Shared Media poses huge privacy risk

The blogposts of the past week are full of praise for the new "shared media" option introduced in Viewer 2.0 (and surely being retrofitted soon into 3rd party viewers). On the surface, this shiny new functionality adds a lot of benefits which have been discussed at length already. Under the surface, however, this new technology gives everybody the tools to melt away your privacy and anonymity!

How does shared media work?

With the new shared media function you can put a webpage on the face of a prim. This webpage can contain all sorts of content, up to full fledged Flash animations and sound. The prim-face assigned with shared media acts like a web browser. The webpages in question get requested from your own PC - not from a central server at Linden Lab.

How does this affect my privacy?

Whenever you request a webpage, your IP address is transmitted to the web server. Most web servers store this address in their logfiles. IP-addresses are considered personal information in many countries, especially since more and more refined techniques of IP-Geolocation allow to pinpoint the geographic location of a user with increasing accuracy. Try it yourself - click this link to have yourself IP-geolocated and let me know in the comments how accurate it was (no, I don't see the actual results).

With the shared media, a webpage on a prim loads as soon as you look at it - probably even as soon as you are in the vicinity - thus transmitting the IP address of your PC to the remote server. This is not an opt-in process! It happens automatically, and without giving you the option to accept or deny. There might be an opt-out, but it would disable all shared media for you.

Now imagine the website on a shared media prim is not a general website, but a specific website, tailored to gather specifically YOUR IP-address and related data. Would you like that?

OK, but where is the difference to requesting a website?

The holy grail for web marketers for years was to identify individual users. All sorts of more or less unethical tricks where thought of, to identify recurring visits, and to gather data about a user. Web-surfers are sensitized to the topic by now, and most users know their IP data gets logged. Privacy concerns have led to legislation in many countries. In my country, for example, collecting the IP-addresses in server logfiles is illegal in most cases now.

In Second Life however, the level of expectation is different. Second Life is NOT a webpage. While it is common knowledge that Linden Lab tracks certain parameters like your IP-address, nobody expects that any other resident is able to get this information. On top of that, shared media allows you to create exact avatar-name-to-IP-address matches.

A horror scenario

I personally have been blackmailed and RL-threatened by a SL resident who reverse-engineered my RL identity before. My friend Zonja Capalini came up with this horror scenario:

A and B are in SLove and partner. Everything is roses. A while later, the love dies and B resolves the bond, which drives A up the wall. A creates a shared media prim pointing to a specific webpage on a server A controls, and hides it where B - and only B - is about to see it repeatedly. Over the course of a few days A collects enough IP-addresses of B to not only pinpoint the geographic location but also the ISP of B and - because B logged in from work twice - also the fixed IP address of B's employer. A little more digging reveals B's realname, B's work telephone number, the name of B's boss who might be interested that B worked as a virtual stripper, and in consequence B's home phone number and B's Flickr account where B's kids are displayed.

OK, sure, you are right, B should not log in from work. And B should not have lied about about their gender and marital status. So B saw it coming, yeah? So let's look at this:

X is a fashion designer, doing some rather nice designs. Y is a drama blogger and asked X for free samples to blog them. X denies the samples and Y swears revenge. Y manages to place a shared media prim with a specifically tailored spy-webpage where X sees it. No tangible data is found though since X uses a popular ISP and has frequent changing IP addresses. However to Y's huge surprise she also tracks the IP-address of Z, another fashion blogger. And it turns out that Z's address and X's address are identical, even that web-cookies X's browser loaded are already present in Z's browser. Y has now identified an alt-account of X and uses this knowledge to spread drama.

Yeah, sure, X saw it coming. Why does she create a secret alt in the first place?

But that has been possible before!

Yes, it has been possible before. Parcel media stream settings could have been abused this way before. However it required two things: you need a parcel whose media stream you can control, and the victim needs to have media-playing switched on. Plus you need the victim to come to your land, while a shared media prim could even be worn and thus brought into the vicinity of the victim.

A similar exploit uses the webpage tab in profiles. If you have set webpages to auto-load, malicious web addresses could also be used. However this is a pretty broad approach, since you can barely fine-tune it towards one victim only.
What is novel about shared media is that those stalker-tools have been given into the hands of literally every resident. If I am alone with someone, I just need to rez or wear a prim with shared media and a specific webpage and get that person's IP address.

What can I do?

If this concerns you - and to my huge surprise it has not concerned many people I spoke with - your safest approach is to not use Viewer 2.0. Viewers based on 1.x will not display shared media, and you are safe. Of course this also prevents you from using the many new fancy features.

Viewer 2.0 has an "Allow media to autoplay" in the settings. I need to run tests to see if this attributes to shared media as well. If it does, it at least gives you the choice.

