LL Swings Ban Stick, Stays Mute on Chat Log Leaks
by Pixeleen Mistral on 12/09/06 at 8:22 am
Asking questions that Linden Lab will not answer
by Pixeleen Mistral, Herald National Affairs desk
This week started on a happy note, as the Lindens completed their temporary weekend ban from answering the phones and began nibbling their way through the monumental task of resetting passwords for 660,000 avatars (or is it really 260,000?) after the SL customer database was compromised last week. Friendly queries from the SL Herald and others to determine if IM and chat logs were also exposed in the database leak have not been answered as of press time, but this is easily explained. Either Linden Lab simply refuses to answer, or they’re too busy threatening to ban good upstanding Second Life citizens for expressing dissenting opinions on the new and exciting Official Linden Blog.
Now that the noisiest SL forums are being shut down, comment cleansing and threatening in-world disciplinary action for unhappy comments on official blogs seems to be the order of the day over at Linden Lab. With the move, Second Life joins the sterling ranks of Project Entropia (now Entropia Universe, for some reason), where dissent on any Web-based forum, whether run by the company or not, is grounds for the ban-stick. LL ain’t quite that bad, but they’ll ban you when you least expect it, apparently, rather than let people have their say on the shiny new blog. Wouldn’t want it to get tarnished by the truth, after all.
In spite of all this good news, some normally reliable metaverse citizens seem uneasy. For instance, Cristiano Midnight said, “Someone does need to take responsibility for this mess at Linden Lab, and that includes replacement of leadership. Customer trust has been severely damaged, and no amount of “it’s the fault of the hackers, not Linden Lab” is going to change that fact. Only a swift, definitive, and visible action to address this and take responsibility for it has any hope of restoring customer faith.” Indeed.
To get some clarification on exactly how much of the in-world user experience the Linden leaks exposed, I posted a question to the SL Answers forum asking if the IM and chat logs are stored in the compromised database. In the two days since the question was posted, all leak-related questions have been answered very quickly, except for mine and John Horner’s question asking if the compromised database holds historical payment information. I’m sorry to report Linden Lab is now exhibiting a pattern of compliance with relevant law concerning account number, payment, and RL address information, and complete silence about what other information was exposed. This does not inspire much confidence. What has happened to Linden Lab’s normally overactive PR operation? Please try and help make Cristiano feel better, OK?
Last month’s SLStats controversy and AOL’s release of user search information are recent examples of how online behavior information can reveal more than most users would like. With this in mind, making a clear and verifiable statement about how exposed or secure chat and IM logs are would seem to be in Linden Lab’s best interest. However, the Lindens have a history of simply ignoring direct privacy policy questions, such as those raised by the Herald and Rickel Petion about third-party data mining in the SL Answers forum over a month ago. So don’t hold your breath.
Late Saturday, I happened to speak with Mr. FlipperPA Peregrine, a noted raconteur and member of the Electric Sheep development group – a good source of information on SL technology. Mr. Peregrine told me that chat logs are retained for about 24 hours. This seems credible, and would explain why the Linden Police Blotter seems to only deal with a small number of crimes: the evidence for most evaporates after 24 hours. The Linden policy of not notifying the victims of abuse on the outcome of their abuse report would also make it easy to simply drop reports that are not acted on immediately.
Mr. Peregrine also said that IMs are stored for 60 days to help resolve issues. This also seems credible, since IMs may need to be stored for emailing to offline avatars and for display at your next login. Apparently, scripters are told to use IMs for critical transactions so that the Lindens can help sort things out in the event of an “incident”. This is all fine from the perspective that SL is a business/commerce platform, but what about avatars that want a little privacy for say, cybersex social interaction? Chat is hopeless, since invisible chat spies are routinely sold and used in-world. Thomas Conover’s Secret Agent HUD typically ranks in the top 30 in terms of popularity at slexchange.com. Its popularity is based in the extraordinary measures it takes to both hide itself and follow avatars in their travels. This all seems wrong based on the ToS, but the Lindens explicitly allow people to own these sorts of devices, just do not misuse them. Right. IM might seem better, but since the Lindens have issues with protecting their databases, and IM is stored for months, this seems less than ideal as well. What’s an avatar to do?
With much of the SL experience revolving around roleplay, and 1/3 of the economy somehow related to the sex industry, the possibility for mischief, blackmail or worse is certainly present, as Vladimir Cole wrote on the Joystiq site. Writing about the Linden leak, TechCrunch’s Marshall Kirkpatrick said, “A company representative wouldn’t tell me whether behavioral or attention data tied to users was exposed in the breach”. So it’s not just the Herald that is being stonewalled. Great.
In any case, the week is off to a fine start. As we wait, most likely in vain, for Linden Lab to come clean on the extent of the information exposed, comfort yourself with the thought that at least you don’t have to work the call center doing password resets. Oh, and Cristiano needs a hug too, if anyone sees him.
Mr F.'s Mom
Sep 12th, 2006
Hey, can we get some, you know, reporting here and less, you know, editorializing?
Prokofy Neva
Sep 12th, 2006
Why are we to trust what FlipperPA Peregrine says? How does *he* know? If he has it from verifiable Linden authority that chat is only kept for 24 hours….then just how is *he* able to get that information that is withheld from the general customer base?
I frankly don’t buy it. It costs them nothing in bytes or work to save chat for more than 24 hours. We’ve heard them say they don’t save the world itself, i.e. you couldn’t dial back and get the 2004 version in a box, I guess, but surely they save chat.
I think their paucity of police blotter incidents has more to do with their notion of wanting to keep for themselves the right simply to delete or “disappear” people without due process. They have such a load of griefers and their alts that they want to do it that way. They talk a good game about treating each alt as if it were a new family member with a clean rap sheet, but in reality they look at the hash marks and IP and whatever they need to look at, and delete without putting really unseemly incidents on the police blotter, which might scare some people if they saw how much crime there is in SL; and saw how vicious and nasty and evil it is – and how rampant, and how much it’s boomed since 6/6/06.
I don’t see how collecting chat or for that matter a record of every single transaction/movement/location/ etc. for every single avatar 24/7 would pose a problem. It’s not like these people don’t know how to run servers. They have loads of servers, and no doubt loads of back-up tapes. It may be hard to get a chat record so they don’t bother for the garden-variety police-blotter type offense, but surely they save chat. Philip probably wouldn’t be able to know something like what he told the Herald about the forum closure, regarding the amount of words and the novels written every day in SL, if he didn’t save and look at chat.
Urizenus
Sep 12th, 2006
>Hey, can we get some, you know, reporting here and less, you know, editorializing?
Pix did what she could here. If Linden Lab won’t answer her questions then that becomes the story and it begs for editorializing.
Fiend Ludwig
Sep 12th, 2006
The honeymoon is over for the LL PR & Marketing (or should I say Damage Control) staffers. I faced the same stone wall when I asked for basic abuse report numbers for my article Negative Coordinates (www.secondlifeherald.com/slh/2006/08/negative_coordi.html).
The info that Pixeleen and Rickel requested, as well as the stats I asked for should have taken only a few minutes to prep. ‘Yes’ or ‘No’, or a quick query report from a database search would have gone a long way in allaying (or exacerbating – but there, perhaps, is the rub) the concerns of SL residents.
Mr. F
Sep 16th, 2006
I didn’t know I had a stalker posing as my Mom. Hi Mom!