New Feature: Scripted Agent Estate Access Discussion

[Sid Nagy]

56 minutes ago, xDancingStarx said:

Being allowed to process and store data outside of SL without prior consent hasn't hindered Casper from becoming this big. Lucky for them since this new policy would create lots and lots of issues otherwise. And yet, if this example alone doesn't prove legitimate reasons then I don't know.

Times change. Internet data stealing has become big business. It needs adaption.
And that is what LL is doing: adapting to a changing world.

What Casper did, is no longer allowed without permission if I read the new rules correctly.
He was lucky that he started his business at the right moment at the right place.

A lot of businesses had to close over the years because of changes or being late to the party.
Prim merchants felt the pain when sculpties and meshes showed up.
Home rentals felt the pain when Belli and other premium home rentals by LL showed up.

Changes mean one has to adapt.
Some things can't be done any longer, but other new possibilities will show up. That's how things work everywhere.

56 minutes ago, xDancingStarx said:

Not really, though. The data must be processed and saved during the time of purchase, which means that you have to click before you purchase. Hence my question, do you wanna disallow the user to buy an item before he has clicked the the "I agree" button? I'm just curious how this is supposed to look like.

"You are about to purchase a product through a vendor that gives you the right of redelivery.
For that reason we have to store your UUID on a server outide Secondlife. 

Please click "Purchase with redeliver rights" to give us permission.
Please click "Purchase without redeliver rights" if you want nothing stored about you.
Please click "Cancel" if you want to cancel your purchase at this point. "

Or something similar.

Edited April 1, 2023 by Sid Nagy
It is my Saturday hobby to edit my texts.

[Rowan Amore]

1 hour ago, xDancingStarx said:

Hence my question, do you wanna disallow the user to buy an item before he has clicked the the "I agree" button? I'm just curious how this is supposed to look like.

Right now, the Firestorm viewer has an option where you can get a pop up before making a purchase.  Seems to me it would be easy enough to implement the same kind of thing for any purchase where your info is stored offsite.  If you click yes, you can make your purchase.  If you click no, you can't.  Easy peasy.

ETA...Just logged in and honestly, there are alerts for EVERYTHING.  One more ON by default would satisfy me when my purchase will be logged offsite.  If you don't care, simply turn off the alert.

 

Edited April 1, 2023 by Rowan Amore

[xDancingStarx]

On 4/1/2023 at 2:10 PM, Sid Nagy said:

Changes mean one has to adapt.

Have to adapt because the recent policy changes can create substantial issues. I have said nothing else. But this needs to be acknowledged, and I have the feeling that this isn't easily acknowledged when there's the tendency to immediately paint parties in a bad light. It's definitely not "easy peasy". And there always have been legitimate interests to process and store data outside of SL. I've always advocated for privacy rights. This doesn't mean that I don't acknowledge that there's a risk of driving development and business away from SL when things are getting more complicated.

Here's my solution, though: If LL offered (virtual) servers themselves for reasonable prices, data wouldn't need to be stored outside of the reach of LL. This is utopic, of course, but would rather encourage development than hinder it. (Again, I can admit that privacy rights can hinder development and still advocate for privacy rights.)

 

Edited April 2, 2023 by Quartz Mole

[Sid Nagy]

4 minutes ago, xDancingStarx said:

Here's my solution, though: If LL offered (virtual) servers themselves for reasonable prices, data wouldn't need to be stored outside of the reach of LL. This is utopic, of course, but would rather encourage development than hinder it. (Again, I can admit that privacy rights can hinder development and still advocate for privacy rights.)

I agree, that could be a good possible solution, if it comes with mandatory use for bots.

But that would put an awful lot of reprogramming on LL's plate I guess. So yeah, utopia.
And it would not stop illegal bot use either of course.

[Love Zhaoying]

1)  I'm not sure this came up in the thread yet but - Any data that "Scripted Agents" send to external servers via llHttpRequest() can supposedly be "checked" by Linden Lab. Because the outbound HTTP calls must be going through LL's "proxy servers".

