You’ve probably already heard of RedZone, a system which is used to implement ban-by-IP-address functionality, and to make (variably accurate) guesses at alt accounts.
Avoiding RedZone data collection has been a bit tricky for the average user, since RedZone uses a scripting trick that allows it to perform data-collection, even when media-autoplaying is disabled (you either have to block traffic to RedZone’s server, or completely disable the Second Life viewer’s ability to access the Web and all forms of media to get around that – just disabling autoplay isn’t enough).
Linden Lab has stepped in, made a couple of updates to the Second Life Terms of Service (Community Standards: Disclosure), and required RedZone to obtain consent before displaying alt accounts. Note that this doesn’t in any way stop the data-collection process or banning by IP-address.
A message recently sent by RedZone creator, zFire Xue, goes as follows (typographical errors have been left intact):
Hello RedZone owners.
After talking with Linden Labs over the past month we have reached an agreement.
Effective now and retroactively the RedZone system will request Consent to display alt name information.
LL policy will reflect this change by tomorrow the 25th.
The zRZ HUD will now request consent much like a bloodlines bite.
The zRZ Website now offers a system to send an IM to request consent for a zF RedZone Alt Background check.
The system is already in place, new functions and consent methods will be offered as we discover how best to implement this feature.
Linden Labs has been good enough to suggest many ideas that settled on this one.
Alt names can still be viewed to settle disputes, run security background checks etc. (With Consent)
Please see http://isellsl.ath.cx/checkconsentinfo.php for more.
The RedZone system has been, and always will be current with SecondLife(tm) terms of service.
I would like to thank Linden Labs for working with RedZone and providing enough time for RedZone to make these changes.
Best Regards,
zFire Xue
PS: Everything is still logged as before, everything still works as before.
Only now to view the alts you need consent.
Alts are still banable if they are related to a new user you do not want on your land.
Alts of people you banned are still banned, alts of copybots are still banned, alts of anyone you have banned are still going to be banned, just not named.
Of course, one should remember EU courts have previously ruled that the collection of IP address data of EU citizens in order to associate that data with identities or alt-accounts is unlawful without prior, express consent – IP address data has been determined by the EU judiciary to be private information as far as this purpose is concerned; so RedZone would be in the wrong if it retained any IP address data from EU citizens or used it for matching alt-accounts, without seeking consent prior to collection of that data.
EU citizens who are concerned that this may have already taken place or be currently taking place should file a complaint with their Information Commissioner or European Union Representatives.
| You’ve probably already heard of RedZone, a system which is used to implement ban-by-IP-address functionality, and to make (variably accurate) guesses at alt accounts.
Avoiding RedZone data collection has been a bit tricky for the average user, since RedZone uses a scripting trick that allows it to perform data-collection, even when media-autoplaying is disabled (you either have to block traffic to RedZone’s server, or completely disable the Second Life viewer’s ability to access the Web and all forms of media to get around that – just disabling autoplay isn’t enough).
Linden Lab has stepped in, made a couple of updates to the Second Life Terms of Service (Community Standards: Disclosure), and required RedZone to obtain consent before displaying alt accounts. Note that this doesn’t in any way stop the data-collection process or banning by IP-address.
A message recently sent by RedZone creator, zFire Xue, goes as follows (typographical errors have been left intact):
Hello RedZone owners.
After talking with Linden Labs over the past month we have reached an agreement.
Effective now and retroactively the RedZone system will request Consent to display alt name information.
LL policy will reflect this change by tomorrow the 25th.
The zRZ HUD will now request consent much like a bloodlines bite.
The zRZ Website now offers a system to send an IM to request consent for a zF RedZone Alt Background check.
The system is already in place, new functions and consent methods will be offered as we discover how best to implement this feature.
Linden Labs has been good enough to suggest many ideas that settled on this one.
Alt names can still be viewed to settle disputes, run security background checks etc. (With Consent)
Please see http://isellsl.ath.cx/checkconsentinfo.php for more.
