Privacy Research Papers

Second Life: Privacy in Virtual Worlds

Janet Lo
Law student, University of Ottawa

Commissioned by the Office of the Privacy Commissioner of Canada

April 2008

Disclaimer: The opinions expressed in this report are those of the author(s) and do not necessarily reflect those of the Office of the Privacy Commissioner of Canada.


Table of Contents

Introduction

Part I: What is Second Life?

Privacy of persons who register with Second Life

Avatar privacy: privacy of Second Life residents

Business data practices on Second Life

Conclusion: Future Work


Introduction

Second Life is one of several popular massive multi-player online games. Due to its complex virtual economy and its integration with the real world economy, Second Life draws a diverse demographic of technologically-forward and entrepreneurial individuals who are not simply living in Second Life for the “game”. To its residents, Second Life is a virtual world where residents build a virtual life by using the platform to expand their current interests, strengthen existing real life relationships and explore real world venues. For some residents, Second Life is an opportunity to explore new interests, meet new people and experiment with new identities that they would not feel comfortable trying in real life.

But with virtual worlds come virtual problems. David Canton, a business lawyer in Canada, warns that virtual worlds will lead to more real world lawsuits and controversy, focusing on how real world laws apply to the virtual world. As people invest real time and money into virtual worlds, rights to virtual property will be no less important to many in the virtual world than in the real world.1

This report will examine privacy in virtual worlds, focusing on Second Life. Part I will describe Linden Lab, Second Life and activities that Second Life residents pursue in-world. Part II discusses the privacy of Canadians who register with Second Life, examining Linden Lab’s Terms of Service and Privacy Policy. Part III suggests that avatars have privacy rights and examines how residents can protect their privacy in-world. As well, I examine how easily avatars can be traced to the identity of the person controlling the avatar and the potential for in-world surveillance. Finally, Part IV briefly discusses business data practices within Second Life.

Part I: What is Second Life?

A massively multiplayer online game (MMOG) is a video game “which is capable of supporting hundreds or thousands of players simultaneously”.2 They are played on the internet, though not necessarily through a computer, as many new game consoles can now access the internet. MMOGs enable players to cooperate and compete with each other on a large scale and sometimes allow players to interact meaningfully with many people around the world, thus increasing in popularity on a global scale. There are a number of popular MMOGs, such as World of Warcraft and Habbo Hotel.3 Most MMOGs require players to invest large amounts of time into the game and often charge monthly subscription fees. MMOGs typically follow similar models of operation and control by a central entity that monitors and maintains the virtual world through a contractual relationship with the players in the End User License Agreement (EULA) or Terms of Service that are accepted by the player’s installation of relevant software or by the player logging on to the game’s website.4 The EULA and Terms of Service will also often specify that the digital world operators own all content in the world, including any content that is generated by a player, thus denying the player the right to ownership or profit from content created within the world.

Second Life is one example of an MMOG, though it has a unique operational approach. Second Life is not a “game”.5 Second Life is “an online, 3D virtual world imagined by its Residents”.6 Upon registration of a Second Life account and downloading of the Second Life client program, users can create an avatar to explore the Second Life virtual world. Avatars are referred to as “residents” as they are part of the Second Life community. I will use both terms interchangeably throughout this report.

Whereas most MMOGs control and maintain their world centrally, Second Life merely acts as a platform on which residents can interact with other residents. Second Life also embraces strong economic and legal connections to the real world in order to maximize the quality and quantity of user-created content.7 To this end, Second Life recognizes residents’ intellectual property rights in their creations and allows residents to generate real-world income, thus encouraging residents to create and innovate. This is a significant difference from other MMOGs, as Second Life residents are free to design and customize their own in-world experience as they are not constrained by plot and content delivered by the world’s developers.

Linden Lab: the corporation behind Second Life

“It’s our mission to connect us all to an online world that advances the human condition.” - Linden Lab8

Linden Lab was founded in 1999 by Philip Rosedale to “create a revolutionary new form of shared experience, where individuals jointly inhabit a 3D landscape and build the world around them.”9 Linden Lab is funded by a group of notable investors, including Mitch Kapor, Catamount Ventures, Benchmark Capital, Ray Ozzie, Omidyar Network, Globespan Capital Partners, and Bezos Expeditions. Linden Lab has a network of offices with over 200 employees worldwide. Originally located in San Francisco, California, Linden Lab now has a main campus in San Francisco, additional nodes in Mountain View, Seattle and Boston and is expanding operations into Europe and Asia.

Linden Lab released Second Life for beta testing in 2002. Second Life runs on an expanding grid of computers, as CPU, memory and bandwidth resources need to be limited and allocated to residents in a predictable and equitable manner.10 Second Life residents use an open-ended building and scripting tool, often stressing the client rendering and server simulation.11 Users often experience “lag”, where the client’s frame rate drops or updates from the server are delayed or blocked.12 This lag is even more noticeable when users explore popular and crowded areas of Second Life.

According to the Terms of Service, Linden Lab considers itself to be a service provider, meaning that Linden Lab does not control various aspects of the service:

1.2. Linden Lab generally does not regulate the content of communications between users or users’ interactions with the Service. As a result, Linden Lab has very limited control, if any, over the quality, safety, morality, legality, truthfulness or accuracy of various aspects of the Service.13

Who is using Second Life?

Who are the residents?

In December 2005, Second Life celebrated 100,000 residents. Since then, Second Life has experienced an extraordinary growth rate, announcing one million residents in October 2006. In July 2007, Second Life had 8 million residents, and at any given moment, as many as 48,000 residents would be on the grid concurrently.14 As of March 31, 2008, Second Life has a total of 13,075,885 residents.15 Estimates suggest that there are 10,000 new registrations per day.16

According to the most recent Second Life Key Metrics Report in January 2008, Canada is the 9th most active country on Second Life with 17,307 active avatars in January 2008, representing 3.18% of active avatars on Second Life.17 “Active” avatars are not defined in the Report, but the context suggests that these are avatars that logged in at least once during the month of January 2008. Therefore, this count does not include all Canadians who have registered an account with Second Life. These active Canadian avatars spent 992,136.37 total hours on Second Life in January 2008, representing 3.53% of the total hours spent on Second Life in that month.

