Open letter to Linden Lab: Enforcing policies?

[LittleMe Jewell]

2 minutes ago, Rowan Amore said:

I've seen screenshots of people's profiles posted on other websites.  Not sure how LL can control something like that.  

True, though random screenshots are nothing compared to the entirety of all SL Profiles.

While LL cannot do much about random screen shots, they possibly can do something about the mass export of SL data.

[Coffee Pancake]

It's as if LL got hacked, only it's somehow ok because they forgot to get our credit card numbers and passwords.

[Rowan Amore]

4 minutes ago, Coffee Pancake said:

They can't .. but there is a big difference between one and everyones.

 

True although the premise is exactly the same.  Your profile is.not private in any way.  Is it just the vast amount of info that's been gathered and how it was gathered that's at issue?  I could hit 2 places, screenshot 100+ avatar profiles and post it all.on a website.  The only way to prevent it at all.is to do away with profiles.

[Rolig Loon]

22 minutes ago, Rowan Amore said:

However, if you create an army of alts, Linden Lab may charge a small fee of US$9.95 for the creation of each additional basic account as a way to recoup some of the cost.

and

23 minutes ago, Rowan Amore said:

Only one Access Account is permitted per unique user; additional Access Accounts for the same unique user require a one-time access payment. Uniqueness of users is determined in Linden Lab's sole discretion.

The alt policy is written quite clearly in such a way that LL can decide at their own discretion whether to allow you to have extra alts and whether they will charge you for them. Those two statements that you quoted from the policy do not imply that they will enforce a limit or that they will charge, merely that they leave those doors open.  If nothing else, they give the Lab a justification, if needed, for taking harsh measures against griefers.  We -- a small subset of the small number of SL residents who use the forums -- have no way of knowing how often they have done so. 

[Coffee Pancake]

1 minute ago, Rowan Amore said:

The only way to prevent it at all.is to do away with profiles.

Now you know why other MMOs etc don't have free form profiles you can type anything in .. even medical data.

[CaithLynnSayes]

Just now, Coffee Pancake said:

That's the thing .. we didn't.

See https://community.secondlife.com/knowledgebase/english/profiles-r395/

Public inside SL's walled garden is not public.

But it's far worse. This might be legal to do in the US. But its very much not legal to do in the EU.

It doesn't matter that the data is about avatars.

It matters that one persons data can be distinguished from another persons data - whatever that data might be, even if you can't tie the data to a specific human.

So i am European (uh oh, i'm sharing PII, lol) And i'm going to dig into this hopefully coming back with accurate legal information on this because i can see your concern.

Having said that, i had a quick look through LL's privacy policy and i can already identify something in LL's defense:

Tommy just said that they will never share your Personal Identifying Information, and that is exactly what this says so that will be LL's defense when such a thing would ever come to court.

I hate defending LL because Lord knows I've had my differences with them but i will keep hammering on the fact that it is information you've put out there. Even if you have changed the settings so nobody can see it outside LL. It is really hard for LL to police outside SL on this. 

However i do know why these 4 threads occurred and i completely understand. It is because LL "allowed" it is what people would think, and in a way this is the case. But lets not forget that because LSL allows profiles to be read is foor "good use" within SL. There are good reasons for such LSL functions to exist within SL but they can be abused. LL's ToS however also states that you should not use it's functions for bad things.

I'm not a lawyer, i'm very much interested in law but i won't claim to be well versed in it to be able to answer this one with confidence.

It's an interesting one and i will do some research on it.

[Sparkle Bunny]

3 minutes ago, Rowan Amore said:

I've seen screenshots of people's profiles posted on other websites.  Not sure how LL can control something like that.  

That's not up to LL to control. It's up to the user to contact the website and get it removed.

What is up to LL to control is the behaviour that its users (scripted or unscripted) are permitted to engage in. It's very unclear whether the owner of the profile-scraping bots consulted with LL about the legality of their activities beforehand, and equally unclear why LL agreed it was OK. I wish there was some transparency about what exactly the links are here, and whether LL are selling our data to third-parties or simply giving it away.

[Rowan Amore]

2 minutes ago, Rolig Loon said:

and

The alt policy is written quite clearly in such a way that LL can decide at their own discretion whether to allow you to have extra alts and whether they will charge you for them. Those two statements that you quoted from the policy do not imply that they will enforce a limit or that they will charge, merely that they leave those doors open.  If nothing else, they give the Lab a justification, if needed, for taking harsh measures against griefers.  We -- a small subset of the small number of SL residents who use the forums -- have no way of knowing how often they have done so. 