2) Also not sure this came up in the thread yet but - the "industry standard" way of dealing with PII includes both "hashing" and "obfuscating" data (hiding all but a few characters / replacing with "*") before storing it in any database, then using different methods to represent that data instead of using the actual PII data. At least, that is my own personal experience as an IT professional.

So, the data could be both "checked" and "scrubbed".  I am not going into details of "how" or "who would do this", because there are many, many solutions (and of course, fewer "best practices").

 

 

[xDancingStarx]

10 minutes ago, Sid Nagy said:

So yeah, utopia.

Then again, we're already renting regions from LL that can also be seen as a virtual server with a specific OS. So maybe not that extremely far fetched as it would seem at first glance.

 

2 minutes ago, Love Zhaoying said:

Any data that "Scripted Agents" send to external servers via llHttpRequest() can supposedly be "checked" by Linden Lab. Because the outbound HTTP calls must be going through LL's "proxy servers".

I sincerely hope that people have been using HTTPS and this of course in itself clarifies that nothing can be checked by proxy servers.

 

5 minutes ago, Love Zhaoying said:

dealing with PII includes both "hashing" and "obfuscating" data

Pseudonymizing was already brought up in this thread as someone mentioned encrypting data before it's stored, and someone responded that this still falls under GDPR since the data can be transformed again to identify the original data/user.

There is little value to the data if it is anonymized. To take an obvious example, if you anonymize the UUID of a visitor, you will never know if that visitor showed up a second time to your place. If you pseudonymize the data, you still have to ask permission according to GDPR.

[Paul Hexem]

3 hours ago, Qie Niangao said:

And as much as I love what Tyche has done for us for all these years, if bots are all or nothing, I'd now choose nothing

That's really what's at the heart of this.

If LL decides to try to ban all bots they'd have to deal with the consequences.

If they decide to ignore the issue and let bots continue to roam, that comes with different consequences.

This half implemented solution we've got now is their way of trying to avoid both.

[Scylla Rhiadra]

6 hours ago, Randy Pole said:

Parcel level tools for bot access will not work.

A scripted agent simply needs to be anywhere on the sim to perform the tasks it does so someone having the ability to deny scripted agent access to their parcel on that sim will not deny said scripted agent from gathering data on every item and person in their parcel.

Granted it can be used to prevent them from accessing the parcel itself but it will not stop their - other - activities.

This is a huge issue for anyone who owns land on the mainland. Many want the same privacy as has been made available to those on private islands and linden homes but many businesses based on the mainland use bots and should not be punished.

I do not foresee scripted agents being banned from the mainland unless LL gives notice of that happening and relocates established businesses who use scripted agents (greeter bots, models etc.) to alternative scripted agent friendly locations at no additional cost to the customer.

I don't think LL would ever apply a blanket ban on bots to the Mainland (outside of Bellisseria of course): it would almost literally leave bots nowhere to go, and would essentially kill them functionally.

You're right that parcel controls won't stop data harvesting. I wonder -- as someone above suggested -- whether it might be possible to prevent bots from scanning into a parcel, though, in much the way that you can currently make it impossible to see avis inside them. That might be a great deal of work, though. And it would have deleterious effects on the operations of legitimate and non-invasive data collecting bots (i.e., grid surveys, and properly anonymized data).

[Scylla Rhiadra]

5 hours ago, NARF Wonder said:

This NEEDS to be a thing for ALL of SL. I have a premium home and get about 10 bonniebots poofing in in a day. PLEASE make this available for everyone who has land of any kind. OR just remove bots outright. They serve no real purpose.

Your experience is a not uncommon one, and one of the reasons there is so much vociferous opposition to bots right now.

On the positive side, you won't be getting them popping into your LH again.

[Rolig Loon]

7 minutes ago, xDancingStarx said:

To take an obvious example, if you anonymize the UUID of a visitor, you will never know if that visitor showed up a second time to your place.

Actually, that's not quite true.  Many years ago (2009), Becky Pippin published an article describing a method for hashing and compressing 72-byte avatar UUIDs into three Unicode characters. I used her methodology to write a greeter-counter that is still in the wiki's script library. The script can easily identify when a repeat visit has taken place but the stored Unicode characters can't tell you the UUID of the visitor. Compression leaves a small chance that the stored UUIDs will not be unique, but for an application like a greeter that is going to store only a few thousand values for a reasonably short amount of time (months, perhaps) before they are no longer of interest, that chance is vanishingly small. 

