Monday, December 31, 2007

Finger pointing

There seems to be a need among some people to always have an enemy to blame for every little thing. Somewhere down the line we've become a culture of finger pointers, and you can see evidence of it all over the place.

I'm referring, in this instance, to Jira Web 382, which in its original form was quite deliberately worded to be finger-pointing. While I have nothing against backing up a proposal with factual information, finger pointing is always subjective. One persons enemy is another persons friend. To say a group of people you don't like is responsible for something that is somehow sinister and conspiracy-theory isn't a seemly way to conduct yourself in a public forum setting.

Unfortunately the shield the internet provides us all makes that kind of thing much easier. You wouldn't go up to a belligerant drunk who is holding a smashed bottle and shout at him for being wrong about something unless you were prepared for him to take a swing at you, because that's exactly what he'd do - but on the internet it's easy to take vicious swipes at someone just because they disagree with you, and for this reason everyone with even the smallest of grievances can cause an escalation of these grievances to sometimes monumental proportions.

In the case of Jira 382 I've apparently become a hostile tribemember who purely wants to get her own way in everything. I've even been referred to (by inferrence) as a Nazi because I'm taking what I see as a stand for what I see as right. Suddenly there are battle lines being drawn, and I'm taking quite vicious fire from people I don't even know. Aside from reading with some amusement, odd comments on the Linden Blog about how Ann O'Toole keeps commenting a lot, I'd never heard of her, and I've never met her. Yet according to her, I'm a Nazi. According to her and Ciaran Laval I'm part of the "cabal" (Prokofy's term) that is involved with this, despite the fact that I've never actually closed a JIRA issue (other than trying to close this one), which you can see from my JIRA profile.

So we get a situation that's gone from factual to hearsay to bitter contention. People aren't researching before they shout their mouths of. If we were all in the same room, I wonder, would that happen? In my RL job I have had to deal with drunks wielding broken bottles, and let me tell you it isn't a situation you really want to be in. But the confrontation is limited to those who can see what's going on - the whole picture - and still want to risk being hurt if they become involved. Not so these internet confrontations, where anybody can - and does - wade in, often far more viciously than they'd ever dream of doing IRL.

I'm sure they get something out of it. They must do, otherwise they wouldn't do it. But it seems a really sad aspect of the internet, reflected in some ways in Second Life that those who would be sitting quietly at their chairs looking the other way in a confrontation, are at the forefront of finger pointing and shouting from the safety of their keyboards on the internet.

Friday, December 28, 2007

Could this be the most reliable form of age verification yet?

I have some of my best ideas while lying in the bath. This one came about as a result of me thinking that if I wanted to start a “mature” MMORPG, how would I go about age verification in such a way that it was the most secure and policeable ever? I then attacked it with two criteria: How would I implement it, and if I was deliberately setting out to abuse it, how would I do so?

And then it came to me.

What I would do would be to make a deal with a telephone service company that provided specialist premium rate numbers. I’d tie my computer system to theirs in a similar but more extensive way that Ebay and Paypal use. The age verification routine on my website would give the person about to go through the check a unique identifying number. It would also feature prominently the warning “CALLING THE AGE VERIFICATION NUMBER WILL COST $5 PLUS APPLICABLE LONG DISTANCE CALL CHARGES. YOU ARE RESPONSIBLE FOR THIS CHARGE, AND BY CALLING THE NUMBER AND PROCEEDING YOU ACCEPT LIABILITY FOR ALL CHARGES RESULTING FROM THIS CALL.”

Here’s the thing. The number it gave me to call and give my identification number that I’d just been given can ONLY be called from a domestic residential landline. It can’t be called from a mobile, and it can’t be called from a public callbox or a business landline. It can only be called from a domestic landline, which, correct me if I’m wrong requires the owner of the landline to be over the age of consent in their country.

So, I call the number, and I enter my code, and I’m age verified. I haven’t passed ANY identifying information that could be abused to any third party, and by verifying that I called from the number at that address, I do provide a method for legitimate law enforcement to track me down should that ever be necessary.

Now here’s the kick. I know you’re all thinking “How does that prevent my 12 year old calling the number?” Well, the answer is, it doesn’t. BUT, when the parent/owner of the bill gets their monthly telephone bill, ONE call costing at least $5 is going to stick out like a sore thumb. What happens if my 12 year old has done this? Here’s part two of my idea.

Say my underage son/daughter has done this, and I get my bill and find out someone made a call to “ age verification” which cost me $5. I contact my phone company, and ask who the hell this is? They do a check their end, and they say “Well, we can’t refund the money, but there IS an abuse line on their record for people who feel that they’ve been the victim of fraudulent use.” I call that number, and register my telephone number, then I go and ground my kid.

