Open Letter To SL from Morden Winkler

by Alphaville Herald on 08/12/07 at 9:06 am

To: Second Life
From: An Angry Canadian SL user
Re: Age Verification

For ALL Canadians, the proposed new age-verification system for Second Life is a complete failure and possibly ILLEGAL under Canadian law. Here’s why:

Integrity CANNOT VERIFY YOUR AGE using your Social Insurance Number (SIN) or your passport number, and in fact, it is probably illegal for them to do so under Canada’s privacy act. Canadians can actually make a formal complaint to the federal government about companies asking for these numbers, and I’m sure you’ll be getting a few of those.

Check for yourself if you don’t believe me:

SIN: 1-800-206-7218 (Option 3 for SIN)
Passport Canada: 1-800-567-6868

I have called these 1-800 numbers and verified that the federal government will NOT provide ANY information, including age, to ANY third-party, except for other government departments, employers, and financial institutions. Second Life/Integrity does NOT fall into any of the exception categories. The law in Canada is quite clear, and quiite strong in this area, unlike the States.

Also, in my own case, I have confirmed through a phone call to my driver’s licence bureau that Integrity CANNOT VERIFY YOUR AGE using a Manitoba driver’s licence (although they might be able to using an Ontario driver’s licence number alone, apparently your birth date is embedded within your number). I’ve heard from other Canadian Second Life users that Quebec and British Columbia have similar situations. In all cases, the licensing bureau will not provide ANY information, including age, to ANY third party except government departments, employers, or financial instiutions. The law, again, is quite clear and quite strict on this point.

The most important point I am making here is this:
************************************************************
Since Integrity CLEARLY CANNOT VERIFY MY AGE using ANY of the numbers asked for, WHY IS SECOND LIFE/INTEGRITY ASKING FOR THEM? We are explicitly warned NOT TO GIVE ANY OF THESE NUMBERS OUT to companies. And under Candian law it is at best highly questionable and at worst ILLEGAL for you to require Canadians to provide ANY of the numbers given as options in the drop-down menu on the age verification page. Expect a flood complaints to various government agencies, and official follow up by provincial and federal governments as a result of this.
************************************************************

It is clearly illegal for you to refuse to provide age-verification services to Candians who refuse to provide ANY of these numbers. You can’t wiggle your way out of that. Canada’s privacy act is quite clear on this issue.

In summary, if you are providing services to Canadians, you are going to have to come up with another way to verify age, or no Canadians will be able to verify.

25 Responses to “Open Letter To SL from Morden Winkler”

  1. Alyx Stoklitsky

    Dec 8th, 2007

    And since when was Linden Labs based in Canada?

    Never.

    Canadian law doesn’t mean jack to them.

  2. urizenus

    Dec 8th, 2007

    Canadian law may not mean jack to them, but that doesn’t mean they can break Canadian law while selling their service to Canadian citizens.

    Does anyone at Linden Lab even bother tracking the laws in other countries? I only ask because every few months LL seems to be taken by surprise when they realize that the laws in most of the places they do business aren’t like the laws in Northern California.

    Come on guys, the metaverse is international. Stick a crowbar in your wallet and pay for some lawyers that understand that the United States isn’t the only country in the world.

  3. HatHead Rickenbacker

    Dec 8th, 2007

    Firstly, I agree with this post.

    However, I don’t think the ID system is checking individual data, rather I think that the system is checking if the SIN has a valid check digit on the end*. It is possible to verify if the SIN number (or numbers from almost all issued identity and credit cards) is a valid number simply from the number itself. This number scheme is designed to prevent key entry errors and is uber-common across the globe. So the ID system doesn’t know if the SIN is for you, but it does know that it is a valid SIN.

    Of course in this arrangement, a SIN that is not yours can be also be entered – as long as it is a valid number – so not very secure. The ID company will not like to admit this though as it would diminish the perceived integrity of their service.

