Security and Responsibility on the Virtual Frontier

Sometimes, you ask questions and you get answers.

Other times, you get answers, and you wind up with questions.

This week has generated a lot of questions about the responsibility of the provider of a virtual world commerce platform (in this case that would be Linden Lab) in regards to security and protection from fraud and IP theft, as well as other types of criminal activity.

It’s not an easy subject and there’s a lot of room for debate. So it has raged on in various forums and I’m sure here will be no exception. However, it’s important to remember that even though Second Life is nearly 8 years old, in many ways it’s still on the frontier of virtual commerce. When you’re the first group of people trying anything (no matter what it is), you know what? You’re going to screw it up. A lot. Often and sometimes with great fanfare. It’s true- Linden Lab does screw up. Often. And sometimes with great fanfare. But they’re not exactly working from a well thumbed playbook here. Sometimes they’re just winging it, writing the rules as they go. As infuriating as it is sometimes (okay, a lot of the time), if we’re really honest with ourselves, that’s true of pretty much any emerging entity, from people, to governments, to all kinds of businesses, to the simple act of learning how to cook or ride a bike. Unfortunately, when the Lab falls off the bike, they tend to take a lot of us with them. But the question is, how much responsibility is it reasonable to insist they take on?

Answers Create Questions

So let’s start with some answers. In this case, some answers about the guy known in SL as zFire Xue (in real life as Mike Prime), the creator of RedZone. “Wait. I thought this was over with already?” Well, yes and no. RedZone is still gone from the grid (and if for some reason I’ve just lost you, feel free to read up) and so are the accounts of its creator. However, there was a question of zFire’s criminality. Despite having a criminal past (proven by public records, though for some reason I can’t explain there are still some people who refuse to believe the patently obvious), two questions remained- 1. Was zFire still under supervision of the court (and if so, was what he had been up to actionable due to that status) and 2. What, if any legal repercussions would there be?

Guess who has the answers to both these questions, guys? *waves*


The RedZone Epilogue

I’d been asked previously about whether or not zFire was still under supervision of the court weeks ago. At the time, I had no idea and mentioned that since I’m not local to him (there’s a whole country’s worth of distance between us), I didn’t think I’d find out. But I did find out- funny how life works. The answer is yes, he is still under supervision of the court, in the form of Federal probation. The feds were not real happy with what he’d gotten up to. Furthermore, what he’d been doing in SL was not nearly as interesting (so far, anyway) as what he’d been up to in real life.

On April 20, 2011, a violation report (for anyone truly that interested, the case number is U.S. District Court, Western District of Washington, case number 01CR00310RSL- and this information is public- call them yourself if you want) was submitted alleging that zFire (Mike Prime) had violated his conditions of supervision by:

  1. Committing the criminal offense of Possession of Stolen Property 1st degree;
  2. Committing the criminal offense of Trafficking in Stolen Property 2nd degree;
  3. Associating with a convicted felon;
  4. Associating with a convicted felon; (note these are two separate charges, which would indicate two separate people/felons)
  5. Failing to allow the U.S. Probation Officer to inspect any personal computer owned or operated by the defendant;
  6. Failing to notify the USPO of all computer software owned or operated by the defendant;
  7. Beginning employment without prior approval of USPO and working for cash.

A warrant was issued for his arrest and on May 2, he surrendered to U.S. Marshals. He appeared before a U.S. Magistrate Judge and denied the allegations. An evidentiary hearing is currently scheduled for May 18, 2011. At this time, pending that evidentiary hearing, he remains in custody.

The only violation which relates to SL is the income he generated from his products which he did not report to his USPO as is required. Other activities remain under investigation by another federal investigative agency.

Before anyone asks, I do not know which federal investigative agency is still digging. I have two guesses though, and neither one of them sound like a lot of fun for zFire. Either one could be rummaging rather thoroughly into his activities within Second Life, and I don’t think that will go well for him. But as I said at the beginning, these answers only lead to more questions. Not necessarily about this particular case (though I’m sure people will have those, and seriously, I don’t know more than I’ve said here about the status of this case), but about the larger issues that it brings to the table.


