Disclose web activity in objects
tracked
Journey Bunny
( apparently all feature requests are bug reports now >< grrr )
Feature Request premise:
It's very simple and easy for objects to track us in-world. It would be useful to have some insight into this so that we can make informed decisions as users.
Bit of an example, my understanding of the balance of issues, then proposal:
Example: A simple script inside a dress can use existing LSL functions to detect region change, and on each change, send a message to an external server to tell it the UUID of the wearer and the name of the region. Just that simply, that clothing-maker would have a continuously updating database of where an avatar lives, where they spend time, their interests and hobbies (based on social themes of regions), where their friends live, etc. It's a simple example, but scripts can get lots more details as well.
Balance:
So, we can't get rid of this--it's a fundamental piece of functionality, and staggering volumes of gaming/shopping/breedable content would break if the simple ability for scripts to call to the internet were to suddenly change.
And, we can't suddenly disclose the servers being touched either. The scripts ask the Simulator to go touch the website for us, and this effectively masks the ultimate URL. While that prevents us from knowing where our data is going, it also protects our small community's creators from having their servers exposed. Lot of complicated issues there, places where server hosting has to have RL names attached etc--the current setup has its uses.
Proposal:
A new floating window to replace or supplement the interestingly non-intuitive and wonderfully outdated "About Land > General > Script Info > Avatar" menu. (Is there any wonder that scripts are a mystery to people? Why isn't this under the Avatar menu?)
In this new/updated window, we get a kind of aglomerative log about scripts on our avatar:
First, while we're updating things, scripts might accurately represent their memory useage (instead of just saying 64 all the time, or being tricked into saying small numbers by in-script methods that balloon memory then shrink it again to hide the impact). Perhaps each time the simulator allocates more memory to a script, it updates the viewer with the new "maximum" memory ever used.
But also, scripts
should
indicate that they have reached a URL. When the simulator fetches an address for the script, that script should have an entry saying, at an absolute minimum, that an internal (SL domains) or external url was fetched for the script. If we're getting ambitious, do it by protocol/method too. Eg:
Script Name | Max RAM | Web Activity
humbleResizer | 36 Kb | Internal:[], External:[http,mms,GET,POST,Email]
Reflection:
In this way, no existing functionality is blocked. No creator privacy is exposed. No servers are opened to doxxing. BUT, users are able to make informed choices, and honesty and transparency prevail.
Yes, this could cause some scare-mongering. But it could also cause creators to disclose when and why they have scripts that reach outside servers. Either way, users need to learn to examine the risks and make choices with better information. And transparency is the first step in building ~Trust~ (ofc, we also have to like what we see when we look through the walls). At present, we can see bots, complain, get LL to investigate... I acknowledge that opinions vary about trusting how well LL vets bot operators that are handling our data, but the key here is that the discussion
does
happen, and keeps happening.We can't see scripts phoning home. We can't even start to ask LL to review the private user data collection practices that we don't know about. We can't ask the T&S team to verify a creator's stated policy on where our data goes if we never knew it went anywhere.
Log In
Pazako Karu
Since the biggest issue is undue tracking, perhaps multiple http/im requests which include the user key in url/data submission should be detectable? Perhaps it could be further honed in by if the destination is in sim or not.
I don't think a single http ping on attach/rez/error is a big deal, especially if the user's key is just a hash. The ToS does forbid storage of chat externally to SL at least, but we have no way of detecting that.
Journey Bunny
Pazako Karu Mm, I agree in principle about some data being of greater concern, but all URL requests already transmit that info :D https://wiki.secondlife.com/wiki/LlHTTPRequest
Owner, region, etc are included in the head of every single request, so a script can basically just say "hi" and it has transmitted quite a lot of user data!
Very good point about the count because, as you mention, discovering that a script has made a single ping is often no biggie, and discovering that it goes "ping" every time you say something in chat would be more concerning to a user--possibly causing them to avoid wearing / rezzing such items in future.
I'm going to add that to the OP! ♥
Edit: Orrrr, I can't edit it anymore, so I'll just wish I did it!
Drake1 Nightfire
Is this really something that happens? A merchant putting tracker scripts in a dress? I get that its in most collars, but a dress?
Journey Bunny
Drake1 Nightfire customer analytics are extremely valuable. While this
is
done in some cases (there are few group-and-product-management script businesses that phone home when you unbox, wear etc), you and I are not able to know the extent of this kind of activity in the current state of things. It's a legitimate thing for a seller to want, but it ought to be knowable to the consumer.RestrainedRaptor Resident
Drake1 Nightfire Not only does this happen, but I've also seen cases where a seller abused such a feature to remotely disable a product one of their customers had bought, because they had a grudge against them.
Feral Ninetails
This is not really solving any problem though; if a creator really wishes to obtain information for unscrupulous reasons, such information could be relayed to a bot or another object not owned which could export the data to an external server. Think doing something similar to Android's PlayStore that lists the product permission requirements would suffice enough; the user/customer can make the decision (with maybe a list of trusted creators) to trust using the product (or any product) from the particular vendor/creator, simple as that.
Don't add complexity to an already mostly ignorant userbase, people only know how to fear what they don't understand and don't want to understand what they fear; honesty is best policy.
Jeremy Duport
Feral Ninetails
Very much this. A paranoid ask, trivially circumvented.
Journey Bunny
Feral NinetailsI agree that the userbase is kept ignorantly in the dark about what happens. You and I disagree about keeping them that way.
misstoriblack Resident
Probably not something to do. It would break several things. It's the equivalent of being able to do a man in the middle at the script level.
Just knowing "This script makes an HTTP request" or "This script listen to a channel" would not be enough in my mind.