Yes, I noticed the ambiguity in the statements, also.  In all my years here, I've never encountered anyone who paid for an alt.  

[Coffee Pancake]

5 minutes ago, CaithLynnSayes said:

Tommy just said that they will never share your Personal Identifying Information, and that is exactly what this says so that will be LL's defense when such a thing would ever come to court.

If you buy a travel card to use the train, even if its not linked to your name, the details of when that specific card is used counts as private data.

Even when someone could follow you and watch where you go, because you're doing it all in public.

An individuals data can not be shared or scraped like this.

 

Edited January 23, 2023 by Coffee Pancake

[CaithLynnSayes]

Just now, Coffee Pancake said:

If you buy a travel card to use the train, even if its not linked to you name, the details of when that specific card is used counts as private data.

Even when someone could follow you and watch where you go, because you're doing it all in public.

An individuals data can not be shared or scraped like this.

 

The train ticket isn't personally identifying me though.

[Scylla Rhiadra]

If I might reframe this in  the terms of the OP of this thread . . .

LL permits bots, but those bots have to be registered, and, by implication with reference to the proscription against using them for gaming traffic, they have to be put to a "legitimate" use.

What needs to be defined, still, is what exactly constitutes a "legitimate" use.

So long as a bot (or army of bots) is operating solely within SL, it is accessing and deploying information within that "walled garden," and its activities thus legitimate, in large measure because they are still limited by the LL ToS, and by the capacities of the platform (i.e., what can and cannot be done with LSL, the limited means of communicating large masses of information, and so forth).

But we're in a bit of a quandary when that data, scraped "legitimately" within SL, finds its way outside of the platform. LL will make no move, in large measure because it can't, against violations of the ToS, as for instance disclosure of RL info, that occur off platform. But at what stage, in the transfer of that data from in-world bots to an outside platform, such as a web page, can LL argue that the violations are outside of its jurisdiction?

Again: is data scraping for export off-platform a legitimate use of bots? I don't think you'll find the answer to this in the ToS.

Which is what makes this interesting:

59 minutes ago, Tommy Linden said:

As we previously mentioned, all of the information that is currently being displayed on a third party website, is all accessible via lsl script call, and is considered to be public information. I understand there are some of you that don't agree with that decision, but at this time that information is considered public.

[TimKoul]

I consider ones account status (premium, plus, basic) to be private since there's no way to able to show that on our profiles or anywhere else on any SL website so it's basically hidden information.

But apparently Lindens made it public info via a script so it doesn't violate their privacy policy? So bots can just harvest it and post it on a 3rd party website?

I'm really confused.

[Coffee Pancake]

2 minutes ago, CaithLynnSayes said:

The train ticket isn't personally identifying me though.

That's the point - it doesn't have to.

So long as your travel card data can be distinguished from another, it's covered by the GDPR.

[Sparkle Bunny]

2 minutes ago, TimKoul said:

I consider ones account status (premium, plus, basic) to be private since there's no way to able to show that on our profiles or anywhere else on any SL website so it's basically hidden information.

But apparently Lindens made it public info via a script so it doesn't violate their privacy policy? So bots can just harvest it and post it on a 3rd party website?

I'm really confused.

Apparently, scripters had already figured out ways to access your subscription status (it needs to be visible to both the client and the server, so, yeah). The new function just makes it more straightforward to do what they were already doing.

And even those who don't script know that 'no payment info on file' means you're looking at a basic account and all owners of Linden homes are premium, so... not really hidden, no.

[CaithLynnSayes]

Just now, Coffee Pancake said:

That's the point - it doesn't have to.

So long as your travel card data can be distinguished from another, it's covered by the GDPR.

I will have to look this up. You can be right on this, i'm not saying you're not. All i'm saying is that i don't see this as personally identifying information.

I know you from here on the forums and i know you've made a viewer and i know your views on things more or less. that's about it. I have no clue who you are in real life and i'm pretty sure this is going to be LL's defense. Nobody can personally identify anyone here unless such information is specifically shared by that person itself.

Again, you can be totally right and if so that would be very interesting to learn.

[Silent Mistwalker]

4 minutes ago, Scylla Rhiadra said:

Again: is data scraping for export off-platform a legitimate use of bots? I don't think you'll find the answer to this in the ToS.

