“I am who I am”

Gwyneth Llewelyn ID Card

So, identity validation is upon us “soon”. Having let the message sink in — after all, it’s no surprise, Linden Lab has been talking about it for quite a while — it’s time to try to understand the implications. In other words, as LL likes to call it, a post-mortem analysis of what this might mean for our fellow residents — the kind of thinking that sadly LL does not do a priori, or, if they do, they almost never tell us why.

The Cultural Issues

Regrettably I’m not really the best person in the world to talk about “identity validation” in general. My country, Portugal, has a very weird relationship with “identity”. Having survived 50 years of what is now called a “benign dictatorship”, the current democratic constitution of 1974 actually forbids the State from correlating any individual data, and all State-controlled identification documents are in separate databases with different ID numbers (unlike more rational countries like Spain, which have only a single number). Legally, or rather, constitutionally, they cannot be held in the same place. So Portuguese citizens (and legal residents) have at least a tax number (which is freely given to anyone, really), a social security number, a voter’s card, and a national ID card number. Everybody who has signed up for high school will have a national ID card (and since going to high school is mandatory, this means that everybody over the age of nine will have a card). Everybody who works will have a tax number and a social security number, and this means that technically all adults — and also many teenagers, since you can legally get a job if you’re 16 — will have those other cards as well. All have different numbers and are issued by different ministries, using incompatible databases — from the early paranoia days when democracy was young and citizens feared the totalitarian control of the State.

Only the national ID card provides valid identification (in extreme cases, the passport will also work). Unlike what happens in most countries in the world, providing your identification is almost a universal requirement. Until recently it was a minor felony if you didn’t carry your ID card, since you would almost invariably need to identify yourself — to claim a package in the mail, to drive, to enter a nightclub, or even to enter corporate buildings where all people are identified at the entry. You also need to show it if you want to rent a room at a hotel. Or, obviously, to go to a casino. But there are lots of other situations where you need to show it, too — when opening a bank account (obviously), signing a contract (also pretty obvious), but even when joining your favourite soccer club (ridiculous)! Or to register for a gym! So, in my country, validation is ubiquitous. It becomes so commonplace that we don’t lose our sleep fretting over it.

This means that obviously I’m used to going around with a card that looks pretty much like the one pictured above. You can observe that it has my fingerprint, too. Indeed, all 10.450.000 Portuguese (or, well, everybody over 8 years old anyway) will have their fingerprints on a national database (no, it’s not a computer-based database, so it’s pretty useless). We’re used to it. It’s a pain when you lose your ID card; it’s another pain every time you change your address, or every five years, when you need to get re-validated and spend a morning filling in paperwork and standing in queues (a new automatic machine will soon replace that, but it’s not widespread yet).

In effect, on average, you’ll be showing your ID card at least once a week — more if you’re doing business, since almost every building these days will ask for your ID before letting you inside. After a while, you get used to it and don’t think twice about the implications.

More worrying perhaps is that most entities asking for your ID card will also want your tax number. Banks, for instance, will require both. Allegedly, when signing a contract, you might be taxable — so you need to show your tax card and give your number. However, since the tax card is not a valid identification card, and is not even signed, it means that you have to show both. Thus, in effect, “someone” is going to correlate data that way. And if you want to get employed, you’ll have to show your social security card as well — so at least your employer will have three numbers for you, and very likely, copies of all your cards. So will your bank. Or your credit card company. Or your insurance company. Or, well, your soccer club — since they’ll issue a receipt for the monthly fees and they need your tax number for that. So, in effect, the issue of “anonymity” doesn’t really exist in Portugal. The only reason why people are not paranoid is simply because all those systems are not really interconnected — so there are hundreds of thousands of separate databases — although this might change in the very near future. But the Portuguese are very “soft” and not keen to make a fuss about that — universal ID validation of some sort has been around since 1911 at least and nobody remembers anymore how things worked before that, when people didn’t even need to register a last name.

Coming from this particular background — “the land of no anonymity” — it’s naturally obvious that I’ll be always biased about identity validation, since I’m so used to it on a daily basis. It doesn’t mean that I worry about what goes on in RL. Identity theft is certainly possible, but harder than most people might think.

And, of course, there are authorities that control very closely what people are doing with all those databases. All that is required is a formal complaint; the authorities are even eager to follow up on complaints!

The whole point here is that your relationship towards your identity is, first and foremost, a cultural one. You’re part of a society that establishes norms protecting and safeguarding your identity, and keeping a balance between your privacy and the requirement to provide a valid ID. More liberal (or libertarian!) states will definitely consider privacy a “sacred” issue — an unalienable right! — and will only require a valid ID in a few extreme cases. In those countries, “you are who you say you are”, and the State has no reason to mistrust you. On the other extreme of the scale, in the autocratic, totalitarian states that still exist, your ID card is a form of State control, where your movements are tracked by the State. Most countries, however, are in-between both extremes, depending on how sensible they are. Some, like Portugal, are an oddity among democracies, where a privacy-paranoid Constitution is actually completely disregarded daily, just because it’s more convenient for the State, the companies, and even the individuals, to be quickly able to prove who you are by presenting a universally valid identity card.

The Technology

Let’s see how this relates to what Linden Lab is proposing to introduce in Second Life. In essence, the technology is rather simple and even naive in its simplicity — it’s also not breathtakingly new. A “trusted” third party asks you a few questions — basically, you’re asked to supply some of your ID card numbers, or part of the number — and checks it across some “public” database where this information is “freely” available (where exactly they find these databases is anybody’s guess, especially when we’re talking about world-wide ones). If they find a match, they’ll send an acknowledgement back to Linden Lab: “this person is known to be who they claim to be”. That’s all LL requires. LL does not need to store any personal data; and, conversely, the third party that provides a validation service has no clue what that person is going to do in Second Life. In effect, there is never an established relationship between your own private data, Linden Lab, Second Life, or the external third party validation service. All are separate and not related to each other. The only thing that LL knows is that a certain avatar, claiming to be person X, is, indeed, person X. But the data you provide to LL is not the data you provide to the validation service: in effect, only you know that both are related to each other.

This is significantly different from, say, getting a digital signature from Verisign or confirming your data with PayPal. In both cases, these entities will indeed require you to send them a lot of documents, most often by fax, proving that you are who you claim to be. The “validation” in this case is made through a thorough paper trail. You need to reveal all your information — the less you send to these entities, the less likely they are to provide you a valid digital certificate in your name, or validate your account with PayPal. In my personal case, for PayPal validation, I needed to send them about 20 pages of documentation (I’ve never applied for a Verisign certificate, so I don’t know how painful that process is). A friend of mine sent them 13 pages — copies of ID cards, proof of residence, extracts from your bank account, your credit card, and a lot of things in that style. It’s a tough process and takes days, weeks, or (in my personal case!) several months, until the “validation authority” is happy that you’re sending them everything they need in good faith.

There is still a broad margin for error and for “faking” identity, of course – short of personal presence it’s almost impossible to allow people to get “fully validated” in real life. That’s why banks still rely on looking in your eyes to make sure you are who you claim to be, even if all the rest of their transactions may occur simply via electronic means.

Linden Lab’s choice of validation service — Integrity — however, is quite different. They do not really “prove” anything. Think of them as “Google for Identity Validation”: they simply look up your personal data against several publicly available databases and see if they find a match. If they do, they can say that you “exist” and are who you claim to be. You don’t need to provide any documentation: either you are on Integrity’s database, or you aren’t — and “verification” is simply based on that.

You might now wonder what all the fuss about verification is, then. Keep in mind two important things here:

  1. Linden Lab will never know what data you submit to Integrity.
  2. Integrity will never know what data (ie. avatar name, credit card, PayPal account) you have submitted to Linden Lab.

So in effect, Linden Lab and Integrity never see the whole picture — Linden Lab only knows that you have “proved” to exist in Integrity’s database (but don’t have a clue on what data you have sent them!), and Integrity will only know that you’re a resident of Second Life (since they will know where the request has come from), but won’t know your avatar’s name, or the credit card you’re using for the LindeX or for paying your tier fees.

It’s also important to dispel the myth that you’re going to provide “personal data” to Integrity. Unlike what happens with Verisign, PayPal, or other similar organisations, you’re not going to tell anything that Integrity doesn’t already know about you! Put into other words: Integrity already has your personal data on their databases. All they’re saying to LL is simply: “yes, we know about this person, they’re on our database”. And they’re only going to tell LL that if you authorise Linden Lab to check you up on Integrity’s website — but without telling LL what your personal data is!

This naturally raises a few questions:

  • What happens if you’re not in Integrity’s database? (I wonder where they get all that “publicly available data” anyway!)
  • How can you be so sure that Linden Lab does not store your personal data somewhere else?
  • And most important, how does this system prevent anyone from simply getting the data from a friend, a parent, or some stranger they happened to meet in the street (and who, say, dropped their wallet on the ground, with an address and their social security number, and you just “happened” to get a glimpse at it)?

So, in effect, what is really being “verified” here?

Linden Lab’s Reasons for Identity Verification

Let’s try to go through LL’s argumentation and see through the smokescreen in their words:

The IDV [Identity Verification] system aims to deliver two things.[…] This will help establish trust by removing a layer of anonymity for those they interact with. It’s much easier to trust someone who puts their name behind their words and actions.[…] The second benefit of the IDV system is to help land owners and content publishers be sure that minors do not get access to inappropriate material.

So this goes through two assumptions. One is that people now suddenly require trust to interact in Second Life — and that trust comes only from a lack of anonymity; the other is related to minors getting access to “inappropriate material”.

We’ll see these in turn. First and foremost — why is trust equated to lack of anonymity? One can consider the old argument: RL businesses and RL companies are in SL, and they need to know whom they’re dealing with. In essence, this is like claiming that you need to show your ID card when buying some groceries at the supermarket. As we all know, buying groceries is pretty much anonymous, and that never prevented any supermarket from conducting serious business.

In the service industry, however, it’s common to sign contracts between companies providing services, and these contracts, usually, are signed. The signatures are also usually verified with some form of ID (but not always; again, this is mostly a cultural issue and varies from country to country). In effect, even in my country, it has been a long time since anyone formally validated my signature — mostly when opening a bank account. But I don’t remember needing to send a copy of my ID card when buying, say, a mobile phone with the associated service plan — or installing an ADSL connection at my home. In fact, I don’t even remember needing to prove my identity when registering a trademark — and this is in the identity-paranoid country where I live! So, although I’m pretty sure I showed my ID card when registering a company with a public notary, most of the contracts that are signed by myself or my colleagues are not “verified” for identity. People enter those agreements in good faith, most of the time.

But what about the few cases where RL businesses want to make sure they’re dealing with a legitimate company in SL? Well, to be frank, whenever this happens, you’re very likely to meet them in meatspace, or send them some faxes, or letters, from your RL office. Put in other words: if someone mistrusts the avatar they’re dealing with, all they need to do is to call your office up and see if you pick up the phone.

RL businesses couldn’t care less if your avatar has a checkbox on your Profile saying “Fully-verified identity”. Actually, for the reasons I’ll soon be showing, that checkbox will very likely be pretty much worthless. And RL businesses are not in SL for having fun with the drama, or dealing with the paranoia, or the fuss that LL and their residents make about verification — all they want is to conduct business with serious companies and individuals. And trust me, they know pretty well how that is done in real life; you don’t need “high tech” for that. A copy of the registration of your company will usually be very easy to gather (in most countries it will be public; in several, you can even look that up on a Web-based database).

So perhaps LL is hinting at SL business, ie. implying that if you sell hair or clothes for L$, and have a validated avatar, people will “trust” you more because of that. Unfortunately, that argument is ridiculous. Business ethics don’t have anything to do with your ID — people are not “more honest” because they flash ID cards at you. Criminals have ID cards, too. So “proving your identity” is definitely not a precondition for “being honest”; what one can argue is that most crooks will try to avoid giving you ID cards so that you cannot bring them to court. That’s certainly true, but it’s pretty much misleading. After all, in SL, you won’t be able to know whom you’re dealing with. You’ll just see the checkbox saying “Verified Avatar”. Not even LL will be able to help you out — they don’t know how the avatar was verified, just that Integrity told LL that this person has matched their database, without letting LL know who they’re talking about.

A very small number of people have even cynically suggested that the only people willing to verify their avatars will be crooks — since they’ll be able to leverage the false sense of security provided by that checkbox in order to engage in business transactions in SL. I also think this is too cynical; however, if I were a crook, I would most certainly validate my avatar with fake data!

The supermarket or retail shop example shows that everyday business transactions simply don’t rely on validation to work in real life — every day, for billions of human beings. You can still be cheated by buying rotten eggs although the package claims otherwise. Most of the billions of RL transactions, however, are legitimate. All that happens without the need to show your ID card to the supermarket employee, or, vice-versa, requiring the employee to identify themselves. And, in SL, we have survived four years with mostly legitimate transactions (they far outnumber the illegitimate ones!) without validation.

Very honestly, I don’t buy that argument. Let’s see the next one.

LL claims that this mechanism will give landowners a new advantage: being able to exclude minors from viewing adult (ie., “broadly offensive” or “inappropriate”) content. This is in fact the most discussed argument in the whole SLogosphere. Usually, residents complain that the Main Grid is for adults only anyway, so this extra step is surely not needed; LL claims that they cannot use a credit card to validate the age (this is legally correct) and so have no way to keep minors out.

But sadly the issue is not so black-and-white as most people seem to be arguing these days. First of all, “getting minors out” is not LL’s major reason for introducing validation services in SL. The major reason is getting rid of the liability.

Quoting again from Robin Linden’s post,

The burden of responsibility lies with the parcel and estate owner for the content displayed and activities offered on their land.

So now we understand better what this is all about. In effect, Integrity does not really provide “just a verification service”. Their core business is actually far more interesting: they buy LL’s liability in case LL gets a lawsuit for letting minors see “inappropriate content”. Even more interesting is that LL does not need to worry about what “inappropriate content” means: this is a cultural question, not a philosophic one, but LL does not need to care. Whatever lawsuits will come LL’s way, they will simply get Integrity to pay for them.

Put into other words: Integrity is an insurance company. In this day and age where parents basically don’t care what their children are doing, and blame the State for not taking care of a “children-friendly environment” by filing lawsuits against “the big bad companies who display terrible content”, a new business opportunity has arisen: selling insurance against the (albeit remote) possibility that you get a lawsuit for displaying “inappropriate content”.

How does Integrity work? Well, if you’re familiar with insurance companies, you know that they rarely lose any money. They employ highly-trained mathematicians and statisticians to develop a set of tables to find out how likely an event is going to happen, and how much it will cost. This is the amount that you charge as a premium, plus some extra as a profit. You buy insurance trusting that the “bad thing” will never happen, and the insurance company hopes the same. After doing business for several years, you can pretty accurately “predict the future” and establish the lowest possible value for the premium. In fact, this system is so popular that it was invented in the 15th century, and insurance companies have been fine-tuning it for over 500 years. They’re very good at foreseeing the future.

So what they do is look at LL’s resident base, and say: how likely is it that any of the 10 million users in SL is going to file a lawsuit because a minor is looking at “inappropriate content” (ie. a woman’s bare ankles, if you live in Iran), and how much could that lawsuit cost? Based on the number of lawsuits filed in the past, and the amount of expenses due to those lawsuits, they can pretty well establish a value for their insurance. And this is what LL pays. It has to be a very low value, since LL always claimed “it will be just a few L$”, and I actually trust LL when they claim that the premium is very low: the probabilities of “something bad happening” are really, really low.

Still, all it takes is a huge lawsuit to bring LL down to its knees. And very likely, just as they have insured their servers at the colocation facilities they use, they are now insured against lawsuits arising from “displaying inappropriate content”.

Why does Integrity require any data at all, if they are basically just working as an insurance company? Well, to keep the risk low, and thus provide LL with a lower premium for their insurance, they have methods to minimise their risk. Most people are honest when providing their ID data. Most of Integrity’s databases are correct. Let’s say that 99% of all the validation requests will be absolutely correct if they just correlate your address with an ID number stored on a public database for that same address. By requiring this extra test, they will dramatically minimise their own risk, and thus charge LL less for insurance. This is not different from buying life insurance and requiring a physical examination by a doctor — that way, the insurance company will know that, in exchange for providing some very personal data (your full medical records!), they will have a far lower risk when calculating your premium, and have a higher margin of profit.

So far, so good. As a faithful resident for so many years, I’m naturally happy that LL is starting to get insured against lawsuits, something that always worried me in the very recent past, when it was clear that things were starting to become, well, messy.

This will also hopefully explain why LL banned gambling. It was not because “they were under FBI investigation”, like many (including myself!) assumed. It was not because of any “governmental pressure”. In fact, some friends of mine implied that “gambling” was not part of the “better world” that LL wants to build, and so this was a political agenda. Not at all. It’s stated on Integrity’s site: they don’t insure gambling sites. For now. This article on their website seems to promote Integrity’s own political agenda, which allegedly is that online gambling in the US should be promoted (because it provides a lot of taxes to be collected by the IRS!) but only if the websites are protected by a validation system that shuts minors off. Which is, of course, the type of service that Integrity can provide.

So it seems that LL is now part of the lobby for regulated gambling in the US, but, until the legislation changes, they play “nice” and subscribe to the service that Integrity is allowed to legally offer — website insurance against minors having access, but only if you don’t offer gambling. So, the casino shutdown is just a consequence of LL signing a contract with Integrity and nothing else.

There is just a nagging issue: what about the transfer of responsibility to landowners?

The Implications, Short-Term and Long-Term

I will not repeat what others have explained in such detailed analysis in their own blogs. Basically, once LL “sold” their liability to Integrity, they gave landowners the following choice: join us in keeping unverified avatars out of your property, and we’ll give you the benefits of the insurance we bought.

This is the positive aspect of the whole issue. Right now, if a minor comes into the grid, and sees “inappropriate content”, there is a bit of a legal problem. Who is exactly liable? Well, the way things are seen by some US lawyers, the answer can be either “the kid’s parents” or “the entity having allowed the kid to join”. I believe that the real issue is: “how big can the lawsuit against LL be?” I think that very likely LL will not be criminally charged for “allowing minors in” – since they clearly state that minors are not allowed, require everybody to place their birth date on good faith when joining SL, and parents are still responsible for their children, even in the US 🙂 The fact that minors can — and will — lie about their age is of no legal concern to LL, and I’m pretty sure that the current system is strong enough to hold in court if criminal charges are brought against LL.

The problem, however, is civil lawsuits, when a disgruntled parent (or a greedy one!), having engaged pro bono one of the top law firms in the US, is able to claim compensation from LL because “the inappropriate content” has “troubled their poor child”. I believe that a pretty convincing story will get a jury to shed a few tears, and LL be forced to pay a few million US$ as “compensation” for “wrecking the kid’s life” after seeing the “disturbing images”. I’m very sorry if I sound too cynical for you; but I was raised to believe that the parents are always responsible for what their children are doing, and I can’t agree with the concept that companies (or the State) are supposed to take over that responsibility. I’m also not really convinced that “nowadays parents are totally unable to control their children” or that “pornography is so widespread that you cannot prevent kids from finding it”. Whatever the reasons, we have to deal with the fact that in this politically-correct age and era, the parents can sue others for things happening due to the parents’ inability to control their own children; and instead of complaining about the current mentality, we have to live by adapting to the changes. So, while LL is very likely “safe” from criminal charges, they’re still liable to litigation. And this is where Integrity will save them, by accepting that liability.

So after validation is introduced, LL is actually providing us residents with a new service (for free), which, simply stated, means: in case of doubt, you won’t be liable either if a minor watches your “inappropriate content”, if you agree to configure your land parcel to disallow unverified avatars. This is stating it the positive way, just like LL writes on their official statements.

The negative side is, of course, that you will be held accountable and liable if any lawsuit is brought against LL because of a minor viewing “inappropriate content” and your land is open to any avatar. This means that, in effect, you can either do it “LL’s way” — get insured too, by clicking the checkbox — or you can take the risk all on your own (it’s up to you). Until now, you had a way out: if someone filed a lawsuit against you, you could still try to put the blame on LL, and thus avoid the lawsuit, basically stating that you had no reason to believe that minors could enter SL, since LL clearly stated otherwise. From now on, the tables are turned: LL will only guarantee that validated avatars are not minors (and is fully prepared to back that guarantee with money, through their agreement with Integrity), and if you opt-in for just allowing validated avatars in your own land, that “guarantee” will be extended to you as well. If not — you’re on your own, and LL will not help you!

Of course, LL is naive. They imagine that a huge percentage of residents will “validate” themselves, and, conversely, that a huge percentage of landowners will also block non-validated avatars, and thus that we can all peacefully exist in a very mature, and very adult world, safe from harm. This would be a nice counter-move to the terrifying “Disneyfication” of SL that has been going on. With a fully-validated world, shutting out minors once and for all, we can all breathe deeply again. This rather lovely dream, alas, is just a utopia. LL does not really understand how paranoid their users are. The estimates for the number of people willing to go through validation are really quite low — nobody trusts LL any more, and much less this “strange” third party of dubious reputation (as said, where do they get all those “publicly available databases” anyway?).

There is thus a huge issue that will arise pretty soon. We’ve lost a third of the L$ exchanges at the LindeX when the casinos shut down; and there is an estimate that close to two thirds of all content developed in SL, if not straight-out “mature”, is so close to “inappropriate content” that people will fear having it displayed on their land. Since residents will self-flag content as inappropriate, but LL will also allow others to flag it, it’s quite likely that people will be over-zealous in their flagging (or, as well, use it as a griefing tool). Merchants are very likely starting to panic: there might never be enough validated customers to buy their wares! And without merchants selling content, the economy grinds to a stop – merchants will close their shops, they will sell their land, and even if they stay in SL (assuming it is still attractive to them), they will certainly spend much less.

I don’t think that LL is ignoring the issue. I think they’re just very optimistic in the long term, ie. as always capitalising on the growth of SL. I can imagine that the new registration page will soon have an extra field saying: “Second Life is an environment with mature content. To allow you to view this content without restriction, you can safely click here to get validated as an adult. The procedure is simple and painless and will take just a minute. Please use it to get full access to all the fantastic content that millions of users have created for your pleasure!” And by the end of 2008, we’ll have ten million new, clueless users, who naturally clicked that button, never knowing what the fuss was all about.

So I guess that they’re gambling (pun intended!) on the increasing growth of SL to offset the minor collapse of the economy. Like in so many cases where people panicked and left, it will be the long-runners that will reap the benefits. The mature content providers will smugly validate themselves and flag their own content and parcels as “validated avatars only”. They will wait a few months, seeing their customer base dwindle and disappear in a few weeks, possibly with loud complaints at the beginning — but then look forward to having, effectively, got rid of the competition that won’t be around selling mature items during 2008. Believe me, the ones that will patiently wait will reap huge benefits (and remember — the ones complaining about your decision today, since they refuse to get validated, will very likely not be around tomorrow to complain further, so they’ll be easily and swiftly dealt with by just waiting).

But SL is all about short-term planning. Everyone wants to make a quick buck. Nobody is really planning ahead for 6 months or a year. Even the more optimistic sellers of mature content have doubts if SL will be around by the end of 2008. So “panicking” is the natural reaction. The big question is, how many people will be still around by the end of the year selling mature content?

If the answer is “not many”, will we really have Disneyfied the whole of the SL grid? (thus making the whole purpose of the validation service basically worthless)

The Alternative That Linden Lab Never Gave Us

I wish I had an answer, of course, since the Disneyfication of SL will basically mean that other competitors, with fewer qualms (and probably better lawyers!) will be able to compete on a lower-quality virtual world, but one that is addressed to the mature market. On the other hand, if people came over from There.com or other worlds because of the mature content, what is the incentive now to stay? They can have “Disneyland” anywhere else. Shutting down the whole mature content industry — even if just for a while — means that SL doesn’t offer a big enough incentive for people to stay. The number of residents that are in SL “just because it allows you to exploit your creativity” is naturally less and less, in relative terms — they have changed to SL because of it — but the number of pure consumers that don’t want to create anything (either because they lack talent, time, or motivation) by far outnumbers the rest. And for the pure consumers there are so many choices around, and SL is not even the best-looking one. However, it was, so far, a good compromise: although the technology might be more unstable, and the graphics lower quality, you could engage in the hugely widespread adult environment.

Obviously, too, this will not prevent universities or even some companies from staying around — the ones that are interested in studying virtual worlds and/or using it internally for several areas (training, communication, etc.) will not even notice that the mature content disappeared. For them, SL is the alternative to things like OpenCroquet, and they will stay around.

So the issue is really about the millions of residents that, in 2007, are not willing to trust a third party to validate themselves, even if the process is painless, quick, very easy, and doesn’t require revealing anything, either to LL, to Integrity (who has all your data anyway), or, more important, to other residents. Still, the psychological effect is the one that counts.

Linden Lab had, actually, a different way of dealing with this. Instead of relying upon a single entity to provide validation, they could create a verification API and allow several companies to provide the same service. Let me give you Verisign’s example again. Verisign effectively validates a person — not just some simple “database matching” mechanism — by requiring a lot of documentation. But in return you just get a digital certificate — no “real” data is placed inside the digital certificate. So if you don’t trust Integrity or Linden Lab, all you would need to do is to copy & paste your Verisign certificate into LL’s site, and your identity would be “certified”. Verisign is quite expensive, but there are far more similar entities providing that kind of service. In fact, even PayPal provides that service, and it’s for free — although it trades off “cost” for “bureaucracy”. But there are many many others.

If Linden Lab really, really wanted to validate avatars, they would have opened their system up to several providers. In fact, you could even start your own validation/certification service and provide it for a fee. A good example — hinted at by Zero Linden on some of his recent office hours — would be some companies “validating” their employees as being “adults”. Using OpenID or a similar mechanism this is easily accomplished. And it would also mean for us residents that we would have a choice.

For Linden Lab, however, this doesn’t work. They really don’t care if you’re an adult, certified, validated, or verified. All they really want is insurance against potential lawsuits. And I’m afraid that this is what they can get by working with Integrity, unlike what happens with other companies. So we’re stuck with this system.

It’s also important to understand that this system will not guarantee that minors won’t get into the grid: they will very easily be able to type their parents’ ID numbers and addresses on Integrity’s website, and log in safely — in fact, it’s quite possible that all teenagers will do that pretty quickly once this system is out! But, again, let me stress that LL doesn’t care what teenagers are doing with their parents’ data — all they wish to avoid is the cost of a lawsuit. And in that case, LL would be safe — the parents can sue LL for as long as they wish, for giving access to their children so easily, but LL will simply point to Integrity to get the checks written, and go on with their business as usual.

About Gwyneth Llewelyn

I’m just a virtual girl in a virtual world…

  • Thanks Gwyn. A lot to think about.

  • Interesting take on it. I come from a country where we’re rather strongly opposed to identity cards despite our government’s desire to make us have one.

    I also come from a country where I can, 100% legitimately sign my name as Eloise Pasteur on a contract as long as I do not do so with intent to defraud or impersonate. I couldn’t, for example, pretend to be Kate Moss with the hope of stinging her with the bill, but as long as I signed it as Kate Moss and acknowledged it was my signature at a later date, it would be fine.

    However, you’ve provided the only explanation I’m vaguely convinced by for why Linden Lab want to force this on us. The hot air about “trust requires knowing who you are dealing with” is smoke and mirrors of the kind that they should be embarrassed to produce (surely you choose to trust someone, or not, far more without verifying their ID?). Keeping the kiddies out – well I can’t give a polite comment to that, it’s just far too easy to get around it. When I was 16 the internet didn’t exist, but producing my mother’s name, date of birth, passport number and address as proof of ID, no problem. Simple biology suggests she was in her 30’s at the time: easily old enough to be verified as an adult.

    But, laying off liability, if children do try to sneak in and then their parents try to blame LL, I guess that makes sense. Shame the world, well parts of it, are so twisted that this is regarded as rational, even laudable behaviour from a parent.

    Putting hard core porn on street corners is one thing, but on the internet, behind something where the child has to lie to get in, which is the situation for SL, that’s meant to be LL’s fault?! Sad. And on that note, I sound far too horribly like my mother. I’m going to go and lie down in shock.

  • Gwyneth – this is a brilliant article, and conclusively explains the whole “verification” foolishness.

    But, you overlooked a point. While it isn’t essential to your argument, it *is* essential to the evolution of identity and personality in virtual worlds.

    You said, “The only thing that LL knows is that a certain avatar, claiming to be person X, is, indeed, person X.”

    But who *does* that?

    How many of us go around making *any* claim as to an atomic-world identity, let alone any claim that might matter to anyone?

    Sure, there’s the occasional pathological liar, like the murder suspect who claimed to be an 18 year old soldier – but the numbers of these people in SL, just as in RL, are too negligible to matter.

    I *specifically disclaim* any atomic-world identity: what is there to verify?

    This isn’t just some immersionist quirk – it actually parallels something of tremendous importance in the atomic world, which is long overdue in being carried into the digital – corporate limited liability.

    Corporations are “artificial persons.” You do business with one, you’re dealing with the corporate avatar, not the atomic human employed by it or directing it. If something goes wrong, you sue the *avatar,* not the human – and getting through to the human is very, very hard under the law.

    There are good reasons for using these avatars, and they have made the modern world possible.

    Yet, LL would have us forget all this history, all the usefulness of the concept of “artificial person,” and have avatars be no more than a domino mask at a ball.

    It’s *not* good for the growth of virtual worlds, and it’s damn annoying to the great number of us who live Second Lives without making any claims about a First…

  • Eloise, thanks for pointing out that the impact due to the end of gambling was actually very minor and almost negligible; somewhere else I remember posting that the LindeX is back where we started before summer, which is always “slower” than usual. So we have to look at other causes for the stagnation of growth on simultaneously online users, active users, the reduction of Premium users, and, well, L$ transactions. Things are really not so bad since SL still gets 800,000 new registrations per month, sometimes more, and the number of new private islands also grows regularly by the usual amount, so it’s easy to claim that “SL is still growing” (just slower than usual — but so is World of Warcraft!).

    It’s too early to know what the impact on the sales of mature content will be. My judgement is based on the following assumption: the hordes of basic users contribute comparatively little to the overall economy (although, obviously, this is a gross over-generalisation — a huge chunk of the active basic users buy L$ every week on the LindeX), and it’s very likely that these will be the ones refusing to get verified. So, a segment of perhaps 200-300,000 users will certainly get verified, and what sadly we can’t figure out (we have no market data!) is how much the economy depends on them. I’m willing to believe that 80% of all sales — specially regular sales – come from these 200-300,000 residents, so, the worst case scenario would be a drop of about 20-25% of all transactions due to the lack of available mature content as merchants panic, pack, and go.

    However, as pointed out, this is just transitory. A few clever merchants will immediately verify themselves and block their shops to unverified avatars and wait until the competition goes away. They’ll be the future content barons in the adult industry. As more and more new users come to SL and click the verification checkbox on their rezday, the adult content creators willing to wait a few months will reap the benefits of having less competition. The winning strategy, as always, is not to panic and keep that smug, knowing smile in your face even when you see customers running away to play WoW or LoTR, or, well, There.com. They’ll be quickly replaced, after a few months, by people that will come to a safe SL where there is no liability attached to sell adult content, since Integrity will be around to make sure that LL is insured against any lawsuit. So, instead of “Disneyland”, I believe that there will be an “adult content boom” in a few months. Not “right now”, but perhaps in half a year, as the waves of panic have subsided.

    Sophrosyne, you’re actually very correct on your analysis of “the corporate avatar”. Frustrated for getting some of my (snail) mail undelivered because it was addressed to “Gwyneth Llewelyn” — whom I claim to be! – I understood that the point here is that in my country I need legal proof of my claims. Well, I have started a long process, almost complete by now, where “Gwyneth Llewelyn” will become my business name, and like you write checks in the name of IBM or Dell, you’ll be able to write them in the name of “Gwyneth Llewelyn” as well. Right now, it’s a registered literary pseudonym (meaning I can sign contracts under it) and a fully registered trademark (meaning that nobody else can pick that name and do business under it), and there is only a final step missing: using that trademark as the business name of my (personal) consulting business, which at this point is not a completed process (yet).

    So why all this fuss, if in reality companies have long since been, in effect, “corporate avatars”? You’re so right in pointing it out. But the truth is that we’re still on uncharted legal territory here, at least, in bureaucratic countries like mine. I remember rejecting several interviews because journalists were “compelled to tell the public what their sources’ real name is” (when, in fact, it’s the other way round!). Those same journalists then proceed to write articles on “Apple just announced that they’ll buy IBM”, and nobody thinks twice about ‘Apple’ and ‘IBM’ being “corporate avatars” with legal existence! As if people forget that you can set up a business with just a single person, and use any name for doing business (which is not required to be your own).

    You also remind me of a discussion I had with some jurist friends of mine in SL. They claimed that the avatar’s identity should simply be a separate legal person (I might have some doubts about it), since, like a corporation is not “just individuals” but a different entity — with quite different liabilities — the same applies to avatars. Their reasoning comes from the following point which applies to several countries (specially under civil law systems): when doing business under your own name, you’ve got unlimited liability, ie. meaning that when things go wrong, in extremis, the Law can go after your personal assets. However, if you trade under the legal persona of a corporation, the risk is reduced, since you’ll be able just to have limited liability — meaning that the Law can only go after the company’s assets, not your personal ones. This has been established long ago in most countries to allow merchants to curb their risk. And even on one-person-companies, the same applies: your legal persona is different if you trade under a company’s name as opposed to your own personal name.

    So the question that begs asking is why we can’t fit avatars in that model, too, since we know that avatars have their own assets (their inventory; their land; their L$ account) and they should legally be liable only for those as an independent legal entity. Alas, we’re on the front row of an emerging new paradigm which will take quite some time to mature and settle until all this starts to make sense to every country’s legislation…

    In the mean time, what we certainly can do is simply register a RL business using our own avatar name…

  • Gwyn, most of what you say about LL’s thinking and motivation is pure speculation. I agree, however, that the reason for IDV was avoiding legal liability.

    Integrity is not insurance though, they are merely a tool. I don’t think they have any significant liability in this, unless they screw up really badly. They only verify identities, they have no responsibility in how the identities are then used. They can be liable only if they grossly misrepresent or execute their identity verification.

    Instead, the liability has been passed on fully to those who provide “adult content” in SL. LL gives those providers full responsibility and gives them a tool to fulfill their responsibility. Again, it is not insurance and it is not offering insurance to providers. It is a way of passing the buck by giving a questionable tool. LL was giving a free service to providers until now (by taking the responsibility for age verification) and they just cancelled it.

    I agree that it should not be LL’s responsibility and that it should be the providers’ responsibility instead. The only issue with this is that LL has a monopoly on SL and is forcing HOW this responsibility is now implemented.

    No, LL is not an evil corporation that is trying to take control over our personal info. It is simply a company that acted in its own interest and that can afford to do so, without offering alternatives and without considering the opinions of its users, because it has a monopoly.

    Companies that have a monopoly always end up acting like evil corporations.

  • Well, the “insurance” bit comes actually from Integrity’s own site:

    Insured. Integrity insures transactions against fines imposed on the merchant for underage sales.

    For more on Integrity’s business model, read this article. Quoting Integrity’s CEO:

    “We’re the only ones who insure the merchant because we are confident enough in the technology we use. If a merchant uses our service and is prosecuted for allowing underage access, we pay the legal fee and we pay the fine. It has never happened.”

    Notice that they claim to be the only ones offering this service. No wonder that Linden Lab is not looking at alternatives…

    I claim that Integrity really is a form of insurance against what LL most fears: getting a lawsuit for allowing minors to view “questionable adult content”.

    Sorry if it wasn’t obvious. Notice that I’m just quoting from Integrity’s own site and the public statements of its CEO; I have no way to get access to the actual contract that was signed between LL and Integrity, but I’m pretty sure that this is what caught LL’s attention to strike a business with them.

    Also notice that “transferring liability” is exactly what is happening in this case. In theory, of course, a court might find LL liable for allowing minors in; but LL is acting in good faith to do the best to shut minors out. The worst that can happen to LL, thus, is paying fines or getting a lawsuit. And they now have it covered through Integrity’s service. It’s very unlikely that Philip goes to jail because a minor was found roaming the grid and he (Philip) didn’t do anything about it; however, it’s quite likely that the minor’s parents might sue Philip in court. Well, they can sue him at will — Integrity will pay it all, and LL will continue to do their business as usual.

    Sure, I’m “speculating”, but really, based on what is publicly available on the Web about how Integrity operates, as well as our knowledge that LL is scared about the kinds of lawsuits that can be brought to them, I’m really just adding two and two together…

  • Thanks, Gwyn. I hadn’t seen those claims from Aristotle, but they look like marketing hype anyway. I still doubt that LL sees it as insurance and I certainly would not see it as insurance if I were a provider of “adult content”. Using pretty much any reasonable form of age verification prevents legal liability. And legal liability across borders is difficult anyway.

    In other words, I still state that LL has removed itself from any possible liability by using Aristotle (although there could have been other solutions). If they got also an insurance in the contract for the same price, then so be it. But let’s not pretend that LL has passed on an insurance to SL residents, it has passed on responsibility and liability and offered them only one questionable tool to use.

  • Well, I still think that we always had that liability, although I’ll ask one of my lawyer friends what they think about it. Put in other words, if an angry parent puts a resident in court for displaying mature content, the question remained, so far, if you could simply shrug it off and blame it all on LL who didn’t provide an adequate protection against minors on the main grid.

    I believe that with a pretty good (and expensive!) lawyer you might be able to argue today that you have trusted LL not to let minors in and convince a jury that you’re a victim of bad protection by LL.

    LL’s move in this regard is not so “evil” like it sounds. They are putting safeguards in place. And as said, these safeguards can be extended to the common resident, if she or he is willing to click on a checkbox. I mean, LL will still prevent minors from entering the grid using the system they currently have in place: requiring the resident to enter their birth date, just like any other social Web 2.0 site requires. So one’s clever and expensive lawyer might still be able to shift the blame on LL.

    There are two differences with the new system, though. First, you can shift the blame on LL as much as you want: they’re insured against it, and will be able to get Integrity to pay for everything and still keep in business. And, as a side effect, you’ll be able to do the same by checking that box saying “no unverified avatars in my land”. So the residents get additional protection.

    What remains to be discussed is how legitimate or questionable Integrity’s operations are. Here I’ll keep an open mind, like I did with Ginko: unless there is proof to the contrary, Integrity is an “honest” company, so far as nobody proves in court otherwise. Is that enough? Well, it should be for anyone who entrusts LL with their data and their IP rights… and we all have followed the case of Bragg vs. Linden Lab, where an averagely-clever lawyer is trying very hard to prove that LL has been lying to us. But so far, until that gets proved in a court, we have to assume that LL acts in good faith, although we can — and should! — question everything.

    What I’m not claiming is that this new situation is good for us. It’s only good for Linden Lab. The “extra protection and insurance” for the few residents who will have no qualms in clicking on a checkbox is perhaps too much to bargain for when we consider the (possible) results — more fragmentation on the grid, more content creators disappearing, more chaos and drama for a few months until things stabilise again. Is it worth it?

    Well, one has to wear Ginsu Linden’s shoes and think about it. What is more important for Linden Lab as a business? Losing a fraction of their customer base due to drama, paranoia, and public accusations of bad faith — or be forced to be shutdown because, say, the German government or an international Puritan association puts LL on the bench of an international court accusing LL to be “promoting” paedophilia or whatever crimes they might come up with?

    This move to a relationship with Integrity sounds like a desperate move by someone evaluating what the alternatives are, and not finding any way out — not even a hard way out.

    Are there alternatives to Integrity that will protect LL in the same way? If there are, where are they? (Put into other words, is Integrity’s CEO lying when they claim they’re the only verification entity that puts their money on their claims?)

    If there are, then LL should explain why they picked Integrity and not any other company. They were very vague by saying that Integrity offered the best value for their money out of several possible options. If they were talking about insurance against lawsuits, I can very well believe they weren’t exaggerating at all.

  • Becky Tardis

    Maybe I am clueless, but I can’t find anywhere on the SL webpage where I can look at the info that they need from me to verify. Is the process not up yet, or is there a select group of people who are testing it?


  • Indeed, Becky, the process is being tested by a “select group of people”, namely, private island owners — they’re the only ones that are allowed access to the system for now. Since there are perhaps around 10,000 or so private island owners, this is a group large enough to help LL fix any problems the system might have.

    I wish I were one of them, I’m pretty good at making software crash :))

  • Actually it’s any concierge member who can test the service.

    You need RL name, dob, address, and one of a number of ID forms, driver’s license number, SSN/NI number or similar, passport number and a few other things (ID card number I think).

    Last I heard, it’s not working for Canadians at all, all of Europe is having no problem, USA too.

  • “is Integrity’s CEO lying when they claim they’re the only verification entity that puts their money on their claims?”

    No, that’s not lying, it’s just marketing spin. He said himself that it never happened. I’ll take the claim seriously if there have been any successful lawsuits against any online merchants that use a reasonable age verification. Heck, can someone tell us if there have been any successful lawsuits even against someone who just makes users declare that they’re of legal age, like SL is doing now? Otherwise, this is like insurance for the end of the world coming.

    BTW, see for instance: “Provisions of the Community Decency Act and the bench’s opinion that MySpace could not be expected to perform such age verification led to that dismissal.”

  • Hmmm, I’d better add the link the right way. See MySpace Faces Age Verification Law for that quote about the Myspace lawsuit.

    Gwyn, we could use a Preview feature for the comments 🙂

  • Double hmmm, the hyperlink tag didn’t work so I’ll do it this way: http://tinyurl.com/2gseqo

  • And furthermore, the SL IDV would not even prevent any lawsuits like the one against MySpace because this IDV is voluntary. Underage people can still get in and can end up involved with people of legal age.

    And the liability is indeed with the providers in SL because they are the ones who have to figure out what constitutes “adult content”. There is no definition so far, so if you want to be really safe you’d better flag almost everything. And if you have a multilevel mall, you’d better flag the whole plot because of the club on the top floor, affecting also all the stores below it.

    This makes less and less sense to me.

  • Well, in an ideal platform, everybody would get validated and would only have access to a Mature SL, end of story…

    In practice, this is asking way too much from the poor residents. After all, so much in SL is PG anyway, so it doesn’t make sense to “force” the residents to get verified for watching perfectly appropriate material.

    Yes, I agree that a “better safe than sorry” will be the option for the most worried and paranoid types, flagging basically everything they see around themselves as being Mature. And I agree that this makes little sense, but it might become the usual procedure for the ones staying around on the “verified adult grid”…

    Thanks to Eloise for clarifying the issue about who was allowed to participate in the beta testing.

  • Emily

    Thank you for this analysis Gwyn, but I’m sorry I still don’t understand some things.

    If I didn’t give LL my real name when I signed up, can my avatar still be validated with my real identity?

    And if so, if I have two avatars with different RL names and email addresses in SL’s database, can they both be validated or should I pick my favorite?


  • KMeist Hax

    From what I’ve heard, it’s illegal for Canadians to be verified. Something about the legalities of tracking people in an ID database.

  • Hi Gwyn!

    That is a very insightful article. Surely this issue has a lot of people really stirred up passion-wise.

    I have been on the internet about 20 years (well it was ARPAnet and BITnet in 1987 when I logged in to USENET newsgroups and such back then) and realized very quickly that privacy on the internet is more or less an illusion.

    I would agree that Linden Labs is preventing itself from getting sued – but as a landowner, I wouldn’t be quick to assume that *you* would be protected by Linden Labs as well. If it would serve their interest, certainly, but their umbrella of protection won’t be yours!
    (If you are named in a lawsuit, then you are being sued as well, and many of those things are done that way)

    I know a lot of people are decrying the “Disney-conversion” of SL. I am not convinced it will happen, regardless of ID verification, the same way VOICE hasn’t taken control of the net. (Turns out that the studies of the Beta grid in voice didn’t take into account that people were there to specifically try out voice!)

    So … we will see as this medium matures how things proceed forward.

    Live Long and Prosper!

  • There are a few glaring flaws in your post Gwyn but I agree with you on many points.

    Integrity do not have all that data. The UK passport office have informed me that Integrity have no authority whatsoever to check UK passport numbers. Indeed if you go to Aristotle’s website you will find that in the UK, driving licence and passport numbers are suggested information, not required.

    Now why are they suggested? They’re suggested because Integrity don’t have legal access to check them. However if people voluntarily hand over that information, Integrity can store it and use it for future reference as a further check.

    However as of right now, Integrity don’t have any real extra information on me. What they do have is my name, address and date of birth. That was all I provided them with and I’m verified. So all this talk of extra checks with id numbers is I’m afraid null and void.

    Aristotle page

    That page tells you what information is required. Everyone who wants to verify should first try verifying with the required information for their country.

    As for your main premise, yes it’s about LL passing the buck. The resident to resident trust angle is not only misleading, it’s also dangerous. Trying to imply that someone who is verified is automatically trustworthy is not a clever path to tread.

    However you haven’t addressed how, if this information is not stored anywhere, can residents display their real name, rough age and country they live in (if they choose). That information has to come from somewhere, doesn’t it?

  • Gwyn, you made a very good point explaining how the personal info is not shared between Integrity and LL. For those technically challenged, let’s also reassure them that it is indeed possible to verify personal info and let you make it available to anyone you want without either Integrity or LL saving that info. The info can reside just on your computer, in a form that cannot be tampered with so it stays authenticated and you can give it only to those you want to have it. However, when it comes to LL’s motivation, Gwyn, you are putting a positive spin on it that I don’t agree with.

    I’ll speculate too about LL’s motivation for how they are handling IDV. LL cannot afford to make IDV mandatory for everyone because it would kill their business. After all, they are losing premium users because LL can’t handle foreign banks everywhere in the world. Never mind then ID verification all over the world.

    Instead, they pass the buck to SL residents who become responsible for deciding what to flag as “adult content”. And residents are really liable now because they do have a tool and they do make the choice of flagging or not flagging their land. If anything happens on my land because I didn’t flag it then I am almost automatically liable because I made the choice of not flagging. You think that’s paranoia? Let’s wait and see what IBM will do. I think that the same IBM lawyers and executives that brought the code of conduct in virtual worlds may also act prudently and flag all their sims, not because there will be anything risky on the sims themselves, but because it will remove any risks.

    Therefore, forget that you may not be interested in ever going to the red light districts. We may end up having to verify our age to get in almost anywhere. And speaking of red light districts, once IDV will be in, I guess we will have to ask for age verification before cybering with anyone. Forget verifying gender, verifying age will be more important in order not to be sued for statutory rape. So forget IDV being really voluntary. It will be as voluntary as having a driver’s licence in the US. It is not mandatory but your life is very much limited without it.

    And let me speculate again with yet a different scenario. LL doesn’t really mean to implement IDV. They will go through the beta testing, knowing that there will be problems. Can’t ID Canadians, IDs easily faked, etc., etc. And then they will cancel the IDV program, but their behind will be covered in case of a lawsuit. They did their best, they tested a “state-of-the-art” system and it doesn’t work.

    So better let’s stop speculating about LL’s motivation. LL will do whatever they want. They’re not evil, but they just don’t listen to us. As for us, it’s too soon to decide what course of action will be best to take, to age verify or not and to flag our land or not.

  • Ciaran, one way of storing the personal information on your computer while still ensuring the authenticity of the data is using . I am not aware of such a specific use, but it is a possibility.

    Integrity can encrypt the data that you provided into a message using a private key. They can send you then the message without them or LL keeping a copy. Anyone can have the public key to decrypt the message (it could be incorporated into the SL client) and you can send the message to anyone you want. The message is still authenticated even though you have control over it because only Integrity has the private key to encrypt it.

    Mind you, this is a very simplistic implementation and there could be some refinements to make sure that the message cannot be intercepted, for instance. But it gives you the basic idea that it can all be implemented through encryption. HTH
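The scheme sketched in the comment above, as an added example (not code from Linden Lab, Integrity or the commenter): it uses an Ed25519 digital signature, the usual way to realise what the comment calls encrypting with the private key, and signs only an avatar name, an adult flag and an expiry time rather than personal data. The type and function names, the choice of fields and the sample avatar name are assumptions made for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Attestation is everything the verifier signs. It deliberately carries one
// verified fact and no name, address or ID number (an assumption of this
// example, not a description of any deployed system).
type Attestation struct {
	Avatar  string `json:"avatar"`  // avatar the claim was issued to
	Adult   bool   `json:"adult"`   // the single verified fact
	Expires int64  `json:"expires"` // Unix time after which the token is void
}

// Token is what the resident keeps locally and hands to whoever asks.
type Token struct {
	Payload   []byte // JSON encoding of the Attestation, exactly as signed
	Signature []byte // Ed25519 signature over Payload
}

var (
	ErrBadSignature = errors.New("signature does not verify under the issuer's public key")
	ErrNotAdult     = errors.New("attestation does not assert adulthood")
	ErrWrongAvatar  = errors.New("attestation was issued to a different avatar")
	ErrExpired      = errors.New("attestation has expired")
)

// NewIssuerKey creates the verifier's key pair. Only the public half is
// shipped to relying parties (for example inside a viewer).
func NewIssuerKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Issue signs the attestation. The issuer needs to keep no copy afterwards.
func Issue(priv ed25519.PrivateKey, a Attestation) (Token, error) {
	payload, err := json.Marshal(a)
	if err != nil {
		return Token{}, err
	}
	return Token{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// Verify is run by the relying party. The signature is checked before the
// payload is parsed, so unauthenticated bytes never reach the JSON decoder.
// presenter is the avatar name the platform has already authenticated
// (assumed here; the token alone does not prove who is presenting it).
func Verify(pub ed25519.PublicKey, t Token, presenter string, now time.Time) error {
	if !ed25519.Verify(pub, t.Payload, t.Signature) {
		return ErrBadSignature
	}
	var a Attestation
	if err := json.Unmarshal(t.Payload, &a); err != nil {
		return err
	}
	switch {
	case !a.Adult:
		return ErrNotAdult
	case a.Avatar != presenter:
		return ErrWrongAvatar // a copied token is useless to another avatar
	case now.Unix() >= a.Expires:
		return ErrExpired
	}
	return nil
}

func main() {
	pub, priv, err := NewIssuerKey()
	if err != nil {
		panic(err)
	}
	now := time.Now()
	// Constructed sample data: the avatar name is made up.
	tok, err := Issue(priv, Attestation{Avatar: "Example Resident", Adult: true,
		Expires: now.Add(24 * time.Hour).Unix()})
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine token: ", Verify(pub, tok, "Example Resident", now))
	fmt.Println("other avatar:  ", Verify(pub, tok, "Someone Else", now))
	fmt.Println("after expiry:  ", Verify(pub, tok, "Example Resident", now.Add(48*time.Hour)))

	// Editing the payload without the private key breaks the signature.
	edited := Token{Payload: append([]byte(nil), tok.Payload...), Signature: tok.Signature}
	edited.Payload[len(edited.Payload)-2] ^= 1
	fmt.Println("edited payload:", Verify(pub, edited, "Example Resident", now))
}
```

Anyone holding the public key can check the token, but only the holder of the private key can produce one, which is the property the comment relies on.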

  • Yay! Preview! And I will try it first, to rectify the previous comment. Once again, the link didn’t work. Please read “one way of storing the personal information on your computer while still ensuring the authenticity of the data is by using Public-key cryptography.”

    And the Preview worked and the link worked too. Thanks, Gwyn!

  • Lem, I’m not sure how private/public keys will work within SL and I’ve seen nothing to suggest they are moving to such a solution. I don’t believe they have the security or technology to support that concept inworld.

    However the data is going to be stored somewhere, someone is being a little misleading. The Lindens have been quoted as saying the information will be vaulted for two years to comply with US laws and can only be opened in case of a government led audit. Now whereas that suggests the information is not going to be widely available, it will be more than a match code otherwise that information is useless to any government led audit.

    Unfortunately the beta testing of the id verification hasn’t dealt with the concept of revealing your name, city and age group so I can’t even begin to speculate as to how they can link this information to your AV, but as this information is supposed to be verified information, it has to be linked to the information we provide Integrity otherwise it’s surely wide open to abuse?

    Maybe I’m just overly cynical.

  • Does anybody have any information, incidentally, about data (a) distribution and (b) retention policies on the part of Aristotle? LL has stated theirs, but unless I have missed something, I have heard nothing more than that Aristotle “complies with all relevant US law” (so basically they do pretty much what they want with it).

  • Ciaran, there is public key encryption already in your web browser. It is practically trivial to add it to the SL viewer (if it’s not already in). It does not have to be “inworld” after all, it only has to be in your viewer and only for exchanging personal info.

    I don’t know how LL will implement this but I will speculate in order to demonstrate that something like this is feasible. The way I understood it from LL, BTW, it does not involve your personal info showing publicly in your profile. If that’s what you want, then LL will *have to* hold that info and they might as well do because it is public anyway. I don’t think that is desirable though.

    The personal info would be private and you could send it only to selected people. A rudimentary way would be to keep the info on your computer and send it to others by email, so it doesn’t even go through LL’s network. But it would be more convenient to have it in your inventory (that is in LL’s databases) with another level of encryption so that only you can access it with a password. Disclaimer: I am not an expert in cryptography but I am not just making this stuff up either, stuff like this already exists and it is not rocket science to implement it.

    The link between your RL info and the SL info can be made either by the fact that you send it from the SL account or it can be simply by including both the SL info and the RL info in the same encrypted message. In the latter case, Aristotle does get the SL account info at the time of the authentication, but they can be obligated to discard it from their databases once they make the authentication.

    You mention that the info is vaulted. If that’s the case, I assume it is vaulted by Aristotle, because they are the ones who are responsible for the authentication. They may keep all the info that they authenticated, what info they used for verification, time it was done, and maybe more. However, they can be obligated to keep that off their databases and on something like tape. All that is info that is public anyway, except the act of the authentication.

    It can get and it is probably more complicated than that but my point is that it is all feasible and it can be safe. I would not trust a company in eastern Europe to do that, but I would not lose much sleep over it with a US company. Although I’d rather not have to and mostly out of principle I will not verify my identity unless I will be really pushed in a corner.

    You may also want to keep this in mind. I haven’t seen the verification process, but if you have to declare that you are legally responsible for the accuracy and the truthfulness of the data that you provide, then the info that is vaulted may include also your IP address. And someday you may actually be legally responsible.

  • Great treatise on many sides of the identity/trust/verification cluster of topics.

    And, while I agree, that the current “solution” chosen by Linden Lab for these issues is not a perfect one, I think it’s a step in the right direction. Because, as virtual worlds grow in size, and become more important for relationships and business transactions, too, we need a set of rules – laws, actually – which govern them. And in the long run it seems neither feasible nor desirable to me, to have the companies behind these worlds creating and enforcing these rules. It is not necessary either, because these rules and authorities which enforce them already exist: in the physical world.

    Furthermore, the authorities of the physical world will not allow Companies like Linden Lab to provide a platform, where their citizens can do things which are illegal in the respective jurisdictions.

    Verification systems like the one implemented now (even if imperfect) are the only way how providers of platforms like Second Life can “escape” this pressure. Age verification is just a first step.

    Another important aspect of an avatar’s physical identity is “location” for example. Why? Simple.

    I, as a German, have to obey different laws than someone in the USA. It would be illegal for me, for example, to depict a swastika on my website – or on my land in second life – while this would be perfectly legal for a French or US citizen. So, to be able to judge, if something I do is illegal, my identity is needed again – or at least the information where I reside in the real world.

    This is just one more example. Others can be constructed easily.

  • Lem I think we’re sort of missing each other’s point slightly. I’m talking about LL and their blog comment:

    “The IDV system aims to deliver two things. First, for Residents, it gives them the chance to independently verify certain aspects of their identity (their name, age, location and sex for instance) if they choose to. This will help establish trust by removing a layer of anonymity for those they interact with. It’s much easier to trust someone who puts their name behind their words and actions.”

    Now how can you place trust in someone unless the information provided has come via the verification process? Otherwise I could put my RL details in to verify (Which I have done) and then put phoney ones into SL. Something is missing in the chain here.

    The only reason I did verify is because someone had informed me that UK residents only had to supply their name, address and date of birth. This was indeed true for me. I objected strongly to sending my passport or driving licence details to Integrity, I don’t believe they have those details, the UK passport office tell me that Integrity aren’t authorised to check these details and if Integrity did already have these details they would only have needed to ask me for a part of that number to verify, instead of asking for all of it. The fact that they don’t even check this anyway (if they did I’d never have got verified as I didn’t enter anything in that box) makes me feel this process is very flawed.

    Deep breaths Ciaran 🙂

    So my question is, how can we provide the trust aspect that LL are getting at, if the information we can share with other residents isn’t the verified information?

    In terms of vaulting, you are quite correct, Integrity will be storing that. I believe LL when they say they won’t receive any information from Integrity.

    However something is very amiss with this whole process.

    I don’t recall reading any comment regarding legally being responsible for the information you request, the form was very basic and I can’t get back to it now because I’ve already verified. However I chose to provide my real details, but only those details that I thought were fit for purpose and that I believe Integrity could legally check.

    Some people have provided false details just to prove a point regarding how flawed the system is. However this brings us back to Gwyn’s main point that this is more of an insurance policy than an ID verification policy and I wish people would be open about that. If you provide false details and find yourself in trouble, then you’ll have no insurance.

  • Ciaran — my point exactly 😉

    “Integrity” should just be renamed “Verification Insurance Co.” 🙂

    Although I’m not part of the “beta” project to test the way the system works, I looked up my country on Aristotle’s map, and they seem to ask very very little… I feel very tempted to do a fake test with one of the alts that I couldn’t care less if it gets blocked or permabanned, etc, and just use some fake data.

    As you pointed out correctly, the data you give to LL does not need to correlate to the data you give to Integrity. This is, at least, amusing. At worst, it’s quite dangerous.

    However, LL has a solid contract with Integrity — and I’m pretty sure that, whatever comes out of a lawsuit, LL won’t really care about anything but where to send the bill 🙂

  • “I could put my RL details in to verify (Which I have done) and then put phoney ones into SL. Something is missing in the chain here.”

    No, that is not what I’m saying. What you will have and what you will be able to reveal to other people in SL will be the information that you verified with Aristotle. Think of it as a message in an envelope. Aristotle puts your info in the envelope and puts a seal on it. You can give that envelope to anyone and they can open it and read it but no one else, including you, can change the information in the envelope without breaking the seal.
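Editor's added example (not part of any comment, and not Linden Lab's or Integrity's code): the "sealed envelope" from the comment above, and the private-key scheme proposed earlier in the thread, sketched with a digital signature, which is the standard primitive for this kind of seal. The Ed25519 choice, the function names, the field names and the sample values are all assumptions; binding the avatar name into the signed claims is what closes the "missing chain" raised earlier.

```javascript
// Added illustration of the "sealed envelope"; all names and sample values are constructed.
const crypto = require('crypto');

// Key pair of the verifying company (assumption: Ed25519). The private key
// stays with the verifier; the public key could ship inside the viewer.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');

// Serialise claims with sorted keys so signer and checker process identical bytes.
function canonical(claims) {
  return Buffer.from(JSON.stringify(Object.keys(claims).sort().map((k) => [k, claims[k]])));
}

// Verifier side: seal the checked attributes together with the avatar name.
function issueEnvelope(claims, signingKey) {
  return { claims, seal: crypto.sign(null, canonical(claims), signingKey).toString('base64') };
}

// Recipient side: needs only the public key, never the verifier's database.
function openEnvelope(envelope, verifyKey, presentingAvatar, now = Date.now()) {
  let sealIntact = false;
  try {
    sealIntact = crypto.verify(null, canonical(envelope.claims), verifyKey,
      Buffer.from(String(envelope.seal), 'base64'));
  } catch (err) {
    sealIntact = false; // a malformed envelope counts as a broken seal
  }
  if (!sealIntact) return { valid: false, reason: 'seal broken' };
  // The seal only proves who issued the claims; this check proves whom they describe.
  if (envelope.claims.avatar !== presentingAvatar) {
    return { valid: false, reason: 'issued to another avatar' };
  }
  if (envelope.claims.expires < now) return { valid: false, reason: 'expired' };
  return { valid: true, claims: envelope.claims };
}

// Constructed sample envelope, held by the resident and shown to whomever they choose.
const sample = issueEnvelope(
  { avatar: 'Example Resident', ageGroup: '18+', city: 'Exampleton', expires: Date.UTC(2030, 0, 1) },
  privateKey
);
```

The holder can copy the envelope freely, but editing any claim or presenting it under a different avatar name makes `openEnvelope` reject it.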

  • Gwyn, we don’t know what is the “solid contract” that LL has with Integrity. Here is one of Integrity’s contracts: “VerifyME insures the merchant against fines up to $10,000 imposed by any federal, state or local government law enforcement agency for an underage sale of the merchant’s products and $1,000,000 in legal fees for covered transactions.” I think I have tracked this VerifyME safely enough to Integrity. The “insurance” is for fines (probably only the US) and capped at $10,000 and for legal fees capped at $1M. That’s not even the kind of risks that LL is facing.

    And I still maintain that it’s just a marketing gimmick.

  • Ciaran, based on the link from Integrity that you posted yourself, for the UK, they require only first name, last name, postal code and DOB. Passport number is only suggested. Address is not required at all. Yes, that data is probably easy to fake and Integrity probably doesn’t have your DOB. So I agree the process is flawed.

    The insurance that Gwyn is talking about is not offered to you for verifying yourself. You are insured if you are an escort and if you provide your services only to those who are age verified by Integrity, but you don’t have to be age verified to be an escort. So if you are an escort and you have sex with a minor and you are sued for statutory rape, then Integrity will pay up to $10,000 for whatever fine you may get in the US and up to $1M for your legal fees. They will not go to jail for you and they will not cover the $30M that LL will be sued for.

  • Lem the envelope proposal you put forth actually sounds rather good. I’ve never seen anyone from LL describe it in such terms, it was more in terms of being able to display this information but to be fair to LL they did start talking about this before details were firmed up.

    Maybe the next stage of beta testing will deal with that.

    As for postal code, with a postal code you can pinpoint an exact street in the UK. The postal code tells you all parts of an address except for the house number and if Integrity can’t match a name with a postal code then they have pretty poor means of verification. However maybe I didn’t need to verify my D.O.B with them, maybe they can access information that proves I’m 18 or over, such as the electoral register. I didn’t mind giving out my D.O.B and address though, that sort of information is easily found.

    In terms of insurance I was thinking more along the lines of if I flag my parcel as restricted and a minor gets access, I’ve done about as much as could be expected, it’s Integrity’s fault if a minor manages to get verified and access content flagged as restricted.

  • Only an insurance? And how do you explain this?

    Robin Linden:
    First, for Residents, it gives them the chance to independently verify certain aspects of their identity (their name, age, location and sex for instance) if they choose to.

    So: name, age, location and sex. And that also means your personal data (name) is connected to your avatar. If you decide so.


  • Sleazy W.

    Holy sh – do I have to read all of this? Nice autograph 🙂

  • Fabio, although that’s technologically possible, and thus feasible as part of someone’s wish list, I don’t think that LL will go for it.

  • Gwyneth, could you please elaborate that?

    I mean, they announced this service, they can do it, and for many reasons that would be too long to explain here, I think this was one of the main goals of the VID itself.

    So, why shouldn’t they do it now? What kind of information do you have about it?

    And another thing… The VID will require a fee. Then, more and more users with payment info. And this is, according to me, another very important aspect that you didn’t take into account (and that can be related to what I’m saying above).

    I’d really like to have a more detailed opinion by you, since I just wrote a couple of articles about the VID’s strategy.

    Thanks and Regards, Fabio.

  • Well, basically, the issue is how this is implemented now: no information gets sent to Integrity and no information is returned from Integrity back to Linden Lab except for an “acknowledgement” that the user was validated. This is the simplest form of validation:

    Linden Lab: Redirects user to Integrity’s site; they locally store just the avatar’s name for this particular validation session
    User: Types their own data on Integrity’s site. Integrity only knows there is a session associated with the data, but has no clue what the avatar name is.
    Integrity: Returns a token to Linden Lab saying: “user validated in our database” or “not validated”. Linden Lab knows now that the avatar for this specific session has provided enough data to Integrity to get validated. But Linden Lab has no way of knowing what data was provided.

    So, in essence, as a resident, you provide avatar data to LL and RL data to Integrity. Neither exchange information. Although from a visual point of view, it all happens on the same browser for the resident, they are actually sending different data to different providers, and there is no link between both.

    As said, this is the “best” model, since it doesn’t require LL to store any RL data (beyond already-stored billing data, which might be completely different anyway), and it doesn’t require Integrity to send back any data whatsoever. So, if LL’s databases are broken into, the cracker still doesn’t know what data was used for validation. Your identity is not compromised. (Granted, in many cases, your billing data might be the same data as what you’ve provided to Integrity; however, things like ID card numbers will never be stored by LL, and they won’t get anything from Integrity either). On Integrity’s site, there will be no additional data for their database: either they already have you on the database, or they don’t — so you’re not telling Integrity anything they don’t already know about yourself! More important, Integrity will not know your avatar’s name at all.

    Changing all the above requires, of course, way more development, as well as local storage of additional data by LL. It is thus unlikely — but technologically possible — that LL will ever go that way, since for what they require — insurance against lawsuits — they don’t need any more information from Integrity. Additionally, in order to store more data beyond the necessary billing data, and being able to display that information to other users (ie. “this is the avatar’s age; this is their sex; etc.”) might require Linden Lab to register their own databases with several different agencies and regulatory bodies that control the amount of private data they can legally hold on their residents.

    That’s why I don’t think this will come soon.

    As for the fee, Robin implied that this fee would be paid with L$, not US$:

    – age verification will have a one time fee associated with it. For those with premium accounts Linden dollar fee will be nominal. Basic accounts will pay a higher, but still relatively small Linden dollar fee. These fees haven’t been set yet.

    This means that if you’re a Basic user and don’t trust LL with your billing data, you can still validate your avatar for age.
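Editor's added example (not part of the comment, and not Linden Lab's or Integrity's actual protocol): the three-step session flow described in the comment above, modelled so that the data separation can be checked. The pre-shared HMAC key, the token layout `session.result.mac` and every name and sample value are assumptions; the comment does not say how the returned token is protected.

```javascript
// Added illustration of the session/token flow; all names and values are constructed.
const crypto = require('crypto');

function mac256(key, msg) {
  return crypto.createHmac('sha256', key).update(msg).digest();
}

// Linden Lab side: knows avatar names, never sees real-life data.
class LindenSide {
  constructor(key) {
    this.key = key;
    this.sessions = new Map(); // session id -> avatar name, kept locally only
    this.verified = new Set();
  }
  // Step 1: open a session; only the opaque id travels with the redirect.
  startValidation(avatar) {
    const sid = crypto.randomBytes(16).toString('hex');
    this.sessions.set(sid, avatar);
    return sid;
  }
  // Step 3: accept the yes/no token that comes back.
  acceptToken(token) {
    const [sid, result, mac] = String(token).split('.');
    const expected = mac256(this.key, `${sid}.${result}`);
    const given = Buffer.from(mac || '', 'hex');
    if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
      return 'rejected: bad MAC';
    }
    const avatar = this.sessions.get(sid);
    if (!avatar) return 'rejected: unknown or reused session';
    this.sessions.delete(sid); // single use, so a captured token cannot be replayed
    if (result !== 'validated') return 'not validated';
    this.verified.add(avatar);
    return 'validated';
  }
}

// Step 2, verifier side: sees the session id and the real-life data, never the avatar.
// `lookup` stands in for the verifier's own database check.
function integritySide(key, sid, realLifeData, lookup) {
  const result = lookup(realLifeData) ? 'validated' : 'not-validated';
  return `${sid}.${result}.${mac256(key, `${sid}.${result}`).toString('hex')}`;
}
```

The token carries one bit of information, so a breach of either party's store exposes nothing held by the other; the MAC and the single-use session stop a "not validated" answer from being altered or an old answer from being replayed.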

  • Gwyneth, thank you very much for your answer. So… you don’t have any information about that, you are just guessing, aren’t you?

    OK. Well, the same identical system works as well if I decide to have my name on my profile. Or my gender, or my age, or my location. I write it (or all of them), Integrity just checks it and sends to LL a code saying it’s correct. No data is stored anywhere, like you love so much (if you believe so… I will never buy this one, not from Integrity, but that would be a too long topic to be discussed here).

    And there is no further development required. Not at all. Why should it be? And then again, this still is not a data base, so there is no need to comply to all privacy laws of the world (hmmm… BTW there are not so many laws about that in USA, I think…)

    Regarding the fee: OK, I’m a basic user, they are just asking for a few lindens, so I could find them, somehow. But if I’m not a kid willing to waste some days on camping sites, I will just use my credit card. Don’t you think so?

    Let’s say that I basically agree on your analysis, but in my humble opinion you are missing some important parts of the “big picture”.

    Thanks and Regards, Fabio.

  • Gwyneth, interesting point. And very nice of you to try to think of good intentions of LL – but until those are explicitly communicated, they do not exist. One can as well go in the other direction and build the whole conspiracy theory behind 🙂

    They need one day to learn how to talk to the customers. I can see some nice examples when it comes to new features, but when it comes to communicating the policy decisions and customer support – it’s an absolute disaster.

    I am personally not opposed to IDV. I am opposed to having yet another “treasury” which concentrates the personal information about the people. There are no absolute locks – all depends on the value of the information behind the door.

    And the verified data about a few million individuals is something definitely interesting for the miscreants.

    If all LL wanted to do is to verify the identity and the age for the human behind the account – why not go for a much simpler solution ?

  • Hmm I’m not so sure about LL’s “good intentions”, just that they’re not really concerned about paedophilia in SL, or protecting minors, or doing the parent’s job of keeping SL safe for children — but only about one major issue: avoiding lawsuits, and making sure they can be around and provide access to SL even in the face of a major class-action lawsuit against them.

    Huge megacorps can basically deal with anything that’s thrown against them and survive. Small corporations, well, buy insurance! 🙂 And that’s what I believe that Linden Lab is doing.

  • Update: http://blog.secondlife.com/2007/12/05/age-verification-enters-grid-wide-beta/

    The first impressions are the following: US residents get validated no matter how many typos (or deliberately faked data) they type; Europeans can’t get validated, no matter how often they try!

    Exceptions exist on each side, of course, but I haven’t found many yet!