My kid throws an almighty sulk, and decides that while grounded they’ll play the mature game. They go to sign on – and their account has been banned. Raising a query about the number automatically results in an account ban for the misusing account. Furthermore, the telephone number is ALSO banned, so when (s)he goes to open a new account and tries to age verify again, the number won’t connect from that landline. Without it connecting, they can’t verify.

I’m not claiming this is foolproof. I don’t know any system that WOULD be foolproof and implementable across the globe. But as far as I know It’s the best I’ve seen to date… I would welcome feedback on this, and if anyone wants to knock the idea around a little, I think this is a firm foundation for a secure method of age verification that doesn’t require giving away potentially illegal information, it would work worldwide, it wouldn’t require very much in the way of equipment to make it work and I recommend this idea to the population!

Saturday, December 22, 2007

It figures

The latest big thing in gaming for virtual world enthusiasts is bringing your avatar to life in the form of a miniature figure. I didn't realise that a company called "Fabjectory" has already been producing Second Life figures for almost a year, so when the news broke that my other favourite virtual world, World of Warcraft, now also had a company producing miniatures I thought this was completely new.

I have to say, I am surprised that Linden Labs didn't link it from their blog. A quick search on the official Linden Blog confirms that no, I didn't miss it, there never was a link about it.

I have to say, though, you can see where business backers and professionalism tell. The Figureprints site is slick, modelled on the WoW site and the quality of their models is fantastic; as you might expect from a company set up by the former VP of Microsoft Gaming. Figureprints got a whopping ONE MILLION hits in the first week to their website, and are now so popular that they actually have to have monthly draws to decide who gets the figures. The figures are manufactured by a 10,000 line script that actually grabs the exact details of the original avatar from Blizzard's studios and renders it in dull grey. It's then hand painted and finished, lacquered, placed in a glass display dome and shipped out to the lucky recipient. Signs are that the other big boys, including Sony Interactive Entertainment are very interested in Figureprints, and looking to get avatars from their world produced too.

Which begs the question, since Fabjectory have already been around for a while - why aren't they getting all the good press? Chances are it's at least partially down to their presentation. Fabjectory meet your avatar within SL and take pictures and measurements, dimensions and details required to make your avatar from scratch. They save the time in the print process, by having the miniature made from coloured materials, but the end result isn't as pretty and they also charge substantially more if you have a complex avatar. My normal wood elf avatar in Second Life would cost around $99, but my furry complex werehouse avatar would cost quite a bit more because of its complexity and detail. In comparison, Figureprints charge a flat $95.

I can speculate that Figureprints also have a much better, newer, next generation printer than Fabjectory (four of them, in fact, each costing $50,000) and this is also bound to influence the quality of the finished figure. While I'd like to see a Fabjectory model "in the flesh" so to speak, a quick youtube search doesn't turn up any hits, which again would probably decrease their marketing traffic.

By contrast, look at this guys jaw drop when he sees his WoW figure. While I'm already in the draw for a Figureprints WoW figure, I think I'll give Fabjectory a miss...

Wednesday, December 12, 2007

Cory Linden leaving: could this result in a viable rival to Second Life?

With official confirmation that the Chief Technical Officer of Linden Labs, Cory Ondrejka (a.k.a. Cory Linden, the Spaghetti Monster) is leaving the company at the end of the year, this has the potential to have serious repercussions to Second Life.

I can't help but wonder if Cory and Phillip have had a falling out over Age Verification. There have got to be some Lindens who think that going against the wishes of the majority of Residents is a seriously bad idea, and when Cory joined the fledgling team (he was the fourth ever employee to join Linden Labs) back in 2000, the emphasis was on a company that interacted with its userbase, something that has lessened increasingly in the past year, first of all with Lindens being able to make their online status hidden, then with contact directly with Lindens being removed via the live help vanishing, and now with them being unwilling to listen to their userbase over age verification.

Which begs the question, since Cory did a LOT of the coding for SL (he also wrote the LSL) - what will he do now, and is it likely he will join a company, or even found one himself, that produces a rival to Second Life? Certainly he's got the technical know how to do that, and maybe even develop something better starting again from scratch, because part of the reason he coined the term Spaghetti Monster was that the coding for SL was becoming so twisted and difficult to follow that a bug wasn't easy to find and eliminate purely because the code of the monster was no longer simple and neat.