Finally there is a "Enable Web Proxy" setting in Viewer 2.0. Again I have not yet tested if this gets used for shared media as well. At least this will be some security against direct pinpointing. Public proxy servers can be found on many lists on the web. For hardcore security fans you can use a TOR-proxy as well, however sacrificing a lot of speed.

Anything Linden Lab can do?

Linden Lab could actually remove this problem at its root by not having the individual viewers request web-content but have it centrally fetched and distributed via the SL network. This would also solve the problem that two watchers of a shared media prim might see two different things. Unfortunately this is not a feasible solution since it would put an immense strain on the LL network and would easily boost the required bandwidth beyond any sensible measure.

Living with the Pandora's Box opened

Shared media was inevitable. Users have been asking for HTML-on-a-prim for years, it is a function not only the educators need urgently, but which will find many, many uses in the coming months and which will change the face of SL in a very literal sense. It's too late to put it back in the box - the aspects of its use are just too large and thrilling.

My goal with this post is to make you aware that your privacy and anonymity has just been diminished further. Many people will applaud this in fact, advocating that avatars should come out of their hiding. Maybe I belong to an endangered species of immersionists, believing in a separation between SL and RL. But as a resident you need to know that you can - and probably will - be tracked by shared media prims.

Welcome to the new world!

Update: There has been a JIRA issue created on that matter, and in the comments there are some sensible suggestions that boil down to some sort of personal firewall inside of SL, where you are a) made aware of media surfaces that want to load and b) can decide on a case-by-case basis if you want to allow the.

200,000 Banner Impressions on XStreet SL

My translation agency is recognized as Official SL Solution Provider by Linden Lab since March 2009. During a promotion for solution providers I recently got 200,000 free banner impressions on XStreet SL. This means my banner would be shown 200,000 times - not necessarily to 200,000 different people. Excited about this opportunity I submit my banner and the link to Kimmora Linden, and a little later my banner went live.

One question was where I would like the banner to link? I checked out some banners and saw they mostly link to an XStreet item, some to an external website, and some to a SLURL. I asked on Plurk for feedback on banner ads, and most people reported they never click on banners at all. In the end I decided to link it to one of my free promotional offers on XStreet itself, so I can track if the banner ad made a difference.

I had no idea what to expect, or how long those impressions would last. Two hundred thousand sounded like a large number to me, but I could not estimate what kind of visitor traffic XStreet SL would receive. A banner on XStreet SL changes whenever you come to a new page. So if you look at 3 products, you will see 4 randomly selected banners (including the front page banner).

I was rather surprised how quickly the impressions got used up. Only a few hours after the banner went live, the first 10,000 impressions were gone already. In the end, the 200,000 impressions lasted about 3 days. Of course I was curious to see the results.

The XStreet backend gives a nice realtime overview about the status of a campaign. In the end my banner received 58 clicks - this means out of 200,000 times the graphic was displayed, only 58 people (0.029%) clicked on it. This is somewhat sobering, but then again I offer niche services only suitable for a small fraction of residents.

Of course, those 58 clicks might have resulted in additional exposure and business opportunities. The linked product - my Language Kiosk - is a useful tool and free of charge. Surely those people who clicked my banner should consider my kiosk an interesting thing and "buy" it.

Alas, it does not seem like this. While there is definitely an increased exposure - those 58 clicks really end up on the product page - it does not seem to result in an increased attractivity of the kiosk. The number of purchases stays in the range of sales outside the advertised period.

Conclusions

Without doubt, a timeframe of 3 days is way too short to draw any generally valid conclusions. My product is pretty niche - a service offering rather than a retail product. Nevertheless the pricetag for those 200,000 impressions would be 7,999 L$ - had I actually paid for them I would have been extremely disappointed. To cover a full week I would have needed 500,000 impressions at least, at a whopping 17,499 L$.

• To get a better impression, a merchant is well advised to do A/B testing with 2-3 different banners. My banner was static - the majority of banners is animated to overcome the "banner blindness" of most shoppers. A proper test would consist of various versions of the banner, animated and static, with different wording as well.
  
• One of the biggest problems I see is that the banners are not context sensitive. A merchant books 200k, 500k or 2 million impressions, and the ads get randomly displayed. It would make much more sense to ask for a list of keywords and/or categories, and only show the banners relevant to XStreet products of a certain category or keyword.
  
• A by definition intangible and immeasurable effect is exposure. My banner got shown 200,000 times, so a lot of people have supposedly seen it and might remember it in the future.

Still this has been a very interesting experiment, and I thank Linden Lab to give me this opportunity. I would be interested in hearing feedback both from merchants who use banner ads, as well as from shoppers who click or not click on them.

Have you clicked on a banner before? If yes, did you buy the product? If no, why not? Did you buy banner advertising before and where you happy with the results?

I look forward to hear your feedback!

Potential RL-identity exploit with Avatars United

For those of you using their RL-email for their SL-avatar, using the default settings of Avatars United might pose a risk of unintentional exposing the address!

