Re-entering the RedZone: the JLU

Controversy has recently been growing (yet again) around the so-called Justice League Unlimited within SL. This is a group of self-styled “law-enforcers” that has long been active in-world, supposedly protecting the innocent against dirty wrong-doers, with their avatars garbed in comic book superhero outfits.

Leaving aside their explicit violation of a certain comic book publisher’s IP rights – this group has long had a less than stellar reputation, and is not above overlooking inconveniences to their “duty” such as the Second Life Terms of Service. Evidence is now emerging that the JLU are (again / continuing to be) involved in RedZone-like data-gathering – and going a lot further in the process by attempting to put together dossiers on anyone in-world they consider a “threat”.

Avril Korman has written an excellent piece on the JLU’s activities, and it is a recommended read. For those that feel the same level of concern for the JLU’s activities as they did with RedZone, there is also an on-line petition aimed at Linden Lab to have the JLU’s activities properly scrutinised. You may also wish to consider adding your own e-signature.

Update – 2nd September


Redzone: closure of a sort

As headlined by Tateru Nino, the RedZone farrago both returns and gains a measure of closure.

Michael Stefan Prime (aka TheBoris Gothly and Zfire Xue) – identified as the man behind the RedZone tool by other SL users – has been remanded into the care of US Marshals and given a four-month prison sentence after pleading guilty to four out of seven charges of parole violation, specifically:

  • Associating with Shawn Cahill, a three-time convicted felon, in violation of standard condition 9 that he not associate with any person convicted of a felony.
  • Failing to allow the U.S. Probation Officer to inspect any personal computer owned or operated by the defendant in violation of the special condition directing him to do so.
  • Failing to notify the U.S. Probation Officer of all computer software owned or operated by the defendant in violation of the special condition directing him to do so.
  • Beginning employment without prior approval by the U.S. Probation Officer, working for cash, and engaging in employment that did not provide regular pay stubs in violation of the special condition directing him to do so.

Interestingly, as recorded in court documentation, the prosecution moved to dismiss three other violations when Prime pleaded guilty and waived his right to any evidentiary hearing relating to the four charges above. The three additional charges comprised:

  • Committing the criminal offence of Possession of Stolen Property 1st degree on or before March 23, 2011, in violation of the general condition that he not commit another federal, state, or local crime.
  • Committing the criminal offence of Trafficking in Stolen Property 2nd degree on or before March 23, 2011, in violation of the general condition that he not commit another federal, state, or local crime.
  • Associating with Shana Bobo, a three-time convicted felon, in violation of standard condition 9 that he not associate with any person convicted of a felony.

The first two of these charges relate to earlier convictions against Prime, although it is the third charge, relating to one Shana Bobo, that is liable to generate further speculation among SL users who have followed this case and the entire RedZone situation, given Prime’s involvement with a female SL user at the time of RedZone.

Details of the original case against Prime, which led to his imprisonment and eventually the violation of the terms and conditions of his parole as a part of the entire RedZone affair, can be read on-line.

There are still issues surrounding this entire sorry affair – not the least of which are vulnerabilities within the Second Life software environment and the fact that four months down the road, Linden Lab still have yet to incorporate the Media Filter code that is readily available in all responsible TPVs, which can warn users of a potential threat to their privacy.

However, as far as RedZone itself is concerned, this will hopefully see closure brought to that particular sorry affair without people feeling the need to dig further into this individual’s past and engage in trial-by-forum, which came to undermine much of the good work carried out to try and stop such exploits and identify in-world sims where people could find themselves open to data-scraping by the RedZone tool.

The Privacy Zone

It is now some 20 days since the RedZone farrago came to an “end”. While that tool has now gone from Second Life, the wider issue of people’s right to a reasonable expectation of privacy while using the platform remains wide open – and Linden Lab remains resolutely silent on the matter.

Some might argue that the reason RedZone was removed isn’t important; it’s simply enough that it was eventually taken down. But the fact is, we do need to know why it went; was it finally considered to be in violation of the Terms of Service (ToS), or was it simply that the signal noise from the community reached a pitch where removing the device was viewed as the most expedient means of getting everyone to quieten down?