More generally, age bands of Second Life users are as follows: 0.96% of users are teen (13-17 years old); 24.50% of users are 18-24 years old; 35.43% of users are 25-34 years old; 23.35% of users are 35-44 years old; 15.25% of users are 45 years or older; and 0.51% of users are in an unknown age band.18 The January 2008 report also indicates that 59.02% of users in Second Life are male and 40.98% of users are female. One report suggests that on average, users spend over 30 hours per week on Second Life.19

According to the Daedalus project, the average age of players of massive multi-player online role playing games in general is 26 years old, 50% of users have a full-time job, 36% are married, and 22% have children. The demographic of MMORPG players is diverse, and the data suggests that 80% of MMORPG players play with somebody they know in real life (such as a romantic partner, family member or friend) on a regular basis, suggesting that virtual worlds are highly social, where existing relationships are reinforced.20

What do users do on Second Life?

There are an infinite number of activities that Second Life residents can pursue while exploring in-world. Below, I discuss economic, social, and illegal activities that residents can participate in.

The Second Life economy

A significant component of Second Life is its economy. Economic units may be bought and sold for real currency on the LindeX exchange, which is the official Linden dollar exchange of the Second Life world, or on other unaffiliated third party exchange sites. As of March 31, 2008, 265 Linden dollars (L$) were trading for 1 US dollar (US$).21 The total L$ supply was 4,723,552,096 L$. In January 2008 alone, $8,231,372 US$ was exchanged on LindeX. Media sources suggest that users conduct transactions that cumulatively involve more than $1 million US$ each day.22

Some Second Life residents actively try to generate real-world profits, using their profits to augment or replace their real-world jobs.23 Second Life is an “entrepreneur’s dream,” as there are no taxes, minimal regulation, no marginal cost of production, and subsidies to encourage innovation.24 A small percentage of residents derive net incomes from the economy that range from a few hundred to several thousand US$ per month.25 Some examples of in-world business occupations include party and wedding planner, pet manufacturer, tattooist, nightclub owner, fashion designer, custom avatar designer, architect, XML coder, freelance scripter, tour guide, dancer, musician, theme park developer, advertiser, magazine publisher, real estate speculator, private investigator, landscaper, publicist, gunsmith, and hug maker.26

Residents can purchase land, build property on their land, and create objects and actions for their avatar. Linden Lab creates new land to keep up with the demand, and now has 65,000 acres and is still growing. Users can purchase land to develop their own piece of the Second Life world for $9.95/mo and a “Land Use Fee” proportional to the amount of land they own.27

Residents retain intellectual property rights in their creations:

3.1. You retain copyright and other intellectual property rights with respect to Content you create in Second Life, to the extent that you have such rights under applicable law. However, you must make certain representations and warranties, and provide certain license rights, forbearances and indemnification, to Linden Lab and to other users of Second Life.28

These IP rights attach to avatar characters, clothing, scripts, textures, objects, and designs created in Second Life. Everything in Second Life is resident-created using flexible building tools known as “prims” which allow the user to change aspects such as lighting and texture. A creator can mark an item “no copy” (user cannot copy), “no mod” (user cannot modify) and “no trans” (user cannot give object to another). In the Second Life marketplace, residents can sell their creations at various venues, and hope to succeed because of their “ingenuity, artistic ability, entrepreneurial acumen, and good reputation of the owners.”29

Second Life bank runs: economic regulation for Second Life banking

Residents set up financial institutions in Second Life, promising high interest rates to residents who deposited money into these institutions. A dozen financial institutions were funded by actual money from Second Life residents. In January 2008, Linden Lab decided to close these institutions and institute new banking rules, triggered by complaints that some of the virtual banks were reneging on promises to pay high returns on customer deposits. Second Life depositors can no longer make withdrawals from in-world ATMs and cannot exchange the L$ they deposited into these banks back into US$. While no estimates have been advanced for the January 2008 bank run, another virtual bank run in August 2007 was estimated to have cost Second Life depositors $750,000 US$.30

As a result, Linden Lab changed its policy in order to protect residents and the integrity of the Linden economy. Now, only real life chartered banks are allowed to set up in-world. This effectively recognizes that financial services offered in virtual societies must be regulated using real world regulations. Benjamin Duranske, a lawyer who runs the Second Life Bar Association, noted, “if there is real money, there is an argument that you must follow real law.”31 The move to regulate in-world banking follows a similar regulatory move by Linden Lab in July 2007 to ban gambling on Second Life, citing conflicting gambling regulations around the world.

Social activities on Second Life

Second Life residents do not need L$ in order to participate in the Second Life community. Second Life residents can explore the dynamic world by teleportation, flying, walking, or driving if they have access to a vehicle. Residents meet with friends on Second Life and communicate using instant messaging. When talking in Second Life, avatars within 25 feet of the conversing avatars can hear the conversation. Avatars can also shout, which carries 100 feet. As well, Second Life features the ability to communicate with voice instead of typing.

Residents can attend live concerts, featuring artists who provide vocal and instrumental music from their homes and studios.32 Residents can also participate in activities hosted by businesses, other residents, or groups on Second Life. Residents can participate in public lectures presented by educational institutions or explore in-world government agencies and businesses.

As well, a number of researchers are on Second Life, observing the evolution of social norms in virtual worlds.