    Still, asking for a SIN when it is not a matter of employment is most certainly against the law in Canada.

    (*Typically the last digit is a modulus derived from the rest of the card number)

  4. Nacon

    Dec 8th, 2007

    Actaully…. it’s not LL to find a new way…. since they are using 3rd party company to get info for LL.

    Do your homework. SIN number isn’t the only thing you can use.

  5. Tax HotShot

    Dec 8th, 2007

    Morden is correct. In Canada, unlike the United States we have extremely tight privacy laws and it is true that the federal government nor any provincial government will be releasing verification information from Social Insurance, Passport or Drivers License information anytime soon.

    I would suspect that the only way that Linden Labs will be able to verify a Canadian in through the standard “Do you have a valid credit card, hence you must be over the age of 19″…

    I am actually glad that Canada has tighter privacy laws as it prevents our Social Insurance, Passport and drivers license information from being lost, misused or even sold once it has been provided.

    I am from British Columbia and have tried the verification process and even spoken with concierge regarding this and been told not to worry and that Linden Labs understands the issue with Canadians.

    As are far as the response before me, please remove you head from the sand, the largest growth area for new registrants is not from the United States but from countries outside of the United States. If Second Life is to continue with any sort of growth, Linden Labs has to be able to become a global company.

    So a great big EH! from this canuck…

  6. Ingrid Northmead

    Dec 8th, 2007

    LL have known this since May or so, when users not from the US first started telling them, “hey um, giving you this kind of info is illegal in my country.” You think they don’t know this? Of course they do.

    This whole thing with Integrity has been a disaster from the get-go, yet LL is hell-bent on implementing their faulty age verification, er, identity verification system. They know they gotta cover their collective ass somehow so that when little Timmy’s parents find out he’s been yiffing shemale furries for the last few months LL can point to it and say “Hey, we’ve done all we can!” Which I understand, to some extent.
    There are so many kids on the grid these days it isn’t even funny, you can’t swing a dead Tiny without hitting some loudmouthed 14 year old’s totally blinged out avatard. But I honestly think asking for credit card info, or forcing your credit card to be billed one time by LL for some negligible sum is going to keep more kids out of SL than Integrity’s system. Most parents check their credit card bills, after all. Yes I know, not everyone has a credit card. Not everyone around the world has a driver’s license or a passport either.

  7. nimrod Yaffle

    Dec 8th, 2007

    This article looks an awful lot like the OP here: http://www.sluniverse.com/php/vb/showthread.php?t=3930

    “Integrity CANNOT VERIFY YOUR AGE using your SIN or your passport number, and in fact, it is probably illegal for them to do so under Canada’s privacy act.

    Check for yourself if you don’t believe me:

    SIN: 1-800-206-7218 (Option 3 for SIN)
    Passport Canada: 1-800-567-6868″

  8. pixeleen mistral

    Dec 8th, 2007

    Nimrod,

    When the open letter arrived on the iMojo wire, I noticed it was being sent to at least two other SL media outlets – New World Notes and the Metaverse Messenger.

    Could it be that Canadian virtual privacy dissidents are starting a media war with LL? How will the fanboys fight back against this threat to LL’s sovereign powers over their world?

    You’ll read about the struggle in depth, here in the Herald – where we remain “always fairly unbalanced”

  9. FlipperPA Peregrine

    Dec 8th, 2007

    The authors are one and the same, nimrod. :)

  10. Type IX

    Dec 8th, 2007

    “Canadian law may not mean jack to them, but that doesn’t mean they can break Canadian law while selling their service to Canadian citizens. ”

    Okay then. Linden Lab will just block Canada from using SL. Problem solved!

    Lindens don’t have to worry about breaking Canadian law, and Canadians don’t have to worry about giving out their info.

    Repeat this for every country in which LL would break some law or another. I think LL would end up banning all 191 countries (who would have some inane little law that would conflict with SL), save for the US.

