The Alphaville Herald

LL Swings Ban Stick, Stays Mute on Chat Log Leaks

by Pixeleen Mistral on 12/09/06 at 8:22 am

Asking questions that Linden Lab will not answer

by Pixeleen Mistral, Herald National Affairs desk

This week started on a happy note, as the Lindens completed their temporary weekend ban from answering the phones and began nibbling their way through the monumental task of resetting passwords for 660,000 avatars (or is it really 260,000?) after the SL customer database was compromised last week. Friendly queries from the SL Herald and others to determine if IM and chat logs were also exposed in the database leak have not been answered as of press time, but this is easily explained. Either Linden Lab simply refuses to answer, or they’re too busy threatening to ban good upstanding Second Life citizens for expressing dissenting opinions on the new and exciting Official Linden Blog.

Now that the noisiest SL forums are being shut down, comment cleansing and threatening in-world disciplinary action for unhappy comments on official blogs seems to be the order of the day over at Linden Lab. With the move, Second Life joins the sterling ranks of Project Entropia (now Entropia Universe, for some reason), where dissent on any Web-based forum, whether run by the company or not, is grounds for the ban-stick. LL ain’t quite that bad, but they’ll ban you when you least expect it, apparently, rather than let people have their say on the shiny new blog. Wouldn’t want it to get tarnished by the truth, after all.

In spite of all this good news, some normally reliable metaverse citizens seem uneasy. For instance, Cristiano Midnight said, “Someone does need to take responsibility for this mess at Linden Lab, and that includes replacement of leadership. Customer trust has been severely damaged, and no amount of “it’s the fault of the hackers, not Linden Lab” is going to change that fact. Only a swift, definitive, and visible action to address this and take responsibility for it has any hope of restoring customer faith.” Indeed.

To get some clarification on exactly how much of the in-world user experience the Linden leaks exposed, I posted a question to the SL Answers forum asking if the IM and chat logs are stored in the compromised database. In the two days since the question was posted, all leak-related questions have been answered very quickly, except for mine and John Horner’s question asking if the compromised database holds historical payment information. I’m sorry to report Linden Labs is now exhibiting a pattern of compliance with with relevant law concerning account number, payment, and RL address information, and complete silence about what other information was exposed. This does not inspire much confidence. What has happened to Linden Lab’s normally overactive PR operation? Please try and help make Cristiano feel better, OK?

Last month’s SLStats controversy and AOL’s release of user search information are recent examples of how online behavior information can reveal more than most users would like. With this in mind, making a clear and verifiable statement about how exposed or secure chat and IM logs are would seem to be in Linden Lab’s best interest. However, the Lindens have a history of simply ignoring direct privacy policy questions, such as those raised by the Herald and Rickel Petion about third-party data mining in the SL Answers forum over a month ago. So don’t hold your breath.

Late saturday, I happened to speak with Mr. FlipperPA Peregrine, a noted raconteur and member of the Electric Sheep development group – a good source of information on SL technology. Mr. Peregrine told me that chat logs are retained for about 24 hours. This seems credible, and would explain why the Linden Police Blotter seems to only deal with a small number of crimes: the evidence for most evaporates after 24 hours. The Linden policy of not notifying the victims of abuse on the outcome of their abuse report would also make it easy to simply drop reports that are not acted on immediately.

Mr. Peregrine also said that IMs are stored for 60 days to help resolve issues. This also seem credible, since IMs may need to be stored for emailing to offline avatars and for display at your next login. Apparently, scripters are told to use IMs for critical transactions so that the Lindens can help sort things out in the event of an “incident”. This is all fine from the perspective that SL is a business/commerce platform, but what about avatars that want a little privacy for say, cybersex social interaction? Chat is hopeless, since invisible chat spys are routinely sold and used in-world. Thomas Conover’s Secret Agent HUD typically ranks in the top 30 in terms of popularity at slexchange.com. Its popularity is based in the extraordinary measures it takes to both hide itself and follow avatars in their travels. This all seems wrong based on the ToS, but the Lindens explicitly allow people to own these sorts of devices, just do not misuse them. Right. IM might seem better, but since the Lindens have issues with protecting their databases, and IM is stored for months, this seems less than ideal as well. What’s an avatar to do?

With much of the SL experience revolving around roleplay, and 1/3 of the economy somehow related to the sex industry, the possibility for mischief, blackmail or worse is certainly present, as Vladimir Cole wrote on the Joystiq site. Writing about the Linden leak, TechCrunch’s Marshall Kirkpatrick said, “A company representative wouldn’t tell me whether behavioral or attention data tied to users was exposed in the breach”. So its not just the Herald that is being stonewalled. Great.

In any case, the week is off to a fine start. As we wait, mostly likely in vain, for Linden Lab to come clean on the extent of the information exposed, comfort yourself with the thought that at least you don’t have to work the call center doing password resets. Oh, and Cristiano needs a hug too, if anyone see him.