to have his device automatically ban from the parcel everyone who didn’t have media enabled.
How Linden Labs Failed
Rod Humble, the new CEO of Linden Lab, was quoted in an article as saying:
“People don’t want other people to connect the dots from their avatar to their real life person or even, for that matter, to an alt. One of the ethical obligations we have is to protect people’s privacy”
“See, there’s the me who goes to school meetings with my kids and that’s a very well established identity. And there’s the me who plays shooter games online and I don’t want those separate identities to mix up. It’s not appropriate.”
Rather than ban the devices and fix the hole that allows stealing your information, Linden Labs updated its Community Standards.
Here is the relevant section (emphasis added by me):
4. Disclosure
Residents are entitled to a reasonable level of privacy with regard to their Second Life experience. Sharing personal information about your fellow Residents without their consent — including gender, religion, age, marital status, race, sexual preference, alternate account names, and real-world location beyond what is provided by them in their Resident profile — is not allowed. Remotely monitoring conversations in Second Life, posting conversation logs, or sharing conversation logs without the participants’ consent are all prohibited.
Your information is still being stolen but they have to ask you before it can be shared.
A short time later we find this on the RedZone forum:
http://isellsl.ath.cx/madsci/forum/viewtopic.php?f=8&t=490
Thu Feb 24, 2011 12:39 pm
Hello RedZone owners.
After talking with Linden Labs over the past month we have reached an agreement.
Effective now and retroactively the RedZone system will request Consent to display alt name information.
LL policy will reflect this change by tomorrow the 25th.
The zRZ HUD will now request consent much like a bloodlines bite.
The zRZ Website now offers a system to send an IM to request consent for a zF RedZone Alt Background check.
The system is already in place, new functions and consent methods will be offered as we discover how best to implement this feature.
Linden Labs has been good enough to suggest many ideas that settled on this one.
Alt names can still be viewed to settle disputes, run security background checks etc. (With Consent) …
… PS: Everything is still logged as before, everything still works as before.
Only now to view the alts you need consent.
Alts are still bannable if they are related to a new user you do not want on your land.
Alts of people you banned are still banned, alts of copybots are still banned, alts of anyone you have banned are still going to be banned, just not named.
To be clear, there are a number of CDS systems being used currently. That these objects were not immediately banned when it was first discovered what they did and how they did it is shocking.
RedZone happens to be the one getting the most attention currently because it does all this so blatantly, and badly.
Second Life Jira Issue VWR-24746, which is specifically about RedZone, has received nearly 1500 votes and has nearly 600 people watching it. Clearly a considerable number of people find the fact of personal data being harvested rather disturbing.
Several Jira entries have been started in regards to the technology aspect: VWR-24764, VWR-24805, SVC-6751, and VWR-24807.
You may say “They need consent to share it and no one in their right mind would give consent”.
If you read the Terms and Conditions on the RZ site, you will have a strong indication of the Redzone creator’s attitude about you and your information.
Epic Fail.
[Updated Feb 25]
True to what I had suspected, the change in CS means absolutely nothing to the RZ creator.
The RZ creator has made it quite clear on his forums that he considers the CS change meaningless and will look for ways around it.
From the RZ forum:
Nailed? Hardly. This is just a political formality so that LL can feel they have done something, nothing has really changed.
Furthermore, it seems he considers permission received from one person as consent for every other linked account, whether the links are valid or not.
It’s obvious that the RZ creator and those who use these types of systems do not have a care in the world about your privacy, although RZ owners are able to exclude their personal data from being shared.
Some of the workarounds that were being discussed in the wake of the CS change were:
1) A method that gives you 20 seconds to leave or else the system will consider you as having given consent. You will have already been scanned and your information collected. As others were pointing out, it takes that long just to rezz up in some areas, let alone be able to read a notice then hit a button or link to TP out.
2) A message that makes you visit a page on the creator’s website if you DO NOT consent to share. Again, you will have already been scanned and your information gathered. WTH? In order to use the page, you have to register on the website, thus validating some of the data you just had stolen.
3) A method to ban access to an area totally unless you consent to being scanned and having your information shared. This one is not actually too bad. IF you know you are not being scanned anyway. Judging from the creator’s ethics, I would have serious doubts.
4) Modifying the shared data so that the names are obscured somehow, but all other information is revealed. This may be modified so that only part of the names are obscured (Yeah..like that will help).
[Update #2 February 25]
A comment on the Second Life Jira Issue VWR-24746 caught something I had missed in regards to the CS update.
Old:
4. Disclosure
…blah blah… Remotely monitoring conversations, posting conversation logs, or sharing conversation logs without consent are all prohibited in Second Life and on the Second Life Forums.
New:
4. Disclosure
..blah blah… Remotely monitoring conversations in Second Life, posting conversation logs, or sharing conversation logs without the participants’ consent are all prohibited.
Not quite sure what this means yet.
Cool VL viewer has implemented a Media patch in today’s update. http://tinyurl.com/6cfahcs
Phoenix Viewer had apparently already gotten a working patch added into their Mercurial repository back on February 21, but the last release was on February 13, so it won’t be available yet.
http://jira.phoenixviewer.com/browse/PHOE-2514
Dolphin Viewer 1.5.46.3627 has been released with the Media patch included
Phoenix has released an update with the media patch:
Phoenix Viewer Public Beta 1.5.2.977
http://www.phoenixviewer.com/
Cool Viewer has updated its media also:
http://sldev.free.fr/