This takes us right back to RedZone. At the time the TOS was changed to reflect that, at its most basic, exporting info from within SL to an external site was not a legitimate use of a bot. In essence, RedZone was a bot. I think that wording has been changed since then and is no longer as clear cut as it once was. 

So, let's try answering the question, what are legitimate uses of bots? I've already offered several legitimate uses, but it seems to have been ignored mostly.

LL does need to be a bit more clear on what exactly constitutes legitimate uses of bots in the TOS.

[TimKoul]

3 minutes ago, Sparkle Bunny said:

Apparently, scripters had already figured out ways to access your subscription status (it needs to be visible to both the client and the server, so, yeah). The new function just makes it more straightforward to do what they were already doing.

And even those who don't script know that 'no payment info on file' means you're looking at a basic account and all owners of Linden homes are premium, so... not really hidden, no.

I just assumed all that info stayed within SL boundaries though.

[LittleMe Jewell]

15 minutes ago, Rowan Amore said:

Yes, I noticed the ambiguity in the statements, also.  In all my years here, I've never encountered anyone who paid for an alt.  

My understanding is that people did pay, but that was back in SL's early days - definitely before I got here in Mar 2007.

[LittleMe Jewell]

1 minute ago, Silent Mistwalker said:

LL does need to be a bit more clear on what exactly constitutes legitimate uses of bots in the TOS.

^^ This. 

Though as with many LL things, they prefer to be a bit ambiguous because it gives them more latitude in things.  They have said as much when we have asked for specifics related to various rules.  

[Coffee Pancake]

@Tommy Linden

"The fact that data is public doesn't automatically make it non-private data though. The fact that it's possible to limit who can see your profile would give a reasonable person the expectation that they have some control over who gets to access what personal data they share via their profile.

Personal data shared with LL for the purpose of being displayed to other residents doesn't mean blanket permission is granted to LL - or anyone else - to do with that information as they please (and I'm referring to profiles that mention age, gender, sexual orientation, medical information such as a disability or a disease, not the profiles with an ASCII bunny on them) as far as I understand the GDPR.

A bot army roaming the grid could compile a list of residents that have been to a parcel that appeals to a particular protected class using nothing but LSL. The bot operator could then offer services to target those specific classes with advertising or hate speech or offer live updates of their in-world location to the world or specific indivudals. All because all LSL data is "public domain" data.

Surely there can't be any argument that this would fall under GDPR's "(contract/service) consent" or the catch-all "legitimate interest" (for EU residents)?"

[Silent Mistwalker]

2 minutes ago, LittleMe Jewell said:

My understanding is that people did pay, but that was back in SL's early days - definitely before I got here in Mar 2007.

Yes, we did have to pay, which is why I never had an alt until we didn't have to pay. lol

[Sparkle Bunny]

Just now, TimKoul said:

I just assumed all that info stayed within SL boundaries though.

So did we all.

I have never posted any RL info on my profiles whatsoever, but it could be argued that the existence of the '1st life' tab encourages people to do so. Nor have I ever reused a username from another website in SL, but I'm sure that's happened too. All those people have now had their privacy compromised, because the walled garden they thought they were interacting within doesn't have functioning walls.

I agree that this is not a legitimate use of bots.

[CaithLynnSayes]

1 minute ago, Silent Mistwalker said:

LL does need to be a bit more clear on what exactly constitutes legitimate uses of bots in the TOS.

Totally agree. As i said before, that policy was last updated January 2014.

I'm 'too young' to have seen RedZone but I've heard about it from the 'elders of SL' lol. The BBots whom shall not be named and RedZone undeniably have a lot in common.

[Prokofy Neva]

4 hours ago, Rowan Amore said:

Not sure if LL search has been fixed but it had issues the last couple of years returning irrelevant results as Prok mentioned more than a few times.  I rarely use anything in search other than the destinations guide so if the TPVs did away with Legacy search and LL search works properly, I could get behind them dumping legacy search.  

The only reason we still have an economy is because the TPVs still have legacy search. The Lindens themselves don't seem to acknowledge this.

[Love Zhaoying]

21 minutes ago, Scylla Rhiadra said:

So long as a bot (or army of bots) is operating solely within SL, it is accessing and deploying information within that "walled garden,"

So, gardening is a legitimate use for Bots!