You'd want to know where does the request go. Is it to a linden domain, is it to an other server ? etc.
Same thing for the channel, you'd at least want to know which channel was being listen to. Which means that you'd be able to break several system on purpose since the "security" of communicating via channels often rest on the "I dunno which channel is used" more than any encryption.
Journey Bunny
misstoriblack Resident Consumer awareness is enough, and I described, with some detail in the original post why and how I would not want the things you went on to say I would want. After pretending I want these additional requests, you've used
those
as a strawman argument for why this is a bad idea. I agree, entirely, that your additional ideas are poor additions. Keeping people informed is not the enemy, and knowing something doesn't mean that LL has to add additional code to take action on that knowledge, as you suggest.misstoriblack Resident
Journey Bunny not I'm pointing out that not seeing them makes the tool kinda useless if it's "reactive". It's the same as when you open the developer tab on your browser, you can see all the requests. What makes it interesting even if you do not look at the content are the endpoints and the frequency.
Being able to see that an object does with http request or whatever is at the end of the day the "interesting thing". Without more context, you're basically aiming in the dark and saying "oh this object is bad" or "this object is good". While maybe the "good one" track out and uploads once a day the places you visited while the "bad one" look for update on a server.
Also great job on personal attack instead of addressing the issue ...
Minuit Ferina
I completely agree with your premise, especially the need for transparency to foster trust. Simply put, I believe that objects/scripts should explicitly request user permission before accessing anything that could be considered personal information. This would include HTTP requests, positional data, listening on channel 0, and any other actions that may feel invasive to users.
Woolfyy Resident
Let's be clear in terms of security / privacy, any sniffer on user side can grab tons of non authorized data and i don't even talk about custom compiled versions of viewers. Moreover media prims and so on are an open bar, knowing that the web viewer features on LL side are super slim.
And i don't even talk about all those silly avatars wanting to use Discord for groups etc.
So if you want to really start having a more secured viewer and easy web browsing control on user side, a few things to add :
- have a button with a light blinking when http features are used in scripts
- have a dedicated window with fields like object name / uuid / http request / parameters / server / ...
etc.
and either a more complete web browser on viewer side or systematically using the external web browser.
Said differently security / privacy = making things simple to understand and visualize on user side + avoiding open holes everywhere.
And in the meantime, if you want to have fun with security, relax looking at David Bombal's YouTube channel or Mr Robot explained : https://www.youtube.com/@davidbombal
PS: A huge security hole for now is the poor security of creators servers as they are not security experts ... that could be greatly solved if LL was proposing better features for creators, using LL's servers in spite of creators owned web servers.
Extrude Ragu
I don't particularly mind something like this being implemented, HOWEVER:-
Speaking as a merchant,
We currently don't have any way to notify customers of product updates from products without using http requests. The majority of my products uses http capabilities by virtue of using CasperUpdate for example.
I can imagine the resulting paranoia backlash from this causing issues in the long term and some users will inevitably decide not to use my products if it uses http capabilities, even if I tell them it's for casper update.
When you give people information, regardless of what information it is there will inevitably be a segment who discriminate based on that information.
I think we should at least first have a solution for product updates before such information is exposed such that merchants have an opportunity to move away from using HTTP for product updates.
SparkleSpice Resident
Extrude Ragu It sure would be nice for Linden Labs to utilize the caspertech software which they aquired in 2022 and make a universal standard that directly links to the marketplace. Something which a merchant could link an inworld vendor to a marketplace listing. That'd solve all vendor / purchase requirements from http requests altogether.
Pazako Karu
Extrude Ragu Honestly, an http ping on attach versus one on teleport/timer is already a drastically different thing. Knowing that a customer is using a product, not anything about them otherwise, is still a nice metric. And, presuming they write with security in mind, it doesn't have to include their key.
Casper Linden
SparkleSpice Resident This would still need http, unless I'm misunderstanding your suggestion!
Zi Ree
Scripters can just switch to in-world llEmail and have their own object do the actual URL fetching later if they want to hide these activities. You can already see that an object has a URL allocated to itself, so you can decide if you believe this object should be contacting an external service or not and keep using it, remove it, or delete the script of possible.
Journey Bunny
Zi Ree ? Some transparency ought to be better than no transparency, but also, I don't find these reseons cogent to the request.
* llEmail is 20-second rate limited and requires a person to have an in-world persistent presence. These additional requirements place different limitations and accountability on tracking, and are separate from what I've requested.
* "You can already see that an object has a URL allocated to itself" ... LlRequestURL() and LlHTTPRequest() are not the same.
* Keeping everyone completely in the dark because it's impossible to light every corner at once does not make progress. The request is for the server to let a user know what a script is doing. If you can think of 'one more thing' a user should be aware of, then please add it to the list of potential tracking disclosures this feature should encompass.
Peter Stindberg
Journey Bunny Events are raised in all scripts in an object. If you suspect an object sending information to an external server, you can put a small listener script inside of it, which has its own https://wiki.secondlife.com/wiki/Http_request, so you can see the answer from the remote server. That might shed some light on it already.
Tenaar Feiri
Peter Stindberg Not that you should buy no mod objects anyway, but no-mod really puts a kink in that.
Transparency is good, http activity for attached objects should be tracked separately as well.
SL Feedback
tracked
SL Feedback
Hello, and thank you for your detailed feature request regarding disclosing web activity in objects. This idea has been brought up in the past and is currently tracked. We understand the importance of transparency and user privacy, and your proposal adds valuable insights into how this could be implemented. While we have no estimate when it may be addressed, please keep an eye on future updates. We appreciate your input and hope you continue to share your ideas to help improve Second Life. Thank you!
Load More
→