I've said all along that in my opinion, Age Verification when it's made mandatory could conceivably destroy Second Life. Cory, who has always been an advocate of the Open Sourcing of Second Life, may already be planning to make his own version of it, and if he does AND leaves out Age Verification... well, a few years down the road it might be HIM that's the CEO of the successful company, him doing the hiring and firing while the memory of Linden Labs is consigned to computing history and an article on Wikipedia.

Watch out for Cory Ondrejka. He might be leaving Linden Labs, but I really doubt very strongly that this is the last Second Life residents will here of him.

GOOD LUCK WITH THE FUTURE, CORY!

Monday, December 10, 2007

Robin Linden confirms today, what Daniel Linden said a while back.

Taken from today's post, written by Robin Linden:

Voluntary Status
As currently implemented, age verification and parcel flagging to create adults-only restricted areas rely completely on voluntary participation. However, there is no assurance that either feature will always be voluntary for all Second Life Residents. It’s possible, for example, that we could be required at some point to make one of these features mandatory for the citizens of a specific country. Should that happen, we will do everything we can to provide maximum advance warning.


This echoes Daniel Linden's position from way back, that they'd make Age Verification mandatory across the board if they felt self-regulation had failed.

From Aristotle/Integrities point of view, this is an absolute goldmine. They collect a huge amount of new information, then if at some point LL goes bust they're free to do whatever they want because of the clause in the ToS that says in the event of LL's bankruptcy, there will be no liability for misuse of any data collected during SL's existence.

I may be a little paranoid, but I can actually picture Aristotle being poised to make a grab for ALL the data for a sum of money, in the event Linden Labs goes into receivership. From their point of view, it's a win-win situation.

Hat tip also to Nika Talaj, who points out:

May 2007:“[10:12] Daniel Linden: it’s vaulted to provided a government-required audit trail for two years, but neither Linden or Integrity can access that data unless an audit is initiated.”

Which is essentially my beef with them about the PATRIOT act. They HAVE to store this data. Just dumping it is against the law. You can't claim that just because it's 'sealed in a vault' it doesn't exist. Either it's being retained or it's not, and by the PATRIOT act's requirements it has got to be retained, for two years. Vaults can be cracked. A lot can happen in two years. We've been lied to a LOT by Linden Labs over this. Our details will be retained for two years, as is the law where Linden Labs is.

Sorry, but no. This won't work voluntarily, at which point they'll make it mandatory. Then push will come to shove, and those who are serious in their threat to leave - myself included - will do so. At that point, either LL will survive, or it will fold. If it folds, I'm betting Aristotle will get all the data that's ever been held by Linden Labs in whatever form, and hold a bidding party over who gets it first.

This isn't the way to treat your customers, Linden Labs.

Saturday, December 8, 2007

Here it is - confirmation that Age Verifcation WILL be mandatory

"In the event we encounter abuses of self-regulation, Second Life may have to require age-verification throughout the world."


Thus saith Daniel Linden. And it's the first clue that Age Verification WILL become mandatory. HAVE to require, not keep optional. Just like when Linden Labs first said "We are considering a method of Age Verification using a third party" they didn't mean 'we are considering', they meant 'we are going to do this'.

Age Verification argument rages on

There seems to be three camps developing among residents with reference to age verification.

The first want it, have done it (or not, depending on whether Integrity actually has their information) and are annoyed at everyone else who doesn't want it.

The second is those who are generally okay with it. These are normally non-US residents whose only reservation is whether or not they are breaking the privacy laws in their own countries. More often than not, the age verification process fails for them anyway, but they're willing to try it.

The third camp is the one that I - and the vast majority of Residents - are in. That is, we don't want it, we won't use it, we won't flag our land and we'll inform relevant authorities where we see breaches of the law. In my case, since I live in Canada, I don't break the law if I voluntarily give my Social Insurance Number (SIN) to Linden Labs or Integrity, BUT, if I choose not to, Linden Labs DO break the law in Canada the moment that they deny me access to something on the grounds I haven't given my SIN number to them.

A pattern is beginning to emerge about Integrity's database. A number of people have failed to verify with their current data, but have managed to verify with data several years out of date. This indicates that Integrity are gathering public records to add to their database, but these records are often out of date. In the UK, for example, they buy data from the credit check company Equifax (which performs credit checks on consumers) however, Equifax only have data about those who have applied for credit in one form or another, or who have home facilities. Take my 42 year old brother, a sad individual who still lives with his parents. He's never applied for a credit card, hasn't bothered to tell the Driver and Vehicle Licensing Agency the last three or four times he's moved house, doesn't bother with bank accounts (he lives off welfare, cashing his cheque every two weeks at a post office who know him and never bother to ask for ID) - He wouldn't be on Equifax's database. He holds a driving license and passport, but has never had the internet at home. He is on the electoral roll, but the list that is not available to the general public (only available to government bodies).

