February 27, 2010

Shared Media poses huge privacy risk

The blog posts of the past week are full of praise for the new "shared media" option introduced in Viewer 2.0 (and surely soon to be retrofitted into third-party viewers). On the surface, this shiny new functionality adds a lot of benefits, which have been discussed at length already. Under the surface, however, it hands everybody the tools to melt away your privacy and anonymity.

How does shared media work?

With the new shared media function you can put a web page on the face of a prim. This page can contain all sorts of content, up to full-fledged Flash animations and sound; a prim face assigned shared media acts like a web browser. The key point is where the page comes from: it is requested by your own PC, not by a central server at Linden Lab, so the web server at the other end talks directly to you.

How does this affect my privacy?

Whenever you request a web page, your IP address is transmitted to the web server, and most web servers store it in their log files. IP addresses are considered personal information in many countries, especially since increasingly refined IP geolocation techniques can pinpoint a user's geographic location with growing accuracy (typically to the city and the ISP; getting to a street address takes the further digging described below). Try it yourself: click this link to have yourself geolocated and let me know in the comments how accurate it was (no, I don't see the actual results).

With shared media, a web page on a prim loads as soon as you look at it - probably even as soon as you are in the vicinity - thereby transmitting your PC's IP address to the remote server. This is not an opt-in process! It happens automatically, without giving you the option to accept or deny. There might be an opt-out, but it would disable all shared media for you.

Now imagine the website on a shared media prim is not a general website but one tailored specifically to gather YOUR IP address and related data. Would you like that?

OK, but how is this different from visiting a website?

The holy grail for web marketers has for years been to identify individual users. All sorts of more or less unethical tricks were devised to recognise recurring visits and to gather data about a user. Web surfers are sensitised to the topic by now, and most users know their IP data gets logged. Privacy concerns have led to legislation in many countries. In my country, for example, collecting the IP addresses in server log files is illegal in most cases now.

In Second Life, however, the level of expectation is different. Second Life is NOT a web page. While it is common knowledge that Linden Lab tracks certain parameters like your IP address, nobody expects any other resident to be able to get this information. On top of that, shared media allows you to create exact avatar-name-to-IP-address matches: whoever rezzes the prim can see which avatars are nearby when a request arrives in the server log, and can place the prim where only the intended person will see it.

A horror scenario

I personally have been blackmailed and RL-threatened by an SL resident who had reverse-engineered my RL identity before. My friend Zonja Capalini came up with this horror scenario:

A and B are in SLove and partner. Everything is roses. A while later the love dies and B dissolves the bond, which drives A up the wall. A creates a shared media prim pointing to a specific web page on a server A controls, and hides it where B - and only B - is likely to see it repeatedly. Over the course of a few days A collects enough IP addresses of B to pinpoint not only B's geographic location but also B's ISP and - because B logged in from work twice - the fixed IP address of B's employer. A little more digging reveals B's real name, B's work telephone number, the name of B's boss (who might be interested to hear that B worked as a virtual stripper) and, in consequence, B's home phone number and B's Flickr account where B's kids are displayed.

OK, sure, you are right, B should not log in from work. And B should not have lied about their gender and marital status. So B saw it coming, yeah? Then let's look at this:

X is a fashion designer, doing some rather nice designs. Y is a drama blogger and asked X for free samples to blog about. X denies the samples and Y swears revenge. Y manages to place a shared media prim with a specifically tailored spy web page where X sees it. No tangible data is found, though, since X uses a popular ISP and has frequently changing IP addresses. However, to Y's huge surprise, she also logs the IP address of Z, another fashion blogger. It turns out that Z's address and X's address are identical, and even that the web cookies X's browser loaded are already present in Z's browser. The cookie match is the telling part: an address can be handed to a different customer of the same ISP the next day, but a cookie only travels with the browser that stored it. Y has now identified an alt account of X and uses this knowledge to spread drama.

Yeah, sure, X saw it coming. Why did she create a secret alt in the first place?
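The two scenarios boil down to a bit of log correlation, so here is what the operator of such a spy page can read off its log. This is an added example, not code from the original post or from Linden Lab; the records are constructed (RFC 5737 documentation addresses), "tag" is the operator's own label for the prim that was rendered, i.e. who was meant to see it, and "marker" stands for a cookie the embedded browser stored on an earlier visit. It also shows the caveat from the second scenario: a shared address alone is a weak link, a shared cookie is a strong one.

```python
"""Added example: correlating spy-page hits the way scenarios 1 and 2 describe.
Not the post's or Linden Lab's code; all records below are constructed."""
import json
from collections import Counter, defaultdict

# Constructed log, one JSON record per request, as the spy page's server might
# write it.  Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    # Scenario 1: B, a few days of hits.  Two of them come from a static address.
    {"ts": 1, "tag": "B", "ip": "198.51.100.23", "marker": "b-home"},
    {"ts": 2, "tag": "B", "ip": "198.51.100.77", "marker": "b-home"},
    {"ts": 3, "tag": "B", "ip": "203.0.113.5",   "marker": "b-work"},
    {"ts": 4, "tag": "B", "ip": "198.51.100.41", "marker": "b-home"},
    {"ts": 5, "tag": "B", "ip": "203.0.113.5",   "marker": "b-work"},
    # Scenario 2: X's address changes constantly, but Z turns up with the same
    # address and, more tellingly, the same marker cookie.
    {"ts": 6, "tag": "X", "ip": "192.0.2.10",    "marker": "x-box"},
    {"ts": 7, "tag": "X", "ip": "192.0.2.200",   "marker": "x-box"},
    {"ts": 8, "tag": "Z", "ip": "192.0.2.200",   "marker": "x-box"},
    {"ts": 9, "tag": "Z", "ip": "192.0.2.35",    "marker": "x-box"},
    # A bystander who merely got one of X's dynamic addresses at another time.
    {"ts": 10, "tag": "W", "ip": "192.0.2.10",   "marker": "w-box"},
])


def parse_log(text):
    """One JSON object per line -> list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def addresses_for(records, tag):
    """Every address seen for one tag, most frequent first.  Repeat hits from a
    non-residential address are what gave away B's employer in scenario 1."""
    return Counter(r["ip"] for r in records if r["tag"] == tag).most_common()


def linked_tags(records, key):
    """Group tags that share a value of `key` ("ip" or "marker").  Only groups
    with more than one tag are interesting: they are candidate alts."""
    groups = defaultdict(set)
    for r in records:
        groups[r[key]].add(r["tag"])
    return {v: tags for v, tags in groups.items() if len(tags) > 1}


def probable_alts(records):
    """Strong signal: tags sharing a cookie marker (same browser profile).
    Weak signal: tags that only ever shared an address, which a dynamic-IP
    customer of the same ISP can do by accident.  Returns (strong, weak)."""
    strong = {frozenset(t) for t in linked_tags(records, "marker").values()}
    weak = {frozenset(t) for t in linked_tags(records, "ip").values()} - strong
    return strong, weak


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("B's addresses:", addresses_for(recs, "B"))
    strong, weak = probable_alts(recs)
    print("same browser (strong):", [sorted(s) for s in strong])
    print("same address only (weak):", [sorted(s) for s in weak])
```

Run as a script it reports 203.0.113.5 as B's most repeated address, X and Z as linked by cookie, and X and W as linked by address only; that last pair is exactly the false positive an address-only correlation produces.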

But that has been possible before!

Yes, it has been possible before. Parcel media stream settings could be abused in the same way. However, that required more: a parcel whose media stream you control, a victim who has media playing switched on, and the victim coming to your land. A shared media prim, by contrast, can even be worn and thus brought into the vicinity of the victim.

A similar exploit uses the web page tab in profiles. If you have set web pages to auto-load, malicious web addresses can be used there as well. However, this is a pretty broad approach, since it can hardly be aimed at a single victim: everyone who opens the profile loads the page.

What is novel about shared media is that these stalker tools have been put into the hands of literally every resident. If I am alone with someone, I just need to rez or wear a prim with shared media pointing at a specific web page, and I get that person's IP address.

What can I do?

If this concerns you - and to my huge surprise it has not concerned many people I spoke with - your safest approach is to not use Viewer 2.0. Viewers based on 1.x will not display shared media, so you are safe from this particular leak (the older parcel media and profile web page vectors described above still apply). Of course this also prevents you from using the many new fancy features.

Viewer 2.0 has an "Allow media to autoplay" option in the settings. I need to run tests to see whether this applies to shared media as well. If it does, it at least gives you the choice.

Finally there is an "Enable Web Proxy" setting in Viewer 2.0. Again I have not yet tested whether this is used for shared media as well. If it is, it gives at least some protection against direct pinpointing, because the remote server then sees the proxy's address instead of yours. Two caveats: the proxy operator now sees everything the prim's server would have seen, so a random public proxy from one of the many lists on the web merely moves the problem; and a proxy does nothing against the cookie matching of the second scenario above, since the cookies still travel with your embedded browser. For hardcore security fans there is Tor as well, at the cost of a lot of speed (Tor itself speaks SOCKS, so an HTTP proxy setting generally needs something like Privoxy in front of it).
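The quickest way to settle both untested questions above, and to see for yourself what a prim operator learns from the mechanism described at the start of the post, is to run a logging page of your own and point a shared media prim at it. The server below is an added example, not code from the original post or from Linden Lab; the listening port, the /t/<tag> path layout, the log file name and the cookie name are assumptions. If a hit appears the moment the face is in view, autoplay is not protecting you; if the logged address is your own rather than the proxy's, the web proxy setting is not used for shared media. The "proxy" field shows the other half of the story: many proxies announce themselves with Via or X-Forwarded-For headers, and the latter can carry your real address straight through.

```python
"""Added example: a minimal "what does the prim operator see?" server.
Not the post's or Linden Lab's code.  Point a shared-media prim at
http://<your host>:8080/t/<tag> and every viewer that renders the face shows
up in hits.jsonl with its client IP, User-Agent, any cookie the embedded
browser already holds, and any proxy headers.  Names below are assumptions."""
import json
import secrets
import time
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer

COOKIE_NAME = "sm_id"           # assumed name for the persistent browser marker
LOG_PATH = "hits.jsonl"         # assumed log file, one JSON record per request

# Headers a (non-transparent) proxy typically adds.  Their presence tells the
# operator the hit came through a proxy; X-Forwarded-For may even carry the
# client's real address, which is why a proxy is only partial protection.
PROXY_HEADERS = ("X-Forwarded-For", "Via", "Forwarded")


def describe_hit(client_ip, path, headers):
    """Build the log record for one request from what the server can see.

    `headers` is any mapping with .get() (http.server's HTTPMessage, which is
    case-insensitive, qualifies).  Returns (record, needs_new_cookie), where
    needs_new_cookie is True when this browser carried no marker yet."""
    tag = path.split("/t/", 1)[1].strip("/") if "/t/" in path else ""
    jar = SimpleCookie(headers.get("Cookie", ""))
    seen_before = COOKIE_NAME in jar
    marker = jar[COOKIE_NAME].value if seen_before else secrets.token_hex(8)
    record = {
        "ts": int(time.time()),
        "tag": tag,                       # which spy prim was rendered
        "ip": client_ip,                  # the address the operator learns
        "marker": marker,                 # survives across logins of one install
        "ua": headers.get("User-Agent", ""),
        "proxy": {h: headers.get(h) for h in PROXY_HEADERS if headers.get(h)},
    }
    return record, not seen_before


class HitLogger(BaseHTTPRequestHandler):
    def do_GET(self):
        record, set_marker = describe_hit(self.client_address[0], self.path, self.headers)
        with open(LOG_PATH, "a") as fh:
            fh.write(json.dumps(record) + "\n")
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        if set_marker:
            # Long-lived cookie: the embedded browser keeps it between sessions,
            # which is what lets two avatars on one PC be linked later.
            self.send_header("Set-Cookie",
                             f"{COOKIE_NAME}={record['marker']}; Max-Age=31536000; Path=/")
        self.end_headers()
        self.wfile.write(b"<html><body>nothing to see here</body></html>")

    def log_message(self, *args):       # keep stderr quiet; hits.jsonl is the log
        pass


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), HitLogger).serve_forever()
```

Run it on a host you control, rez a prim with its URL, and watch hits.jsonl; to test the proxy setting, compare the logged "ip" with your public address and look at whether the "proxy" field is populated.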

Anything Linden Lab can do?

Linden Lab could actually remove this problem at its root by not having the individual viewers request web content, but having it fetched centrally and distributed via the SL network. This would also solve the problem that two watchers of a shared media prim might see two different things. Unfortunately this is not a feasible solution, since it would put an immense strain on the LL network and would easily push the required bandwidth beyond any sensible measure.

Living with the Pandora's Box opened

Shared media was inevitable. Users have been asking for HTML-on-a-prim for years; it is a function that not only educators need urgently, but which will find many, many uses in the coming months and which will change the face of SL in a very literal sense. It's too late to put it back in the box - the possibilities are just too large and thrilling.

My goal with this post is to make you aware that your privacy and anonymity have just been diminished further. Many people will in fact applaud this, advocating that avatars should come out of hiding. Maybe I belong to an endangered species of immersionists, believing in a separation between SL and RL. But as a resident you need to know that you can - and probably will - be tracked by shared media prims.

Welcome to the new world!

Update: A JIRA issue has been created on this matter, and in the comments there are some sensible suggestions that boil down to some sort of personal firewall inside SL, where you are a) made aware of media surfaces that want to load and b) can decide on a case-by-case basis whether you want to allow them.