Jump to content

Bait and Switch


You are about to reply to a thread that has been inactive for 177 days.

Please take a moment to consider if this thread is worth bumping.

Recommended Posts

Posted (edited)
1 hour ago, Scylla Rhiadra said:

Who on earth would be interested in such information, though? What would be the point? Even Facebook, that most insidious of data harvesters, doesn't seem to much care about identities that are not RL -- as witness the fact that they delete avatar accounts.

I'm not doubting you that this is happening, but what on earth could they find out about me that would be worth having?

Even though it is a virtual account some might mind that the creator might be recording, for example, what options they are selecting, how frequently they are using their product or from which regions they are using it without their knowledge as they don't expect that from a product that isn't obviously needing to use a server to perform it's primary purpose.  The real human is performing those selections and moving their avatar around and so it is data tracking the actions of that real human even if only applied to a virtual avatar and it is still all identifiable as coming from one account.  People get stuck on the fact that no RL identity information is involved but that is a red herring and not everything around privacy only applies to RL identities.  This is often used as a way to hand wave around the privacy issue.

Now that said, SL as we know is built like a leaky boat when it comes to data about what you are doing and so it can be convincingly argued there is no expectation of that kind of privacy.  That is certainly true for a great many things but even then only up to a point.  For example: most people wouldn't want to give random people ability to track them on the map.  They want to grant that ability if at all and so without subterfuge it isn't possible for any one to track you in this way without your knowledge.  There are limits.

In the case of products that track you, there is also the expectation that those products should be performing their stated purpose plus some things to support doing that and nothing more.  So people shouldn't just have to blindly accept and pay for products that pile on additional tracking for some unknown purpose.

Simply put, there many people just don't want to be tracked this way and feel they want to be able to exercise their choice not to buy products that subject them to this.

It's not all about tracking though.

Even if someone doesn't care about tracking, there is at least the fact that the product has a potentially limited lifespan.  There is also the possibility that the creator has implemented a black list that can disable a product for a particular user if they pee them off for some reason.  It could be they want to force all their users to newer products after a while.  It can be pretty convincing (at least in their minds) for the creator to say that the product had to be disabled because it no longer works properly any more but the newer, better product is available to purchase.  Just some of the possibilities.

If it could be known that scripts in products were calling home, even if only to find out about it after buying, it would make some people contact the vendor to ask why long before the unwelcome surprise of the product ceasing to function.  People may also decide to ditch that product for another product that isn't doing this.  They may decide not to buy from that vendor again, especially if the product doesn't seem to do anything that should require that it call home.  Obviously if it is all above board and reasonable then the vendor shouldn't mind mentioning this on the product info before someone makes a purchase either.

Admittedly many people wouldn't care but for those that do, they would find it useful to know.

Edited by Gabriele Graves
corrections
  • Thanks 2
Link to comment
Share on other sites

This sort of thing is exactly why I would never purchase a Legacy body. Everything their huds do requires it to "phone home".  It's not a matter of if it will stop working one day, but when.

Now I need to know what hair-maker to avoid. I hope it's not one I've already bought stuff from.

  • Like 5
Link to comment
Share on other sites

Is there really information worth collecting, though? I feel a rational creator wouldn't be motivated to cobble together this apparatus.

(Acknowledging there are superstition-sick paranoid creators out there. Maybe some creepy pervs, too, but surely not our trusty wigmakers!)

  • Like 3
Link to comment
Share on other sites

Posted (edited)
1 hour ago, Gabriele Graves said:

If it could be known that scripts in products were calling home, even if only to find out about it after buying, it would make some people contact the vendor to ask why long before the unwelcome surprise of the product ceasing to function.

Or just have LL implement permissions the same way Android/iOS apps have varying degrees of things they can/cannot do. In most cases people will simply not care, but at least it makes things visible when those functions are used in a script where you wouldn't reasonably expect them to be.

Updo Hair, owned by you, would like to:

* track your location (=llHttpRequest)
* track the people around you (=llSensor)
* listen to local chat (= llListen)
* communicate/send information to a remote host

[ Allow] [ Deny ]

(Also updates can be done simply by redelivering an item to all people who have purchased it; no embedded scripts required)

Edited by Kitty Barnett
  • Like 3
  • Thanks 4
Link to comment
Share on other sites

1 hour ago, Gabriele Graves said:

Thanks to @Coffee Pancake for raising this issue.  I certainly wouldn't want the products I buy to do this and am glad to know so that I can give this particular vendor a hard pass.

Just curious. How would one find out if they're being tracked by something they are wearing or have attached? I kind of want to delete these items now if I have any.

Link to comment
Share on other sites

Posted (edited)
21 minutes ago, Qie Niangao said:

Is there really information worth collecting, though? I feel a rational creator wouldn't be motivated to cobble together this apparatus.

