February 27, 2010

Shared Media poses huge privacy risk


The blogposts of the past week are full of praise for the new "shared media" option introduced in Viewer 2.0 (and surely being retrofitted soon into 3rd party viewers). On the surface, this shiny new functionality adds a lot of benefits which have been discussed at length already. Under the surface, however, this new technology gives everybody the tools to melt away your privacy and anonymity!

How does shared media work?

With the new shared media function you can put a webpage on the face of a prim. This webpage can contain all sorts of content, up to full-fledged Flash animations and sound. A prim face with shared media assigned acts like a web browser. The webpages in question are requested from your own PC - not from a central server at Linden Lab.

How does this affect my privacy?

Whenever you request a webpage, your IP address is transmitted to the web server. Most web servers store this address in their logfiles. IP addresses are considered personal information in many countries, especially since increasingly refined IP-geolocation techniques make it possible to pinpoint a user's geographic location with increasing accuracy. Try it yourself - click this link to have yourself IP-geolocated and let me know in the comments how accurate it was (no, I don't see the actual results).

With the shared media, a webpage on a prim loads as soon as you look at it - probably even as soon as you are in the vicinity - thus transmitting the IP address of your PC to the remote server. This is not an opt-in process! It happens automatically, and without giving you the option to accept or deny. There might be an opt-out, but it would disable all shared media for you.

Now imagine the website on a shared media prim is not a general website, but a specific website, tailored to gather specifically YOUR IP-address and related data. Would you like that?

OK, but where is the difference to requesting a website?

The holy grail for web marketers for years was to identify individual users. All sorts of more or less unethical tricks were thought up to identify recurring visits and to gather data about a user. Web surfers are sensitized to the topic by now, and most users know their IP data gets logged. Privacy concerns have led to legislation in many countries. In my country, for example, collecting the IP addresses in server logfiles is illegal in most cases now.

In Second Life however, the level of expectation is different. Second Life is NOT a webpage. While it is common knowledge that Linden Lab tracks certain parameters like your IP-address, nobody expects that any other resident is able to get this information. On top of that, shared media allows you to create exact avatar-name-to-IP-address matches.

A horror scenario

I personally have been blackmailed and RL-threatened by a SL resident who reverse-engineered my RL identity before. My friend Zonja Capalini came up with this horror scenario:

A and B are in SLove and partner. Everything is roses. A while later, the love dies and B resolves the bond, which drives A up the wall. A creates a shared media prim pointing to a specific webpage on a server A controls, and hides it where B - and only B - is about to see it repeatedly. Over the course of a few days A collects enough IP addresses of B to not only pinpoint the geographic location but also the ISP of B and - because B logged in from work twice - also the fixed IP address of B's employer. A little more digging reveals B's real name, B's work telephone number, the name of B's boss who might be interested that B worked as a virtual stripper, and in consequence B's home phone number and B's Flickr account where B's kids are displayed.

OK, sure, you are right, B should not log in from work. And B should not have lied about their gender and marital status. So B saw it coming, yeah? So let's look at this:

X is a fashion designer, doing some rather nice designs. Y is a drama blogger and asked X for free samples to blog them. X denies the samples and Y swears revenge. Y manages to place a shared media prim with a specifically tailored spy-webpage where X sees it. No tangible data is found, though, since X uses a popular ISP and has frequently changing IP addresses. However, to Y's huge surprise she also tracks the IP address of Z, another fashion blogger. And it turns out that Z's address and X's address are identical, and even that web cookies loaded by X's browser are already present in Z's browser. Y has now identified an alt-account of X and uses this knowledge to spread drama.

Yeah, sure, X saw it coming. Why does she create a secret alt in the first place?

But that has been possible before!

Yes, it has been possible before. Parcel media stream settings could have been abused this way before. However it required two things: you need a parcel whose media stream you can control, and the victim needs to have media-playing switched on. Plus you need the victim to come to your land, while a shared media prim could even be worn and thus brought into the vicinity of the victim.

A similar exploit uses the webpage tab in profiles. If you have set webpages to auto-load, malicious web addresses could also be used. However, this is a pretty broad approach, since you can barely fine-tune it towards one victim only.

What is novel about shared media is that those stalker tools have been put into the hands of literally every resident. If I am alone with someone, I just need to rez or wear a prim with shared media and a specific webpage and get that person's IP address.

What can I do?

If this concerns you - and to my huge surprise it has not concerned many people I spoke with - your safest approach is to not use Viewer 2.0. Viewers based on 1.x will not display shared media, and you are safe. Of course this also prevents you from using the many new fancy features.

Viewer 2.0 has an "Allow media to autoplay" option in the settings. I need to run tests to see if this applies to shared media as well. If it does, it at least gives you the choice.

Finally, there is an "Enable Web Proxy" setting in Viewer 2.0. Again, I have not yet tested if this gets used for shared media as well. At least this will be some security against direct pinpointing. Public proxy servers can be found on many lists on the web. Hardcore security fans can use a Tor proxy as well, at the cost of a lot of speed.

Anything Linden Lab can do?

Linden Lab could actually remove this problem at its root by not having the individual viewers request web-content but have it centrally fetched and distributed via the SL network. This would also solve the problem that two watchers of a shared media prim might see two different things. Unfortunately this is not a feasible solution since it would put an immense strain on the LL network and would easily boost the required bandwidth beyond any sensible measure.

Living with the Pandora's Box opened


Shared media was inevitable. Users have been asking for HTML-on-a-prim for years. It is a function that not only the educators need urgently, but which will find many, many uses in the coming months and which will change the face of SL in a very literal sense. It's too late to put it back in the box - the aspects of its use are just too large and thrilling.

My goal with this post is to make you aware that your privacy and anonymity have just been diminished further. Many people will applaud this in fact, advocating that avatars should come out of their hiding. Maybe I belong to an endangered species of immersionists, believing in a separation between SL and RL. But as a resident you need to know that you can - and probably will - be tracked by shared media prims.

Welcome to the new world!

Update: There has been a JIRA issue created on that matter, and in the comments there are some sensible suggestions that boil down to some sort of personal firewall inside of SL, where you are a) made aware of media surfaces that want to load and b) can decide on a case-by-case basis if you want to allow them.

50 comments:

Emilly Orr said...

I like what you're saying here, though I think the chances of the Labs disabling shared content are nil.

What worries me more, though, was the Geo-locator page you posted. Granted, I make no special efforts to hide or disguise IP (I live in a secured building) but that page tracked me down to zipcode, city, and accurate longitude and latitude.

That scares me.

Tateru Nino said...

For whatever reason, the geo-location data for my IP is something like about ten thousand miles wrong. The network I'm on used to be routed to some other country, I think - but that wouldn't be the common case.

And yes, it's quite trivial to make a single prim that will grab an IP address and associate an SL user-name with it. Formerly you had to at least own the land. Now that's no longer necessary.

Anonymous said...

It tracked me as far as my ISP's HQ, about 200 miles from me.

Emerald Wynn said...

:\

Zonja Capalini said...

Geolocated the city and longitude and latitude up to 2% precision. This is very scary. Of course the Lab will not disable Shared Media, but it should at least do two things:

1) Provide clear and accurate information to their users about the security risks involved in using Shared Media.

2) Implement a single "private mode" switch that disabled all obvious security leaks, i.e., at least auto-load of profiles, parcel media, and shared media.

Thanks for a well-thought and comprehensive article, btw :-)

Zonja Capalini said...

Some more digging:

* Enabling the web proxy in the "Setup" tab in the preferences panel seems to have no effect :-(

* Fortunately, there is a "Play media attached to other avatars" in the "Sound & Media" tab. I've immediately checked it off. This does slightly reduce the risk, but the problem is still there.

Chestnut Rau said...

The geo-locator tracked me to several towns away where my ISP is located.

I am probably stupid about such things, but I think if someone wants to find out who I am they will do so. I really do not worry about it much. My SL and RL are fairly transparent to anyone with basic google skills anyway.

People have always had to make trade offs between using the web and privacy. It was not that long ago people would not shop online for fear of their private information being compromised. Now online shopping is the norm and does not seem so scary. Yes, identity theft has grown and the dangers are real. There is always a risk when you are online.

Of course, we could all turn off our computers and not take advantages of what the web offers. If any web service is insecure then people will make the choice to not use it. I think the advantages of web on a prim for business, education, art and all kinds of collaborative efforts far outweighs any privacy risk -- for me that is. Everyone has to make a choice between their need for privacy and the tools the web broadly and SL specifically offer.

Feline said...

My ISP must have rerouted me since the last time I clicked one of those IP geolocation gadgets. It used to be off by about 30 miles. Now it's off by 90 miles. But I certainly understand that it's a lot more revealing for other people than it is for me, so it's a real concern. Good job explaining the risk in a clear way for the less technically inclined, Peter! I hope they are listening.

Eidur said...

I've been tracked very precisely as well and it left me... ahem, with a bad taste in my mouth.

And well yes I've always been concerned a lot by privacy in SL; I loved that feeling to share tiny bits of my RL infos just to the people I care for.
Now, everyone can track me. No more "safe" sex, I guess.

Us immersionists, we are being ghettoized to some other virtual environment, maybe... maybe they have statistics and they just realized we invest too slowly in L$...

Or maybe we're just ruining the fun of all the rest of the happy augmentationists world... After all, who need creeps like people separating RL from SL?

Kim said...

the geographical locator you shared in this blog post isn't very accurate.

http://network-tools.com/ is way more accurate. Use the Trace feature and it traces the connection from the server all the way to you, listing all used routers on the way... the name of the towns are in the hostname, and sometimes you even have more than one per town, to add on precision.

This is a bit dumb from LL, they surely know about it and chose not to care.. Sure they gave nice tools for conferences, the community has been asking for such a tool for years, but they also gave griefers a powerful tool to push their attacks to RL. What was LL thinking?

I wasn't interested in trying out viewer 2.0, now I'm sure I don't want to.

Cajsa Lilliehook said...

Right city, wrong zip code. It's also the wrong zip code for the provider, oddly enough. It's about 10 blocks from the provider's office, about 2 miles from my place.

Cajsa Lilliehook said...

incidentally, I put the coordinates into http://www.mapquest.com/maps?form=maps&geocode=LATLNG to see how close it came on longitude and latitude which is how I realized it was just two miles off.

Caliburn Susanto said...

Two blocks. Two. Appalling. Also, I have never understood this obsession with having Web tools INSIDE SL®. It's a completely foolish compulsion.

When you are on the Net all of it is available to you. Having media is as easy as opening another window; when you are logged into Second Life® you are not trapped there, you are merely using ONE of the many windows you can have open on the screen. To Tweet, Plurk, Flickr, or listen to music or even watch a movie all you have to do is open another window. The people "with you" in SL® simply have to open a second window also and point their browser to the same location. Easy and obvious, although the obviousness of it seems to have escaped the attention of the digital population.

Second Life® is NOT the Internet, it's just a program in a window. If you expect everything to be done inside it you are foolish. Also you are failing to take advantage of power you have as a digital citizen to grab the best resources for your needs.

Anonymous said...

This scares me because I actually had someone contact someone in my RL to try and start drama in the past. This person also did other illegal things I won't get into. Anyway this just makes it even easier for them to get info from whoever they want.

LL just made it even easier for stalkers..sigh

Thanks for posting this. <3

senbanbabii said...

The geo-locator thingy in my case was very inaccurate which I'm pleased about naturally.

As for the rest of it, it's yet another nail in the coffin of my usage of SL. There comes a point where all the baggage attached to using a platform reaches critical point and SL has pretty much reached it in my case. The increasing levels of crap outweigh what little value remained.

MSo Lambert said...

First they expose us to security risks by buying AU and now they completely throw our privacy away with Shared Media? If the sky doesn't fall *this time* I'm not sure when it will :)

Jokes aside, the harsh reality is we are forced to make more and more trade-offs in regards to our privacy to support our always-connected way of life. Computers on the web track our every move and try to compose useful behavior patterns, our personal data is collected by social media, sold to advertisers, aggregated, analyzed and used for many different purposes - to sell us stuff, make our lives better or take advantage of our identity or behavior patterns.

I can't drive two blocks without cameras recording me or analyzing my license plates.

I was at a mobile conference a while ago where a company presented shocking ways of how they're able to analyze human (or consumer, those are synonyms for companies) simply by tracking our position through our mobile phones and trying to pair this with things like time of day etc. They showed a map of a city with little red blips representing people that were tracked without knowledge or consent. Yes, laws in most sane countries prohibit mobile operators to provide any positional or identifiable data to 3rd parties, but it's still being done and the laws are getting bent and loosened when it comes to privacy. Not to mention most modern mobile applications collect detailed statistics for analytical purposes, which can also be easily used to identify or locate you by analyzing the patterns.

Nobody is doing this to us - we're doing this to ourselves by willingly deciding to give away bits of our privacy to increase our quality of life, entertain ourselves or be more connected with the rest of the world.

Now Second Life is supposed to be this virtual escape from the harshness of reality for many people - but in reality it's not (I'm sorry immersionists).

Maybe it was an isolated closed garden in the early stages, but I'm sure it was never meant to be by design, and I'm sure when Philip was envisioning Second Life 10 or 20 years in the future, he saw it intertwined with every other aspect of our reality - from the web to our mobile phones, work, education, what have you.

The fact that it was able to be this separate parallel universe for a while is simply because the platform and technology wasn't mature enough.

As with every other technology out there, Second Life either has to adapt and move forward, or it will simply fade away. No matter how we try to resist or how loud the forum or the blogosphere gets, there simply is no other way for Second Life to evolve and adapt. And now that the Shared Media can of worms has been opened, there simply is no going back.

Now I'm not saying we should just kiss our privacy goodbye or move elsewhere - there is definitely a lot of maneuvering space when it comes to LL giving us more control over it.

For example, even now I can simply disable the "Allow media to auto-play" setting and no Shared Media will load anywhere, not even on objects attached on me.

For more fine grained controls, a few important settings come to mind:

- Allow only attached media to play automatically
- Allow only media on my land to play automatically.
- Allow only media on objects created / owned by me to play automatically
- A list of trusted sites (nothing else plays, ever).

When it comes to protecting our privacy, we shouldn't expect others to protect it. If your SL privacy is important to you, make sure you disable all automatic media options and only play it selectively and only from sources you trust. Dealing with privacy and security issues with Shared Media isn't going to be that much different than dealing with those on the web. Use your head and common sense, educate yourself, use additional 3rd-party software for protecting your privacy and your computer.

This was a great read and a very informative resource for everyone concerned about their privacy in SL - thanks Peter!
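The "personal firewall" idea from the post's update and the auto-play settings listed in the comment above can be expressed as one decision made before the viewer sends any request, since the request itself is what discloses the IP address. The following is an added sketch, not part of the original post or comments and not Linden Lab's viewer code; `MediaSurface`, `MediaPolicy`, `evaluate` and the avatar and host names are hypothetical, and "attached media" is assumed to mean prims worn by your own avatar.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional, Set
from urllib.parse import urlsplit


class Decision(Enum):
    ALLOW = "allow"    # fetch without asking
    PROMPT = "prompt"  # show the host to the user first; nothing is sent yet
    DENY = "deny"      # never fetch


@dataclass(frozen=True)
class MediaSurface:
    """A prim face that wants to load a page (hypothetical viewer-side record)."""
    url: str
    object_owner: str            # avatar that owns the prim
    parcel_owner: str            # avatar that owns the land the prim sits on
    attached_to: Optional[str]   # avatar wearing the prim, None if rezzed


@dataclass
class MediaPolicy:
    me: str
    allow_my_attachments: bool = True
    allow_my_objects: bool = True
    allow_on_my_land: bool = False   # weaker when others may rez on the parcel
    trusted_only: bool = False       # "nothing else plays, ever"
    trusted_hosts: Set[str] = field(default_factory=set)   # lowercase hosts
    blocked_hosts: Set[str] = field(default_factory=set)   # remembered denials


def request_host(url: str) -> Optional[str]:
    """Return the host a fetch would really contact, or None if unusable."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    # .hostname drops any "user@" prefix and lowercases the name.
    return parts.hostname.rstrip(".")


def host_matches(host: str, entries: Set[str]) -> bool:
    """Exact host, or a subdomain on a dot boundary; never a substring match."""
    return any(host == e or host.endswith("." + e) for e in entries)


def evaluate(policy: MediaPolicy, surface: MediaSurface) -> Decision:
    """Decide before any network traffic whether a surface may load."""
    host = request_host(surface.url)
    if host is None or host_matches(host, policy.blocked_hosts):
        return Decision.DENY
    if host_matches(host, policy.trusted_hosts):
        return Decision.ALLOW
    if policy.trusted_only:
        return Decision.DENY
    mine = surface.object_owner == policy.me
    if surface.attached_to is not None:
        # Worn prims: only my own attachments may auto-play.
        if policy.allow_my_attachments and mine and surface.attached_to == policy.me:
            return Decision.ALLOW
        return Decision.PROMPT
    if policy.allow_my_objects and mine:
        return Decision.ALLOW
    if policy.allow_on_my_land and surface.parcel_owner == policy.me:
        return Decision.ALLOW
    return Decision.PROMPT


# Constructed sample: a stranger wears a prim that points at an unknown host.
SAMPLE_POLICY = MediaPolicy(me="Avatar A", trusted_hosts={"news.example"})
SAMPLE_SURFACE = MediaSurface("http://tracker.test/p?id=1",
                              "Avatar B", "Avatar C", "Avatar B")

if __name__ == "__main__":
    print(evaluate(SAMPLE_POLICY, SAMPLE_SURFACE).value)
```

The trusted-site check compares the parsed host rather than the URL string, so a URL that merely contains a trusted name in its user-info part or as a leading label of another domain is not treated as trusted.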

Marcus Llewellyn said...

Er, seems this is a tad overblown to me.

For one thing, exploiting this would take a modicum of technical skill. One would require a webserver and the skill to analyze the logs. Not rocket science, but not for the inexperienced either.

Secondly, just because you can collect IP addresses at the web server via a shared media web page doesn't automatically mean you know who that IP belonged to in SL. Any number of people walked by your prim... which one was which? Unless they helpfully interact with the displayed pages and give you the data you need ("Hi! I'm Stoopid McNoodle!"), those IPs could be anyone. And anyone who practices safe computing online should already know better than to just hand out personal info to any old web site. If you don't know or trust the site, don't tell it who you are. This is as true in your good old browser as it is with our shiny new shared media toy.

Now, I suppose this could be an opportunity to phish for info, and it is a shame that shared media doesn't give any indication whether or not you're using a secure site or any anti-phishing tools. But an IP address is hardly a requirement for phishing.

MSo Lambert said...

Oh - a few other things come to mind after reading this (I just love articles that ignite my brain at 5am like that lol).

This might be pretty off topic, but I'm thinking with this new direction we're seeing lately, Linden Lab will have a lot of problems marketing their platform as "Second Life". The name simply has so many assumptions attached and they're mostly all wrong in my opinion.

If I had to guess, I'd say whenever someone hears about Second Life for the first time (yes even today after all this time), they immediately assume it's some sort of a virtual parallel universe that has no connection with real life whatsoever. It's an escape, a game, an immersive place... just look at all the articles written by sloppy journalists over the years.

I've dealt with quite a few real-life clients for SL over the years and mostly they all had the same initial reactions and assumptions. The more I think about it, the more I'm certain it had a lot to do with what associations the phrase "Second Life" sparkled. I believe the name simply doesn't reflect the actual product.

I might not be your average reader, but my assumptions about my Second Life being a completely separate virtual life (environment, whatever) ended pretty fast after I joined. I even got involved in a lawsuit over a dispute in Second Life back when we didn't even have parcel media (okay, we had music:) so whatever illusions I might have had about SL being disconnected from my real me have faded pretty quickly.

That's why I probably have a hard time understanding people that take the "Second Life" part so literally and have to deal with all kinds of issues when their actions in Second Life somehow bring consequences in real life (undesired or not).

I don't understand how they assume their actions won't or shouldn't have any consequences. Of course that's strictly my view, but I personally believe *everything* you do anywhere, can have consequences everywhere.

If you can get caught cheating your partner in RL, or having cybersex over IM, why assume your SL love affair won't come around to kick you in the butt?

I guess the point I'm trying to get across is many people would be able to avoid so many issues if they didn't look at their SL identity as a completely separate entity, especially when their real life identity gets exposed somehow.

I have nothing against role-playing and immersion - in fact I love role-playing and I'm an avid MMO player. But I've seen much more immersive environments like WoW or Eve Online bring undesired real-life consequences to people and I simply don't believe any environment can completely separate us from our real selves.

Whatever your views might be, just make sure you have a speech ready for when your boss finds out about your virtual stripping and you should be okay ;)

MSo Lambert said...

Ok, one more and I'm really out of here :)

There's already a JIRA issue on this and it seems like a good place for a public discussion about Shared Media privacy-related issues and ideas: http://jira.secondlife.com/browse/VWR-17044

Tateru Nino said...

Someone apparently used the parcel media to pin down my offline identity back in 2007.

Got some death threats on the phone as a result.

Peter Stindberg said...

Thanks everybody for the feedback!

@Marcus: for obvious reasons I am not going to give a blueprint how to do it, but access to the logfiles (while desirable for the task) is not mandatory. And the whole thing can be set up to make exact 1:1 avatar-UUID to IP-address matchups.

Maybe I should make a (triple-opt-in) proof-of-concept for this...

Zonja Capalini said...

I must say that I'm getting more scared by some of the comments than by the security problem itself.

Of course we all know that every time we visit a web page we are getting cookies, that our browsing habits are being collected and that all sorts of information about ourselves is being interchanged without us being aware of it.

But I think that referring to this fact is completely missing the point.

The situation created by shared media is not that an old or new company will have more or less data about ourselves -- it's that unknown individuals will be able to get it.

Example: one thing is to browse some porn and know that the owner of the page can track you -- another, completely different thing, is to browse some porn and then to be tracked by other people that are browsing the same page.

As to the "I don't have anything to hide" people, I'd love that they explained in the comments what do they think when they make love to their wives or husbands -- or, still better, when they masturbate. After all you have nothing to hide, right?

Please don't mistake your moral ideals with a viable form of organizing society, or the internet for that matter.

MSo Lambert said...

@Peter: I would personally wait at least until the final Viewer 2.0 is released before posting detailed proof-of-concepts... No need for this to become general knowledge too fast =)

Btw, I added my proposal to JIRA on how the privacy controls could be handled for Shared Media here: http://bit.ly/bKrKrL

Eidur said...

I can only support Zonja's point of view about this matter.

Honestly I think that lots of people are underestimating the problem but then again, why should I be surprised?

It takes not more than 5 minutes on FaceBook to recognize how people are completely screwing their holy right to have some privacy in exchange of few minutes of notoriety on the web...

Oh wait, until their boss/wife/husband/lover/son-daughter(!) doesn't stalk their habits on the net. Blame the "internet" and your boss "unethical" behaviour then!

MSo Lambert said...

@Zonja: The situation with Shared Media is not that entirely different than it might seem. You can get attacked by unknown individuals in a similar fashion everywhere on the web too, and people's security or identity can get compromised simply by clicking a shortened link on Twitter or responding to a hostile application request on Facebook.

And as far as I'm concerned, companies are mostly unknown individuals in that respect too.

Yes, you can potentially be tracked on the web by people browsing the same page by use of illegal approaches and security exploits, and it's not that different than exploiting Shared Media.

So the way I see it, it really is just an issue of providing more control and choice to residents when it comes to how Shared Media is handled.

As for your "I don't have anything to hide" comment, there really is no need to mock me for my personal views or being scared by them. With cheating and cybersex I was simply stating examples in reference to the "Horror scenario" section of the post, not to me personally (I could have used less controversial examples).

Having nothing to hide or understanding your actions can have undesired consequences if your identity is revealed are two entirely different matters in my opinion.

But I'm getting off topic - why not rather have a constructive debate on how Shared Media could be adapted to suit both, the people that want to stay away from it because of privacy concerns, and people that want to improve their SL experience with it.

Like I said, I already posted some initial proposals on the mentioned JIRA issue in form of "Trusted media" lists and additional auto-play controls, and Peter mentioned having some sort of a personal firewall inside of SL.

Both look like viable approaches, although having a personal SL firewall wouldn't be that much different than running a 3rd-party firewall on your computer directly and allowing the SL client to access only certain media / sites or blocking undesired media.

Prokofy said...

We're all aware of this problem and we're all aware of the nasty and snarky attitude of geeks who tell us that we shouldn't care about our privacy on the Internet.

Yes, we can be geo-located to within a few digits of a zipcode or worse.

So why do people care? Because of the anonymity of Second Life means not only that they can have anonymity, but that so can griefers.

If it weren't for the death threats and threats of violence, that I, too have received, I wouldn't care about this or that display of geolocation or real life name. I've had people send me photographs of my door to intimidate and silence me in SL, and people pretend they can see me walking around on the street by my home.

So the real task here isn't to figure out which checkoff box or opt-out box to check in the confusing viewer, but for Linden Lab to step up and use the same unmasking of privacy that exposes us to catch griefers who harm people. It's simply got to work both ways.

If Linden Lab would step up and block people making serial alts and using proxy servers to log on with more thoroughness and with more alacrity, and also *keep banned* some of these characters who stalk and harass that they let back on, even after being gone for months, then we wouldn't have this level of concern about loss of privacy.

People are going to be looking to LL not just to unmask everybody's privacy with their fabulous new Shared Media (TM), but to unmask the privacy of stalkers, too, and end their harassment pronto.

Zonja Capalini said...

@MSo: I didn't intend to mock you, and I'm sorry that you got that impression. Please be assured that I respect your work a lot, and love to follow your contributions.

What I was trying to do in my (admittedly provocative) comment was to refer to the general tone of some comments (not only in this blog post, but also in other SL related places lately) where a very dangerous trend of thought is expressed. The "argument" (which is in effect a very poor form of sophism) runs as follows:

* Some people use anonymity for (supposedly) morally objectionable acts (e.g. cheating on their wives)
* People who are not immersionists don't care if their RL and SL identities are linked
* "Ergo", all immersionists use RL/SL separation for objectionable acts and should be banned/outed/they get what they deserve, etc.

Please note that I'm not saying that you adhere to this stupidity -- I'm saying that the said stupidity is running free and that it should be combated.

Regarding your comments about privacy, of course you can use exploits to track visitors to a web page. The main point, though, is the following: SL users are not companies, they are human beings. Companies and human beings are, as you well say, both unknown individuals. But you don't talk to companies. You don't go dancing with companies. You don't partner companies. You don't make love to companies. When you leave a company, they lose a customer. When you leave a lover, they lose something completely different. What people do or desire to do when they feel abandoned/cheated/betrayed etc is completely different from what companies do.

Of course a competent user will always find ways to find your IP address if s/he is determined enough. This is even possible today in SL by using determinate exploits. But one thing is that a competent and determined user has the power to find private stuff about yourself and another one is that every jerk in SL has that power.

I think the gap between enterprise/education users and immersionists has been widened a lot by shared media. Please note that I love shared media -- it's a pretty cool and evidently very useful feature.

BTW I don't think we're getting off-topic :-) -- this was a post about privacy, and privacy always has a lot of facets. But I agree with you, the JIRA approach is the right thing to do.

MSo Lambert said...

Ouch... I just tested and posted another potential horror scenario on JIRA (http://bit.ly/dcEB7h) in regards to phishing which can be even more dangerous than your IP discoverability - potentially devastating even.

In short, the current Shared Media implementation allows creators to hide the browsing controls making the URL of the media invisible to the person viewing it on the surface. And finding the URL by digging through the advanced media controls can be pretty hard for an average SL user, especially since the title of the site is displayed there instead of the URL when the media is running.

In addition to being a huge security risk this is also a huge obstacle for developers that want to take advantage of Shared Media to create advanced products like interactive HUDs and so on.

Why? As a developer I want my customers to trust the integrity of my products and my motives behind them. When users can be victims of phishing attacks so easily, it makes it very hard to build that trust for legitimate developers.

iliveisl said...

wow! nicely written Peter!

i think internet on a prim is good, but so is privacy

LL can do most anything they want to since they are a private company. including making poor decisions

as to tracking info, google analytics on our blogs can do a good job of showing city and provider of visitors

if LL decides to sell that type of info to make a profit, don't be surprised. i don't think that is right to do to your paying customers, but LL could give a poop about what i think

Marcus Llewellyn said...

@Peter - I later realized a while after commenting that I probably pressed the publish button without thinking about the issue more deeply. I pretty much forgot that with LSL scripting support that it would be possible to match up an avatar with an IP under many (but not all) circumstances.

To do a 1:1 match, though, I think you'd have to have a pretty quiet environment. The busier an area, the harder it is going to be to get a precise match.

Tateru Nino said...

@Marcus Using the old parcel media system will give you 1:1 matching automatically if you want it. As far as I know, you can't get it automatically with Shared Media.

Zonja Capalini said...

@Marcus, Tateru: http://jira.secondlife.com/browse/VWR-17044 details a method by which you can get a 1:1 matching pretty easily.

Zonja Capalini said...

I realized that most of the described horror scenarios involve some form of immersionism. Here's a completely business oriented horror scenario. A certain company uses SL and shared media for work meetings -- some people attend the meeting from their offices, and some other people telework from home. Employee A has held a grudge towards B for several years, and would very much like to bed C, who doesn't correspond to his advances. Using the exploit described in http://jira.secondlife.com/browse/VWR-17044 or a similar one, A uses the work meeting to grab the IP addresses of B and C, then does some reverse DNSing and finds out that B complements his salary by hosting nudehotbarely18schoolgirls.com at home; B's boss is promptly made aware of this fact. C's address is geolocated with great precision, and then C begins to be stalked in RL.

Since neither A, B nor C are immersionists, and their company is using SL for "serious" things, nobody has cared much about configuring their viewers, (falsely) assuming that the default setup is "safe" for people who "have nothing to hide".

What worries me the most is that this kind of attack is something that does not require a lot of technical skills.

Iggy O said...

Some educators--for reasons they best know--do not reveal their RL identities.

Most of us do link our RL and SL identities, so this is not an issue for us. Still, this security hole is not one I consider trivial; it has too much potential for abuse.

By the way, the IP locator got as close to me as the local Verizon office.

Tateru Nino said...

If the risk isn't acceptable for Shared Media, then it shouldn't be for parcel media either, I'd think. Both contain the same issue, whether you consider it a problem or don't.

Peter Stindberg said...

I agree, Tateru, and if Linden Lab gives us something like a "Firewall for SL", then this (and profile web page exploits) could be fixed in one blow.

Zonja Capalini said...

@Tateru: I agree that technically speaking the risk for shared media and parcel media are equivalent and the same. But -- one thing is to trust the parcel owner and another is to trust everybody. The griefing/stalking potential for shared media is hugely bigger than for parcel media, because you're suddenly open to ip-grabbing by everybody, not only the owners of certain parcels.

Tateru Nino said...

I'm not sure that makes a difference, Zonja. If someone actually gives a darn what your IP is, I'm sure they'd go the extra mile to get it.

I'd be less concerned about Shared Media than parcel media, because - at the end of the day - your IP address is of no use to someone who doesn't have a use for it, you see? It doesn't really change the odds if it falls into the hands of people who don't care what it is or who you are.

I'm sure I don't know the owners of every parcel I stand on in the course of a day - even my neighbors.

Zonja Capalini said...

Still another horror scenario: since the default setup for shared media is to load all pages without asking, a number of people can program "bad" pages that use exploits in the browser code, and you'll be loading them without being even aware of it. Normally you don't click on determinate links, for fear that they could point to bad pages. With shared media you won't even be presented with an option or a warning -- the page will be loaded and that's it. And every avie you meet can be a potential source of infections...

Kate Miranda said...

I feel two ways about anonymity in SL. On the one hand I know it allows people freedom to explore and talk about things they feel inhibited about in RL and I think a lot of that is healthy.

On the other hand it allows people to pull a lot of nasty crap on other people, particularly through the use of alt accounts. The possibility that alts might be caught red-handed at this trouble-making could inhibit some of the time-wasting (at best) and traumatic (at worst) behaviours.

Anonymous said...

Thanks for another great post, Peter. The second thing I said after "wow" when I tried this feature was "now how do I check my privacy settings?" There was nothing to be found aside from turning off cookies in Preferences > Privacy and I'm not sure this applies to Shared Media anyway.

When I tried the IP trackback on an in-world prim it was accurate enough to show a pic of me in my jammies as I was reading your post. Well, more like the ISP hub for my area, but close enough to show my town.

Fortunately, everyone I know really well in SL knows my town anyway. In fact, hang out with me long enough and you might learn the town name. I'm not that worried about that. What I am worried about is the transmission of things I might add to entry fields on Web sites and browsing history. And I vote for Zonja Capalini's suggestions (see Comments). The Lab should give us more tools to control our privacy.

Godeke said...

While I understand the concern for privacy of in world avatars, every poster here gave up that same level of privacy to simply leave a comment on a blog.

Nearly every single action taken in a browser is traceable to IP, and when using an account like the ones here the tie-back to a virtual persona is trivial.

I guess I don't see it as a crisis because my virtual and real world identities are intertwined *already* (I did the SL talking circuit for a while) and my prior experiences with Internet Anonymity have led me to conclude that it isn't all that great of an idea.

For those with a more bright line virtual / real world distinction I can see the concern, but if you really want to protect yourself you can firewall outbound connections from the viewer (or entire machine for the duration of the session). White-listing the Linden Lab domain is pretty easy: the major consumer firewall products can do this in a way accessible to even the moderately computer savvy. If you can handle the viewer, such a configuration should be doable with a tutorial at worst.

As it was pointed out in the article, none of this is new. I have run shoutcast streams and every visitor's IP was plainly visible (including exact connect, disconnect times).

More pervasive, yes it is. Less controllable, yes, but it can be mitigated with garden variety security software. Finally, if this is a real concern, I hope you are using an anonymizer to post to blogs and do garden variety browsing.

Peter Stindberg said...

Good comment, but two remarks:

1) Expected behaviour: every halfway educated web surfer KNOWS that their IP address is logged in logfiles (but see my comment about country legislation on that aspect). However a SL avatar does NOT expect this.

2) This blog runs on Blogger, and in contrast to (hosted) Wordpress, the IP-address of comments gets NOT shown. So while it is true that every commenter here has given that information, they did not give it to ME, but "only" to Google (who knows it anyways). In Wordpress blogs the blog owner gets in fact the IP address in the comment form.

Sinome said...

The only sure way you will not get geo-ip traced etc is not to use any electronic device - and then some.

The issue described here is real, but demanding Linden to fix this is a bit like trying to patch one hole in a sieve.

Download charles from http://www.charlesproxy.com or another proxy tool and just watch traces going off to analytics engines and loggers while you are using Google, FaceBook, YouTube, etc. Think your regular browser behaviour even with Norton or the likes active is protecting your privacy? Think again.

This is a much bigger issue than just SL and the reality is you ARE already being traced all over the place. If you carry your cell phone you can be pinpointed much more precisely than with GeoIP. And before you say they can't trace your cellphone's UUID to your person, or even correlate it with your PC's IP address, check what analytics data companies are buying from QuantCast and the likes. There are much easier pickings than having to figure out who's behind a SL avatar; we're serving them on a silver plate already.

Genevieve said...

that link is pretty accurate for the most part. though, it did have a couple of minor errors. Which is pretty scary.

Memorial Dae said...

Well, I seem to be having a massive case of paramnesia. Did we not have these exact conversations back when we could first plaster a webpage on a prim via parcel media? Granted now we can interact with said webpage via shared media and that requires people to actually think about what they are doing. Much like they do when surfing the intrawebz! The big solution for parcel media was having a tic box to disable it as well as the autoplay option which we already seem to have on shared media as well. As it was with web on parcel media the tool is not the fault but the potential misuse which requires thought and systems far outside of Linden Lab's control. Anything can be bastardized for improper use but should anyone let the potential for that happening keep them from utilizing a tool? If one has issue with that question they shall do as others in the past have done and disable the potential threat in permissions and go along their merry way. I do however love the example of a client side safe list (firewall) and popup for utilizing content because it just makes good sense.
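The client-side safe list with a pop-up mentioned in the comments above (and the "Firewall for SL" idea) can be sketched as follows. This is an added example, not part of any comment and not viewer code; the domain list, function names and sample URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed safe list for illustration; not an official list of Linden Lab hosts.
SAFE_DOMAINS = frozenset({"secondlife.com", "lindenlab.com"})

def media_host(url):
    """Return the host the viewer would actually contact, or None if unusable."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:          # e.g. malformed IPv6 literal
        return None
    if parts.scheme not in ("http", "https"):
        return None             # javascript:, data:, file: ... never auto-load
    host = parts.hostname       # strips userinfo ("user@") and port, lowercases
    return host.rstrip(".") if host else None

def on_safe_list(host, safe=SAFE_DOMAINS):
    """Exact match or true subdomain; a bare substring test would be fooled."""
    return any(host == d or host.endswith("." + d) for d in safe)

def decide(url, safe=SAFE_DOMAINS):
    """Return (action, host): 'load' silently, 'ask' via pop-up, or 'block'."""
    host = media_host(url)
    if host is None:
        return ("block", None)
    return ("load" if on_safe_list(host, safe) else "ask", host)

def prompt_text(url):
    """Pop-up wording: name the real host, since the prim may hide its URL."""
    action, host = decide(url)
    if action != "ask":
        return None
    return f"Media on this object wants to contact {host}. Load it?"

if __name__ == "__main__":
    # Constructed sample URLs (tracker.example is a placeholder host).
    for u in ("http://jira.secondlife.com/browse/VWR-17044",
              "http://secondlife.com.tracker.example/pixel.gif",
              "http://secondlife.com@tracker.example/",
              "javascript:void(0)"):
        print(decide(u), u)
```

The two look-alike URLs fall through to "ask" because the check runs on the parsed host rather than on the raw string, and the prompt shows that host even when the object hides its browsing controls.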

Fred said...

Right country.... wrong location! Way out! I think if we allowed our lives to become dominated by all the possible ways in which our identities could be discovered we would stay inside a locked house with no computer or telephone, shredding every piece of paper with personal details on it and wearing a giant condom to ensure total protection! Life's for living, not for hiding!

Prim said...

also let's not forget the secondlife terms of service, there are some people that created a security orb that polls this information and identifies and bans alts of people you've banned, the problem is it's a privacy violation and uses the method described here to identify alts, the developers of this orb (which i will leave unnamed so their product isn't promoted here) think the line in the privacy policy that indemnifies Linden Lab from use of this information indemnifies them as well, it doesn't, if you encounter this exploit, stay calm, file an AR and cite that it's a violation of terms of service (section 8.3)

http://secondlife.com/corporate/tos.php

worse part yet, as mentioned in the article above developers of such malicious objects can do this without the users noticing, but here's a tip

if it claims to detect alts, it is likely using the exploit in this method and detecting IPs of anyone who crosses the path of any instance of this script

so if you encounter anything that claims to detect alts for the sake of security, remember it's spyware and a bigger threat to you than whatever it's designed to protect you against.

Tateru Nino said...

Here's a list of what information leaks through the viewer's HTTP functions, how it can be used to detect alts, and a demo so that you can see the information: http://bit.ly/c3e4WA

KarenR said...

The geo locator on the Google map pointed to my neighbor's house up the street where the cable junction box is for my neighborhood. A little too close for my liking.