Discord webhook integration
tracked
DaniSkunk Resident
The ability to have group notices and marketplace sales post to discord directly in a channel of our choosing.
Gwyneth Llewelyn
Better than just Discord … have an API for webhooks in general!
I don't dislike Discord, but I prefer the insanely strong cryptography of little-known Keybase (acquired by Zoom)... hehehe
SpiritSparrow Skydancer
I in no way want my SL account or information to be connected to discord.
Gwyneth Llewelyn
SpiritSparrow Skydancer opt-in, opt-in, always opt-in...
DaniSkunk Resident
Gwyneth Llewelyn yep opt in. only way it will work.
Spidey Linden
tracked
Issue tracked. We have no estimate when it may be implemented. Please see future updates here.
DaniSkunk Resident
Spidey Linden: 10-4
DaniSkunk Resident
Woolfyy Resident Nothing passed to discord would be considered real life information, so not understanding how those eu laws would come into play with what I'm asking. Notices/marketplace sales info. no real life info is in that...
DaniSkunk Resident
Woolfyy Resident when it's challenged in court then I'll reconsider, but as of now, this is a function that would be useful. until then, I guess thanks for the info?
Gwyneth Llewelyn
Woolfyy Resident five years later — what was the verdict on that case? I'm just curious...
That said, as @DaniSkunk already explained, whatever data is out in public about our avatars is anonymous — statistics based on anonymised data will not violate any privacy laws, rather the contrary, because there is no link between people's real-world data and their avatars, and this is guaranteed by LL, there is no problem whatsoever.
It's just if someone hacks into LL's servers that you may have an issue :)
To be more precise, the only place where the "real world" data is stored — is on Tilia. And even there I'm not sure if you have any avatar data. There might just be an ID (not the avatar's key, mind you!). Tilia, as a payment processor, naturally needs to know our real data but... they don't need to know what our avatar is. And, conversely, LL doesn't need that data at all — all they need is to request a payment from Tilia for a "token", and once that "token" is paid, you get your L$ (or whatever you have bought, i.e. paying region tier, or Premium, or something). Double-blind transactions!
Granted, this can be hacked into, and if that happens, aye, our privacy would be compromised (as well as our credit card), and, sure, you could theoretically start having fun doxing people.
But... has that really happened?
Now that Tilia was sold, things are even more interesting, because I would claim that, in the very near future, not even LL will be able to figure out who is who in real life, since Tilia employees will not have the privilege to chat as freely with LL's employees (assuming that they did, obviously).
Gwyneth Llewelyn
Woolfyy Resident:
> "there are already tons of easy ways to do it" [how to violate privacy on SL]
Extraordinary claims require extraordinary evidence ☺️
What exactly are you talking about? If you're saying that it's easy to grab a user's IP address (and thus their approximate location) and/or avatar key (UUID) and correlate both, sure, that is possible.
It will mean that you can know accurately that "a person living in this city in that country has been around SL today, for four hours, visited two shops and then teleported to Zindra to a popular bar where 'escorts' are available".
It's not "trivial" but it can be done.
But that's not a "privacy" issue in terms of your real-life privacy. Whoever is processing all that data will surely know exactly what your avatar is doing — but they have no way of telling who the real person behind the keyboard is.
If you can prove otherwise, feel free to send that proof directly to the LL security team. But you really need to show compelling evidence. I remain skeptical. I might believe that someone could crack into Tilia's database and access all the user information there — which would be a serious crime — but has that really ever happened? As explained, the hackers would not even have access to the avatar's key, so they would be unable to correlate one thing with the other anyway. They might get a rough idea, though, if Tilia records the IP addresses from their customers (I would think so), and that information would get hacked into as well (if someone can so easily crack Tilia's database open, I'm sure that reading Web logs would be easy-peasy...). Having both the list of IP addresses from logged-in avatars and the IP addresses for accesses via the Tilia web browser, you could correlate both, and at least in some cases, have a rough idea of who's who.
But all the above is a hypothetical attack by professional hackers with clear goals and objectives in mind, and having access to sophisticated tools. We're talking about "Mr. Robot"-class of black hat hackers, most certainly not "tons of easy ways". It's rather "a few very hard ways which can be exploited by sophisticated hackers".