As a test, I asked him to try age verification. Surprise surprise, it failed, despite the fact that the data he provided was correct. However, what was most interesting was he provided state information (passport number and driving license) - which would NOT normally be available to anyone but the UK government. It wasn't in Integrity's database. Which leads me to have serious doubts that their claims their data is taken from governments worldwide is genuine.

To me, Integrity has always seemed like a data mining company, that gets its profits by acquiring tiny pieces of the huge jigsaw that is a persons life, putting those pieces together and selling the completed picture for far more than the individual pieces cost. By age verifying, what a person actually does is to alert Integrity to their existence. Nobody has been able to find a privacy policy for Integrity, but my guess is that it's something like the policy for facebook; by providing them with ANY information, you expressly authorise them to collect any and all information they can about you, including but not limited to, credit card data, bank data, address data, religion, voting preference, membership of clubs etc etc. In other words, anyone trying to age verify with Linden Labs systems, whether they pass or fail, is actually authorising Integrity to start data mining on them. Again, this IS only my guess, but until someone can find a privacy policy I'm standing by this opinion, bearing in mind the discovery that it was indeed the case for Facebook.

And this is what makes it dangerous. Particularly the section in Linden Labs own terms of service, that states in the event of bankruptcy, Linden Labs can no longer be held responsible for anything done with ANY data collected by the Second Life system. Linden Labs remains completely silent on the questions being thrown at them by residents along the lines of "What guarantee do WE have that your third party company (Integrity) won't misuse or sell our information." And the answer to that is simple. None at all.

Looking at it from a legal point of view, a resident makes a contract with Linden Labs when they sign up, for the provision of a service called "Second Life" in return for complying honestly with their terms of service (it's far more complicated than this, of course, but this is what it boils down to in its simplest form) - This means that the resident, as a consumer, and Linden Labs, as a service provider, can hold one another liable in the event that one breaks the conditions. As it's part of the terms of service that users of the adult grid are over 18, anyone who isn't and uses the service is in breach from the moment they log in for the first time. Bringing a third party into it, however, muddies the waters.

Since a resident has not agreed to anything with this third party, there is no contract, and nothing to regulate the residents behaviour toward the third party or the third parties use of any collected residents data. Effectively what this means is a resident is perfectly at liberty to be totally dishonest with the third party, because there's no agreement to stick to, but it also means the third party is equally at liberty to do whatever the hell it wants with whatever data it does get provided. No agreement, no contract, no protection.

Some Residents will sign up to age verification right away (and indeed, some already have). Some will be willing to sign up when the database is more complete and they're likely to be on it. Most will refuse point blank to give this data. When push comes to shove, and it becomes mandatory, Linden Labs will risk their existence as a corporate entity on getting enough people to use the system. Ultimately, if enough rebel and leave, the costs of running Second Life will rapidly overtake the revenue - at which point, bye bye Linden Labs.

In closing, try this for a bit of fun. I created a facebook based on my best friend from school's details, except in the facebook account she lives in Canada, has a much more glamorous job, is a member of a number of respectable organisations and is most definately over 18. I created this facebook account when Age Verification was first being discussed for Second Life, so it's a over six months old now. Using a fictitious Ontario driving license number and a fictitious passport number, both authentic in the layout of their numbers and special characters, I tried to take her through Age Verification, using the same details with Integrity as I had put on her Facebook profile - and passed, proving that one of Integrity's sources is indeed facebook. The only problem with this is - she doesn't actually exist as a Canadian citizen, and her birthdate as given in her facebook account is one day wrong from her actual birthdate. Also, her address is the middle of a cemetery, but the postcode and street number do exist.

She's now verified. The thing is, she doesn't actually exist (with the details I provided to Integrity) so she should not have passed the age verification. I'm betting somewhere there's a very puzzled computer failing miserably to put together the missing pieces on her. This just shows how much of a sham Integrity's system is, and in my mind vilifies my position: I'm not using this system, ever, and if it gets made mandatory, I'll say goodbye to Second Life.

Wednesday, December 5, 2007

Another nail in the coffin

The storm has once again broken out on the official Linden Blog with the announcement that age verification will be introduced with viewer version 1.18. Predictably, Linden Labs have released this well before it's ready (as usual) and there are a mass of problems with it, even if you don't count the fact that the actual age verification system doesn't work.

