New SL-Dedicated Social Media, Blogging, and Photography Platform PrimFeed Opens! What Are Your Impressions?


I'm on Primfeed since some days now and I must admit: I like it 🙂
The maturity rating mostly works fine as well.

BUT: I'd absolutely love to be able to add tags to pictures like I can on Flickr. The way how it is designed now is overwhelming. You get everything in your gallery feed. It's nice for browsing and strolling around but sometimes I'd like to filter what I see.

Edited by Sabrina Nebula
burrrp
  • Like 5

Hashtags, and trending hashtags. I agree it's overwhelming with the fire hose of content and no groups or lists. Lists that can be used to seamlessly create multiple feeds work well on Twitter/X.

Second Life content was never really allowed to trend / reach the "interestingness" algorithm in any meaningful way on flickr. I always thought it would have been cool if they had like a Second Life switch for that page so you could see what was trending.

 

Edited by missyrideout
  • Like 4

11 hours ago, Sabrina Nebula said:

BUT: I'd absolutely love to be able to add tags to pictures like I can on Flickr. The way how it is designed now is overwhelming. You get everything in your gallery feed. It's nice for browsing and strolling around but sometimes I'd like to filter what I see.

It's already planned for implementing, so stay tuned. We'll get it soon ^_^

  • Like 2

Reading through the post here, I see a lot of concerns about the compliance with GDPR (and potentially other privacy legislations, especially those "inspired" by the GDPR, such as LGPD in Brazil).

I work professionally with GDPR compliance and audits, and while I see a clear attempt at compliance through the Terms of Use, it is far from enough.

While I have a lot of concerns, and I have communicated these to Luke already - there are a few that stand out as severe and need to be corrected without undue delay:

  • Data Protection Officer / Identity and contact details of the controller
    • Data Protection Officer is operating under a pseudonym and there are no conventional methods available to contact the entity or person acting as the controller.
      • Based on previous experiences, this would almost certainly be considered non-compliant with the GDPR’s principles of transparency and accountability. The regulation expects the DPO to be a real, identifiable person to whom data subjects and authorities can reach out.
  • Transparency and Disclosure
    • Not all information collected and processed is listed under the Terms of Use.
  • Security Measures not defined
    • Primfeed allows the users to define a password which they can use instead of the OTP, but the users are not informed of any controls in place to protect the data, such as whether it is encrypted and if it is stored securely.
  • Data Subject Rights
    • In my opinion, Primfeed does not provide the users with appropriate methods of exercising their Data Subject Rights as the only listed method of contact is through IMs and notecards inworld. If a user for whatever reason is unable to access their Second Life account, then they will also be unable to exercise those rights.

At the end of the day, I hope that Luke can succeed with Primfeed and if he hasn't already, I strongly urge that he obtain legal advice on compliance, not just in terms of GDPR but also other legal regulations around the world.

As the social media relies upon - and is built around - Linden Lab's service and IP, I would also urge Linden Lab to engage themselves as any incident involving (the already widely used) social media could also impact their reputation indirectly as well as the confidence of their users - even if the service is not endorsed or provided by LL.

  • Like 2
  • Thanks 4

On 6/20/2024 at 5:31 PM, Scylla Rhiadra said:

Have you tried it? Are you interested in trying it, if you haven't?

Tried it, cause I saw this post. Love it.

Flickr said my email did not exist.

Primfeed didn't even ask for my email. Yay!

  • Like 2

6 hours ago, Tjay Wicken said:

Security Measures not defined

  • Primfeed allows the users to define a password which they can use instead of the OTP, but the users are not informed of any controls in place to protect the data, such as whether it is encrypted and if it is stored securely.

This I raised on Primfeed's feedback page since day one. For me as someone who does QA for a living, the amount of data exposure is currently too great and, while I know the backlog of things to implement is huge, it will eventually lead to its users sharing more and more data that is not protected by any means, which poses a vulnerability and in fact a security risk.

  • Like 4
  • Thanks 1

On 7/14/2024 at 12:37 PM, Sabrina Nebula said:

I'm on Primfeed since some days now and I must admit: I like it 🙂
The maturity rating mostly works fine as well.

BUT: I'd absolutely love to be able to add tags to pictures like I can on Flickr. The way how it is designed now is overwhelming. You get everything in your gallery feed. It's nice for browsing and strolling around but sometimes I'd like to filter what I see.

Yeah, it's been great so far. Luke is coming out with updates, constantly, as well.

  • Like 1
  • Thanks 1

Following my initial forum reply a bit further up in this thread about my GDPR compliance concerns with Primfeed, I wanted to provide a quick update.

Despite communicating my concerns directly to Luke Rowley, I have not received any response or any indication that these issues will be addressed. As a result, I have decided to escalate the matter by lodging formal complaints with the relevant data protection authorities.

I am going to be filing complaints with the following authorities:

  • Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten - IMY)
  • Commission Nationale de l'Informatique et des Libertés (CNIL) 

I believe it is important to take these steps to ensure that my own, but also other European data subjects' data privacy is protected and that Primfeed operates within legal requirements.

If any other European residents feel concerned about the protection of personal information in relation to Primfeed, I strongly encourage you to lodge a complaint as well, you can do this either through your local authority, or any of the available EU data protection authorities - In my case I will be lodging a complaint with the Swedish and the French authorities.

At the end of the day, I still hope that Luke can succeed with Primfeed. However, the lack of response, action or any communication around the concerned matter leaves me no other option but to take this route.

  • Like 2
  • Thanks 3

I apologize in advance because I always seem to be coming across as a Negative Nelly.

However at the moment this is a huge amateurish black hole of 💩, which will in all likelihood hit the fan.

When it does you might as well call Ghost Busters, because a ghost is what 'Luke' will become if/when you try to contact him.

But, you know, All the best with it you guys who signed up all so excitedly and decided to surrender all common sense , what could possibly go wrong ? 😁

  • Like 1

On 7/15/2024 at 11:38 PM, Tjay Wicken said:

Reading through the post here, I see a lot of concerns about the compliance with GDPR (and potentially other privacy legislations, especially those "inspired" by the GDPR, such as LGPD in Brazil).

I work professionally with GDPR compliance and audits, and while I see a clear attempt at compliance through the Terms of Use, it is far from enough.

While I have a lot of concerns, and I have communicated these to Luke already - there are a few that stand out as severe and need to be corrected without undue delay:

Hi, another "negative nelly" here. IMHO you should add 3 more points to your list, namely:

1. Undisclosed usage of Cloudflare
Using Live HTTP Headers it clearly shows that Cloudflare is being part of the internal infrastructure of the system. The IP address of cdn.primfeed.com is 104.26.8.111 and does clearly belong to Cloudflare (Check: https://search.arin.net/rdap/?query=104.26.8.111). This means that Cloudflare is at least used here as CDN.

Having said that, the usage of Cloudflare is something which under EU legislation must be disclosed and as well explained in the ToS, which clearly is missing right now.

2. Undisclosed usage of Canny.io
This is the system powering the feedback page. Even when just watching primfeed.com it is being called frequently. Therefore the same like above for Cloudflare does apply.

3. Missing cookie banner on landing page
Another must under the legislation of the EU: people must be informed upfront about the usage of cookies, be given a choice and have to approve it. This is clearly missing as well.

 

Edited by Bartholomew Gallacher
  • Like 1
  • Thanks 4

3 minutes ago, Bartholomew Gallacher said:

Hi, another "negative nelly" here. IMHO you should add 3 more points to your list, namely:

1. Undisclosed usage of Cloudflare
Using Live HTTP Headers it clearly shows that Cloudflare is being part of the internal infrastructure of the system. The IP address of cdn.primfeed.com is 104.26.8.111 and does clearly belong to Cloudflare (Check: https://search.arin.net/rdap/?query=104.26.8.111). This means that Cloudflare is at least used here as CDN.

Having said that, the usage of Cloudflare is something which under EU legislation must be disclosed and as well explained in the ToS, which clearly is missing right now.

2. Undisclosed usage of Canny.io
This is the system powering the feedback page. Even when just watching primfeed.com it is being called frequently. Therefore the same like above for Cloudflare does apply.

3. Missing cookie banner on landing page
Another must under the legislation of the EU: people must be informed upfront about the usage of cookies, be given a choice and have to approve it. This is clearly missing as well.

 

Thanks! all valid points and I will include these.

  • Like 4

1 hour ago, Bartholomew Gallacher said:

Hi, another "negative nelly" here. IMHO you should add 3 more points to your list, namely:

1. Undisclosed usage of Cloudflare
Using Live HTTP Headers it clearly shows that Cloudflare is being part of the internal infrastructure of the system. The IP address of cdn.primfeed.com is 104.26.8.111 and does clearly belong to Cloudflare (Check: https://search.arin.net/rdap/?query=104.26.8.111). This means that Cloudflare is at least used here as CDN.

Having said that, the usage of Cloudflare is something which under EU legislation must be disclosed and as well explained in the ToS, which clearly is missing right now.

2. Undisclosed usage of Canny.io
This is the system powering the feedback page. Even when just watching primfeed.com it is being called frequently. Therefore the same like above for Cloudflare does apply.

3. Missing cookie banner on landing page
Another must under the legislation of the EU: people must be informed upfront about the usage of cookies, be given a choice and have to approve it. This is clearly missing as well.

 

Thanks Bartholomew,

Let's face it most of this sort of stuff isn't going to faze most of the people on this thread, until they need it that is.

I can even get on board with a hobbyist (I'm giving benefit of the doubt here) taking a crack at something like this.

However Luke Rowley - Second Life avatar and entrepreneur about town, can't be a legally responsible entity for jack 💩 in the real world, which kind of makes everything else including the ToS and his associated legal posturing pretty meaningless and, more importantly, unactionable.

Edited by JacksonBollock
  • Like 1

Well, might be that most people don't care about it.

My take on it is simple: Primfeed's aim is to be a fully fledged social network including adult rated material, so over time it will gain more and more data automatically. So this becomes over time a very big pile of data, some of which might be very sensitive, which could be used/mined for all types of purposes.

On top of it since additional services are being offered so it is a business site.

So meeting the legal minimum meaning knowing who is running the show, where my data might get exposed/is being shared with, which data is being collected etc. is stuff that I want to know.

Especially the part "Primfeed does not share or sell any information to third parties." is probably true, but then again also only half the picture. What is not being told is that Primfeed used different 3rd party services, and is exposing my IP address/web browser to them.

Cloudflare recently came into focus when their DNS over HTTPS (DoH) server became the default in Mozilla Firefox without upfront notice. Let's just say many people were not happy that Cloudflare was suddenly put into a position to log every DNS query of theirs without them knowing before reading some articles. Also Bert Hubert ranted against it with passion: https://labs.ripe.net/author/bert_hubert/centralised-doh-is-bad-for-privacy-in-2019-and-beyond/

So when viewing pictures over cdn.primfeed.com my IP clearly gets exposed to Cloudflare systems, who are doing whatever they want to do with it. At least I would like to know about that without having to take a look at Live HTTP Headers.

When using the Feedback system https://canny.io/sdk.js is being invoked, so a JavaScript. So again being exposed to another 3rd party system, which is delivering a script for whatever purpose I know nothing about because it is not mentioned in the ToS. Again I should ideally know about why.

To make it clear: I am not against using CDNs or other stuff a site owner wants/needs to run the show; but I want to be informed about it, namely which 3rd party services are being used for specifically what purpose, which clearly is not happening in the ToS/data protection paragraph of Primfeed.

 

Edited by Bartholomew Gallacher
  • Like 3

3 hours ago, Bartholomew Gallacher said:

When using the Feedback system https://canny.io/sdk.js is being invoked, so a JavaScript. So again being exposed to another 3rd party system, which is delivering a script for whatever purpose I know nothing about because it is not mentioned in the ToS. Again I should ideally know about why.

 

It goes even further than that as the Canny SDK also stores a unique token in your browser's local storage, which in turn appears to be used to identify you on the Canny/Feedback (feedback.primfeed.com - a CNAME DNS entry pointing towards cname.canny.io) which once visited, effectively transfers at the very least your avatar name to Canny.

Not only should this be clearly defined in the privacy policy, but it should also be possible to opt out from through a cookie consent form in accordance with the ePrivacy Directive as it is absolutely not essential for the functionality of the website.

[image]

[image]


Edit:
After revalidating the above, it may not be the correct order of the events, however the same logic still applies.

Additionally, a Canny user also appears to be created on your behalf with a non-existent e-mail address. This is another potential violation as I as the data subject have no access to withdraw that consent, nor do I have any ability to exercise my rights via Canny as I have no effective means of evidencing that this account created on my behalf belongs to me.

[image]

 

Update 2: I have lodged a complaint with Canny as a potential violation of their terms of use and privacy policy, they have acknowledged the complaint and assigned it to their operational team for investigation.

Edited by Tjay Wicken
Added additional update
  • Like 3
  • Thanks 1
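The third-party exposure described in the posts above (a CDN host on another operator's network, a script loaded from canny.io, and a first-party subdomain delegated by CNAME) can be checked mechanically. This is an added example, not code from any poster or from Primfeed; the request list, DNS answers and owner table are constructed from the values quoted in the thread, and the function names are hypothetical.

```javascript
// Added example. All data below is constructed; the hostnames, the CNAME target
// and the IP address are the ones quoted in the thread.

// Requests seen during one page load (e.g. exported from the browser's network tab).
const observedRequests = [
  { url: "https://primfeed.com/" },
  { url: "https://cdn.primfeed.com/constructed-sample.jpg" },
  { url: "https://canny.io/sdk.js" },
  { url: "https://feedback.primfeed.com/" },
];

// DNS answers for those hosts. Hosts without an entry are treated as unresolved.
const dns = {
  cname: { "feedback.primfeed.com": "cname.canny.io" },
  a: { "cdn.primfeed.com": "104.26.8.111" },
};

// Network owner per IP address, as an RDAP lookup would report it.
const ipOwners = { "104.26.8.111": "Cloudflare" };

// Naive registrable domain (last two labels). Assumption: no multi-label
// suffixes such as co.uk; a real audit should use the Public Suffix List.
function registrableDomain(host) {
  return host.toLowerCase().replace(/\.$/, "").split(".").slice(-2).join(".");
}

// Follow a CNAME chain to its final name, guarding against loops.
function followCname(host, cnames, maxHops = 8) {
  let current = host.toLowerCase();
  const seen = new Set();
  for (let i = 0; i < maxHops && cnames[current] && !seen.has(current); i++) {
    seen.add(current);
    current = cnames[current].toLowerCase();
  }
  return current;
}

// Classify every distinct host by who actually operates the endpoint and
// whether that operator appears in the list of disclosed processors.
function auditRequests(requests, siteDomain, dnsData, owners, disclosed) {
  const disclosedSet = new Set(disclosed.map((d) => d.toLowerCase()));
  const findings = new Map();
  for (const { url } of requests) {
    const host = new URL(url).hostname.toLowerCase();
    if (findings.has(host)) continue;
    const target = followCname(host, dnsData.cname);
    const targetDomain = registrableDomain(target);
    let kind = "first-party";
    let operator = siteDomain;
    if (targetDomain !== siteDomain) {
      // The name ends up on someone else's domain. If it started on ours,
      // the browser treats it as first-party although a third party serves it.
      operator = targetDomain;
      kind = registrableDomain(host) === siteDomain
        ? "cname-delegation"
        : "third-party-host";
    } else {
      // Same domain by name; check who owns the address it resolves to.
      const owner = owners[dnsData.a[target]];
      if (owner) {
        operator = owner;
        kind = "proxied-by-third-party-network";
      }
    }
    const isDisclosed =
      kind === "first-party" || disclosedSet.has(operator.toLowerCase());
    findings.set(host, { host, operator, kind, disclosed: isDisclosed });
  }
  return [...findings.values()];
}

// Hosts whose operator is not named among the disclosed processors.
function undisclosed(findings) {
  return findings.filter((f) => !f.disclosed);
}

// With an empty disclosure list, three of the four hosts are reported.
console.log(undisclosed(auditRequests(observedRequests, "primfeed.com", dns, ipOwners, [])));
```

A host with no DNS or owner data in the input is reported as first-party, so the result is only as complete as the lookups fed into it.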

I feel like the privacy concerns are being overblown here. Is this really the battle that matters in a world filled to the brim with propaganda designed to make us hate each other and turn a blind eye to the suffering of others?

 

 

  • Like 1
  • Thanks 1

20 minutes ago, WeFlossDaily said:

I feel like the privacy concerns are being overblown here. Is this really the battle that matters in a world filled to the brim with propaganda designed to make us hate each other and turn a blind eye to the suffering of others?

 

 

It’s not a matter of anything being overblown, it’s a matter of a website potentially breaking the law.

In some parts of the world, and especially in the European Union, privacy is a fundamental - and legal right.

  • Like 3

1 hour ago, WeFlossDaily said:

. . . potentially.

Everyone can accept their own level of risk I guess, after all that's the basis of the insurance industry - I'm guessing you don't insure your car on the basis you could 'potentially' be involved in an 'accident' 🙂

Nevertheless Luke is providing a service which 'potentially' will process large amounts of personal data and even financial transactions without fulfilling his legal or governance obligations, and not even under a legally accountable identity.

As I say, from my perspective it at best looks amateurish and ill considered, at worst quite suspicious.

As I've said before, Second Life avatars aren't legally accountable entities and are famously difficult to track down.

But if you're completely ok with all of this that's fine, in fact I have a rather large bridge in San Francisco you might be interested in buying 🙂

 

  • Like 1

6 minutes ago, JacksonBollock said:

financial transactions

I'll agree that there are security concerns with the app -- Cathlea and others have raised them here. And presumably Luke will need, at some point, to meet the legal requirements in the EU and elsewhere.

I'm less worried about the information that might potentially be gathered, given the nature of the site, and the fact that, although it is "linked" to in-world identities and accounts, it's not actually accessing any of that beyond name and perhaps some elements of the public profile. If one is revealing personal RL information, and so forth, then obviously one is putting oneself at more risk, but that's not a function of the site itself.

Genuine question, though: what "financial transactions"? So far as I know, payment for "Premium" or whatever it's called can only be performed in-world, using Lindens. What are the financial liabilities here that I'm missing?

Overall, though, yes. This has been cobbled together very quickly, and it's changing fast. There are unquestionably potential issues.

  • Like 2

3 hours ago, Scylla Rhiadra said:

I'll agree that there are security concerns with the app -- Cathlea and others have raised them here. And presumably Luke will need, at some point, to meet the legal requirements in the EU and elsewhere.

I'm less worried about the information that might potentially be gathered, given the nature of the site, and the fact that, although it is "linked" to in-world identities and accounts, it's not actually accessing any of that beyond name and perhaps some elements of the public profile. If one is revealing personal RL information, and so forth, then obviously one is putting oneself at more risk, but that's not a function of the site itself.

Genuine question, though: what "financial transactions"? So far as I know, payment for "Premium" or whatever it's called can only be performed in-world, using Lindens. What are the financial liabilities here that I'm missing?

Overall, though, yes. This has been cobbled together very quickly, and it's changing fast. There are unquestionably potential issues.

Thanks Scylla,

I mean there's so much to cover, all of which is detailed and addressed by visiting the websites of the governing bodies mentioned by TJay and Bartholomew above.

But look, it's not too much of a stretch in imagination to consider all the potential interactions between users of the platform, the scope in nature of the images potentially uploaded and shared on such a platform, and where the risks arise for criminal activity across multiple jurisdictions.

In terms of financial accountability, just off the top of my head, let's just say Luke provided a paid tier which can be paid monthly or annually.

Just to make the sums easy, let's say he has 1000 users who all paid equivalent of $60 for the year (regardless of currency), and the site mysteriously disappears tomorrow, at roughly the same time that Luke goes AWOL from SL, never to be seen again.

It doesn't really matter what protocol or payment platform is used, it's still money which Luke can cash out with very little oversight or real practicable traceability.

LL's ToS have themselves pretty much covered in any case

'However, per the Second Life Terms of Service, Linden Lab is a service provider and is not responsible or liable for the Content, conduct, or services of users or third parties. Linden Lab cannot verify, enforce, certify, examine, uphold, or adjudicate any oath, contract, deal, bargain, or agreement made by the Residents of Second Life. Nor does Linden Lab enforce or uphold rental agreements between Residents. 

While you may have a valid agreement with another person, Linden Lab is not a party to and cannot resolve your dispute. Please contact the Resident involved and resolve the issue with them. '

Finally, just to make everyone's day,  all images and conversations with links back to their associated SL accounts are published to the public domain, just because Luke fancied doing it as a parting F*** you.

If all this sounds hunky dory, then all power to you. But perhaps the idea that Luke 'presumably will need' to meet his legal obligations at some point in the future won't be much consolation to others.

In any event I'm not sure of the legal precedent which allows a person to decide on the date that laws start to apply to them 🙂

Anyway, this is just me musing scenarios at 6:30 am before heading to work, not meant to be a legal argument in support of GDPR or other associated legal governance requirements 🙂 

Edited by JacksonBollock
Misquote
  • Thanks 1

4 hours ago, Scylla Rhiadra said:

And presumably Luke will need, at some point, to meet the legal requirements in the EU and elsewhere.

Not presumably.
I for one can say with certainty that he must. I work with GDPR compliance auditing professionally and I would happily validate that with a Mole or Linden if they reach out. 

Data privacy is not something you figure out along the way, there are already tens of thousands of data subjects using the service and while I cannot speak for other legislations, the GDPR does not provide any grace periods - if you're not ready to be compliant, you are not ready to run your social media service.

The fact that Luke is not answering inworld contact attempts regarding this matter, nor taking any time to participate in the discussion on this forum does not exactly convey commitment.

The terms of service have not been updated for 29 days to provide data subjects with better insight into what is going on, and at this point it is clear that there is a concerning lack of information provided.

[image]

The vast majority of the items pointed out by others and me can easily be rectified.

As mentioned further up in this response, there is no grace period for being in compliance with the GDPR and if Luke for whatever reason cannot rectify the lack of privacy transparency and controls pointed out in a timely manner, then the processing should at the very least halt until he is in a position to make the rectifications.

  • Like 5

5 hours ago, Scylla Rhiadra said:

I'm less worried about the information that might potentially be gathered, given the nature of the site, and the fact that, although it is "linked" to in-world identities and accounts, it's not actually accessing any of that beyond name and perhaps some elements of the public profile. If one is revealing personal RL information, and so forth, then obviously one is putting oneself at more risk, but that's not a function of the site itself.

And here I disagree. The site is using Cloudflare as a service. Cloudflare is really everywhere on the web nowadays, mostly as a CDN as well as a reverse proxy to real web servers to offer security, most notably protection against DDoS attacks.

You might be aware of this here, this is Cloudflare in action:

[image]

Also Cloudflare is running a DoH DNS server, which is the default in Firefox and some others.

They are a company offering tons of services to anyone for free. This always is suspicious, and indicates that you are not the customer, but the product. In other words I don't trust Cloudflare at all, and they are probably a big data collector and hoarder. And since they are everywhere, they can collect tons of data about you without you even noticing it. They are in the position to do it, and I am pretty sure they do it. This is why I view using Cloudflare's CDN without notice as very problematic.

Anyway talking about the GDPR: the GDPR also gives users the right to request and get a copy of all their data saved on a web site.

Edited by Bartholomew Gallacher
  • Like 3

23 hours ago, JacksonBollock said:

Luke Rowley - Second Life avatar and entrepreneur about town, can't be a legally responsible entity for jack 💩 in the real world, which kind of makes everything else including the ToS and his associated legal posturing pretty meaningless and, more importantly, unactionable.

It’s honestly genius. Start a business tied to an online platform in the name of a fictional avatar on said platform, staying completely separate from your legal RL identity that no one knows about so there’s 0 legal scrutiny or repercussions if it comes to it. Genius!

  • Like 2

31 minutes ago, Tjay Wicken said:

The vast majority of the items pointed out by others and me can easily be rectified.

As mentioned further up in this response, there is no grace period for being in compliance with the GDPR and if Luke for whatever reason cannot rectify the lack of privacy transparency and controls pointed out in a timely manner, then the processing should at the very least halt until he is in a position to make the rectifications.

Hi TJay,

These issues can only be rectified if Luke draws a visible and transparent connection between his anonymous SL account and an RL identity (personal or corporation), and he really, really doesn't want to do that.

At the end of the day though the potential liability is small here.

A few SL avatars might have unsavory predilections publicly exposed which neither LL or Flickr wanted to accommodate, a few potentially unsavory conversations might be exposed, some people might lose upwards of a couple of dollars.

Everyone seems happy with the risk reward arithmetic, so what you gonna do 🤷‍♂️

I mean apparently  by doing what he's doing, Luke is in someway contributing to a kinder more caring universe, and I can't argue with that - not while maintaining my own sanity anyway 🙂

All the best

Jackson

Edited by JacksonBollock
  • Like 1