Snickers Snook posted an insightful article about "Spam via Avatars United", where she explained that since joining AU she receives significantly more spam on her supposedly undisclosed email address. She dug a bit into the settings and found that the default is that even non-installed AU-widgets can access certain data and send emails.

While Snickers primarily saw the spam problem, my friend Zonja Capalini pointed out that while being spammed is a nuisance, the bigger threat lies in the unsolicited disclosure of a potential RL email address and thus disclosure of the RL identity.

So if this concerns you, do two things:

1. Read Snickers article and adjust your Avatars United settings
2. Go and finally get a GMail/Yahoo/Hotmail/whatever address for your avatar

The Lion and the Prime Minister

My friend Zippora was in the good position to have been able to quit her job and become a professional storyteller, and every time I hear about this my interest is piqued. She took me to some events in SL already, and shared some web resources with me. I think telling stories is a beautiful thing to do. So when my friend PanPan IMed me last night and vented off about her RL boyfriend, I took the opportunity to soothe her with a story I read. The problem was that after a few lines I realized I forgot about most of the story, so I had to make my way up as the story continued. Still I think it went fairly ok:

The Lion, king of the animal, looked for a new prime minister, since he was unhappy with the old one and ate him. So he assembled the animals around him, and demanded that new candidates for prime minister came forward. The Hyena came forward and said "I'll do the job". The Hyena was wicked, and thought with the Lion as protector she can be even more wicked.
The Lion looked her up and down, and then blew his breath into her face, and it stank and the smell of the old prime minister who the Lion ate was still there.

"How do I smell?", growled the Lion
And the Hyena - not dumb - said "Oh king of the animals, your breath is like a fresh morning in the desert, like the rain in the forest, like flowers in full bloom."
And the Lion stared at the Hyena and growled "you are a sweettalker indeed, but when you talk like this to other mighty animals, to heads of state, they will feel like you make fun of them. you are no use to me."
And he hit the Hyena with his paw and killed her.

Then he looked at the other animals, and growled "I still need a prime minister".
The animals were all scared and look at each other, and finally the wildebeest came forward. "I be your prime minister." The Wildebeest - also known as the McDonalds of the steppe - hoped for protection as well, and courageously smelled the breath of the Lion.

"What do you think of my breath?" demanded the Lion.
And the Wildebeest considered this and then took all its courage and said "With all due respect, my lord, but your breath is quite bad. It smells of rotten flesh, its foul stench keeps everybody at bay, and the animals know from far that you are coming because you smell so bad."
The Lion looked at the trembling animal with a long and sincere stare. And finally he growled "Do you want to INSULT me? And do you want to insult visiting kings and princes and politicians? Honesty is not what is needed in a prime minister!"
And he hit the poor Wildebeest with his paw and killed it.

Again the king looked at the scared animals and growled "Anybody else wanting to become prime minister?" Nobody moved, fear hang in the air, sweat poured from faces, nervous coughs all over. And finally a tiny swallow flew up, circled twice through the air, and then landed in front of the Lion.

"You?" growled the Lion and laughed a deep rumbling laugh.
"Yes, my Lord, I want to be your prime minister."
The Lion took a deep breath, blew up his lungs, and then blew the air against the tiny bird, making it tumble all over. He laughed as the bird finally got back on his feet and came back to the huge Lion.

"So, what is YOUR take on the smell of my breath?" he demanded.
And the swallow replied "What, oh Lord, is your breath supposed to smell like? I am just a small swallow, but if you tell me what it smell like, I make sure to tell every other animal, so they all know about it."
The Lion stared at the bird in disbelief, and then started to laugh and laugh and laugh, and when he finally stopped laughing he looked at the assembled animals and announced "Bow to the new prime minister!"

And since this day, the swallows always fly between Europe and Africa, to bring the words of the Lion King to all the other animals.

The original - or at least the version I knew before forgetting half of it - can be found here.

The 2500 prim skeleton

Approximately 2500 prims were used for the huge Leviathan skeleton on the new Ahab's Haunt sim. Of those 2500 prims, quite literally only a handful are sculpts. All the other prims are regular prims. Not a single prim I found is larger than 10x10x10 meters or - in other words - this humongous build was constructed without a single megaprim.

The skeleton was built by "moles" - content creators contracted by Linden Lab. It is a safe assumption that the moles know what megaprims are, and how to use them. At the same time finding a Linden build (or Linden contracted build) that uses megaprims is like searching a needle in a haystack.

I am not a pro builder, but my guess is that the leviathan skeleton could probably be built with 75% less prims if megaprims could have been used. And probably with 90% less prims if sculpted megaprims would have been an option. This means the asset browser, the SL databases and the viewers of everybody coming close to that island would only need to store, transmit and render about 250-350 prims, instead of 2500.