Illegal activities on Second Life

Some residents in Second Life use the virtual world to experiment with activities that they would not normally engage in during their real lives. For example, virtual prostitution and drug use have taken off within Second Life. The Second Life market offers opportunities that are illegal. Linden Lab has dealt with credit card fraud, identity theft, and PayPal chargeback.33 WIRED lists pushgun assaults, retail fraud, cyberterrorism, and mafia racketeering as major crimes that occur in Second Life.34

Residents have also introduced adult content. Sex clubs have popped up in-world. In May of 2007, government and media focused their attention on virtual child pornography on Second Life. One questionable adult activity on Second Life was “age play”, where an avatar (that is controlled by an adult) engages in sexual activity with another avatar that takes on a child-like appearance (and is also controlled by another adult). Linden Lab reportedly cooperated with government authorities’ investigations into allegations of child pornography.35 As a result, Linden Lab established a policy disallowing “age play”, making participation in lewd or sexual acts in which one or more of the avatars represents minors a violation of Community Standards.36 “Age and identity verification” was introduced in Second Life, requiring residents to provide one-time proof of identity if the resident chooses to access areas designated to be “Mature.” Linden Lab also created Teen Second Life for minors under the age of 18. Access by adults to Teen Second Life is prohibited, and minors are not allowed into the rest of Second Life.37

American intelligence officials have cautioned that virtual worlds might open novel ways for terrorists and criminals to move money, organize, and conduct corporate espionage because of the anonymity avatars offer.38 Intelligence communities have set up a presence on Second Life, stating concerns that virtual worlds may be an opportunity for religious or political extremists to recruit, rehearse, transfer money, and ultimately engage in information warfare to mimic real life terrorism. In testimony before the United States Congress, Linden Lab Chief Executive Officer Philip Rosedale stated that Linden Lab has not seen any evidence of these activities in Second Life.39

However, there have been numerous instances of fraud, harassment, or other virtual crimes, including using avatars to destroy virtual buildings.40 In the same testimony before Congress, Rosedale described “griefing”, an antisocial phenomenon in which avatars take enjoyment from deliberately spoiling other users’ experiences. Common tactics include denial of service attacks, where malicious hackers overload a Second Life sim’s capacity to shut it down, and defacement of virtual property or events with racial slurs or pornographic images.41

Linden Lab has adapted the grid to respond to problematic situations as they have arisen. For example, Linden Lab banned gambling on Second Life in the summer of 2007, citing too many jurisdictional issues with online gambling. As well, Linden Lab recently required banks to produce a real world charter prior to setting up virtual banks in Second Life as a result of bank runs that cost Second Life depositors hundreds of thousands of dollars. Linden Lab responded to age-play concerns by introducing Teen Second Life and an age and identity verification system and has asked the FBI to investigate griefing in Second Life.

Real world institutions on Second Life

Real world institutions such as government organizations, businesses, educational institutions, and not-for-profit organizations are increasingly active on Second Life, using the grid to promote their real world brand, products, services and activities.42

There are a growing number of government organizations setting up on Second Life. For example, the Department of Homeland Security set up Response island in 2005 to explore the utility of virtual worlds for national defence.43 The CIA has created a few virtual islands for internal use, such as training and unclassified meetings.44 Maldives was the first nation to establish a virtual embassy in Second Life. Several countries have now set up diplomatic representation in Second Life, such as Estonia and Sweden.45

Businesses can engage in virtual commerce on Second Life. Some argue that revenue isn’t what draws the corporate crowd to Second Life.46 Second Life reaches a young, technologically-forward demographic in a unique environment. Joshua Fairfield, an Indiana University law professor, suggests that “people’s attachment to places and objects in virtual worlds can transfer to purchases in the real world.”47 Second Life requires businesses to translate their brand in a way that works on the grid. For example, Reuters assigned a full-time employee to cover in-world news, providing coverage to Second Life residents for free.48

Businesses are increasingly using in-world advertisements. Billboards are placed throughout Second Life, streaming audio/video advertisements to residents exploring in-world. AMPP Media made a deal with Linden Lab, allowing it to place digital billboards within Second Life that would serve contextual advertisements based on keywords in public conversations in that area. As well, ads could be served to residents based on their “interest profile” which includes the avatar’s user information (name and age of account), information on where the avatar spends time in Second Life, and what clothing or attachments are on the avatar.49

Global businesses can host virtual events, inviting the avatars of their real customers, clients, and senior employees. As well, businesses are using the virtual world to recruit and interview prospective employees for real world employment.50

Second Life also hosts a number of educational, scientific, not-for-profit and cultural groups. Susan Tenby, senior manager of community development for TechSoup, an organization that provides technology services for non-profit organizations, suggested in testimony before Congress that Second Life has rapidly emerged as the leading virtual world for non-profit organizations. For example, a humanitarian aid worker returning from Sudan described the plight of Sudanese refugees to an international audience through Second Life. Fundraising galas and silent auctions are hosted in Second Life for various causes, such as cancer research.51

There are a number of Canadian organizations that have established a presence in Second Life. For example, the Université Laval has a Second Life campus for the school’s communication faculty that offers tours to Second Life residents. Sam Shaw, the President and CEO of the Northern Alberta Institute of Technology, uses Second Life for meetings, teaching classes and student recruitment.52 In March of 2008, Davis LLP was the first Canadian law firm to open an office in Second Life, using the office to build rapport and credibility with video-game business clientele.53

Privacy of persons who register with Second Life

Second Life’s Privacy Framework

Second Life’s privacy framework consists of the Terms of Service and Privacy Policy. The Second Life Terms of Service requires users to agree to the Terms of Service. If the user declines the agreement, the user is prohibited from accessing or using Second Life.54 The Terms of Service reference the Privacy Policy.

Jurisdiction: Does Canadian law apply to Second Life?