Beyond this is the fact that RedZone was not the only system grabbing information; some have been removed, others haven’t. Gemini CDS is still in use, for example; whether it is capable of account matching or not is irrelevant – it is sending information to a database under the control of a private individual outside of SL. Together with LL’s relatively low-key toughening of the Community Standards, it sends the message that the non-consensual harvesting of user data – including that which might be regarded as “private” – for whatever purpose, is perfectly OK.

“Privacy is not something that I’m merely entitled to, it’s an absolute prerequisite” – Marlon Brando

While it is true that some link real life to Second Life as a natural part of their work, hobby or whatever, the vast majority are involved in SL as a means of stepping back from the realities of life and indulging themselves – and anonymity is important to this ability to do so. This point seems to be lost on the likes of Hamlet Au, with their constant (and completely inaccurate) cry that it is avatar anonymity that is “holding back” Second Life.

Even where people do link real life information with a Second Life account for business or other professional reasons, they may also wish to use alternative accounts to explore opportunities, activities and lifestyles that might cause them untold embarrassment if known to peers, family or friends. As such, there needs to be firm Chinese Walls between the accounts they create, and an assurance from Linden Lab that it is doing all it can to maintain those walls.

In short, any linking of real life to Second Life should always remain a matter of choice for the user, and never something thrust upon them by Linden Lab – and it should never be a matter of covert linking carried out without any form of explicit formal consent.

“The first duty of government is to protect the citizen from assault. Unless it does this, all the civil rights and civil liberties in the world aren’t worth a dime.” – Richard A. Viguerie

Linden Lab’s response to RedZone has been weak. There has been no public clarification of what will and will not be tolerated in terms of data harvesting within Second Life. While section 4 of the Community Standards now includes a reference to the sharing of avatar account information, it misses the point entirely – possibly deliberately so.

Attempting to regulate the sharing of data is about as effective as shutting the stable door when the horse has not only bolted, but is sitting on an exotic beach somewhere enjoying a quiet cocktail in the sun. Once data has been successfully culled from Second Life, then there is no way Linden Lab can prevent it from being used howsoever those gathering it desire; and as RedZone ably demonstrated, when it comes to private individuals gathering said data, it can never be assumed they are doing so with any honourable intent. Ergo, the issue is the gathering of such information in the first place that must be addressed.

Of course there are times when some information needs to be made available elsewhere – as the Linden Lab Privacy Policy explains, certain services require data to be passed elsewhere in order for users to benefit from those services. There are even arguments to be made for LL pushing things like Profiles out to the web not only to ease server loads elsewhere, but to enable them to draw on possible advertising revenues through the use of the space on Profile pages. This is all understood and accepted.

What is not acceptable, however, is allowing people to attempt to drill through the existing Chinese Walls simply because it can be done (due to weaknesses in the Viewer software), or as a result of some unsustainable excuse (“the existing security tools aren’t good enough” – a weak excuse used when in fact someone is unwilling to take the time to use said tools properly, as this would inconvenience them far too much).

“I believe in a zone of privacy” – Hillary Clinton

A zone of privacy must exist for users of Second Life in order for us all to feel confident that activating one aspect or another of the Viewer’s features is not going to end up in something unpleasant happening – or that we are being spied upon or possibly stalked.

While it is fair to say that no-one expects anything to happen overnight, the fact remains that time is passing – time in which Linden Lab have had the opportunity to do more to reassure the user community that they are in fact working to give each and every one of us a reasonable expectation of privacy. And yet, as it stands:

  • The Media Filter is still not available in Viewer 2, despite the code being available to Snowstorm for nigh-on a month. Instead we have bouncy bits; and while these may have a short-term “wow” factor, as soon as the code is available in the likes of Firestorm and Dolphin 2, which do have the Filter code, people will quickly switch away from Viewer 2
  • JIRAs such as SVC-6751, SVC-6793, and VWR-24807 – all common-sense measures to help provide a reasonable expectation of privacy – remain unassigned
  • Sections 4.3 and 8.3 of the ToS remain somewhat in opposition to one another
  • The Community Standards remain vague and the Privacy Policy barely offers any firm comfort to users in terms of safeguarding privacy.