To understand the (I assume deliberate) decision to not use megaprims, we need to take a step back. Megaprims were never regularly available in Second Life. Initially, the SL viewer limited the maximum size of a prim, and some clever person managed to circumvent this restriction and injected the first batch of megaprims which then got handed down from builder to builder. As a result, the check for the prim dimension was included in the server side, and megaprims could not be generated anymore. A while ago, a bug in the server code made the creation of megaprims possible again, and the second wave of prims became available. At the time of this writing, there are about 36,000 megaprims known and available in SL.

There is all kinds of rumours regarding megaprims. They allegedly cause lag. They allegedly steal sim resources. They allegedly influence the physics model badly. They allegedly are illegal and can get you banned using them. Indeed, the status of megaprims is a fuzzy one. Linden Lab never outright forbid their use. Neither did they take technical steps to restrict the usage. But also they never gave the "green light" for their usage. Megaprims are tolerated, but not loved. And because of this, Linden Lab will be careful not to set a precedent and use these prims in their own builds.

Update February 8:

[11:24] Silent Mole: It's true! Mole builds don't use megaprims.
[11:26] Peter Stindberg: Thanks! Can I quote this?
[11:27] Silent Mole: Yep.
[11:29] Silent Mole: Andrew Linden is the company expert on megaprims. His office hours are at Denby (213/45/34) 11:00 - 12:00 Tuesdays and 16:00 - 17:00 Fridays.

Top 5 Requested Second Life Features

Caleb Booker is a metaverse developer and a professional writer on the topic of virtual worlds. I stumbled across a guest post of his on Hypergrid Business, which was originally published on his own blog. Caleb claims that in discussions with business/educational clients, the following 5 things were repeated over and over as the most urgently missing ones in Second Life:

1. A collaborative whiteboard
2. A PA-System for voice chat to assign an "open mic" to persons
3. Separate voice-channels in different floors of a building
4. Realnames for avatars
5. File Transfer between avatars

The thing with these 5 requests is that they are highly biased towards a specific purpose. I personally know of a handful of whiteboard applications. I think voice conferencing is best realized with 3rd-party-offworld tools. As is file transfer. And as far as realnames are concerned, I recently stumbled across Xerox' SL presence and they use names along the lines of "FirstnameLastname Xerox". But I digress.

While I am sure those 5 might definitely be pressing issues from a business point of view, I can't accept them in their absolute approach as THE 5 most requested features for SL. In my point of view, the 5 most urgent things are:

1. Inventory Loss
   It is an unacceptable situation that inventory gets lost in the first place. And the reports of lost inventory and the Lab's reaction to it - which almost come at a weekly basis - are plainly said a disgrace. I really can't understand why inventory gets lost at all. But if it happens, I can't understand why the Lab is not able to restore it easily. I have seen people leave SL over losing their entire inventory. I have friends who experienced multiple inventory losses. I have friends who followed the knowledge base steps meticulously, only to hear from the Lab they should in the knowledge base upon which the support person simply closed the ticket. Inventory not only has a monetary value (in many cases substantial) but also a commemorative value. WHY DOES INVENTORY GETS LOST AT ALL?
2. Teleport
   Why do teleports fail? Why do they sometimes fail so drastically that you crash? Why do I appear perfectly ok to my friends after a teleport for up to minutes, while on my end still the odometer bar crouches slowly? Why am I sometimes completely immobile after a TP? Why do I sometimes need to do a 3-way-teleport to reach my destination? Why can't I sometimes not teleport at all to a destination, but a log-off with subsequent log-in to the very place works?
3. Scalability
   The landlady of my home sim built a club there a while ago. Unfortunately it is very successful. Which means that when there is an event going on, the rest of the sim lags horribly. Which is annoying when you try to build or have a business meeting. Prims won't rez, scripts crouch. And we're only talking about 25 people on the sim. The adjacent sim is usually empty. Why do empty sims not contribute their resources to full sims? Why do 25 avatars throttle a sim down, why do 40 avatars turn a sim into syrup? Why can't we have 100 or 200 avatars on a sim AND have smooth motion and quick rezzing? Why is a sim limited to a processor core, instead of requesting as much processing power from the SL grid as it needs?
4. Prim Sizes
   I want to make prims in any arbitrary size. Allowing sizes larger than 10m - with full support - would make building so much easier and efficient. It would be so much more efficient for the prim economy too. It would even reduce load on the asset servers.
5. IM Subsystem and Inventory Transaction
   As I wrote back in November, almost every inventory action results in an IM behind the scene, and this is the reason inventory transactions routinely fail. Besides that, the current IM/chat system has a whole lot of issues annoying residents on a daily basis.
   

Yes, I am aware that this is probably not the top 5 requested features, but rather the top 5 requested remedies.

What are your top-5 requested features or bugfixes?