The Terms of Service agreement states that the relationship between the user and Linden Lab shall be governed in all respects by the laws of the State of California “without regard to conflict of law principles or the United Nations Convention on the International Sale of Goods.”55 To this end, the user agrees to resolve “any claim or controversy at law or in equity that arises from or relates to [the] Agreement or Service.”56 As well, the user agrees to “submit to the exclusive jurisdiction and venue of the courts” located in the City and County of San Francisco, but “notwithstanding this”, the user agrees that Linden Lab be allowed to apply for injunctive or other equitable relief in any court of competent jurisdiction.57

For claims where the total amount of the award sought is less than $10,000 US, the party requesting relief may elect to resolve the claim by binding non-appearance-based arbitration through an established alternative dispute resolution (ADR) provider mutually agreed upon by the parties. Arbitration would be conducted via telephone, online or through written submissions and any judgment on the award rendered by the arbitrator may be entered into any court of competent jurisdiction.58

The majority of Linden Lab’s computing takes place in the United States, thus US data protection law applies to personal information stored by Linden Lab. The Terms of Service explicitly state that resident data is subject only to US law. Clearly, Linden Lab attempts to limit its extraterritorial liability through the Terms of Service.

Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) applies “to every organization in respect of personal information that the organization collects, uses or discloses in the course of commercial activities.”59 In Lawson v. Accusearch, the Federal Court determined that PIPEDA gives the Privacy Commissioner of Canada jurisdiction to investigate complaints relating to the transborder flow of personal information.60

Linden Lab, by operating Second Life, is conducting a commercial activity. Linden Lab collects personal information of Second Life account holders and uses this personal information for the purpose of operating Second Life. Canadians have registered accounts on Second Life. PIPEDA grants the Privacy Commissioner of Canada jurisdiction to investigate foreign organizations in their dealings with the personal information of Canadians, thus PIPEDA applies to Second Life and Linden Lab.

Given that PIPEDA applies, how do Linden Lab’s Terms of Service and Privacy Policy measure up to the Schedule 1 “Model Code” Principles? How does what we know about Linden Lab and Second Life operations compare to PIPEDA?

Application of PIPEDA Schedule 1 principles

Principle 4.1: Accountability

In the Terms of Service and Privacy Policy, Linden Lab provides contact information for their legal department in the form of email and mailing addresses.61

Principle 4.2: Identifying purposes

In the Privacy Policy, Linden Lab states that they “collect personal information and usage statistics to maintain a high-quality customer experience and deliver superior customer service.”62 Similarly, the Terms of Service state that “Linden Lab uses your personal information to operate and improve Second Life” for internal purposes only. As well, Linden Lab uses the information to learn what the user likes.63

Linden Lab defines “personal information” to mean “any information that may be used to identify an individual, including, but not limited to, a first and last name, home or other physical address, an email address, phone number or other contact information, whether at work or at home.”64

Principle 4.3: Consent of individual

By clicking “I agree” to the Terms of Service at the time of registration, the user agrees to the conditions in the Terms of Service. The Privacy Policy states: “your use of the Linden Lab websites and/or any Linden Lab products or services (including without limitation Second Life) ... signifies your assent to this Linden Lab Privacy Policy.”65

When the Linden Lab Privacy Policy is updated to reflect the types of information collected, the means used to collect information, and the usage of collected information, Linden Lab “will make reasonable efforts to alert you as to these changes.” Continued use of Linden Lab websites, products and services (including Second Life) indicates consent to changes in the Privacy Policy.

The Privacy Policy notes that anyone using the Linden Lab or Second Life websites from outside of the United States “should be aware that personal information collected on these websites may be stored and processed in the United States or any other country in which Linden Lab or its affiliates, subsidiaries, or agents maintain facilities, and by using these websites, you consent to any such transfer of information outside of your country.”66

Principle 4.4: Limiting collection of personal information

Linden Lab collects different levels of personal information, depending on the user’s relationship to Linden. Linden Lab collects personal information from seven non-mutually exclusive categories of users: (1) anonymous website visitors; (2) mailing list members; (3) registered website users; (4) Second Life users; (5) service beta users; (6) former customers; and (7) responses to job postings or unsolicited communications.67

Here, I will focus on the collection of personal information from the fourth category of users: Second Life users. I will examine the collection of personal information required at registration in order to use Second Life, the collection of additional personal information required in order to access certain features of Second Life, and the ongoing collection of personal information from residents during their use of Second Life.

Collection of personal information required at registration in order to use Second Life

At registration, users must select their Second Life name. Users are presented with a list of surnames, from which they must choose one.68 Users must input a first name, and the user’s selected full name is checked for availability, as each Second Life resident has a unique name. Once selected, the user cannot change their Second Life name, and this name is also used as their Second Life account log-in.

The user is required to input their birthday, real name (first and last), gender, country, and a valid email address. The user is then asked to click “I agree” to the Terms of Service, which are accessible by hyperlink. The Terms of Service also stipulate that users must establish an account to use Second Life using true and accurate information. Linden Lab even reserves the right to pursue legal action against users who provided inaccurate information at the time of registration.

You must establish an account with Linden Lab (your “Account”) to use the Service, except for those portions of the Websites to which Linden Lab allows access without registration. You agree to provide true, accurate, current and complete information about yourself as prompted by the registration form (“Registration Data”) and maintain and promptly update the Registration Data to keep it true, accurate, current and complete. ... Linden Lab reserves all rights to vigorously pursue legal action against all persons who misrepresent personal information or are otherwise untruthful about their identity, and to suspend or cancel Accounts registered with inaccurate or incomplete information. Notwithstanding the foregoing, you acknowledge that Linden Lab cannot guarantee the accuracy of any information submitted by any user of the Service, nor any identity information about any user.69

Upon completion of registration, Second Life emails the user a link in order to activate their account. Users can then download and install the Second Life client.70

Thus, Linden Lab collects a myriad of personal information from users at the time of registration: first and last name, birthday, gender, country, and email address. Users do not need to pay subscription fees in order to be a resident on Second Life. The Basic account allows users to participate in-world for free.