Unless you're talking about "the enemy within", so to speak — social engineering. Get a Linden with enough permissions to look things up for you, and pay them a bribe. Sure, that works, and is "an easy way". Again, if you have proof that this actually happened, and you know who has participated in such a crime, denounce them. First, of course, to Linden Lab's security team. Then to a few other figureheads at LL. If they don't respond, threaten to dump all the documentation on WikiLeaks (or any other such place) and alert the NY Times, The Guardian, or another serious international news media, and let LL know what is going to happen unless they respond.
Regarding "a public forum is not an area to explain how to violate privacy [in SL]" — I suggest that you do a few searches around GitHub, probably one of the largest archives of open-source (and not only open-source) software these days. The nastiest pieces of hacking software are posted there. Publicly — for everyone to see how it's done — often with detailed explanations on how the tool works (i.e., what methods it uses to penetrate a system's defences). Whole communities analyse these tools in detail — in public! — and discuss them openly.
One might wonder why Microsoft (GitHub's current owners) allow all that to happen — freely, openly. And I asked. Their official stance is actually very simple: they prefer that those tools are out there in the open, so that everybody can know how they work and what they target and effectively protect themselves against them. That is true for companies doing security tools (including Microsoft as well), academic researchers, and cybercrime combat teams. If all that wealth of information was only available via Tor in the Dark Web, then we — the public, but also the operating system and application vendors — might have no clue about what's going on. That way, everybody learns to protect themselves better.
One might argue... but surely that means that there is a wealth of "script kiddies" out there, who just download the tools, without even knowing how they work, and install it on their own computers to hack at their friends (or enemies)? Isn't anybody assuming the responsibility of these script kiddies actually causing some serious damage? Like giving fireguns to pre-teens?
The argument is that this is the "lesser evil". Sure, if your system is not really up to date with the latest security patches and protections, it might be vulnerable to some (or all!) these publicly available tools, to the delight of all those script kiddies. And obviously there are many corporations and organisations that never really bother with basic security issues and are therefore wide open to potential attacks.
But they have a certain degree of responsibility, as well. Nowadays, almost all software being sold will include a few clauses saying that some security patches are "mandatory" — in the sense that you have to install them in order to keep benefitting from the entitlements of your license (such as basic tech support by phone, for instance). If you neglect to do your part — keeping your system up to date — then you have failed to comply with the contract, and the company which sold you a license is not liable to be sued for damages.
It's like "forgetting" to put your seat belt when driving. You might try to file a claim with your insurance company, but they will not pay you anything if you don't even bother with a seat belt, which is the barest minimum in terms of complying with the insurance policy (also, driving without a seat belt on might be forbidden in many jurisdictions — but insurance companies don't worry about that, they only worry if you're paying the correct premium for the amount of risk that is acceptable to them).
That said...
Sure, I can believe that there are script kiddies out there who have searched for the best possible tool to penetrate LL's and Tilia's security. I can even go as far as to believe that this might have happened once or twice in the past, and LL and the script kiddies have entered an agreement to keep the news from spreading out. There is nothing "impossible" in such a scenario — but in order for me to believe it, I require proof. Just "claiming" that "it is possible to do X", doesn't mean that "X" has been done — only that it's possible.
In LL's and Tilia's case, there are at least some adequate measures of protection from external attacks. I cannot say anything about internal attacks, though, and, as mentioned, everybody has a price, and all that takes is to bribe a Linden employee with full access to their databases and "make them an offer they cannot refuse". As said, this is a possible scenario, too. But... has it actually happened? Or are you just speculating about such a possibility?
Sorry, I don't really subscribe to conspiracy theories of any way, except when these have substantiated data to support their claims — and data that can be (publicly) retrieved in some way or form. For instance, if you can provide my real name & address, as well as that of a handful of my close SL friends (several of which I have met personally over the years), then I'll be a little less skeptical.
With Tilia getting sold, the above experiment will be harder to replicate, since LL employees will lose whatever access they might have had to the Tilia's databases.
DaniSkunk Resident
Woolfyy Resident all I wanted from this was the ability to keep track of notices in a manner where they would not vanish after 2 weeks and then sales from the market place and you've went ahead and totally made this about something it was not. I'll never recommend another idea.