(Acknowledging there are superstition-sick paranoid creators out there. Maybe some creepy pervs, too, but surely not our trusty wigmakers!)

news.2008.741.jpg

I'm assuming you jest about the hair makers.

Edited by Gabriele Graves
  • Like 1
Link to comment
Share on other sites

Posted (edited)
3 minutes ago, Finite said:

Just curious. How would one find out if they're being tracked by something they are wearing or have attached? I kind of want to delete these items now if I have any.

There isn't a reasonable way to know this that I am aware of.  Usually people who *know* they are being tracked by a particular avatar have to remove everything they are wearing that was given to them by that person to be sure.

Edited by Gabriele Graves
  • Like 1
Link to comment
Share on other sites

1 hour ago, bigmoe Whitfield said:

I've got a nuka cat that it's hud phones home, not worn it in some time and the other night,  it's ao hud was throwing http errors.  um why would a ao hud need to call home?

some creators just like to collect statistics on their customers use of their products

other products dial home and give free updated versions

the main issue with dial home scripts is that they are written to say in chat what/when HTTP errors occur.  And continue to pound away at the server when such errors do occur

when people write scripts like this they often have this assumption that their server will always be online for the entire lifetime of the product in the hands of the customer (everlasting while SL exists). That they the creator will provide an everlasting service also. Which is not always the case nevermind our initial assumption that we are going to be an everlasting service. Creators can and do close shop or discontinue supporting a product (for any number of legitimate reasons). Server taken down, or product discontinued, yet script continues to pound away at fresh air, cheerfully chatting out HTTP errors ever after

if we are going to have our products dial home then we should factor in for the day when our business no longer supports the product

the least thing we should do is provide a way for our customers to suppress/turn off the chat from our now unsupported products. The more complete solution is to have the script stop making HTTP requests to our server when product support and/or server has been discontinued

  • Like 3
Link to comment
Share on other sites

There are a lot of people in life that enjoy "cancelling" others for sport.  Data on your avatar is just part of a mosaic.  The fact that everything is hosted on AWS nowadays provides interesting pivot points that did not exist before. 

Link to comment
Share on other sites

3 hours ago, Gabriele Graves said:

Even though it is a virtual account some might mind that the creator might be recording, for example, what options they are selecting, how frequently they are using their product or from which regions they are using it without their knowledge as they don't expect that from a product that isn't obviously needing to use a server to perform it's primary purpose.  The real human is performing those selections and moving their avatar around and so it is data tracking the actions of that real human even if only applied to a virtual avatar and it is still all identifiable as coming from one account.  People get stuck on the fact that no RL identity information is involved but that is a red herring and not everything around privacy only applies to RL identities.  This is often used as a way to hand wave around the privacy issue.

Now that said, SL as we know is built like a leaky boat when it comes to data about what you are doing and so it can be convincingly argued there is no expectation of that kind of privacy.  That is certainly true for a great many things but even then only up to a point.  For example: most people wouldn't want to give random people ability to track them on the map.  They want to grant that ability if at all and so without subterfuge it isn't possible for any one to track you in this way without your knowledge.  There are limits.

In the case of products that track you, there is also the expectation that those products should be performing their stated purpose plus some things to support doing that and nothing more.  So people shouldn't just have to blindly accept and pay for products that pile on additional tracking for some unknown purpose.

Simply put, there many people just don't want to be tracked this way and feel they want to be able to exercise their choice not to buy products that subject them to this.

It's not all about tracking though.

Even if someone doesn't care about tracking, there is at least the fact that the product has a potentially limited lifespan.  There is also the possibility that the creator has implemented a black list that can disable a product for a particular user if they pee them off for some reason.  It could be they want to force all their users to newer products after a while.  It can be pretty convincing (at least in their minds) for the creator to say that the product had to be disabled because it no longer works properly any more but the newer, better product is available to purchase.  Just some of the possibilities.

If it could be known that scripts in products were calling home, even if only to find out about it after buying, it would make some people contact the vendor to ask why long before the unwelcome surprise of the product ceasing to function.  People may also decide to ditch that product for another product that isn't doing this.  They may decide not to buy from that vendor again, especially if the product doesn't seem to do anything that should require that it call home.  Obviously if it is all above board and reasonable then the vendor shouldn't mind mentioning this on the product info before someone makes a purchase either.

Admittedly many people wouldn't care but for those that do, they would find it useful to know.

Yep, you're right about all of this.

I guess what I was asking is sort of what Qie asks: why would they bother? What value is any of this information? Using harvested data to produce marketing plans and so forth is actually something of an art form, and it's hard to imagine what data this could gather that would be of any actual financial worth. Suppose it tells you that I, and other purchasers, tend to go to a particular club? Or even shop at a particular clothing store. How would you translate that into something that was usable?