  11. Nicholaz Beresford

    Dec 8th, 2007

    I’m sure they’re only doing the basic checksum check as Hathead pointed out. I’m from Germany and porn sites here used to do that based on the personal ID number which has the date of birth embedded into it and has four checksum digits. That Integrity has anything beyond that is close to impossible, because even no German age verifier don’t have them … and here laws about porn access are more strict and the incentive to develop such a system is correspondingly high.

    However, the format of the checksums is well documented and there are even generators for it out there, so the practical effect is zilch.

    Current age/identification services here in Germany here AFAK are based on a service offered by the ex-federal postal services or are based on a credit background check (which itself is based on name and the date of birth as provided through ID and necessary when you open a bank account).

  12. Mrrr?

    Dec 8th, 2007

    The word “ILLEGAL” is being thrown around this letter in big capital letters like you were trying to drive the fear of prosecution into the heart of LL. However, preceding each big “ILLEGAL” claim with words like “possibly”, “probably” and “at best” sounds like you really aren’t too sure about this. It sounds like what you’re saying is that it’s illegal for these agencies to provide age information, however it’s not illegal for LL to ask for this information.

    “It is clearly illegal for you to refuse to provide age-verification services to Candians who refuse to provide ANY of these numbers.”

    This is the only time you use “illegal” without uncertainty. However, it sounds like LL is not refusing you these services- you just don’t have access to use them. As well, even if LL did refuse those services, I don’t see how they’re obligated by law to provide them for you, especially when you reside in a completely different country.

    Any real lawyers around who can provide some real information and not just conjecture?

  13. Magnum Serpentine

    Dec 8th, 2007

    The Social Security Administration advised me not to give my SSN to any company.

    They say the threat of Identity Theft is too great and that Privacy concerns might also factor in.

  14. Spankubux

    Dec 8th, 2007

    Pixaleen “Can’t Write for Shit” Mistral continues her virtual crusade against, well, nothing in particular, with loyal Peter Ludlow at her side.

    Bitch Cassidy and the Sim-Dunce Kid, together 4 EVAH.

  15. chmarr walcott

    Dec 8th, 2007

    Canada has laws which are identicle to uk laws since it was the uk that introduced the DPA (Data Protection Act) many many years ago
    and like canda the uk laws are now MEGA tight on data protection, in other words thanks to the many years of troubles and bombed from the IRA many years ago the DPA was tightened to the extreme levels and now with the war in iraq (thanks bush you c**t) the uk Data protection is now even tighter.
    from 1981 upto this month of 2007 and with new tighter laws coming into force in 2008 it seems LL would be “up shit creek without a boat as well as a paddle and the aligators n bears are ready to eat em”

    the DPA is as follows

    Plain Language Summary of Key Principles

    This section provides a quick overview of what the Key Principles of information-handling practice mean. The Key Principles themselves are discussed below in the context of their definition in law.

    Data may only be used for the specific purposes for which it was collected.

    Data must not be disclosed to other parties without the consent of the individual whom it is about, unless there is legislation or other overriding legitimate reason to share the information (for example, the prevention or detection of crime). It is an offence for Other Parties to obtain this personal data without authorisation.

    Individuals have a right of access to the information held about them, subject to certain exceptions (for example, information held for the prevention or detection of crime).

    Personal information may be kept for no longer than is necessary.

    Personal information may not be transmitted outside the EEA unless the individual whom it is about has consented or adequate protection is in place, for example by the use of a prescribed form of contract to govern the transmission of the data.

    Subject to some exceptions for organisations that only do very simple processing, and for domestic use, all entities that process personal information must register with the Information Commissioner.

    Entities holding personal information are required to have adequate security measures in place. Those include technical measures (such as firewalls) and organisational measures (such as staff training).

    History

    The Data Protection Act 1984 was an implementation of the 1981 European Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. It provided for a regulatory authority, the Data Protection Registrar, to oversee the implementation of and adherence to the Act. The 1984 Act was repealed by the Data Protection Act 1998.

