I have been quiet the last few days, but not inactive. I am doing some research on the number of sims that actually have active RedZone installations, and I hope to have something reasonably conclusive to report fairly soon.
In the meantime there is a burning (or at least warmly glowing) question that people are asking:
Has Linden Lab done all that it can to ban RedZone spyware from the grid?
When I started this blog, only about 6 weeks ago, I had no idea that Linden Lab would move so far so quickly. The reason for this is that prior to my blogging, I had been following RedZone for some time, and in that time there was simply no sign that Linden Lab were taking the issue seriously. ARs seemed to be ignored, and a comment on another JIRA by Samuel Linden appeared to be totally dismissive of real security concerns regarding the Second Life client software.
But the last 6 weeks saw a storm of protest, and all the time it seems that there was an internal fight going on in the lab between those who felt that residents’ concerns about privacy were very important, and those who apparently felt a hands-off approach was better. I will note that no one in Linden Lab ever gave the impression they actually liked what RedZone was doing.
And so at last we have seen action. As per the news on the JIRA and various blogs, including this one, we all know that Linden Lab has clarified their community guidelines to make it very clear that harvesting of IP addresses and linking to Second Life avatar profiles to provide profiles of users is clearly against their terms of service (as well as the law in many localities). They banned RedZone from the marketplace twice, and also removed it from in-world stores and have insisted that alt outing functionality should be banned.
Additionally, Sione Lomu and other developers have provided fixes to the SL client along the lines that I suggested were necessary in this blog in my article on “The Security Hole in the Second Life Client”. (I am not taking credit for the idea of the patches; I suspect work was already underway on these, and the fix is obvious to anyone with an internet security background.)
It is also clear that Linden Lab will be incorporating the patch or something very similar in their own official viewer. Moreover, the hiding of the stream URLs, which I argued was wrongheaded and ineffective, is coming out of the client as per Oz Linden’s own JIRA.
So in essence everything I suggested Linden Lab should do has been or is being done. They are fixing the security holes and forbidding use of alt outing functionality.
So why not stop there?
The problem is zFire’s database still exists, and his customers are still freely gathering data for him. Most of those customers do not have the links to alts, but he does. That is problem number one. This data collection remains illegal.
But the problem is not really one Linden Lab can act on. They can ban zFire and his alts, but that won’t stop him coming back later with new alts and the same database, or leaking the database to all his friends (if he has any).
Linden Lab could attempt to get the courts to seize the database, but this is both messy and difficult. The legal grounds for such seizure must surely be based on the personal data that is held in it. But any such action would have to be prosecuted first in Europe. To be clear, I have spoken to the Information Commissioner’s Office in the UK about this, and the process is rather complex. The ICO, in the first instance, would just try to speak to zFire to get him to desist from the data collection. Any action prosecuted under English law, at least, would be long and protracted and the database would no doubt be leaked or moved long before we approached any resolution – even if anyone thought the prosecution was worth the substantial costs involved.
So zFire’s database is not an easy legal target, and I fully understand why Linden Lab does not move against that. I don’t like it, but I think the lab has gone as far as it can on that point.
Data collection is another issue. Data collection without consent remains illegal and also against the Lab’s own TOS, and I think Linden Lab could continue to ban this product from in-world stores wherever found. That is the only point on which I think Linden Lab has fallen short. Other than this they have done all that we asked and that they reasonably could.
Oh, except one other thing:
The database and RedZone systems are linked to the neighbourhood watch website. This website continues to out people’s alts, because listed on it are literally hundreds of avatar profiles with alts listed. The neighbourhood watch is, in my opinion, one of the nastiest things about RedZone. It is full of slanderous accusations and petty spite. Anyone who posted there needs to be firmly slapped with a damp eel for several hours or until they begin to see sense.
An argument will be posited: “this is a website outside of Linden Lab’s service and thus not subject to TOS”. To which I say phooey! This database is populated by RedZone systems and available to in-world RedZone HUDs. It acts as a database back end to the RedZone system. I therefore believe that RedZone remains in contravention of the Terms of Service, and should be ARd for revealing alt information and other personal information about users of the Second Life service to those using RedZone in-world.
Let’s hope Linden Lab will move on these last points, and then at last perhaps we will have seen the end of this nasty little system.