That said, I do entirely get not wanting to be tracked. I know for a fact that I was being tracked by someone with a HUD recently -- not by location, but to determine whether I was online or not. It was annoying rather than sinister or stalkerish, but it wasn't very nice in any case. The person doing that has now been blocked, and I think that is preventing the HUD from detecting me. Or not. In any case, yes, being tracked can be creepy.

  • Like 2
Link to comment
Share on other sites

1 hour ago, Scylla Rhiadra said:

I guess what I was asking is sort of what Qie asks: why would they bother? What value is any of this information? Using harvested data to produce marketing plans and so forth is actually something of an art form, and it's hard to imagine what data this could gather that would be of any actual financial worth. Suppose it tells you that I, and other purchasers, tend to go to a particular club? Or even shop at a particular clothing store. How would you translate that into something that was usable?

I don't know why for sure and yet we have products dependent on calling home when there is no need nonetheless.  I doubt we would ever get a clear answer from a creator doing this either.  I suspect paranoia of some sort does play a large part.

  • Like 3
Link to comment
Share on other sites

Posted (edited)

I think only data they collect avatar name.. for forced subscription message spam.. But they don't have to use hair for it. "Removing its name :P" vendor even marketplace can provide this data.

4 hours ago, Kitty Barnett said:

Updo Hair, owned by you, would like to:

* track your location (=llHttpRequest)
* track the people around you (=llSensor)
* listen to local chat (= llListen)
* communicate/send information to a remote host

[ Allow] [ Deny ]

This explanation misleading for new residents and technical explanation will be confusing.

llListen.. it might be HUD or expecting a command input or menu input from owner etc.. It doesn't means it is reading you daily local chat (but it is doable).

llHttpRequest can only reveal data about your SIM it cannot track your RL location unless external link involved.

llSensor It also tracks objects (pet food and pet etc..) tracking people around you not suitable explanation.

I think this idea nice but they really need to think about clarification.

Edited by RunawayBunny
Link to comment
Share on other sites

Posted (edited)
4 hours ago, Gabriele Graves said:

I don't know why for sure and yet we have products dependent on calling home when there is no need nonetheless.  I doubt we would ever get a clear answer from a creator doing this either.  I suspect paranoia of some sort does play a large part.

Content and IP theft is always going to happen if the product in question is even half good. That's going to range from stuff that's very similar all the way up to asset flips, trying to detect 'errant' behavior via script is fruitless, even if they did find someone doing something truly weird, that alone isn't grounds for anything.

Maybe by having a huge database and creeping round the grid on alts, trying to identity weird people doing weird things, can help a creator be one step ahead once in a blue moon when it turns into something actionable. But that's not what get's anyone into making things for SL. If anything it feels like it would be a distressing distraction that undermines the motivation and enthusiasm for making things in the first place.

Fair use, unintended use, all happen and personally, If someone is going to the time and effort to haul something of mine off the narrow intended track I imagined when making the thing, I at least want to make it easier for them (some of the most fun and rewarding times as an SL merchant have been getting asked to help someone do something I'd previously written off as madness).

Actual Theft that goes beyond personal use is something else and I've had to deal with that too, it's a pain in the butt. If someone's going to rip my actual work off, to hurt my business, I don't want to know about it on step 3. I want to know about it on step 10 after they have put the most effort in and all that's left is for me to write up a DMCA at my leisure. Every time it's gotten this far, someone has ratted the perpetrator out to me. Every. Single. Time.

Edited by Coffee Pancake
  • Like 2
  • Thanks 2
Link to comment
Share on other sites

Posted (edited)
6 hours ago, Scylla Rhiadra said:

I guess what I was asking is sort of what Qie asks: why would they bother? What value is any of this information? Using harvested data to produce marketing plans and so forth is actually something of an art form, and it's hard to imagine what data this could gather that would be of any actual financial worth. Suppose it tells you that I, and other purchasers, tend to go to a particular club? Or even shop at a particular clothing store. How would you translate that into something that was usable?

if we took this to Facebook/Google data scraping levels then our very popular clothing line could scrape a whole lot of quite valuable data on what our customers are wearing and what everybody else on the region is wearing

this could help inform in the design planning for our new season lines

 

edit more:

have talked about this at different times on various scripting boards.  A thing could be (or maybe even should be) a prim property: DO NOT SCAN ME which applies to the whole linkset

when the property is set then the linkset is not returned in llGetAttachedList

Edited by Mollymews
  • Like 1
Link to comment
Share on other sites

7 hours ago, Finite said:

Just curious. How would one find out if they're being tracked by something they are wearing or have attached? I kind of want to delete these items now if I have any.