Collection of additional personal information required in order to access certain features of Second Life

Participating in Second Life’s economy

If the user wishes to participate in Second Life’s economy, additional personal information is required. The Basic account allows residents to participate in Second Life free of charge and thus does not require the collection of financial information. However, users who register a Basic account are offered a L$250 sign-up bonus, which is issued only upon confirmation of a valid credit card and identity information.

Users can upgrade to a Premium account, which allocates a weekly stipend of L$300 per week and a signup bonus of L$1000 to the resident. The Premium account costs $9.95 US per month, $22.50 US per quarter (which works out to $7.50 per month), or $72.00 US per year (which works out to $6.00 per month). In order to sign up for a Premium account, a valid credit card and address must be provided to Linden Lab.

When participating in the Second Life economy, residents can purchase Linden dollars on the LindeX, the official virtual stock exchange of Second Life. Using the LindeX, residents can purchase Linden dollars at the exchange rate for a nominal fee using PayPal, Mastercard and Visa.

There are a number of third-party Linden dollar resellers. Linden Lab does not endorse these third-party resellers and accepts no responsibility for their actions. Linden Lab has developed an Exchange Risk Application Program Interface (API) policy for third-party exchanges.71 Some of these third-party resellers accept PayPal, Mastercard and Visa for their services, but also accept other payment mechanisms, such as iDeal, payment through telephone, and by bank transfer.72 These resellers also collect personal information (specifically, user financial information) in order to provide services to Second Life residents.

Accessing areas designated to be “Mature”

As a result of questions raised concerning child pornography in Second Life in May 2007, Linden Lab created Teen Second Life for minors under the age of 18 (ages 13 to 17). Adults cannot access Teen Second Life and minors are not permitted to enter the rest of Second Life. In addition, Second Life areas are classified as safe or unsafe and mature or PG. PG areas are safe areas, while Mature areas allow nudity, bad language and violence. Unsafe areas allow violence and avatars can die.73 Second Life land owners are required to flag their land as “mature” if it contains adult content, which protects the land owner from displaying adult content to minors who may have entered Second Life.

Only residents wishing to access adult content are required to prove that they are over the age of 18 in real life. The verification system is run by Aristotle, a third party that specializes in age and identity verification. Second Life residents who choose to go through the verification process must pay a nominal fee for the service.74

In order to verify their age and identity, residents need to provide details about their identity: name, date of birth, and address. American residents are asked to provide the last four digits of their Social Security Number. Non-US residents may be required to provide other documents depending on their country of residence, such as a passport, driver’s license, or national ID number. Linden Lab states that it does not store any personal information about the resident as a result of the process, only that the resident’s age and identity have been verified.75

Voluntarily establishing layers of trust by identity verification

Linden Lab states that “trust is the foundation of any community”76 and promotes the identity verification system as providing “an additional layer of trust for in-world businesses and residents.”77 The Identity Verification system aims to give residents the opportunity to verify certain aspects of their identity, establishing trust by removing a layer of anonymity for those they interact with. Personal information provided during the identity verification process is used to cross-check against public records. Linden Lab states that neither Linden Lab nor the third-party verification specialist, Aristotle, stores this data. Aristotle assesses the consistency of the personal information provided and returns a match code and the only information Linden Lab stores is whether there was a match.

Ongoing collection of personal information from residents during their use of Second Life

Beyond the information requested at registration, Linden Lab also gathers information about its users indirectly from website traffic, users’ computer hardware, internet connection, and Second Life usage.78

In the Terms of Service, Linden Lab states that it “may observe and record your interaction with the Service” but does not expand on what they might record.79 It is not clear from the Terms of Service or Privacy Policy whether Linden Lab records what each resident is doing in Second Life, what places the resident visits, who the resident interacts with, or the content of their communications. Linden Lab should be more specific about what resident actions are observed and recorded.

When a user downloads and uses the Second Life software, Linden Lab collects and aggregates a variety of data to monitor system and simulation performance and to verify a user’s unique identity.80 This includes specific and general information about the user’s computer hardware and internet connection, which “are stored together but are not personally identifiable.” This ensures high quality interactions.

While it is not explicit in the Terms of Service or Privacy Policy, one could assume that Linden Lab collects the IP address that its users use to connect to the service. The Privacy Commissioner has determined that an IP address can constitute “personal information” under PIPEDA if it can be associated with an identifiable individual.81 Thus, while Linden Lab may consider an IP address “not personally identifiable,” it may be captured as “personal information” under PIPEDA.

Principle 4.5: Limiting use, disclosure and retention of personal information

The Privacy Policy states that “information about your account is displayed to other users in your Second Life profile” which may be available through automated script calls and application program interfaces. This information includes the user’s account name, account type, the date the account was established, whether or not the user is currently online, user rating information, group and partner information, and whether or not the user has established a payment account or transaction history with Linden Lab.

Linden Lab states that they will not display the user’s actual name, address, credit card or bank account numbers, except with express permission.

