Fixing the Security Hole and Terms of Service (TOS)

24 02 2011
Hidden Media URL


Before his alt finder software was neutered yesterday, crackerjack gloated:

so anyway they thought they would let the user see which URLs were being used by media on the sims media streams but then the truth dawned on them and they realised it is against TOS to disclose the media stream of a parcel if the stream is hidden by the owner, or indeed any stream that isn’t being offered by the sim owner as public knowledge
Basically they drew a blank lol

Actually to be clear, I made this point up front in my article on the security hole in the SL client on the 9th February:

So Linden Labs and other client developers: how about it? I will immediately change to whichever SL client offers me this option.

Although if Phoenix Viewer did it, I suspect the developers might find themselves under attack from Linden Labs for revealing those “secret” parcel media URLs.

But what the developers are doing is more imaginative. They are munging the URL so it is still clear enough that it’s spyware, whilst not revealing music stream URLs. This keeps the spirit of keeping stream URLs private whilst giving people good information on what they are being secretly asked to connect to.
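One way the munging described above could work, as an added example that is not the Phoenix Viewer's own code: keep the scheme and host visible so the user can see which server the parcel wants a connection to, and mask credentials, port, path and query. The function names, the mask string and the sample hosts are assumptions made for this illustration.

```python
from urllib.parse import urlsplit

MASK = "***"
UNPARSEABLE = "<unparseable media URL>"

def munge_media_url(url):
    """Display form of a parcel media URL: scheme and host stay visible,
    everything that could identify the particular stream or page is masked."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname   # lower-cased; userinfo and port stripped
        port = parts.port       # raises ValueError on a malformed port
    except ValueError:
        return UNPARSEABLE
    if not parts.scheme or not host:
        return UNPARSEABLE
    if ":" in host:             # IPv6 literal: put the brackets back
        host = "[" + host + "]"
    shown = parts.scheme + "://" + host
    if port is not None:
        shown += ":" + MASK     # a port can single out one stream on a shared host
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        shown += "/" + MASK
    return shown

def parcel_connections(urls):
    """Distinct munged forms for every media URL a parcel sets, sorted."""
    return sorted({munge_media_url(u) for u in urls})

# Constructed sample input (hypothetical hosts, not taken from the page).
SAMPLE = [
    "http://radio.example.net:8000/",
    "http://user:secret@Tracker.Example.com/log.php?av=12345#x",
    "http://[2001:db8::1]:8080/live.mp3",
    "http://radio.example.net:8000/",
    "http://bad.example.org:notaport/",
    "no scheme here",
]

if __name__ == "__main__":
    for line in parcel_connections(SAMPLE):
        print(line)
```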

Not that those music stream URLs are really so secret. The official Linden Lab viewer allows you to see them; just enable the admin menu. If you are not sure how to do that, here are instructions in the official LL Viewer 2 assuming a brand new installation (you may already have done at least the first step):

1. You need to open the Debug Settings in your Advanced menu. Second option from the bottom in figure 2 below.

2. In the debug settings (figure 3) type Admin Menu in the box. Click “true” to enable the Admin Menu.

3. Now click the bottom option in the Advanced Menu to show your develop menu.

4. In the Develop menu that appears, the last option will be available: “Show Admin Menu”. Click this.

5. Now take a look at the media stream (World menu/Place Profile/About Land. Click the Media tab), and you will see the URL as in the example in figure 4.


Fig 2. Show Your Admin Menu


Fig 3. Enable Admin Menu in Debug Settings


Fig 4. The Media URL Revealed

Easy, isn’t it!

This works in Phoenix and other viewers too. Once enabled, go look at the About Land tab – you will see the tick in “hide the URL” but you will also see the URL!

So much for secret URLs.

But look at this for utter hypocrisy from redzoneophiles:

ALSO I HAVE MY MUSIC URL HIDDEN FOR A REASON! IF THEY DISPLAY IT TO THE PUBLIC THERE WILL BE HELL TO PAY

Not happy that a third party viewer might actually close the security exploit his spyware uses, he says there will be hell to pay if we look at the URLs… that Linden Lab lets us see in their official viewer.

Hmmm.

Let’s be quite clear. A URL is not secret information. That is public information. The computer needs it to connect to a website.

Sound familiar?

Look at this “I HAVE MY MUSIC URL HIDDEN FOR A REASON!”.

I wonder why Redzoneophiles think our IP addresses are hidden on the SL service. Now what reason could that be?

This guy rants on:

If a viewer does not respect my region privacy settings it will be banned for good
If they put this patch in it will be a breach of TOS

Ah yes…privacy.

The URL is hidden for privacy… now what reason is the IP address hidden again?

Except, of course, the URL is NOT hidden. The IP address is though.

“Woe to you … hypocrites”.





Redzone and CCTV Surveillance

19 02 2011

Another of the canards the Redzoneophiles like to pull is that CCTV camera surveillance is so much more intrusive than their spyware.

Whilst two wrongs don’t make a right (although three lefts do), let’s look at this one quickly. Here is an example:

The moment your car pulls into the store or mall’s parking lot, their security cameras are watching you

Now in Europe, at least, we have data protection law. For instance, in the UK, all such cameras are covered by the Data Protection Act. You will remember the principles of the Act, if you have been following this blog. But in brief, data collection must be fair, and within that definition, those under surveillance must be made aware of the “data collection” (i.e. the filming). So warning signs are important and no hidden cameras.

But more importantly, you retain the right of access to all data pertaining to yourself. Thus under the DPA, I can request a copy of any surveillance tape that includes my image. Moreover the images of others on the tape should be edited out. The cost of this must be borne by the data controller although they may charge me up to £10.00 in costs.

In cases where I feel a camera is entirely unwarranted and intrusive, I have been known to make use of my entitlement under the Act. In all cases to date, the data controller has agreed to voluntarily remove the camera rather than pay for editing of the tapes to meet the request.

So, you see, CCTV – in Europe at least – comes with some very important privacy protections. They may be underused, but they exist.

zFire’s database is subject to the same rules, but thus far he has failed to reply to me as to how I may access a copy of all personal data he holds on me.





Casey Pelous on the SL Blog

17 02 2011

This was so hilarious and so spot on, I am shamelessly copying it to my blog!

Rickster Highfield wrote:

ya’ll get your panties in a bunch about Redzone but no one mentions the DJs that rent streams that have websites they can admin their streams which shows actual IP numbers and locations of the IPs whereas redzone does not and are encrypted nice to see you’re all concerned about privacy but if you truly were you would never log on the net

Casey Pelous replied:

I’ve searched in vain for the Shoutcast web site that scans the crowd, dumps the IP addresses into a database and collates them with avatar names then makes all the collated results available inworld to anyone for USD $17. Can you assist me? Without that I’m afraid I’ll just never get these panties unwadded.





Is RedZone Just Like Google?

14 02 2011

RedZoneophiles do get a bit repetitive. In the hope that they can prove black is white through repeated assertion, they tell anyone who dares disagree that RedZone is allowed by Linden Lab’s TOS (see elsewhere on this site – that is false), that it is legal, that IP addresses are not private information (an example of the logical fallacy of equivocation), and so on. In this forum, this weekend, zFire accused me of not knowing that websites gather IP addresses! And the latest mantra seems to be that if we object to RedZone, why don’t we object to the information gathering by Google?

So here is the answer. In short, the answer is that Google complies with the law, and RedZone does not.

But that is not the whole story. First, it is only fair to say that Google does not always comply with the law. In November Google were taken to task by the Information Commissioner in the UK over its data gathering activities when building Streetview. As a result of this breach of Data Protection Law, Google are now under audit over their data protection practices in the UK.

What happened was this: Streetview cars took photos of streets, as they do, linked to GPS for use on their street view service. There is nothing wrong with doing this. Where Google fell foul of the law was in the activity of one of their engineers who also collected data of Wireless Access Points as the cars travelled the country.

Note that what the engineer collected was the SSID of the access points. For those unfamiliar with the protocol, the SSID includes network name and a MAC address of the access point which is transmitted in the WiFi beacon frame.

To be clear, these beacon frames are broadcast in the clear precisely because they announce service set information to anyone in range of the access point. No one would be foolish enough to suggest the information is “private”.

But the collation of the data breached the Data Protection Act because it was done secretly, with no opt outs, was linked to other data allowing profiling (the GPS location) and was also not collated for a stated purpose. The ICO was quite clear that this was a serious breach of the Data Protection Act.

Notice the similarities with RedZone (not in scope – Google’s breach is orders of magnitude larger – but in the principles that they are in breach of).

So, yes, I do object to Google’s data collation activities when they breach the law, just as I object to RedZone’s activities.

But the people comparing RedZone with Google are not, in fact, thinking of this incident (or some related incidents in other countries). They are thinking of the profiling Google does on its own website.

Why are RedZone not like Google? Because unlike Google, RedZone do not have a legally compliant data protection policy, nor could they – as if they did, their business model would be destroyed.

Let’s look at some paragraphs of Google’s privacy policy to see why:

1. Google are up front about data collection. It is right here – what they collect and why:

We may collect the following types of information:

Information that you provide – When you sign up for a Google Account, we ask you for personal information. We may combine the information that you submit under your account with information from other Google services or third parties in order to provide you with a better experience and to improve the quality of our services.

I snip here for brevity in this message, but feel free to take a look at the full list of data they collect on the privacy policy on their website.

2. They state the purpose of data collection:

In addition to the above, we may use the information that we collect to:

Provide, maintain, protect and improve our services (including advertising services) and develop new services; and
Protect the rights or property of Google or our users.
If we use this information in a manner different to the purpose for which it was collected, then we will ask for your consent prior to such use.

Note carefully: Google will ask your consent before using data for a purpose other than that for which it is collected. They MUST do this as it is a principle of law in EU countries and many other localities. Thus, if you gather IP log data and you wish to use it for some purpose other than the systems administration purposes for which such logs are intended, you MUST ask consent. No consent = no legal use.

Next, principles of fair collection:

Choices

You can use the Google Dashboard to review and control the information stored in your Google Account.

Big snip. But in essence, Google explain to you how to avoid providing them personal information if you do not wish to do so. RedZone offers no such choice.

Then this is a key principle:

Information sharing

Google only shares personal information with other companies or individuals outside Google in the following limited circumstances:

We have your consent. We require opt-in consent for the sharing of any sensitive personal information.

Snipping here – Redzoneophiles thinking I snipped something pertinent, go read the privacy policy. In essence though, Google will only share your information with users or customers of their service with your consent. Again, this is a principle of data protection law that RedZone is in breach of. The selling of personal data gathered by RedZone without our consent or opt out is a clear breach of data protection law.

Next:

Information security

We take appropriate security measures to protect against unauthorised access to or unauthorised alteration, disclosure or destruction of data.

zFire makes our information available for free, so fails on this point. He does offer to hide the actual IP addresses used, but his information security measures are frankly not appropriate for a serious business. I have audited his security and there are some significant failings.

Another key principle of the law is our right to access information about ourselves. Google has this here:

Accessing and updating personal information

When you use Google services, we make good faith efforts to provide you with access to your personal information and either to correct this data if it is inaccurate or to delete such data at your request, if it is not otherwise required to be retained by law or for legitimate business purposes.

For Redzoneophiles saying alt detection is a legitimate business purpose: no it is not, because it is not proportionate. You could argue for the retention of personal information about customer transactions, certainly. Also account information about people who have been verified as copybotting (as long as the subject retains the right to inspect the data and have inaccuracies corrected). What you cannot hold onto is all information about everyone – even if you had fairly collected the data. And, of course, the data is not collected fairly and thus none of it may be held.

Google provide a clear process for data subjects to access their information, and verify it, correct it or have it deleted. RedZone has nothing but an “appeal” to the person who illegally harvested it in the first place and tells you that you will be muted if you kick up a fuss!

So we come to:

Enforcement

Google adheres to the US Safe Harbour Privacy Principles of Notice, Choice, Onward Transfer, Security, Data Integrity, Access and Enforcement, and is registered with the US Department of Commerce’s Safe Harbour Programme.

I have mentioned this in previous messages. The Safe Harbour Programme allows companies to register and audit their privacy policies and data protection policies with a body in the US, and as long as they comply with this in good faith they will be immune from prosecution in EU jurisdictions. zfRedZone does not participate in this programme, but does collect data on EU citizens and sells to other EU citizens. It is thus liable to EU data protection law, as well as similar sanction in its own jurisdiction.

So in summary, Google collects and handles data legally. RedZone does not. That is the reason we object to RedZone spyware and the lawbreakers who operate it.





Is RedZone allowed?

9 02 2011

In the RedZone forum today, zFire’s biggest Fanboi writes:

(Privacy Policy) TOS
“Further, you agree and understand that Linden Lab does not control and is not responsible for information, privacy or security practices concerning data that you provide to, or that may otherwise be collected by, Second Life users other than Linden Lab. For instance, some services operated by Second Life users may provide content that is accessed through and located on third party (non-Linden Lab) servers that may log IP addresses.

Looks like am not breaking any law to scan people

This user is from Blackburn, England. So I have news for him. Yes he is.

As we have seen, even zFire is breaking European law, because he uses equipment in Europe for his data gathering. But you would think a British citizen would be a little more aware of the protections and rights afforded him in his own domicile.

As for this favoured quotation that Redzoneophiles keep trotting out: the Second Life Terms of Service are an agreement between a user of the Second Life Service and Linden Lab. The purpose of that clause is so that Linden Lab will not be held liable if someone does something illegal with IP data gathered outside of their service. Like what RedZone is doing.

See, the key terms here are “Linden Lab does not control and is not responsible for”. It does not say that Optimus Prime or Mickey Mouse or anyone else has a legal right to harvest data in a way that contravenes the OECD privacy definitions and breaks European law. It just says that we have to file suit against the perpetrator and not Linden Lab.

Of course, we won’t file suit. But YES Cole, you ARE breaking the law.