It is understandable that the last two of these bullet points will take time to resolve – assuming they are being worked on at all. But given all that has happened around RedZone, keeping silent or avoiding the JIRAs and pushing back on the Media Filter – even as an interim solution – does not give any kind of indication that LL take people’s privacy seriously.

Frankly, people need the assurance that Linden Lab will not tolerate:

  • The creation, distribution and use of any device that seeks to link and / or make available information on alternative accounts by any means, either directly as an in-world device, or via any method using the Second Life Servers or via transmission to any third party database or server
  • The creation, distribution and use of any device that seeks to link avatar accounts with other ancillary information related to user accounts, such as IP addresses, for the purposes of alternative account detection or which may be considered by Linden Lab to infringe on the privacy and security of other users.
  • That such infringements of privacy include the subsequent distribution of any gathered information, either directly (by providing online access to the data) or indirectly (through the transmission of the data to any devices held in-world).

People need to see this enshrined in the Privacy Policy and linked to from the ToS. Beyond this, they need to have the assurance that both the gathering and the sharing of any information relating to their accounts over and above that which is available within the bounds of SL cannot take place without their explicit consent.

“Privacy is extremely important for anyone putting themselves out there, expressing themselves, or expressing a side of themselves through an avatar. People don’t want other people to connect the dots from their avatar to their real life person – or even, for that matter, to an alt. One of the ethical obligations we have is to protect people’s privacy.”

– Rod Humble to Dusan Writer, 12th Feb, 2011.

In an age where people’s right to privacy is increasingly being looked upon disparagingly – often by those who will go to great lengths to protect their own privacy – Rod Humble’s comments to Dusan Writer have considerable resonance among the Second Life community. It’s really about time that Linden Lab gave some indication they are taking this position to heart – not just with regards to integration with Facebook or whatever – but in giving us the fundamental assurance that our privacy when in-world is being duly safeguarded.

zFire Xue gone

The account belonging to zFire Xue, creator of RedZone, together with at least one of his alts, “theBoris Gothly”, has gone from Second Life.

So too have the contents of zFire’s store. The news came at around midnight, UK time, with posts appearing in the ever-Epic SLU Thread and people Tweeting on the matter as well.

As the news spread, people started heading for the sim where zFire had his shop – and sure enough, the place was empty.

So – is this a cause for celebration? Is the great hoo-haw over and done with?

Well…sadly, no.

Sure, there is some reason to celebrate; RedZone has been the focus of a lot of effort, and deserves a moment of celebration; but the fact remains that at the time of writing:

  • Certain locations across the grid were apparently still running RedZone
  • RedZone remained available on SL Marketplace
  • Others who seem to be involved with zFire Xue remain active in Second Life – indeed, one such individual ejected the 30-or-so people checking over zFire’s shop…

That the product is still on the Marketplace could be down to nothing more than a delay in getting things sorted over at LL. That those associated with him have not gone could be down to just that – they are associated with him and his device, rather than clearly and unequivocally part and parcel of its creation or a part of selling it directly in-world or via the Marketplace (where zFire Xue used his “TheBoris Gothly” alt). That RedZone devices still appear to be functioning in-world is again a little confusing: unless purging them from the LL servers is taking time as well.

Assuming that zFire has gone, and that RedZone is to be removed from the Grid and the Marketplace, then there is cause for celebration to a point. However, the media exploit still exists, there are other devices still out there, and so there is still more work to be done.

Addendum 16th March 16:45

A further quick tour of sims known to be using / hiding RedZone showed that none of them caused a media filter alert of any kind that pointed towards the RedZone URL, or anything of suspicious concern.

Elsewhere it is reported that RedZone devices have had scripts pulled from them. Given that RedZone users were previously instructed by zFire to move the scripts from his own device to prims of their own making, this would seem entirely logical: zapping the scripts would be more effective than simply pulling devices tagged with zFire Xue as the creator.

zFire Xue himself went on the warpath prior to his ban from SL (the interview took place on the Saturday prior to him being banned, but was published – ironically – on the day of his ban), and indicated a potential link between himself and the Knights of Mars, a vigilante group that can allegedly – and for a fee – get any user banned from SL. Given his companions are still involved in-world, some are speculating on whether this matter has entirely closed with regards to RedZone.