Linden Lab claims that they do not disclose personal information provided by its users to third parties without permission, except in certain limited circumstances. Linden Lab stipulates when they may disclose personal information as follows:

…if required to do so by law or in the good faith belief that such action is necessary to: (a) conform to the edicts of the law or comply with legal process served on Linden Lab, this web site or any users of Second Life; (b) protect and defend the rights or property of Linden Lab, Second Life or the users of Second Life; or (c) act in urgent circumstances to protect the personal safety of users of this web site, Second Life or the public.82

In the Terms of Service, Linden Lab lists situations in which it will disclose personal information:

…as reasonably necessary to fulfill your service request, to third-party fulfillment houses, customer support, billing and credit verification services, and the like; to comply with tax and other applicable law; as otherwise expressly permitted in this Agreement or as otherwise authorized by you; to law enforcement or other appropriate third parties in connection with criminal investigations and other investigations of fraud; or as otherwise necessary to protect Linden Lab, its agents and other users of the Service.83

As well, the Terms of Service state that the user authorizes Linden Lab to disclose any information about the user to private entities, law enforcement agencies or government officials in Linden Lab’s sole discretion as it believes “necessary or appropriate to investigate or resolve possible problems or inquiries, or as otherwise required by law.”84

In addition, Linden Lab states that should they ever file for bankruptcy or merge with another company, they may sell the personal information of its users to a third party or share personal information with the company with whom it merges.

Finally, Linden Lab publicly releases metrics on its users by publishing aggregate information about the demographics of Second Life users.85 This does not constitute “personal information” under PIPEDA, but represents the aggregation of personal information collected by Linden Lab.

Principle 4.6: Accuracy of personal information

In the Privacy Policy, Linden Lab states that users will have the ability to update the personal data provided to them during registration by contacting Linden Lab via email. However, it does not appear that Linden Lab allows users to update their personal information that has been collected outside of the registration process.

Principle 4.7: Safeguards

In the Privacy Policy, Linden Lab claims that they comply with applicable laws and industry standards when transferring, receiving and storing consumer data. Access to its users’ personal information is limited to Linden Lab employees who require the information in order to provide products or services to users or to perform their jobs.86 However, the Terms of Service state that Linden Lab does not guarantee the security of any user private transmissions against unauthorized or unlawful interception or access by third parties.87

2006 Linden Lab Data Breach

In September of 2006, Linden Lab announced that they had experienced a data breach, though they did not indicate the extent of the breach or the type of data compromised. In a statement following an investigation of the security breach, Linden Lab stated that they suspected the hacker was after source code and Linden dollars, not customer information.88

Independent reports speculated that the breach affected data associated with every Second Life resident in Linden Lab’s payment database, which would include resident names, addresses, contact information, encrypted passwords, and encrypted payment information.89 One media report suggested that the security breach affected 650,000 accounts.90

When they realized the breach, Linden Lab reset all user passwords, assuming that all passwords were compromised. Linden Lab sent new passwords to the email address provided by users at the time of registration. As well, Linden Lab established a phone line for those who had questions.

In response to the security breach, Linden Lab stated that they were implementing a number of technological and policy changes to prevent a future breach, such as reducing the amount of customer personal information stored and moving the sensitive personal information into a secure back-end “vault”.91 They stated that in this case, raw credit card numbers were never exposed because they were kept in the vault.

Publication of stolen account information from Second Life could lead to embarrassing revelations as to what residents do in the virtual world. As well, the breach could have been very damaging for residents who use Second Life in an entrepreneurial manner to conduct business online. The stolen data had the potential to link Second Life residents with their real life identities.

Principle 4.8: Openness
Principle 4.9: Individual access
Principle 4.10: Challenging compliance

As stated in sections above referring to Principle 4.1 (Identifiable purposes for collection) and 4.6 (Accuracy of personal information), Linden Lab published its legal department’s email address in the Terms of Service and Privacy Policy for questions and comments surrounding privacy. As well, its mailing address in San Francisco is provided.

Avatar privacy: privacy of Second Life residents

The avatar as the extension of a person

Second Life acts as a platform for almost any interest. As a result, residents’ in-world activities will often mirror their everyday activities.92 Second Life residents may feel anonymous in their online activities and virtual worlds, thinking that their actual identity is insulated from public scrutiny, and thus might engage in activities that they would normally avoid in their everyday lives. In doing so, they would take risks they might not otherwise take in real life such as developing parts of their identity they would not feel comfortable exploring in the real world.93

As noted by one journalist, “the avatar is a symbol of the self, representing the user’s deepest wishes, aspirations, virtues and vices.”94 Nick Yee’s Daedalus Project surveyed over 35,000 players of massive multi-player online role-playing games and discusses the psychology behind MMORPGs. Yee suggests that for some, the avatar becomes a purposeful projection or idealization of their own identity, while for others, the avatar is an experiment with new identities.95

Second Life and virtual worlds are communities in which users can engage in various activities and communications over an extensive period of time through avatars. As noted earlier, users spend substantial periods of time in virtual worlds.96 Residents can accumulate wealth, power, and reputation throughout the virtual community by investing their personal time and money in their avatar. Users can grow attached to their virtual personas and see their avatar as a reflection of their physical selves.97 When devoting hours to interaction in virtual worlds, users develop new extensions of themselves to explore and broaden their individual identity. Tal Z. Zarsky suggests that for some players, their online avatar proves to be more central and essential than their physical avatar.98

Jonathan W. Penney reviews “New Virtualism”, a new body of scholarship that explores the legal and technological implication of cyberspace and virtual worlds as places distinct from real space.99 Penney suggests that the virtual person is an important extension of our own privacy and identity with implications for intimacy and dignity. When an individual assumes an online identity or persona, they are still a rational agent who retains a continuing memory and consciousness of life in real space and their activities in cyberspace. Through virtual worlds, the user creates a fully three-dimensional avatar with a radically new virtual bodily and personal identity through which they can live, work, and play. The avatar is a culmination of data and information, combining data provided by the person to define and shape the avatar and information relating to past and present activities of the avatar. People often become involved in virtual worlds because they offer different communities to inhabit, learn, and grow, offering a sense of belonging.100

Linden Lab on in-world privacy

Linden Lab does not directly reference in-world privacy concerns in the Terms of Service or its Privacy Policy, except to say:

