Bradford Mint

Probably, dunno, can't remember but in all honesty, I would be surprised if a SAR resulted in anything other than provided RL info but could also include conversations in both written and verbal form (if the call was recorded) with any employees about avatars, where the RL person was identified at the time. We'll know after Belinda has a go.

Ok Belinda so you are hereby nominated as the guinea pig! You could start by making a forum post, or one on Twitter for giggles. I'm sure they'd not spot it. If you do choose to submit a support ticket (or just an email), their next course of action will be to request from you, such evidence (and only sufficient) in order to identify you as a natural person. This is where it gets potentially interesting because if someone has signed up as a basic user, has no payment info on file, or any other documented identity information, it's pretty difficult to bind "bobjonessexyavatar" to a natural person and there the request would end. Thus the natural person making the request would need to be making a request on the basis that they could actually be identified. Further, an earlier response from Kyrah was accurate, the information that LL has is going to be what we give them. The bigger question that Lindal asked though would be interesting to find out, which is how they consider avatar information and whether it's data about the natural person and if so is chat log included? Finally, out of pure coincidence, as I was typing this, the following arrived in my email:- GDPR: Your Actual Questions Answered - no presentation, open mic Q&A (It's a session hosted by BrightTalk, just in case the link doesn't post or work)

No, the topic still says "GDPR requests". If a request is made to an organisation for such data that could not be sent via post and where they have not thought ahead and provided a publicly accessible portal, their options are limited in how they supply that information, one of them being USB sticks. In the case of a handful of organisations that have earned my venom, then absolutely, GDPR provides a vehicle to waste their time. The particular organisations that I refer to are ones with whom they have chosen to destroy any good will and are far from a normal supplier/customer relationship and many orders of magnitude beyond just being an unhappy customer, however, the specifics are irrelevant here. Given that this was already stated much earlier, I strongly suspect anyone else reading my musings could have come to the conclusion that my question "Fancy some free USB sticks?" would have been somewhat tongue in cheek. I wholeheartedly apologise for not being blindingly obvious in my prose but rest assured, I shall continue in just the same way.

Correct and that's why I originally said I think this part is ridiculous. It doesn't help anyone to have such vague processes.

Yup and if you ask a car park operator who captures your car in the street and you have that data removed but then they keep capturing it because you drive down that street regularly, why should a data subject who has no contact with them, only be permitted to check ONCE and thereafter have to pay?

No I don't think there's any need to be obtuse and say "some people", you can direct it straight to me, that's no problem and yes, when some companies play fast and loose with rules, they earn the response.

Nope, not how it works. I did ask if you've gone through this process or not? I have, numerous times. More fun to be had when the organisation points you to their form to fill in, the form itself must state on it that there's no requirement to use the form. Been there done that, got a wardrobe of t shirts.

It doesn't, that's the fun part! Here's the take on this from the UK Information Commissioner's Office, the dept responsible for enforcing GDPR, as enacted by "Data Protection Act 2018". I hope that we can agree that their opinion trumps yours? It's made quite clear:- https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/ "How do we recognise a request? The GDPR does not specify how to make a valid request. Therefore, an individual can make a subject access request to you verbally or in writing. It can also be made to any part of your organisation (including by social media) and does not have to be to a specific person or contact point. A request does not have to include the phrase 'subject access request' or Article 15 of the GDPR, as long as it is clear that the individual is asking for their own personal data. This presents a challenge as any of your employees could receive a valid request. However, you have a legal responsibility to identify that an individual has made a request to you and handle it accordingly."

I know

Top tip: read the rest of the articles before arriving at the wrong conclusion.

GDPR only applies to natural persons, I wouldn't expect an avatar chat log to be considered as data, however, some people want to believe it's aggregate data that can be related to a natural person but this is only the case IF you're LL with access to the databases. Probably one for a legal challenge to interpret accordingly. I'm not going to ask LL though, I don't harbour hateful tendencies in their direction. Those are where my requests go and usually in a deliberately obtuse way to cause the maximum disruptive effort. Example, a UK parking company that basically operates a racket, complete scum. In the UK, a person can expect to be captured on at least 30 CCTV systems PER DAY. That's not cameras, that's systems. If only everyone would submit data requests for CCTV from car parks infected by such companies, they'd go out of business dealing with the requests instead of having capacity to issue tickets in the way that do. One claimed, "we only have number plate ANPR, it's not CCTV". Then in the results of the request produced a bunch of full colour pictures of various cars that I own, including a data breach by including other subjects than me, yielding knowledge of that person's whereabouts at the time. If nothing else, by removing the previous £10 cost of accessing data, it allows for some entertainment.