    The Data Protection Act 1998 expanded on the 1984 Act, and was an implementation of European Union Directive 95/46/EC which, amongst other measures, expanded the remit of the Data Protection Registrar and renamed the position to the Data Protection Commissioner.

    Paper-based health, education and social work records which were created before 24 October 1998 are subject to slightly different provisions in the Act which will apply until 23 October 2007.

    Most recently, the Freedom of Information Act 2000 further expanded the role to include freedom of information; the job title of the DPR/DPC was changed once again, this time to Office of the Information Commissioner.

    Following the practice of taking fingerprints of children without parental consent in school, it has been established that the latter was not necessary under the DPA. 3,500 schools in the UK have such fingerprint locks or databases in 2007.

    Personal data

    The Act covers any data which can be used to identify a living person. This includes names, birthday and anniversary dates, addresses, telephone numbers, Fax numbers, e-mail addresses etc. It only applies to that data which is held, or intended to be held, on computers (‘equipment operating automatically in response to instructions given for that purpose’), or held in a ‘relevant filing system’.

    Subject rights

    The data protection act creates rights for those who have their data stored, and responsibilities for those who store or collect personal data.

    The person who has their data processed has the right toView the data an organisation holds on them, for a small fee, known as ‘subject access’
    Request that incorrect information is corrected. If the company ignores the request, a court can order the data to be corrected or destroyed, and in some cases compensation can be awarded.
    Require that data is not used in a way which causes damage or distress.
    Require that their data is not used for direct marketing.

    Data protection principles

    Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless-

    at least one of the conditions in Schedule 2 is met, and in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

    Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

    Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

    Personal data shall be accurate and, where necessary, kept up to date.

    Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

    Personal data shall be processed in accordance with the rights of data subjects under this Act.

    Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

    Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

    Conditions relevant to the first principle

    Personal data should only be processed fairly and lawfully. In order for data to be classed as ‘fairly processed’, at least one of these six conditions must be applicable to that data.

    The data subject (the person whose data is stored) has consented (“given their permission”) To the processing;

    Processing is necessary for ‘the performance of a contract (any processing not directly required to complete a contract would not be “fair”);

    Processing is required under a legal obligation (other than one stated in the contract);

    Processing is necessary to protect the vital interests of the data subject’s rights;

    Processing is necessary to carry out any public functions;

    Processing is necessary in order to pursue the legitimate interests of the “data controller” or “third parties” (unless it could unjustifiably prejudice the interests of the data subject).

    Exemptions

    The Act is structured such that all processing of personal data is covered by the act, while providing a number of exemptions in Part IV.[1] Notable exemptions are:

    Section 28 – National security. Any processing for the purpose of safeguarding national security are exempt from all the data protection principles, as well as Part II (subject access rights), Part III (notification), Part V (enforcement), and Section 55 (Unlawful obtaining of personal data).

    Section 29 – Crime and taxation. Data processed for the prevention or detection of crime, the apprehension or prosecution of offenders, or the assessment or collection of taxes are exempt from the first data protection principle.

    Section 36 – Domestic purposes. Processing by an individual only for the purposes of that individual’s personal, family or household affairs is exempt from all the data protection principles, as well as Part II (subject access rights) and Part III (notification).

    Offences

    Section 55 – Unlawful obtaining of personal data. This Section makes it an offence for people (Other Parties), such as hackers and impersonators, outside the organisation to obtain unauthorised access to the personal data.

    Section 56 – This section makes it a criminal offence to require an individual to make a Subject Access Request relating to cautions or convictions for the purposes or recruitment, continued employment, or the provision of services. As of 2007 this section has not yet been enabled. According to the government, this section will not be enabled until the Criminal Records Bureau is providing a Basic Disclosure service. The provision of a Basic Disclosure service is dependent on s.112 of the Police Act 1997 being enacted, which provides for “Criminal Conviction Certificate”.

