In an odd turn of events that is all too common online these days, an ingenious system created for Second Life land holders to reduce incidents of harassment and abuse by malicious griefers has itself turned out to be a potentially nefarious tool of harassment and abuse. zF RedZone is a tool that was designed to help Second Life users identify and block problem users from entering their territory and wreaking havoc. If you were looking for a way to get rid of griefers (miscreants who live for the sheer joy of making life miserable for others on the Internet) and copybots,(copyright infringers who use special scripts to rip off others intellectual property) RedZone was one of the best ways to fight back. It helped users by uncovering the IP addresses of avatars that visited a certain piece of land in Second Life (which it achieved through a scripting trick that exploited a hole created by audio and multimedia streamers, allowing the program to make the user’s computer access a certain website, thereby revealing their IP address).
Once in possession of an avatar’s IP address, the program created a database of SL avatars associated with the same IP address. By matching up the information, users could then create a list of banned avatars and prevent them from entering their territory. This allowed landholders to exclude any malefactor, regardless of which avatar/identity the person was hiding behind. The incredible thing about this is that it worked–but there was a catch. The IP addresses that RedZone captured were not necessarily unique to the individual at the keyboard. Because of dynamic IP address generators, such as those found in many wireless routers, among others, there were a lot of erroneous correlations of avatars and “alts” (alternative avatars created under one unique account). Anyone who shared a server or router with other SL users would most likely have their accounts lumped together, creating all sorts of problems that goes well beyond the annoyance of spammers.
Because RedZone gathered this information in the background, without users’ consent, it created a fairly significant privacy breach, particularly for users in the EU. As was described in a blog post recently at Dwell On It, EU data privacy laws include IP addresses as personal data that may not be collected without prior authorization if they can be linked back to an individual user. Because RedZone collects IP addresses indiscriminately, it is likely that it picked up personally identifiable data potentially in violation of EU law. U.S. laws are a bit more squishy on the subject, but a recent change (as of Feb. 25, 2011) to Second Life’s Community Standards Policy requires that any disclosure of IP address information is prohibited without first obtaining each user’s consent:
Residents are entitled to a reasonable level of privacy with regard to their Second Life experience. Sharing personal information about your fellow Residents without their consent — including gender, religion, age, marital status, race, sexual preference, alternate account names, and real-world location beyond what is provided by them in their Resident profile — is not allowed. Remotely monitoring conversations in Second Life, posting conversation logs, or sharing conversation logs without the participants’ consent are all prohibited.
All of this is particularly interesting because of the way it has come about. I don’t know how much of a threat the previously gathered information will pose. According to the reports, it is a violation to reveal any of the previously gathered info, but it isn’t a violation to possess it. What people can do with that info may be limited, based on the fact that the data was fairly unreliable to begin with–any griefers worth their salt already know how to get around IP address barriers in less time than it takes to brew a pot of coffee. The commenter who brought this matter to my attention said that litigation would be forthcoming, but as yet, I don’t see what their damages are. If they are threatening litigation in the EU, where the courts are fairly toothless in my understanding, I still don’t see the benefit. Since RedZone has adapted to the new rules, it seems like it may be a moot point.
Then again, there could be a lot more to this than I am seeing at the moment. As one person put it, the threat from cyberstalking and harassment is real and there are few tools available to help users fight back, since blocking an offending avatar will only stop the abuse for the amount of time it takes to log in with a new alt. People were willing to pay $20 US for RedZone because it made SL more enjoyable. Short of a subpoena for the user’s MAC address and a restraining order, it seems like the policy against RedZone was one step forward and two steps back…