Firstly they've bought a registered digital certificate with their entire domain in it, which isn't accepted by most modern browsers. Firefox in particular refuses to take "secondlife.com" as valid when it's visiting a site where some of the features in a page are secure and some are not. The result of this is that Firefox displays a warning that the certificate may not be genuine, because some of the content comes from http: and some comes from https: - users aren't told by the browser what the difficulty is, only that the certificate is not fully valid to cover the page that is being loaded, but this is the page that they are being asked to put their personally identifiable information on - not a good sign.

Secondly, it's illegal in some countries to provide this information, and this means that even if someone does so it can't legally be verified. Aristotle/Integrity will add it to their database, but they have no means of verifying it. Although they claim to have data from all over the world, I do seriously have doubts about the legality of verifying such data.

Thirdly, 90% of Second Life users DO NOT WANT THIS. Some - myself included - won't be able to verify anyway, due to things like only just having emigrated from one country to another. When I came to Canada, I gave my UK license to the Ontario ministry of transportation, who then issued me with a driving license number in Ontario - but if you cross reference my driving license with any other database, you won't find a match, because as of yet I still don't have a Canadian passport. So you can't check my Canadian driving license against my UK passport because they don't share that information, and you can't verify my UK license against my UK passport because my UK license has been canceled due to having an Ontario license instead. So even if I wanted to do this, I'd fail the procedure, and several people have already responded to the Linden Blog posting with tales of woe about using genuine details and being declined.

This will kill Second Life off. It's going to be the final nail in the coffin. As sim owners are threatened with banning for not marking their entire sims as "adult" just because one vendor, somewhere on their sim, sells a prim-penis or cage, so the revenue from these land owners will die. As organizations like CARP can't raise their tier because half their members no longer play owing to either being against age verification altogether, or unable to verify - so those sims will also vanish because their owners can't afford to pay tier. Newcomers to Second Life will be asked to age verify immediately or threatened that they can't see some content, and either they'll refuse to verify and not sign up, or they'll fail verification and not sign up, so the new revenue stream will dry up.

Seriously, Linden Labs, you could achieve a much better method of disclaiming responsibility for underage misuse of the grid if you made everyone type a declaration manually into a textbox. Something along the lines of "I hereby certify that I am the account holder, over the legal age of consent in my country, and absolve Linden Labs and all their employees and representatives of responsibility for any actions that I may engage in when linked to this service." Granted you couldn't sign it, but if anyone accused Linden Labs of letting underage users in, what's the difference between someone typing that sentence into a box and someone providing details when you can't see that person? How does a child with their parents driving license and a child entering this paragraph differ?

Age verification cannot work over the internet. Not with the current technology. Maybe in years to come when everybodies details are on computer, and you can verify yourself by fingerprint, retina scan or facial scan, then there would be a foolproof way of making sure that an internet user was who they say they are, but that time isn't yet, and probably won't be for at least a decade. Even then it will be America, Canada, the UK and other such countries that will get it first, with other countries lagging behind by many years if not decades.

In the meantime, Linden Labs just banged another huge nail into the coffin that Second Life is destined to be buried in.

UPDATE: Take a look at this site, published by the Government of Canada - it proves that what Linden Labs is asking for is NOT something the Canadian Government agrees with:

The Personal Information Protection and Electronic Documents Act (PIPEDA) sets out ground rules for how private sector organizations may collect, use or disclose personal information in the course of commercial activities.

Since January 1, 2001, the Act applied to personal information about customers or employees that is collected, used or disclosed by the federally-regulated sector in the course of commercial activities. It also applies to information that is sold across provincial and territorial boundaries. As of January 1, 2004, the Act covers the collection, use and disclosure of personal information in the course of any commercial activity within a province, including provincially-regulated organizations, except in provinces that have enacted legislation that is deemed to be substantially similar to the federal law.

Under the new law, organizations like banks, telecommunications companies and airlines cannot require you to consent to the collection, use or disclosure of your personal information unless it is required for a specific and legitimate purpose.

This means that unless an organization can demonstrate that your SIN is required by law, or that no alternative identifier would suffice to complete the transaction, you cannot be denied a product or service on the grounds of your refusal to provide your SIN.

In other words, if Linden Labs refuse me access to a SIM on the grounds I won't provide my Social Insurance Number to them, they are committing an offense by Canadian law. And why is it so important?

Computer technology makes it possible to use the SIN to find and match your information from one database to another; without your knowledge, a detailed profile could be drawn about you. This amounts to "data surveillance" or monitoring of your daily life, which can pose a serious threat to our privacy and autonomy.


I don't see why other countries wouldn't have similar legislature.