Original URL: https://www.theregister.com/2007/05/14/virtual_safety/

Are you virtually safe in virtual worlds?

Should you care?

By David Norfolk

Posted in Software, 14th May 2007 09:20 GMT

Editor's blog: We all know about the risk of identity theft in the real world, or we should know about it. But what about the virtual world?

Holger Wandt of Human Inference, a specialist in natural language processing to remove errors and duplicates from real world datasets, recently raised an interesting question concerning personal information in the virtual world.

"The average consumer feels their personal information should be stored correctly, securely, and reliably; but how does the same consumer feel about his or her data in community networks, such as the phenomenally popular Second Life?" Wandt asks. "Will we be recording 'virtual' information as well as ordinary personal data in future? And will we then proceed to link this data?"

There are many ways of using (or exploiting) data, some far from obvious.

Let's think about virtual communities such as Second Life. Could they perhaps compromise your identity? Would your Avatar leak information that could be used to steal your real world identity if asked for it by a particularly interesting – or sexy – virtual being? Are you, perhaps, less cautious in a virtual world?

Wandt takes this issue altogether more seriously than I might have done – and he may well have a good point. "What makes Second Life special is that this virtual world deals in real money," he says. "It has a completely integrated economy, in which craftsmanship, risks, and innovative ideas are rewarded. The inhabitants create their own virtual products and services and earn Linden Dollars, a virtual currency, which can be exchanged for American dollars through the LindeX currency exchange.

"In 2006, Second Life's gross national product was $64m. It is therefore not surprising that it is becoming increasingly attractive for companies to appear in Second Life. Philips, Reebok, Nike, Coca Cola, Toyota and Adidas have already created virtual sites where people can see and try out their new products. However, the interesting question is whether these will be limited to feedback for product innovation. How does Second Life [or these commercial companies] use the data from community members, and how safe is the data actually?"

Virtually Private

[Image: Screenshot of 2nd Life Privacy Policy.]

The first article in the Linden Lab Privacy Policy states: "We collect personal information and usage statistics to maintain high-quality customer experience and deliver superior customer service."

Wandt says this is a fairly generic statement, which can be interpreted in many ways. He goes on to say: "This is essential, because the company understands its commercial success extraordinarily well and explains to the potential participant what information will be used in what way, and how it could be made accessible to third parties.

"When registering the user decides on his/her first name and chooses a surname from a dropdown menu. The list of possible surnames is culturally very diverse. You can state your preference for names like Abdallah, Delgado, Gao, Ivanova, Izumi, Kovacs, Lehmann, Xingpeng, Young, and Zwiers. One can only speculate about the reasons for such a list, although it is likely that a user would tend to choose a name that resembles his/her own name and/or fits into his country of origin [so you might be able to obtain more information, in aggregate at least, than the user intends to give away].

"A date of birth (that is also used for verification if a user forgets his/her password - users are encouraged to use their own dates of birth) and an email address are also requested to complete the registration. Linked to the user behaviour in the community, this data provides a wealth of information for any company. The registration is also linked to an IP address, leading to speculation about the linking of virtual data with real personal data."

Of course, Wandt doesn't want to suggest that Linden Lab is involved in fraudulent, or even undesirable, practices, merely that the digital identity of consumers is closer to their real identity than they might think.

Big Brother or big reality?

Wandt then gave an example of the ease with which a real identity can be converted into a digital identity by someone you'd expect to be able to trust, and then misused - in the recent judgment against the owner of the New York company, Compulinx.

"When choosing his favourite victims this director stayed close to home and concentrated on his own employees. He used their identities to negotiate loans or make credit card applications. Together with his cousin, the fraudulent CEO made over one million loan requests in the names of the 50 employees in his company. The director was sentenced to 165 years in prison and given a fine of $5.5m. His cousin faces a possible 35 years in prison and a fine of $1.25m.

"This is certainly another of those notorious 'American cases'," Wandt admits, "but it does demonstrate that Big Brother (as in the concept described by George Orwell in his book 1984 and not the reality TV programme) is more of a reality than many might think. Personal information is indeed the most valuable information we have.

"Certainly, Second Life, and online communities more generally, raise the question of data quality in the virtual world," Wandt claims. "If 'virtual' data is tied closely to real data what are the risks? What protection should be put in place and how do organisations go about ensuring that data is correct? With identity theft a growing phenomenon in the 'real' world – how long before it becomes so in the virtual world, costing both real and virtual money to business and people alike?"

I don't have the answer – I certainly don't fancy the idea of a 'virtual police force' in cyberspace (I've read too many Judge Dredd comics; and suspect that many policemen – or home secretaries – might fancy the Dredd role).

But once Wandt has raised the issue, I'm rather more nervous than I was before. It seems to me that, in all forms of "social computing", the human issues around privacy, bullying, and the theft or manipulation of personal data are going to be far more important than the technology issues the vendors tend to bang on about. ®