You misunderstand the GDPR wording and don't seem to have made any requests? It doesn't state that the first person you ask has to be the person who responds, only that the data subject may position the request to anyone. It is not acceptable under GDPR to only respond by instructing the data subject to a specific entity, not to use a particular form, regardless of how the organisation processes the request internally. In your example, the waiter would need to inform an appropriate person internally who may follow up. It's quite simple, the articles defining GDPR are easy enough to read.

GDPR places no specific requirement on the data subject as to how the request is made. LL may *ask* you to fill in a support ticket but it's equally valid to make a verbal request (for example) to any employee at any level. Nor does any specific phase need to be used. It is a requirement that employees are suitably trained to recognise requests for a subjects data and act accordingly. Frankly, in my view, this is the most ridiculously unworkable methodology created but that's how it is. However, if you have a particular loathing for an organisation, it's definitely a route rich in entertainment. GDPR has certainly enabled some benefits. Banks try to charge for old statement reissue. No problem, ask for all your data. Bingo, old statement data. Fancy some free USB sticks? No problem, just make some requests to include CCTV footage. I highly recommend doing this at airports you may visit, I like to think of it as job creation for CCTV footage review operators as well as keep their identification skills fresh. What can I say but "Thanks Heathrow airport!"

Just to be pedantic, data encryption doesn't make data theft impossible. The data is in two forms, either at rest or in motion. In the case of encrypted data which is sitting on a disk which is not being powered, then it's at rest and generally pretty secure (depending on the security of the key), however, that won't be the case with a database which is being accessed all the time. In this case, the data will be accessed and a running process will have a copy of the block cipher key in memory and the data when it is decrypted will be in a clear text state in memory. The general concern is for a "database" being physically stolen where it is considered that the data is secure due to the attacker not having knowledge of the key. However, the astute attacker isn't interested in trying to brute force the encryption, that's not feasible but rather the attack is to either obtain the data in a decrypted state, i.e. while it's in that state in memory, although this is also largely pointless because the attackers view would only be of that portion of data presently being accessed. So, the attacker is really interested in getting hold of a copy of that block cipher key while it's in memory. With that and the static database then they're good to go. It would also be expected that the database is not necessarily entirely encrypted with the same key but in blocks, however each key is derived in some way from the previous one thus overall knowledge of this is where the fun happens. Anyway, the above does require an advanced attack. I'm still more curious as to whether LL will be storing the PII which is being submitted because once the user has been validated, the only thing they need to keep is the status which indicates as much. Will they be storing PII in the form of government documents which have been scanned and if so why? Overall, i'm not really fussed one way or another, just curious.