… [users] may choose to disclose personal information in our online forums, via [a user’s] Second Life profile, directly to other users in chat or otherwise while using the Second Life service. Please be aware that such information is public information and you should not expect privacy or confidentiality in these settings.101

The Terms of Service require Second Life users to abide by certain rules of conduct. For example, users must not impersonate any person or entity without their consent or take any action that is “invasive of another’s privacy”, “stalk” or harass another user.102 The Terms of Service also require Second Life users to abide by Linden Lab’s Community Standards, which are hyperlinked from the Terms of Service.103 The Community Standards set out the “big six” behavioural guidelines for in-world activities: intolerance, harassment, assault, disclosure, indecency, and disturbing the peace. “Disclosure” states:

Residents are entitled to a reasonable level of privacy with regard to their Second Life experience. Sharing personal information about a fellow Resident – including gender, religion, age, marital status, race, sexual preference, and real-world location beyond what is provided by the Resident in the First Life page of their Resident profile is a violation of that Resident’s privacy. Remotely monitoring conversations, posting conversation logs, or sharing conversation logs without consent are all prohibited in Second Life and on the Second Life Forums.104

The Second Life Support Portal lists suggestions to allow users to maximize their privacy while in-world.105 For example, Second Life residents can choose to appear offline when another resident searches for them or hide their online status and location from other residents who add them as friends. If residents own virtual land, they can use tools to block access by other residents and avoid casual scrutiny. Private islands can be configured for “geographical privacy” so that residents cannot determine where a particular resident lives. As well, residents can own “skyboxes”, private residences in the clouds that hover at a level where normal users cannot find them. However, residents do not have the option to hide their activities from the scrutiny of any resident with developer-level access to the virtual world.106

Privacy in the Second Life community

Second Life residents maintain profiles that can be viewed by other in-world residents. Residents can choose to include information about their “First Life” in their profile.

When exploring in-world, the name of the Second Life resident is prominently displayed above the avatar to all other avatars in the same area.107 Users cannot change their Second Life account name. EPIC notes that inhabitants of virtual worlds may want to maintain separate identities and choose the identity they use based on the context of their interaction with the environment but Second Life does not currently allow this.108 As the virtual world has uses for work, social, and home lives, people are more likely to adopt multiple virtual personas, but Linden Lab’s policies do not allow multiple personas.109

One blog notes that there is no such thing as complete privacy in Second Life.110 To help protect avatar privacy, users have created privacy tools in Second Life. For example, at Mystical Cookie’s Shop, residents can purchase a “Mystitool”, which gives the resident the ability to know who is within 96 m of their avatar, how far away they are, and if other avatars are approaching. As well, residents can purchase private changing rooms. On the other hand, some users have created tools that can be used to invade an avatar’s privacy. For example, residents can find user-created scripts that enable them to listen into conversations between other residents.

No anonymity: connecting the avatar to the person behind the avatar

A user’s Second Life account name is the same as the name of their in-world avatar. As a user’s account has the same name as their in-world representation, the user’s personal information is directly associated with their in-world identity. Linden Lab’s policy requiring accurate personal information upon registration prevents users from safeguarding their real-life privacy and identity.111

As discussed above, there has been one known instance of a security breach of Linden Lab data. It is unclear whether the breached data was stored in a manner that associated the personal information with account names. Regardless, the breached data could embarrass users if it were to be published and information about avatar activities were traceable to the person behind the avatar.

A myriad of information is available to Linden Lab, such as information regarding the extent of play, the time and the location from which the user connects to the game, and the times of day the resident engages in play. As well, every specific move a user makes or word spoken in the virtual world can be logged, including facial and body gestures. The activities of the resident in Second Life could also be logged, such as what parts of the virtual world the resident visits, the products and services the resident purchases, exchanges, and consumes, and the identities of other avatars the resident chooses to interact with. The scope of information collected amounts to avatar profiling over an extended online experience, as the collection of data spans a prolonged period of time and includes several forms of social interactions.112 It is arguable that this data classifies as “personal information” under Canadian privacy legislation.

Tal Z. Zarsky calls this data “player data,” which has a specific set of privacy concerns that are different from those surfacing in the general “online world”, such as personal information that is directly linked to the physical individual.113 He compares the distinction between personal information that is directly linked to the individual and “player data” to the distinction between “identifiable personal information” (or IPI) and “non-identifiable personal information” (or non-IPI) in online settings.114

IPI is defined as “data used to identify, contact or locate a person, including name, address, telephone number or email address,” whereas non-IPI is defined as:

… not linked to a particular person and is typically compiled from click stream information compiled as a browser moves across different web sites (or a single web site) serviced by a particular network advertiser or from information provided by third parties (so long as that information is not personally identifiable to the network advertiser).115

Non-IPI is generally afforded a lower level of privacy protection. This lower level of privacy protection is often criticized because of fears that non-IPI can be aggregated with other IPI databases to trace non-IPI back to individuals. Privacy concerns with collecting “player data” are similar to privacy concerns with the collection of non-IPI. While “player data” may not be personal in the sense that it does not point to an identifiable physical individual, it continuously refers to a constant avatar and therefore can provide the holders with meaningful insights about the identity of the person behind the avatar.116 Zarsky also warns that if developers of virtual worlds decided to collect and analyze “player data”, they might be able to engage in effective and unacceptable manipulative practices without requiring any personal information as it is categorized in the real world.117

Thus, Linden Lab could link online and offline identities and behaviours in ways of which users are unaware. Second Life residents may feel that their online conduct is anonymous and may engage in activities on the assumption that their real life identity would never be linked to their online identity.

However, Second Life does not operate in a confined area of cyberspace. Several Second Life residents blog about their experience and discuss Second Life in online forums that exist all over the internet, which can be accessed by a simple query on Google. Often, these residents blog and post under their Second Life resident name.118 Though Linden Lab “Community Standards” ask users not to disclose personal information revealed on Second Life, there may be “leakage” of conduct that is perceived to be private in Second Life to the public internet.

