Alt Detector Private Edition, on the Second Life Marketplace

This one, listed on the Second Life Marketplace, appears to use the same media-hack to identify the IP address of other users.

The creator suggests that this doesn’t violate the terms-of-service, since it does not send data to any person other than you, nor does it show you the data that it collects.

All it does is tell you whether account A, who visits your land parcel, is the same as some other account B who visited your land parcel, based on whether they have the same IP address.

I presume that it is self-contained, requiring no external server.

It’s an interesting trick – and it might well side-step the letter of the Second Life terms of service.

Whether Linden Lab will actually allow it or not (it certainly has the freedom to block anything it pleases) is quite another question.


25 Responses to “Another alt-detector on the Second Life Marketplace”


  1. Category:
    Disclosure > Second Life information/chat/IMs

    Abuser name:
    NCSA

    Location of abuse:
    https://marketplace.secondlife.com/stores/78472

    Summary:
    Selling a scripted tool which reveals alternate account names

    Details:
    User ‘NCSA’ sells on the Marketplace a scripted tool which claims to reveal alternate account names. This is a violation of Community Standards (4. Disclosure).
    https://marketplace.secondlife.com/p/Alt-Detector-Private-Edition/2194120
    https://marketplace.secondlife.com/p/DEMO-Alt-Detector-Private-Edition/2204547

  2. So when a Linden came as an alt and posted nasty comments on your blog, and you used IP address to identify them as a Linden, but in-world, using IP to identify an alt = a no no? I realize you’re literally just asking the question whether Linden will allow it, but I think the standards we set upon what is expected in SL / VWs compared to the web is worth noting.

    The question is one about the fundamental nature of Second Life:
    Do we want Second Life to be a walled garden protected by Linden, among a swarm of virtual worlds with different regulations, or do we want Second Life to be more like the World Wide Web?

    Linden is on a path for the prior. It is, of course, the route of AOL in the 1990s if that’s their only business plan. It could be reasonable for Linden Lab to host a premium world-among-worlds, but I don’t think protecting alt identities is a compelling enough feature set over competitors; it’s also not something that OpenSim worlds couldn’t do themselves. But what is? Faster servers, better uptime, bigger marketplace? I don’t see the edge over competitors in the long-run. Social networked virtual world has potential, in my opinion, and there is definitely a case for protecting user identity the best one can. If this is the route they’re taking, then yes, they need to reverse their course (set in stone with the huge layoff) of policing Second Life *less*, and focus on hiring more support staff to deal with customer issues.

    But the more and more down this route Linden Lab goes, the less it is a virtual world and the more of a game it is. Is that necessarily a bad thing? Perhaps Second Life could essentially be a MMOG flagship for SL/OpenSim-based virtual worlds, and then the real business stuff happens on OpenSim. Perhaps Linden Lab opens up a more business oriented grid? Or simply alters its TOS to let estate owners do things that Mainland can’t. Perhaps that’s the solution for LL – just differentiate the Mainland from estates. (while allowing estates to flag themselves as part of “Mainland”)

    Then again, if Linden Lab was really really concerned about privacy, I can think of a few suggestions:
    - Ignore / Mute all of a user’s objects: I shouldn’t just mute a person, but everything they own.
    - Ignore / Mute a parcel: Right-click a parcel, select “ignore / block / mute” and suddenly nothing on the parcel renders / loads to your client.
    - Ignore / Mute neighboring parcel: as a land-owner, I’d like to be able to have all visitors not see my neighbor’s items.
    - Privacy space (I’ve called it inside/outside): Allow me as a landowner to draw a box around an area, and designate it as “inside”. Things inside don’t render to users outside. The option for vice versa is also there. Privacy + optimization for interior spaces (clubs, dungeons, etc) in one feature.
    - Block group requests from users that aren’t friends.

    • Tateru Nino says:

      “So when a Linden came as an alt and posted nasty comments on your blog, and you used IP address to identify them as a Linden, but in-world, using IP to identify an alt = a no no?”

      On the matter of alt-detection in SL, it’s not my call to make. That’s the Lab’s call, as well as the decision of any user as to whether to enable their media options or not. However, in many cases, the use of IP addresses is misleading, unless you have a certain amount of knowledge about the system or networks connected to that address.

      In the case of the Linden staffer, he either had to be one, or he’d committed a major security breach of the Lab’s servers (I know the particular server involved – and I reported it to the Lab, because the possibility of such a breach could not be ruled out, entirely. It isn’t something that I could leave alone in good conscience, therefore). I would not, for example, assume that another commenter on the same IP address as you is necessarily the same person. I know nothing about the network you’re coming out of and you could be sharing it with dozens, hundreds or thousands of others. Therefore, it makes no sense to me to assume that anyone on the same IP-address must be you.

      What if, for example, an alt-detector identified your SL account with that of someone particularly odious, but who was definitely not you? Any circulation or use of that information would be considered potentially defamatory. Thus the EU DPA specifically not only exercises control over the storage and use of data, but over the accuracy of it.

      You are also quite right that different standards are applied to different domains – the use of IP addresses on the Web is treated quite differently. Also, ‘sockpuppeting’ has been successfully prosecuted under United States Federal law; thus far on 32 counts across two cases (one count failed, one was overturned on appeal, leaving 30).

      Oh, and thank you for asking the question. It’s a great one!

  3. Ezra says:

    I understand 100% why sim owners want to blacklist or whitelist based on IP address. The off-chance of identity collision and the limitations of temporary effectiveness aside, it’s a very, very common tool to have in any networked software.

    The gist of it is Linden Lab should provide IP-based blacklisting and whitelisting in the simulator software itself, managed by estate owners individually. Doing as much would make the simulator software as harmful and privacy destroying as Apache or this blog, which probably receives more IP addresses linked to avatar names than 90% of sims in SL do on a weekly basis.

    Things get iffy though when that functionality is being accomplished through some third party global cache of IP addresses. In that way it isn’t analogous to Tateru seeing the IPs of her commenters, since she isn’t relying on a third party service doing something akin to intercepting a web request from an iframe embedded for that specific purpose. She’s just relying on her own software and own database and that’s an ability sim owners don’t have right now.

  4. Bubblesort says:

    IP address/user agent detection is just part of the platform. LL is not going to get rid of it. This was discussed at length in the dev mailing list before the media features were implemented. I even made a quick proof of concept to wake people up by showing them how this works:

    http://www.sluniverse.com/php/vb/script-library/56995-plywood-zone.html

    The reason why nothing will be done about this can be illustrated with the RedZone incident:

    zFire was a sociopath, no question about it, and LL was right to ban him. The problem is, once he was banned the green zone movement hit a wall. It was never really about privacy, it was about hating on an asshole because somebody’s buddy got caught with a copybot. If you want to detect alts LL and the population at large have no problem with it unless you are a complete asshole about it.

    Green zone should not be confused for a privacy movement. There is no organized privacy movement in SL. CDS is still out there, not to mention all the homebrew solutions that are probably floating around.

  5. Wolf Baginski says:

    I think an important aspect is the range of activities there are in SL, all accessed on one small part of the net. People have different accounts on the wider internet, doing a whole range of things, and they would be reckoned pretty foolish if they used the same ID and password for accessing the website of their kid’s school as for accessing goatse.cx

    And, yes, they do it all from the same IP address, but site A and site X don’t compare notes. In many places they’d be breaking the law if they did. Even if it isn’t certain that an IP address is “personal data”, legal advice in the UK is that you should store and handle it as if it were.

    But SL has that same wide range of activities, all on the same site, all accessible with the same name and password, and with the current rather huge loophole that lets users get at the IP addresses of other users.

    I don’t feel a need to hide what I do in SL, running a separate AV for all the kinky stuff. But I can easily see how some people will want to. And there are advantages in keeping business and pleasure apart. If it comes to that, there are people in SL I don’t want to be following me. And I have come across land-controllers who I consider abusive. If they were tracking IP addresses, what might they do?

    I’ve said before, part of this problem might be what LL aren’t doing. I recently found a list of the admitted action which they took on AR reports in SL. It seems to have had the last update in early December, and I didn’t find a single case of copyright breach. People were warned, or maybe banned for a few days, and that was all.

    When was the last time somebody was permanently booted from SL?

    And have people without a direct involvement with RedZone ever been told that IP collection is a TOS breach?

    Emerald got a very public smack-down. Not IP collection.

  6. Ezra says:

    @Wolf

    It’s the same deal. If a person has sense enough to not visit some sex site with the same ID they use to communicate with their kids’ teachers with, then you’d expect they practice the same thing in Second Life: do the things they want to keep secret on one alt and use another alt for whatever else.

    It’s the “comparing” notes that you said is the problem. This is allowed only because of third-party outsiders offering that as a feature. It wouldn’t be an issue if Linden Lab provided IP handling in the estate management tools.

    Yes, people could still manually “compare notes”, but only in the same way in your analogy the school site administrator and whatever adult sex administrator could compare notes…they could, but why? Is it likely? And at that point, is it legal? Different issues there.

    Right now though Linden Lab needs to make a clear stance on all of this, because the hysteria is too much. Take “Shared Media” for example; right now it hasn’t taken off because Viewer 2 is the only viewer that supports it, but it’s a very promising feature that’ll still be dead in the water even when all TPVs are on the V2 codebase if Linden Lab continues to let fear fester over, god forbid, an HTTP request happening inside the viewer.

    Yes, Linden Lab needs to do something about the practice of these third parties trying to make businesses off alt-discovery, but they need to decouple the wrongs of that from the reality of how IP addresses are commonly handled on the rest of the internet.

  7. bodz says:

    One of the other posters talked about differentiating services for different land owners.

    Personally I think that’s going to have to be the way it has to go.

    Why?

    Consider this: what’s the functional difference between OpenSim type worlds and Second Life?
    Not much. In fact OS type worlds are rapidly developing features that many would *love* to see in Second Life but which are blocked by the cabal of land owning high rent paying “creators”.

    The downside of course is that OS type worlds are underpopulated both in terms of users and in terms of content so even though SL is starting to lag behind it has an overwhelming user base and created content.

    The problem of course is that tier is too high in SL but Linden Lab needs the income. Unfortunately for the Lab you can get a full region either for free locally (in fact an unlimited number of free regions) or for very cheap you can get a free region on OSGrid or elsewhere for as little as $9.95 a month with 15,000 prims. That’s compelling enough and cheap enough that many people can easily afford it.

    On the other hand, who can afford a full region in SL unless you are commercial land receiving rent from individual merchants who have stores?

    You basically can’t. Because a full region in SL is upwards of a hundred dollars a month (I don’t know the exact price). But to put it into perspective, my full region on aurora costs $9.95 a month and I have total control over it and I have 15,000 prims. On the other hand I have a 512 sqm plot on SL that costs $5 a month and I have like a hundred fifty prim limit.

    The advantage of course of the SL plot is that I have access to an incredible amount of user created content, and also the potential of a lot of visitors. BUT I have very limited control over my plot and a way limited number of prims.

    I would be willing to pay say $30 a month for say a half region with 7,500 prims on SL as long as it had server side NPCs so I could make a reasonable game on my region and have access to all the user created content. I don’t have access to the user created content on opensim and I either have to create all of it myself (and I am) or else buy it for much higher prices from renderosity or some other content center.

    SL could easily provide a solution while still bringing in funds by creating cheaper non-commercial roleplay land where commerce on the scale of commercial regions was not permitted. Commercial land at the high prices could still exist, since the owners of the land are not having to pay the tier themselves: their store-renting tenants are effectively paying tier.

    That’s not too too different from the real world where a store in a prime retail mall costs an arm and a leg whereas a piece of land out in the boonies costs nothing. Right now all land rental in SL is valued equally and it cannot hold that way forever since there is alternative land *way* out in the boonies on OSGrid or elsewhere for peanuts.

  8. Wolf Baginski says:

    The big problem is that we can’t lawfully access the IP logging of a website we don’t control.

    Second Life, with the use of third-party media sources, makes IP logging possible without any illicit access. Some of us could set up our own media stream server. I think it would still need a script running in SL to track who was present.

    And, on the evidence of the Redzone affair, one might think that Linden Labs doesn’t care. It’s the campaigning sites which kept this a public matter. The Lindens have kept it buried in the JIRA, which is more of a pro developer tool than a communication medium.

    I can’t see a way of stopping third party sites abusing IP address data, because they have to have it to provide the media stream, or the shared media, or whatever. There are in-world games which use such sites to track player status: game scores, skills, and such. There’s no technical fix, short of SL running a proxy system which would inevitably be expensive and laggy.

    So the answer seems obvious: make a big public announcement that the abuses are a breach of the TOS, and that people will get permanently banned from SL. It may be legally risky to name an AV which gets banned: it may be a partial fix to be able to transfer assets to a new account, should such publicity be wrong. SL does seem short on ways to recover from such a major mistake.

    But the Redzone affair also seems to prove that, when it comes to selling security products in SL, there is one born every minute. And I don’t have a fix for that. Though better information might help.

  9. Tateru Nino says:

    Indeed, unless stream providers (or consumers, or both) are willing to pay extra for the Lab to proxy data, there’s no technical measures that the Lab can deploy to prevent user IP addresses being exposed to anyone that wants them.

  10. Ezra says:

    @Tateru

    It’d be much, much easier to educate any concerned users that the viewer isn’t any more harmful than a web browser is. That it makes as much sense for Mozilla to provide a proxy between a media stream or Facebook and Firefox as it would Linden Lab to set up a proxy between the viewer and such outside media.

    The whole matter gets bloated out of proportion when the Viewer is thought of as some new frontier of privacy concerns, it isn’t when it comes to outside media requests and exposure of IPs, it’s synonymous with a web browser and every present danger, or lack thereof, that already exists.

  11. Wolf Baginski says:

    @Ezra,

    There are various security features available for browsers, things such as NoScript for Mozilla. They’re general-purpose tools that could be used to access anywhere. Security is something that seems to matter.

    I do feel that I have more control over my browser than I have over what the SL Viewer is doing, and that does worry me about the shared media features. Viewers, after the RedZone affair exploded, did start appearing with Media Filters, but I think there might be a misleading perception of SL as a safe playbox.

  12. Ezra says:

    “There might be a misleading perception of SL as a safe playbox.”

    Compared to what? If a web browser, the viewer is just as safe. Of the naughty things a malicious web request can result in, such as session cookie jacking in an XSS attack, matching your IP to an avatar name isn’t much of a big deal. Not to demean the worry, but it’s blown out of proportion when the viewer is seen as abnormally dangerous.

    Again, given the amount of SL users that comment on these blogs with their avatar names and the hundreds of thousands of visits a year these blogs rack up, the exposure to alt-discovery can be worse outside of the viewer.

    But, you probably trust the sites and forums you post on with your avatar name; the same should probably apply to the sims you visit. If you don’t trust the estate owner, don’t visit. Or leave all automatic media off when you do.

    The point is though there’s nothing inherently evil or unusual about outside media accessible via the viewer. What new dangers are you exposed to if you post a comment on this blog from Shared Media on a prim, or via your web browser? What privacy do you gain accessing a music stream from your media player rather than parcel media?

    It’s the same, except when whomever’s service you’re connecting to decides to do something malicious like alt-hunting. The issue then is crappy human behavior though, something not exclusive to either a browser or the viewer. That’s remedied in other ways.

  13. Tateru Nino says:

    “What new dangers are you exposed to if you post a comment on this blog from Shared Media on a prim, or via your web browser?”

    Absolutely – if you don’t trust me with the inevitably exposed data, you shouldn’t comment here.

    Same goes for anywhere else.

  14. Wolf Baginski says:

    We do all know a bit more than average about how this stuff works.

    And it is possible to see a difference between a general-purpose web browser that might connect to anywhere, and an SL viewer which only connects to the Grid, at least at first sight.

  15. I’ve ARd it as well.

    For those of you running viewers with media filters, this can be blocked by blocking any attempt to play media from the sim’s domain. In general, there’s no good reason for sim*.agni.lindenlab.com to play media on your viewer.

  16. Erbo Evans says:

    Here’s something I wonder about when I hear about these “alt-detection systems”: What do they do about connection sharing? Selena and I, of course, live together in RL, and we use a shared connection (Comcast/Xfinity cable Internet) to log in. If she and I were both in SL at the same time, would these systems falsely identify her as my alt, or me as her alt, based on the fact that our connections appear to originate from the same IP address, i.e., the one assigned to our shared router?

  17. Erbo: yes. That’s one reason they’re much less accurate than claimed.

  18. Tateru Nino says:

    In some cases (and it is particularly common with businesses, colleges and universities) you may have hundreds, or thousands of people who all appear to have the same IP address.

  19. Lok Mistwalker says:

    Also remember that Gemini CDS is still permitted to operate on the grid and we need to AR Skills Hak as well. All External ‘protection’ systems need to be removed and LL needs to be forced to create a solution. As long as one system exists, more will keep coming. Skills Hak was once a griefer and copybotter and this NCSA is only 50 days old. Stands to reason it’s yet another alt of a current, or previous, griefer/copybotter. (Arabella Steadham appears to be back on the grid as well and was someone supporting Gemini CDS)

    All the so-called self-policing griefers and copybotters need to be banned.

    We need to continue to AR all of these people.

  20. CDS doesn’t out alts, and so doesn’t run afoul of the CS change that got RZ and makes this one ARable.

  21. Cat Cotton says:

    In the end well known av’s like myself will just not go sight seeing in SL. Problem solved. How did that work out for ya? I would imagine this too will be ignored by the Lab. Noisy SL ppl suck.

  22. Knowledge Tomorrow says:

    Keeping in mind that for those who think IP Address banning is a good idea, you may be banning thousands of potential customers. In some countries, static IP addresses are rare from ISPs, they are regularly rotated to cut down on privacy invasion, unless specifically requested to be static.

    I think IP Address banning is just a desperate workaround for (again) unresolved customer issues.

    If you’re getting griefers at events, you can ban them, but wouldn’t it be better if after the first one/two, you could enable “high security” for the remainder of the event, locking out newly arriving avatars based on certain criteria (less than 100 days old, first time visitors etc), with a message to the denied avatars that this security measure is temporary. I think there’s a lot of other unexplored options that will provide better solutions than any IP address based filtering.

  23. Opensource Smellsbad says:

    Seriously, if one wants to buy the same product in an inworld store for his alts? Why should one assume an alt is only logged in for nasty purposes? Beside the privacy violation, how could a merchant think to run such tools just damage his own business? Just another paranoid tool for not so smart customers. The basic tools or a decent orb are enough.

  24. Wolf Windshadow says:

    Alt detection via IP address is lame…. many internet providers still rotate IP addresses among users… as in your IP today is someone else’s tomorrow… that could block legit users as alts and let in alts as legit users…. a better way is to re-vamp the system so that one email/street address/credit card/real name/phone number/so on and so forth, can have one account but a number of names on it… sort of like toons in WoW.. then add a function llCheckForLameAlt();

    That should fix the issue for a while….
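
Comment 15 above suggests using a viewer media filter to block media served from the sim's own host (`sim*.agni.lindenlab.com`). The following is an added example, not part of the original post or comments and not any viewer's actual code: a host-pattern check that normalises the URL before matching, so that ports, userinfo, case and trailing dots do not slip past the pattern. The function names and the sample URLs are constructed for illustration, and it assumes the filter decides on the URL's host.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Pattern quoted in comment 15; a real filter list would be user-maintained.
BLOCKED_HOST_PATTERNS = ["sim*.agni.lindenlab.com"]


def media_host(url):
    """Return the normalised host of a media URL, or None if it has none."""
    try:
        # .hostname drops userinfo and port and lowercases the host.
        host = urlsplit(url.strip()).hostname
    except ValueError:
        return None  # malformed authority, e.g. an unclosed IPv6 bracket
    if not host:
        return None
    # "host.example." and "host.example" name the same host.
    return host.rstrip(".")


def should_block(url, patterns=BLOCKED_HOST_PATTERNS):
    """True if the media URL must not be fetched by the viewer."""
    host = media_host(url)
    if host is None:
        return True  # fail closed: never fetch what we cannot classify
    return any(fnmatchcase(host, p.lower()) for p in patterns)


def partition(urls, patterns=BLOCKED_HOST_PATTERNS):
    """Split media URLs into (allowed, blocked) lists, preserving order."""
    allowed, blocked = [], []
    for url in urls:
        (blocked if should_block(url, patterns) else allowed).append(url)
    return allowed, blocked


# Constructed sample media URLs (not taken from any real parcel).
SAMPLE_URLS = [
    "http://stream.example.net:8000/live",               # ordinary audio stream
    "http://sim1234.agni.lindenlab.com:12046/cap/x",     # sim host with a port
    "HTTP://SIM7.AGNI.LINDENLAB.COM./a",                 # upper case, trailing dot
    "http://radio.example@sim42.agni.lindenlab.com/s",   # userinfo hides the host
    "http://sim42.agni.lindenlab.com.stream.example/s",  # different host entirely
    "sim7.agni.lindenlab.com/stream",                    # no scheme, no host part
]

if __name__ == "__main__":
    allowed, blocked = partition(SAMPLE_URLS)
    for url in allowed:
        print("allow", url)
    for url in blocked:
        print("block", url)
```

Matching on the parsed host rather than on the raw URL string is what keeps the fourth and fifth samples from being misclassified.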