Well there's not really going to be much in there that's not pretty much industry standard, that is to say there's a database of our data, enciphered with an appropriate symmetric cryptographic algorithm (Likely AES256), where the key is protected by an asymmetric key pair of a modern algorithm (probably an elliptic curve), where the private key was generated in an HSM (Hardware Security Module), where the HSM may or may not be FIPS-140-2 (or now possibly even level 3) validated. All of this is pretty run of the mill for military, government, financial services. Access to the data centre itself should be mandating multifactor authentication and likewise they mention logical system access via multifactor tokens and also a large part of the overall security will be implemented not only by technical constraints but also by policy and procedure. Again, all standard operating practice for this sort of scenario. So just to throw some darts at the board... "Our engineers created a new “personal information vault” project. This vault uses modern algorithms to encrypt sensitive information in a way that would require both enormous computing power and an enormous amount of memory for an attacker to crack… if they could even get a copy of the encrypted data." We're using standard AES256 cipher for block encryption and Elliptic Curve cipher for the Asymmetric key. Private key marked as non exportable and held in an HSM. "And all of this new encryption is wrapped around the encryption we already used - encryption which was the industry standard at the time." Yeah, that's the "We already encrypted the database with standard ciphers such as AES256 but in SL we only stored the key in software". "These are entire new layers using encryption technologies which didn’t exist when Second Life was new. " Well hmm... https://en.wikipedia.org/wiki/Elliptic-curve_cryptography History The use of elliptic curves in cryptography was suggested independently by Neal Koblitz[7] and Victor S. Miller[8] in 1985. Elliptic curve cryptography algorithms entered wide use in 2004 to 2005. "Even after all of these changes, the old protection remains in place at the bottom of that stack. Figuratively speaking, we locked the old vault inside a bigger, stronger vault. We chose an approach where we didn’t need to decrypt information in order to enhance your protection. " This is consistent in my mind as to "vault within a vault" being an encrypted database with a better protection for the block cipher key. No need to decrypt what was already there, just provide stronger key protection, the symmetric block cipher key remained the same. "There is another key part of this project: Our storage mechanisms for sensitive customer information are now isolated from Second Life. The information isn’t stored at the same physical location anymore, and hasn’t been for a while. But the difference is more than physical. " Means "We had to buy a bigger USB stick to throw it across the room" "Second Life’s servers do not have direct access to Tilia information that isn’t required for daily Second Life usage. Even developers who have worked at the company for a dozen years - developers who have full access to every last Second Life server - do not have access to the servers that store and protect the most sensitive information. A policy of least privilege means fewer opportunities for mistakes. " Did those developers EVER have full access to our data and if so why? That should never have been a requirement. Even in the case of development, that should be on a development environment without live data, the live data shouldn't ever be accessible - period! "This means that compromising one database inside of Tilia is insufficient to decrypt and correlate sensitive data without compromising a different service." A segmented architecture, multiple databases, each with its own symmetric key, protected by own key pair thus would require compromise of multiple keys/systems, yes normal stuff here. "We have deployed numerous commercial products which help monitor for access, abuse, or data copying attempts for data that is made available to Tillia employees. This means that even an attacker with all employee access credentials, access to employee multifactor authentication tokens, and all Tilia access permissions would still face some challenges in avoiding early detection. " We've installed Splunk because it's free! Joking aside, they've deployed one or more SIEMs (Security Information and Event Management software) and some IDS (Intrusion Detection System) software to monitor along with probably some agent based software to monitor PC behaviour and possibly thrown in some CASB (Cloud Access Security Broker) software just for fun. What I haven't seen is any mention of how they'd handle the situation where a family member or two is kidnapped and the attackers have set up a live feed of the electric drill being held to the eyeball of the staff members youngest child. Which when the prize is rich enough is the upgraded version of:- Overall, what Soft Linden describes and what I believe (I also believe in aliens), is distilable to pretty much standard good operating practice for the service being operated. There are also existing services which allow a user to scan government documents, take a selfie, have that validated and a confidence factor returned to the calling service. No data is stored, there's no need once the ID result is validated. I'd be curious to know why LL hasn't gone down this route. I note that Soft Linden didn't explicity call out blockchain anywhere but they may or may not be playing with that too, because some people feel it's trendy! All of the above is based upon supposition and interpretation of the end user facing blurb posted below and I have no further insight other than the ability to read and interpret based upon experience.

Google is my backup, should I develop Alzheimer's.

Absolutely nothing will change due to Brexit. Each EU member state implements the EU Directives in local legislation. The UK implemented GDPR when it enacted the Data Protection Act 2018. In other words, the essence of GDPR is already and will remain UK legislation. What LL has failed to do, is describe in plain English and not legalese, the privacy terms it would seem. This is a requirement of GDPR compliance.

They will, so they'll probably just not even bother to thank you for your interest in the service, sad to see you go etc. You won't get that but if you want to be able to perform the services that they require verification for, you won't be able to use those or SL at all if compliant with the new TOS is enforced pre login. LL says "Bye"

Nowhere does it mention photographic ID, nor for UK or EU users. The started requirement is for "government issued ID" When you recently had the opportunity to vote, some areas were required to take ID. The voting form described what was acceptable in the case of no passport, no driving licence. It's not rocket science.

Nope, as previously stated by someone else, LL could just act as an identity provider. There's no reason to transfer or create anything.

Not the case at all. Edit: Fionalein, adding a laugh reaction doesn't make you any more correct. Data sovereignty and data handling are not the same thing.

Ok seriously, create a JIRA to ask for this as a new feature. That's how things get done around here. Might have to wait a decade or so and even then it still won't get done but that's the process.

Right, that's it! No Valentine's Day card for you either.

You're welcome, you wouldn't be here without our contribution.

Remind me to go and report every other thread that goes off topic. I'll expect all off topic posts to be removed from those too! Precedent set.