[Love Zhaoying]

1 hour ago, Rowan Amore said:

Right now, the Firestorm viewer has an option where you can get a pop up before making a purchase.  Seems to me it would be easy enough to implement the same kind of thing for any purchase where your info is stored offsite.  If you click yes, you can make your purchase.  If you click no, you can't.  Easy peasy.

ETA...Just logged in and honestly, there are alerts for EVERYTHING.  One more ON by default would satisfy me when my purchase will be logged offsite.  If you don't care, simply turn off the alert.

 

Wow!!! This is a great feature!

[Love Zhaoying]

9 minutes ago, Scylla Rhiadra said:

On the positive side, you won't be getting them popping into your LH again.

I thought it was only enabled for Bellisseria, not "all Linden Homes"? (I did not scroll back to see if Narf said their "LH" is in Belli or not.)

Sorry if I lost track. (Thought I paid attention!)

[Scylla Rhiadra]

Just now, Love Zhaoying said:

I thought it was only enabled for Bellisseria, not "all Linden Homes"? (I did not scroll back to see if Narf said their "LH" is in Belli or not.)

Sorry if I lost track. (Thought I paid attention!)

You may be right, actually. The 512s, for instance, are not covered. And of course nothing on Mainland (where I have my home) is.

[Scylla Rhiadra]

I'm just waiting to be told that the new rules are an April Fool's joke.

🙃

[xDancingStarx]

15 minutes ago, Rolig Loon said:

for hashing and compressing 72-byte avatar UUIDs into three Unicode characters

And this is sufficient for being GDPR compliant? Theoretical example. If you get the same 15 visitors every day for a week, at different times, you hash them this specific way. Then you decide, wait a minute, tomorrow I'm gonna implement a function in the script that tells me what UUID was translated into what three characters. Then you can still identify all of the past visits, right? I'm definitely not a GDRP expert, but I would have my serious doubts about this method. Unless I misunderstood you.

Edited April 1, 2023 by xDancingStarx

[Love Zhaoying]

Just now, Scylla Rhiadra said:

I'm just waiting to be told that the new rules are an April Fool's joke.

🙃

It's all a dream, and you (Dorothy) will wake up in your bed surrounded by whoever you dreamed were the Tin Man, Cowardly Lion, Scarecrow, and Wizard.

[Love Zhaoying]

14 minutes ago, xDancingStarx said:

And this is sufficient for being GDPR compliant? Theoretical example. If you get the same 15 visitors every day for a week, at different times, you hash them this specific way. Then you decide, wait a minute, tomorrow I'm gonna implement a function in the script that tells me what UUID was translated into what three characters. Then you can still identify all of the past visits, right? I'm definitely not a GDRP expert, but I would have my serious doubts about this method. Unless I misunderstood you.

If you don't "unhash" the data (and your algorithm does not include a way to "unhash" the data) - then it is "everything compliant" because you don't actually have the original data. The hashed data cannot be related to the "actual" data.

@Rolig Loon, did I get that partly right, at least?

Edited April 1, 2023 by Love Zhaoying

[Phil Deakins]

4 hours ago, Qie Niangao said:

Meanwhile a larger corner whispers "these new bot runners are dumb as bags of rocks."

LMAO!!!

Edited April 1, 2023 by Phil Deakins

[xDancingStarx]

10 minutes ago, Love Zhaoying said:

If you don't "unhash" the data (and your algorithm does not include a way to "unhash" the data) - then it is "everything compliant" because you don't actually have the original data. The hashed data cannot be related to the "actual" data.

This is not true according to my knowledge and information, though.

"In comparison, in the context of the European GDPR, the Article 29 Working Party[6] considered hashing to be a technique for pseudonymization that “reduces the linkability of a dataset with the original identity of a data subject” and thus “is a useful security measure,” but is “not a method of anonymisation.”[7] In other words, from the perspective of the Article 29 Working Party, while hashing might be a useful security technique, it is not sufficient to convert personal data into deidentified data."

https://www.gtlaw-dataprivacydish.com/2021/03/what-is-hashing-and-does-it-help-avoid-the-obligations-imposed-by-the-new-privacy-regulations/

[Love Zhaoying]

1 minute ago, xDancingStarx said:

This is not true according to my knowledge and information, though.