The RedZone system has been, and always will be current with SecondLife(tm) terms of service.
I would like to thank Linden Labs for working with RedZone and providing enough time for RedZone to make these changes.
Best Regards,
zFire Xue
PS: Everything is still logged as before, everything still works as before.
Only now to view the alts you need consent.
Alts are still banable if they are related to a new user you do not want on your land.
Alts of people you banned are still banned, alts of copybots are still banned, alts of anyone you have banned are still going to be banned, just not named.
Of course, one should remember EU courts have previously ruled that the collection of IP address data of EU citizens in order to associate that data with identities or alt-accounts is unlawful without prior, express consent – IP address data has been determined by the EU judiciary to be private information as far as this purpose is concerned; so RedZone would be in the wrong if it retained any IP address data from EU citizens or used it for matching alt-accounts, without seeking consent prior to collection of that data.
EU citizens who are concerned that this may have already taken place or be currently taking place should file a complaint with their Information Commissioner or European Union Representatives. | |  | |
Tags: Data Protection Act/DPA, European Union, Law, Linden Lab / Linden Research Inc, Opinion, RedZone, Second Life, Terms of Service/Terms of Use, Virtual Environments and Virtual Worlds, zFire Xue
This entry was posted
on Saturday, 26th February, 2011.
You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.
Possibly related posts
RedZone maker banned, RedZone deleted, RedZone service probably cracked, data exposed, RedZone drops access to alt information in latest release, RedZone removed from Marketplace a second time (also from in-world twice today), Linden Lab comments officially on RedZone
Commenters are to be civil, courteous and respectful to others, insofar as it is possible to do so. Beyond that, you're not required to agree with the opinions expressed by me or by others.
Think for yourselves! First time commenters will wind-up in the moderation queue and your comment won't appear right away. Ditto for anything that gets flagged by the anti-spam rules.
Ineffective and the rz operator has openly stated in numerous communiques on his forum that he plans to deploy thousands of automatic consent systems that will leverage the poor SLv2 UI design to acquire consent without user action to opt in.
I have created a feature request for a do not track opt out system:
https://jira.secondlife.com/browse/SVC-6793
This will solve the problem of redzone and all such systems going forward. The effort to implement is low IMHO and the value is high both for LL’s customers as well as for LL’s public relations. The new media assault detection capability being deployed in TPVs will assist in identifying systems that do not abide by the do not track opt out system requirements.
People who support the LL created/managed/supported official do not track system need to express their interest by watching the issue and optionally vote for it. LL now views the number of watchers as the number of votes and no longer looks at votes. But some like to vote anyway and all votes are welcome.
With all the Facebook buttons, and the way that Profiles are moving to be read via the Viewer’s built-in web browser, it’s hard to avoid the conclusion that the Lindens don’t f–king care about the potential abuse of IP addresses.
Every time you look at a Profile, your IP address goes to a Facebook-run server, with HTTP-referer data. And the code fetches that image through a script, not a direct HTML link.
Last I checked, the RedZone website had a domain name from Christmas Island. Based on past performance,I reckon you’ll have more chance of getting a useful response, being in Australia, than I have of getting anything out of the UK’s ICO.
Note that also it appears to be in breach of several aspects of the UK’s Data Protection Act that requires (amongst other things):
* Data must not be disclosed to other parties without the consent of the individual whom it is about, unless there is legislation or other overriding legitimate reason to share the information (for example, the prevention or detection of crime). It is an offence for Other Parties to obtain this personal data without authorisation.
* Individuals have a right of access to the information held about them, subject to certain exceptions (for example, information held for the prevention or detection of crime).
* Personal information may be kept for no longer than is necessary and must be kept up to date.
* Personal information may not be sent outside the European Economic Area unless the individual whom it is about has consented or adequate protection is in place, for example by the use of a prescribed form of contract to govern the transmission of the data.
* Subject to some exceptions for organisations that only do very simple processing, and for domestic use, all entities that process personal information must register with the Information Commissioner’s Office.