  16. Razrcut Brooks

    Dec 8th, 2007

    BOTTOM LINE: The residents who are the most vociferous (google it) against age verification are the ones who enjoy PORN,ESCORTS,STRIPPERS,RAPE/ROLE PLAY,AGE PLAY…etc…. Period.

    ~~~~~~~~~~~~~~~~~~~~~~ The rest do not care either way. ~~~~~~~~~~~~~~~~~~~~~~~~~~

    Mature land and age verification will not affect the positive aspects of SL…only the darkside.

    ************** Think About IT**********************

    Merry Christmas , Happy B-DAY J.C. :)

  17. Prokofy Neva

    Dec 8th, 2007

    Magnum, you aren’t being asked to give your whole US Social Security number, you’re being asked to give the last 4 numbers. And if you think it violates privacy or harms you in some way, I guess the next time you call your bank or credit card company and they ask for the last 4 digits of your social to verify you, as they routinely do, you won’t be able to cooperate with them. Ok, then, don’t, then don’t expect to get their services. It’s a wonder how you live in the modern world then.

    I find the word ILLEGAL is being bandied about far too much here as well by scare-mongerers whose really issue is that they don’t want to face up to their second lives and what they mean in real-life terms.

    There’s a simple solution here: if Linden Lab can’t get international verification to work, then they simply stop attempting to verify it. After all, they are doing this not for their own sake, and not even to “keep out kids,” but to make adults accountable and also to give them some protection against liability for minors. The countries that are more aggressive about prosecution of fictional child pornography are in Europe anyway, so let them prosecute away, and let those unverified people who have adult content face the music as they will. LL can point out to any authorities who come calling that they have a system to verify, but privacy laws of countries in the EU or in Canada don’t cooperate, so they can only go so far. Then it will be up to that law-enforcement agency and its target of investigation within SL to work it out as they may.

  18. Maria Leveaux

    Dec 8th, 2007

    I don’t Really believe that either LL or Integrity Intended to Contravene any Laws, nor do i think Integrity Intends to use the information for any purpose other than they State.
    However, They Have Fallen for a common misconception, Canada is NOT The USA, and despite some Commonalities in our language and culture we ARE a foreign country, with a Very different legal, and governmental structure.
    Someone, working for Integrity, Rather than properly researching his Task Simply assumed that the Canadian Social Insurance Number served the same function, in the same manner as the American Social Security Number, and that Information about the Holder could be accessed in the same way. In truth, the Information Connected with the SIN Number cannot even be accessed if the holder Provides Written Authorization. They didn’t Realize that we have an entire Governmental Branch dedicated to preserving Canadians Right to Privacy.

    There wasn’t any Sinister Intent, it was Just Sloppy Work. I’m sure Now that LL and Integrity are, or soon will be aware of the Difference, they will Attempt some other Avenue by which they can verify Age. But in doing so they Will discover it isn’t nearly so Easy as it is in the USA, and Canadians Aren’t the Only people who’s rights are so well guarded by their Government.

    The Other point made, About Canadian Law not mattering,, Well, LL would Not be the First Foreign owned business to get Spanked by our Privacy Commission, You see, NAFTA Has provided avenues, and mechanisms to deal with cross boarder trade problems just like this IF it becomes a “denial of service” issue. But, i don’t think it will ever get nearly so far as that.
    This was Just a Screw up, Nothing more.

    Maria.

  19. Jamie David

    Dec 9th, 2007

    See comments of other story. images.google.com will provide Drivers License and anyone can verify. So there is no trust left in IDV/Verification.

    On canadian issue. The issue I see is, how did Aristole get the personal ID’s to verify against. If canadian government handed it over then issue is with Canadian Government. Why did they do so? Verification is a new service and there is no need for the SIN if Aristotle provide Voter Profiles for Canadain MP’s. If they don’t have the SIN numbers then it is false advertising that is making Canada look bad.

    Bad either way you look at it.