The potential for in-world surveillance

An October 2005 example of surveillance in the popular World of Warcraft game highlights potential privacy dangers in massively multi-player online role-playing games. The game’s programmers, Blizzard Entertainment, installed a monitoring program on players’ computers called “The Warden.” The Warden was designed to alert Blizzard to signs of cheating or abuse and allowed programmers to access almost any program on a player’s machine. World of Warcraft players used the Sony BMG rootkit to circumvent “The Warden,” allowing these players to perform online monitoring of other players’ actions.119

Online gamers have not paid much attention to the privacy of in-game communications. But conversations have become intimate and on a platform such as Second Life, which is more accurately construed as a “virtual world” than a “game”, conversations between residents have the potential to be deeply intimate. What privacy protections are given to in-world communications?

Because of the architecture of virtual worlds, the central entity that operates a world can see and record everything its residents do within it. Thus, what residents choose to do in Second Life is not free from Linden Lab’s view. Linden Lab’s Terms of Service and Privacy Policy do not address the extent to which it has the ability to monitor residents’ in-world activities. Linden Lab policies do not prohibit investigative inquiry as long as remote conversation monitoring and conversation logs are not used.120

With the ability to collect a vast amount of information about its residents, virtual worlds are potentially very powerful surveillance tools. In fact, the Washington Post has already noted that virtual worlds are the “next battlefield in the struggle over proper limits of the government’s quest to improve security through data collection and analysis and surveillance of commercial computer systems.”121 Intelligence officials say that the spread of virtual worlds creates additional challenges, as commercial services do not keep records of communications between avatars, thus creating the opportunity for residents to exchange messages in private channels that will remain secret. However, officials from Linden Lab state that systems that monitor avatar activity and identify risky behaviour are built into the technology. For example, all financial transactions on Second Life are reviewed electronically, and Linden Lab employees review some transactions. CEO Philip Rosedale testified that Linden Lab closely scrutinizes all transactions worth more than $10 US. In response to questions from Congress, Rosedale testified: “When people extract money from the virtual world, we run it by several complex systems. … It’s likely that the law is more enforceable in virtual worlds than the Internet in general.”122 Thus, Second Life has the architectural capacity to trail resident in-world conduct, as avatars leave behind a range and depth of electronic footprints. The real question is: to what extent will the private entities that operate virtual worlds monitor their residents’ conduct and communications?

Monitoring resident in-world conduct also could be used by virtual world developers for advertising and marketing initiatives that enable the tailoring of specific content for every user on the basis of their personal profiles. Linden Lab has already partnered with advertising company AMPP Media to place digital billboards in Second Life that serve contextual ads by scanning keywords of public conversations in the area and scanning residents’ “interest profile”, which includes the resident’s user information such as their account name, age of account, details on where the resident spends time on Second Life, and what clothing and attachments are on the avatar. Targeted advertising directed at avatars raises several privacy concerns.

Business data practices on Second Life

Businesses on Second Life interact with residents by offering services and products to promote their brands. Using the Second Life platform, they may interact and conduct transactions with residents. Entry costs on Second Life are not a barrier to businesses on Second Life. A plot of Second Life property can be purchased for just over $200 and has low maintenance costs, ranging from $25 to $100 per month, depending on the amount of server capacity used to upkeep the virtual property.123 As well, there are a number of solution providers who create content for Second Life, such as event planning and building islands.124 Given these low entry costs, many organizations are keen to establish a presence in Second Life.

Collection of personal information on Second Life

The Linden Lab Privacy Policy does not apply to organizations that operate in the virtual world. Linden Lab absolves itself from responsibility for resident interactions with service or product providers, stating: “Linden Lab is not a party to your relationship with such other providers.”125 In the Community Standards, Linden Lab states that they will make no specific efforts to review the textures, objects, sounds or other content created within Second Life, suggesting that the buyer beware.126

Due diligence is a must for any organization that decides to set up on Second Life to conduct business.127 Whether the organization is using Second Life to collaborate between global offices, conduct product simulations with virtual customers, conduct employee training, receive product feedback from clients, raise funds for a philanthropic or political cause, or build community around a brand, the organization should comply with fair information practices if they collect personal information from their employees, customers, or clients on Second Life.

However, it is unclear how organizations would collect personal information when conducting business in Second Life. Businesses know the names of their client and customer avatars. As well, any communication between the business and the client or customer would be logged. Generally speaking, there are no privacy policies posted in the virtual world.

Conclusion: Future Work

Second Life is a dynamic world that is experiencing a remarkable growth in residents and organizations. As more inhabitants settle in Second Life, its geography evolves just as quickly. With increased media attention, we can expect Second Life to raise more questions regarding the applicability of real world law to virtual world activities.

Most of the groundwork is here to create a public education fact sheet that outlines privacy concerns with Second Life and provides privacy protection tips for Canadian Second Life users.

I believe that more work could be done to investigate the data practices of businesses and organizations that use Second Life as a platform to communicate with clients, customers and the general public. In my research, I came across a number of pieces that discuss how Linden Lab handles customer information and privacy. However, there seems to be a void in the literature in addressing how third parties on Second Life deal with customer privacy in Second Life. From browsing Linden Lab resources, there appears to be no formal information on how Second Life businesses can collect resident information to maximize their profits. As more organizations set up in Second Life, this will be a key question.

How might Canadian privacy legislation apply to Canadian businesses and organizations that choose to establish a presence on Second Life? PIPEDA aside, what general data practices are recommended to protect the privacy of their clients and customers in Second Life? With more information, these questions can be addressed and could be usefully presented in a public education fact sheet for Canadian organizations who want to establish a Second Life presence.