* Entities holding personal information are required to have adequate security measures in place. Those include technical measures (such as firewalls) and organisational measures (such as staff training).
* Subjects have the right to have factually incorrect information corrected (note: this does not extend to matters of opinion)
Thank you Tate. Now where exactly can the law and court decision be found on this matter? I know for a fact that my IP has been logged on my main and also one of my alts. I never got asked of any on any of them only by backtracking my steps and having knowledge that the devises was used in areas that i was in while having media active in my preff was I able to know this.
Another question. when we do file a complaint do we file it agaisnt the creators that made the devises or do we file the complaint agains Linden Lab? Do you know ?
I don’t have the reference to the EU group’s findings to-hand, but it was headed up by Germany’s Peter Scharr.
As for the complaint, it would be vs Redzone’s creators/operator. Their domain name is allocated from Christmas Island, but the service is (I believe) in Seattle Washington. My understanding is that both regions have treaty obligations which would give the EU force in this matter. Establishing the identity for complaint might have to go through Linden Lab, but that’s likely to be a matter for your Information Commissioner to deal with.
@Hitomi
“Individuals have a right of access to the information held about them, subject to certain exceptions (for example, information held for the prevention or detection of crime).”
That is, “prevention or detection of crime” by the police, and other duly authorised law enforcement bodies – not by individuals, businesses or corporations – of course.
First they scanned for the griefers,
and I didn’t speak out because I wasn’t a griefer.
Then they scanned for the copybotters,
and I didn’t speak out because I wasn’t a copybotter.
Then they scanned for the Alts,
and I didn’t speak out because I wasn’t using an Alt.
Then they scanned for me
and there was no one’s alt left to speak out for me.
Less you all forget, please don’t think it’s perfectly OK for the JLU to do this with scrips also, because they say someone is a griefer, copybotter or someone is not to be trusted on the service they patrol.
Why should Redzone be Opt-in? when JLU are scanning and distributing wiki information on residents they collect thats factual, personal and fantasiful through scripts? and Linden Lab still lets them do this? but spanks RedZone?
I’m no fan of RedZone but I see a double standard forming where by it’s ok for Linden Lab to let the JLU use these type of scripts to help them file false reports on mass which is against the TOS, your not supposed to TP people on mass to file reports but the JLU get away with it time and time again! ffs.
It’s a shame people don’t stand up as much as you do when the griefer word is thrown around, only when it impacts outing your alts, and sure I understand that’s natural no one cares until it impacts them like with recycling and climate no one want’s to do it until the environment forces them to change their ways.
So here you now have an environment that you had no control over through Redzone a blanket placebo pill protection system being modified to accommodate protecting you, but the JLU are still allowed to use their scripts to target people they don’t like for any and all reasons they dream up, the JLU issue should be pounded as much as the Redzone issue.
It’s these want to help groups that cause others to create these mass accusatory transit systems, when it should be up to the operator of the virtual world to develop the technology to prevent, catch and alert administration teams on the fly.
@Tateru – yes, it means real criminal agencies, sorry if that confused anyone.
Please note that the EU directive was just that – a directive – member states have generally enacted it in their own laws
Anybody care to expand on what loophole RZ is using?
(Preferably not here, unless it’s complex enough that there isn’t any danger of some hax0r/script kiddy reproducing it)
I’ve never really cared much about Second Life’s server-side security, simply because 99% of griefers or other trouble makers were n00bs (not newbies, “n00bs”) and relied on simply inworld tools rather than manipulated viewers…
I guess the fact that there are now more and more people with considerably more skill than your average griefer makes the whole area way more interesting again
@Alexander It’s fairly simple and has been widely enough discussed that mentioning it here shouldn’t make things any worse. If you use PARCEL_MEDIA_COMMAND_AGENT it works in many viewers even if the viewer’s autoplay is disabled.