The Balancing Act

We live in strange times. In the digital realm, of which Second Life is merely a small part, we have seen over and over again the need to carefully balance security with convenience. Let’s face it- strict security is really, really inconvenient. If you have any doubts about that take an international flight out of JFK sometime, or try to negotiate your bank’s online payment system if you’ve forgotten one of the endless series of codes, passkeys and questions. As more people live more of their day to day lives amongst the online community, no matter what form it may take- your online banking system, your twitter account, your Playstation Network account, whatever- it’s clear that there need to be security measures in place to keep data and money secure, as well as to protect people from fraud. But all those things come at a price, in both real money and in time/convenience.

However, virtual worlds have an added twist. They are not banking systems- but money travels through them in both directions. They are not social networks, but people interact socially within them, and sometimes share sensitive information. They are not traditional video games, but people play games within them, as well as amass large amounts of inventory that cost real money. But added to all of that, they are also commerce systems. So the question arises- in what form should consumer protection take within that commerce platform, and conversely, what protections should be afforded to merchants on the platform as well? Ultimately, how much responsibility should Linden Lab (in this case) be expected to take on vis a vis monitoring and policing these things? What is reasonable, and what tips over the line to “fundamentally not cost effective” and “would make the entire system unworkable”, in terms of the cost and convenience factor? Well I’ll tell you up front- I don’t know. I do know that a lot of people are talking about these questions, and they’re certainly worth hashing out in discussion.


The International Factor

Part of the problem of any platform that has a global audience and community is that it’s really very difficult to try and police the planet. While it’s easy to say “everyone who visits an adult venue should be over the age of 18 and you’ll need to show ID.”, it’s entirely unreasonable to expect a single entity to know or be able to discern with any degree of precision, speed or accuracy the validity of every form of legal identification on Earth. That’s before you even get to “who checks it, how do they receive it, and how fast is the turnaround time?” Yet this is one of the many problems with which Linden Lab as a global virtual platform have struggled. To not attempt to do this would be putting themselves (never mind potentially underage people) at risk- something they cannot do. Yet this simple problem seems almost impossible to manage, conceptually, unless you were to have various offices throughout the world whose very job was to handle international issues. Since the Lab has pulled back to their San Francisco headquarters, this is not possible, and various age verification frustrations are an ongoing problem.

Speaking of ongoing international problems, there is the problem of payment- in this case, to the Lab. How do international users buy Lindens (the currency within Second Life) and cash them back out again? Prior to last summer, it was much simpler. But that changed, and since then international users have come up against enormous frustration in terms of being able to not only buy Lindens, but to even pay the Lab itself. The billing issues are known by the Lab, but frustrations have become so great that at least one large group with a number of sims have decided to close up shop and head elsewhere.



Policing the Marketplace, Oh- And The Grid, Too

Bearing in mind that the Lab laid off a third of its staff last year, I’d like to point out that this is not the only front on which they’re fighting a frontier style battle. There’s also the issue of policing what gets sold (and who is allowed to buy it) in SL as well. Issues of snake oil (products being sold claiming to do something they can’t- something that RedZone was, in spades) are only the tip of the iceberg. There’s also a question of concerns over the same media protocols hole that RedZone exploited in the first place, being exploited in other ways by other devices- perhaps entirely surreptitiously. Since there is no vetting process to put scripted objects on Marketplace (see: not cost effective/wildly inconvenient) the only way to know about damaging products or fraudulent merchants is often long after the damage has already been done. Several people have suggested a “registration system” of sorts for merchants, like an additional verification system, but this has been met with a mixed response, as many people don’t want to compromise their RL privacy and/or don’t believe that any such registration as done by the Lab would be meaningful. After all, let’s remember that zFire himself had signed a contributor agreement with the Lab. Other objections have been raised about how this type of registration process would create a caste system in and of itself- that merchants would wind up being only those who could afford to maintain premium accounts, own land/their own sims, or some combination of both, favoring larger or more wealthy merchants over smaller “hobby” people. On a platform that is supposedly devoted to creativity, this could have the effect of stifling the very thing Second Life was intended to create. You lose freedom, in the name of security. See Benjamin Franklin for details.