This is another reason to be deeply suspicious of any no-mod object containing a script: One reason to make it no-mod is to prevent us adding a script that can detect any http_response events flowing to it.

Nonetheless, Coffee was alerted to the (possible) tracking here because the hair script would eventually hit a built-in throttle on the llHTTPRequest function when she touched the HUD too many times in too short an interval. It might be possible to force that sort of thing to happen: Make an open-source device that people can wear (and own) on some region they visit just for this purpose* where the device spams a known non-existent server URL with doomed HTTP requests until it hits the (per-user) throttle, and then determines if it hit the throttle too soon, indicating that something else that owner is wearing is doing HTTP requests, contributing to triggering that throttle.

I'm not sure that's really practical, though. I don't think a properly scripted phone-home object necessarily reveals that it has hit the throttle, which is why the testing device would do the counting. So then it could be any other device owned by the same person contributing to that throttle being hit, so the testing avatar would need to wear no other attachments than the one suspected of phoning home. Also, I've never been able to predict with any precision when my scripts would hit that throttle, documentation notwithstanding, but somebody may have more insight, or more testing may reveal the precise throttle behavior.

Also, a real phone-home obsession could be satisfied without the device itself doing any HTTP requests at all. They could use llEmail() to an in-world object (that may then do undetectable http out to an external service). There have long been very intermittent problems with llEmail (a bug that may or may not have followed sims into AWS?), so such a system would need monitoring and occasional repair by our pervy creator, just as old-timey vendors would occasionally go off-line when their llEmail server threw a sprocket. In theory that email could be replaced by updates to an Experience Key-Value Pair store (an amazingly efficient and elegant way to do inter-sim communications, btw) but that would require the owner to agree to a (grid-scope) Experience, so there'd be nothing secret about such tracking anyway.

____________________
* to not interfere with legitimate HTTP requests their objects may make on a region they care about.

  • Like 1
Link to comment
Share on other sites

9 hours ago, Gabriele Graves said:

There isn't a reasonable way to know this that I am aware of.  Usually people who *know* they are being tracked by a particular avatar have to remove everything they are wearing that was given to them by that person to be sure.

Idea: Add a viewer debug setting that turns on HTTP call logging for all attachments. With details hidden as needed (just show URL, etc.). 

Link to comment
Share on other sites

1 hour ago, Love Zhaoying said:

Idea: Add a viewer debug setting that turns on HTTP call logging for all attachments. With details hidden as needed (just show URL, etc.). 

Predatory competitors will find out where they have to DDOS exactly :P revealing URL nothing but headache and additional cost for creator (backup server / cloudflare).

Link to comment
Share on other sites

The fact that the hair contains scripts that contact a server bothers me far less than the fact that they sold a copy/mod product, broke it on purpose, and replaced said product with a copy/no mod product. Now that so many hair creators have gone to selling no mod hair, I hardly buy new hair. I quite often have to set alpha strands in hair to mask mode so that it doesn't have alpha clashing issues with my clothing so no mod equals no sale in most cases. 

  • Like 3
  • Thanks 5
Link to comment
Share on other sites

Yes, that's the crux of it for me too.

Making a point of buying mod is pointless when a creator can brick your product remotely and swap it out with lesser permissions.

The phone home aspect just makes it clear they set out with the intent of being able to deny functionality from the outset, which inevitably brings up further questions around trust.

  • Like 2
Link to comment
Share on other sites

Posted (edited)

I honestly do not (bar items that rely on servers) understand why a creator would put this in.  No creator (worth their salt) needs any of that info.  We get it from our specific channels eg groups on Facebook with direct engagement with customers on what they want, features, how they want to use products etc.

 

I can’t help but think this is the same folk who spread misinformation about perms, copybot impact and won’t let you Rez something on the floor.  Just poor practice and education.   I made this point before though, so many of these types of creators base their approach on folklore not fact.  The reason they do this is the documentation and information for creators is appalling from LL.   There is a closed creator group on FB and it took us literally months to debunk many of these types of misunderstandings from how to use Lindex limit sells through to specific risks on IP (commercially less than you think)....  we can all do better for our customers. 

Edited by Charlotte Bartlett
  • Like 1
  • Thanks 3
Link to comment
Share on other sites

Posted (edited)
5 hours ago, Sid Nagy said:

I'm I a lucky fellow or what?
I haven't used a wig in SL since 2010 or so.

Bald is beautiful.

 

 

baldness-is-for-womens-crotches-not-mens-heads.jpg

Edited by Sorciaa
  • Confused 1
Link to comment
Share on other sites

You are about to reply to a thread that has been inactive for 177 days.

Please take a moment to consider if this thread is worth bumping.

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...