I really should type this in notepad so I can cut and paste(this has to be the 20th time I’ve written this in the past 12 hours)
There is a legal difference between implied consent and explicit consent. They are independent legal concepts. Soft Linden, in response to the JIRA here:
https://jira.secondlife.com/browse/VWR-24746?focusedCommentId=244647&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-244647
“@deety, Treminari – The ARs that got some products taken down were based on disclosing alts without consent. If you can demonstrate that anyone but the single database owner has access to alt lists without appropriate, explicit consent, please file an AR for that.”
————-
That is clear. The requirement in the new CS does *not* allow for implied consent, and Soft Linden clearly states explicit consent in that comment. All of the things zFire has blustered about doing- ways around getting consent, fudging consent, getting auto consent, etc. etc. whatever (which have been nicely screencapped for future reference by MANY people) will be the immediate end to him and his product. He doesn’t get it- these concepts *cannot* be substituted for one another, and he will do so at the risk of his almost inevitable) destruction.
The way the new system apparently works is that once it has scanned you and entered you into the database, it gives you 60 seconds to consent to having your alt information displayed – if you decline, you’re teleported home.
Which is – as far as I can tell – within Linden Lab’s terms-of-service.
The EU data protection laws have no jurisdiction outside the EU, nor should they, even if you go to the European version of global business websites, they will often inform you that the data is collected by their American company and therefore is outside of EU directives.
@Tateru if it’s TP’ing you home that’s fine but on the Redzone forum ZFire suggested that no response within sixty seconds would be considered consent, which is not really on.
Tateru-
Yes. That (being TPed home) is perfectly fine- absolutely above board. But let’s look at what zFire *actually said* about this:
“I will make more stand alone objects, free for zRZ owners, that include auto-consent functions if they remain in the sim 60 seconds or longer after being given a notice that they must leave within 60 seconds or will be considered as accepting consent. 60 seconds is more then enough time.”
This is what he really *said*. I want to make that clear- because it’s only one of many (oh boy, so many) statements he’s made indicating his *clear* intention to circumvent actual, explicit consent.
TPing home? Totally fine. But that isn’t what he said when presented with the issue- and his actual statement on this is important.
@Ciaran Actually, there is some reach for it insofar as US-based businesses go. It’s not as comprehensive as one might hope for, but it might be applicable.
@bronxelf Ouch.
Actually…. let me look at that again:
“I will make more stand alone objects, free for zRZ owners, that include auto-consent functions if they remain in the sim 60 seconds or longer after being given a notice that they must leave within 60 seconds or will be considered as accepting consent. 60 seconds is more then enough time.”
Okay, that’s actually sort of clever. You know, clever in a nasty, sneaky way.
Obviously that wouldn’t constitute valid consent anywhere, but RedZone isn’t actually breaking the TOS by making those objects available as an option for zRZ owners. Only the zRZ owners who use those objects would be in technical violation of the Terms-of-Service, as they stand.
@Tateru-
Correct. He would be throwing his own customers under the bus- after he’s gotten their $17 bucks.
DING. We have a winner.
I do not understand why LL always acts as if their hands were bound by some “higher force”.
They literally have a clause in their ToS that allows them to deny you access to the service (=ban) for any reason whatsoever.
If they really wanted to stop RZ or CDS or any other product, service or type of behaviour in or around Second Life, a simple conversation along the lines of “either you stop doing XYZ or we’ll ban you” would be well inside their possibilities.
However, this is another one of those cases where Linden Lab’s position doesn’t seem to be coming from too high up the chain of command….
There was a time under M Linden when they didn’t even issue grid status reports without the approval of PR, now they’ve fallen back to the exact opposite….
I don’t actually care too much about RedZone itself, I just think it’s a really bad sign that LL still hasn’t learned how to handle situations like this one professionally.
@Tateru
Please, don’t spead fudge: RedZone and any other scripted device is UNABLE to log your IP as long as you keep both streaming audio and media *disabled* in your viewer.
@Henri To the best of my knowledge, that information is accurate. There are JIRAs open on the topic.