  20. pornlover

    Dec 9th, 2007

    Well, the darkside is the fun side.

    Also, it will affect people who happen to have mature land and are renting it out,
    or those that have uhm… I dunno… other mature stuff that is non sexual?
    Combat sims? wouldnt want kids there specially with the heavy RP going on there.
    if you think mature parcels that will have to be flagged only are the ones with sexual stuff on it… Get your ass out of the welcome area for once and actually have a look around.

    and yes… I like sex. Heck, everyone does. I bet your mom and dad enjoyed it. Else you wouldnt be sitting there behind your computer. Be glad your father wasnt celibate.
    And I bet he’s also got a stash of mags hidden somewhere. Probably hidden under your pile of Disney magazines in your room…

  21. Chmarr walcott

    Dec 9th, 2007

    you forgot the UK , GREAT BRITAN SCOTLAND england IERLAND WALES

    our data protection is much more stricter and tighter than canadas and the lindens in the uk are being ignored by there vosses

  22. chmarr walcott

    Dec 9th, 2007

    wow bet ya dident know this
    integrity / Aristotle USED to be http://www.kidsheriff.com here is a direct C&P from there website

    Privacy Statement
    for Integrity.Aristotle.com

    Integrity has created this privacy statement in order to demonstrate our firm commitment to privacy. The following discloses our information gathering and dissemination practices for this website: Integrity.Aristotle.com.

    Website Visitor Information Collected
    Our site’s Registration Form requires users to give us information (like their name and email address).

    Security
    Integrity.Aristotle.com operates under industry standard security measures including the use of https, firewalls and a server security password system to protect from loss, misuse or alteration the information under our control.

    Confidentiality of Information/Correction
    Integrity only uses data collected from visitors and customers for the purpose of conducting Integrity Services and does not provide information to third parties except pursuant to subpoena or court order.

    Contacting the Web Site
    If you have any questions about this privacy statement, the practices of this site, or your dealings with this Web site, you can contact:

    Integrity
    205 Pennsylvania Avenue, SE
    Washington, DC 20003
    E-mail address: info@VerifyMyIdentification.com

    http://www.kidsheriff.com/version2/privacy.htm

    look at that and tell me wtf

  23. Bee Mizser

    Dec 9th, 2007

    >>

    BOTTOM LINE: The residents who are the most vociferous (google it) against age verification are the ones who enjoy PORN,ESCORTS,STRIPPERS,RAPE/ROLE PLAY,AGE PLAY…etc…. Period.

    ~~~~~~~~~~~~~~~~~~~~~~ The rest do not care either way. ~~~~~~~~~~~~~~~~~~~~~~~~~~

    Mature land and age verification will not affect the positive aspects of SL…only the darkside.

    ************** Think About IT**********************

    Merry Christmas , Happy B-DAY J.C. :)

    Complete bollocks matey.

    Because this age verification is purely voluntary, then the sex/porn industry will continue on SL in the same way it always has. They just won’t mark the land as having mature content and carry on as before.

  24. Ari

    Dec 10th, 2007

    LOL!!!!!

    I just *LOVE* how all the whiners always say ‘PROBABLY ILLEGAL” – well, find out, idiot. Your letter looks like a 10-year-old whining because he can’t have his cake and eat it too.

    You want to whine about it – whine to Integrity.
    Dipshit.

  25. Tycho Beresford

    Dec 10th, 2007

    Nacon, I don’t understand when you say “I am actually glad that Canada has tighter privacy laws as it prevents our Social Insurance, Passport and drivers license information from being lost, misused or even sold once it has been provided.” Laws can’t prevent crimes and accidents.

    Consider: “The Passport Canada website was found to be leaking applicant data last week. One site visitor discovered that by altering a character in the URL, he could view other applicants’ social insurance numbers, driver’s license numbers, and other sensitive personal information.”
    http://www.theregister.co.uk/2007/12/04/canadian_passport_site_breach/

Leave a Reply