"In comparison, in the context of the European GDPR, the Article 29 Working Party[6] considered hashing to be a technique for pseudonymization that “reduces the linkability of a dataset with the original identity of a data subject” and thus “is a useful security measure,” but is “not a method of anonymisation.”[7] In other words, from the perspective of the Article 29 Working Party, while hashing might be a useful security technique, it is not sufficient to convert personal data into deidentified data."

https://www.gtlaw-dataprivacydish.com/2021/03/what-is-hashing-and-does-it-help-avoid-the-obligations-imposed-by-the-new-privacy-regulations/

Sorry, but "hashing" means something different if there is no way to "unhash", in other words, "decode" the data. Perhaps "hashing" was not the correct term for me to use, in this context.

I meant- completely transform the data by obfuscating it in such a way that it cannot be transformed back to the original data- because the "hashing" algorithm used has no corresponding "unhash" algorithm at all. 

The best I can do, sorry.

[Rolig Loon]

15 minutes ago, Love Zhaoying said:

If you don't "unhash" the data (and your algorithm does not include a way to "unhash" the data) - then it is "everything compliant" because you don't actually have the original data. The hashed data cannot be related to the "actual" data.

@Rolig Loon, did I get that partly right, at least?

Right.  Thanks to the way the data are hashed and compressed, you can't undo the process. I am not a cryptologist, so I say that without the 99.9999% assurance that a real pro might have.  I am reasonably confident, though, that it would take way more effort than it is worth for someone to identify a SL avatar. 

[Ceka Cianci]

From my understanding of what soft said, the only change has been to the adding of the estate management..

They moving a section of the privacy rights to the scripted agent policy to have it seen there as well..

I didn't hear of any change to the privacy rights, just that they made what was already there available from another section..

From my understanding  the collection of information is ok, the sharing of it is where it becomes a violation..

So if say a redeliver service needed my UUID for me to get a redeliver it wouldn't be a violation, unless they made public say, showing my uuid getting a redeliver..

If they made it to where I am the only one that can see it then I don't believe that is a violation.

Unless I misunderstood something..

 

[Scylla Rhiadra]

4 hours ago, Qie Niangao said:

A tiny paranoid corner of my brain whispers "psst. false flag. more bots to force bigger badder bot bans."

I don't know that they are intended as "false flags," but there certainly are accounts -- not all of then bots -- that are spoofing BB and maybe other operations.

It IS odd that there has been such a huge increase in the number of apparent bots recently, far more than can be accounted for by the projects about which we know.

[Love Zhaoying]

4 minutes ago, Scylla Rhiadra said:

I don't know that they are intended as "false flags," but there certainly are accounts -- not all of then bots -- that are spoofing BB and maybe other operations.

It IS odd that there has been such a huge increase in the number of apparent bots recently, far more than can be accounted for by the projects about which we know.

Someone forgot to shut off the "bot-making" bot software?

ETA: I can see someone creating hundreds of bots and spoofing BB just because that helps them get away with it.

Edited April 1, 2023 by Love Zhaoying

[Ceka Cianci]

5 minutes ago, Scylla Rhiadra said:

I don't know that they are intended as "false flags," but there certainly are accounts -- not all of then bots -- that are spoofing BB and maybe other operations.

It IS odd that there has been such a huge increase in the number of apparent bots recently, far more than can be accounted for by the projects about which we know.

This was a concern of mine.. What is to stop someone just wanting data for outside reasons to get stats in this world with unregistered bot?  Someone could do it and not even need a presence or interest in this world other than information for say a college project or what ever reason really..

Maybe another world getting stats or just someone that wants to stay underground..  I think if we look at it as just users here as the only ones with bot armies, then we might be seeing only the trees and not the forest..

We'll find out soon enough if they stop showing up I guess..

Just guessing on maybe why there could be more is all..hehehe