Part of the problem is that individually, transactions are so small that they are not worth fighting over- and this is the biggest reason why so few major court cases (though there have been some rather notable ones) appear involving Second Life and other virtual world platforms. Few people are losing (or making) enough money to make the legal fees involved in the pursuit of a civil case worth it, or the time it would take. The principles are large- but the amounts, individually, preclude hiring a lawyer to sort it out. Because of this, issues that would more likely be brought before the court are never shown the light of day. But the anger, resentment and frustration they cause are cumulative and can result in people leaving the world of virtual commerce entirely.


The DMCA Debacle

But what happens when vendors are accused of ripping off one another, or perhaps a third party? Because the goods are all virtual, this very often comes down to an accusation of intellectual property (IP) theft, which falls under the purview of the DMCA. However, Linden Lab is not a law enforcement agency or a court. They cannot adjudicate Digital Millennium Copyright Act (DMCA) violation claims. They can only respond to them within the boundaries of the law. This can get very tricky, as we have previously seen from the Ozimals vs. Amaretto case. Mostly, the Lab’s role in all of this seems to be less policing, and more shuffling papers around. Unfortunately, it doesn’t look like they’re doing a very good job of shuffling those papers. There’s a (admittedly rather nasty) debate going on about this issue here, and a secondary discussion about how DMCA claims can be (and are they?) used as a weapon here. But the upshot of both discussions, in a meta sense, is how DMCA, as the “law of the west” on the digital frontier is being used and misused, and Linden Lab is either a) doing the best they can with inadequate tools or b) bungling the hell out of the entire thing, depending on which side of the aisle you’re on.


How Much Is Realistic?

At a certain point though, you need to step back from your own individual frustration (and don’t get me wrong, I have them too- it took me five months to fix DGD’s listings on Marketplace after the merger) and start to ask a larger question- how much is a realistic amount of responsibility for the Lab, as the platform provider to take on? Are we expecting the impossible? Sure, in an ideal world the answer might be “all of the responsibility belongs to the Lab.”, but last I checked we didn’t live in one, and I have never been known for being an idealist. Or is it more to the point to say “All of it, to one extent or another”, with that extent being determined on a case by case basis?

For example, yes, the Lab did remove RedZone and its creator from the grid. But it took quite some time to do it, and the media protocols hole that allowed this problem to exist in the first place still remains with no word whatsoever on what, if anything will be done about it. Is this enough? (In my case on this particular issue I’m going to say no, but I’m trying to speak abstractly here.) At what point do we decide that we need to trade some security, for cost effectiveness and some marginal degree of convenience? How responsible should the Lab be for dealing with policing marketplace, and DMCA issues? At what point does it become too much, and the demands too unrealistic, no matter where they come from?

These questions are important. Not just today, and using these examples given here. But in a larger sense, of the frontier of digital commerce. This is by no means a small industry. Virtual goods are trading globally at a rate of billions of dollars a year. Clearly, there needs to be some accountability and consumer (and merchant!) protection. But because we are dealing with a digital, and international community, the ragged edge of how to protect people while still allowing for creativity and freedom (and the potential to make a whole lot of money, which I admit, is something I completely support) is a difficult balance to achieve.

Linden Lab is by no means the only company struggling with these issues. They are being faced by any organization dealing with digital commerce at the global level. This is a period of growth and learning. After all, companies are made up of people, who at the end of the day had to learn how to ride a bike the same as the rest of us. They make mistakes. They screw up. They fall down. They sit around thinking “I have NO IDEA what to do about this…” and millions of people expect them to know how to deal with all those issues, magically, as if they sprung fully formed out of their heads like Athena from Zeus.

Don’t get me wrong- I’m as critical of the Lab as the next person. In fact, generally more so than the next person. But this week’s spate of debates truly has me asking “At what point is this too much to ask? What is reasonable? What is realistic? What is even POSSIBLE?”

We’re sitting on the back of the bike, too. We’re going to fall down a lot until we learn how to ride.
