The blogposts of the past week are full of praise for the new “shared media” option introduced in Viewer 2.0 (and surely being retrofitted soon into 3rd party viewers). On the surface, this shiny new functionality adds a lot of benefits which have been discussed at length already. Under the surface, however, this new technology gives everybody the tools to melt away your privacy and anonymity!
How does shared media work?
With the new shared media function you can put a webpage on the face of a prim. This webpage can contain all sorts of content, up to full fledged Flash animations and sound. The prim-face assigned with shared media acts like a web browser. The webpages in question get requested from your own PC – not from a central server at Linden Lab.
How does this affect my privacy?
Whenever you request a webpage, your IP address is transmitted to the web server. Most web servers store this address in their logfiles. IP addresses are considered personal information in many countries, especially since increasingly refined IP-geolocation techniques make it possible to pinpoint a user’s geographic location with growing accuracy. Try it yourself – click this link to have yourself IP-geolocated and let me know in the comments how accurate it was (no, I don’t see the actual results).
With the shared media, a webpage on a prim loads as soon as you look at it - probably even as soon as you are in the vicinity – thus transmitting the IP address of your PC to the remote server. This is not an opt-in process! It happens automatically, and without giving you the option to accept or deny. There might be an opt-out, but it would disable all shared media for you.
Now imagine the website on a shared media prim is not a general website, but a specific website, tailored to gather specifically YOUR IP-address and related data. Would you like that?
OK, but where is the difference to requesting a website?
The holy grail for web marketers for years was to identify individual users. All sorts of more or less unethical tricks were devised to identify recurring visits and to gather data about a user. Web-surfers are sensitized to the topic by now, and most users know their IP data gets logged. Privacy concerns have led to legislation in many countries. In my country, for example, collecting the IP-addresses in server logfiles is illegal in most cases now.
In Second Life however, the level of expectation is different. Second Life is NOT a webpage. While it is common knowledge that Linden Lab tracks certain parameters like your IP-address, nobody expects that any other resident is able to get this information. On top of that, shared media allows you to create exact avatar-name-to-IP-address matches.
A horror scenario
I personally have been blackmailed and RL-threatened by a SL resident who reverse-engineered my RL identity before. My friend Zonja Capalini came up with this horror scenario:
A and B are in SLove and partner. Everything is roses. A while later, the love dies and B dissolves the bond, which drives A up the wall. A creates a shared media prim pointing to a specific webpage on a server A controls, and hides it where B – and only B – is about to see it repeatedly. Over the course of a few days A collects enough IP-addresses of B to not only pinpoint the geographic location but also the ISP of B and – because B logged in from work twice – also the fixed IP address of B’s employer. A little more digging reveals B’s real name, B’s work telephone number, the name of B’s boss who might be interested that B worked as a virtual stripper, and in consequence B’s home phone number and B’s Flickr account where B’s kids are displayed.
OK, sure, you are right, B should not log in from work. And B should not have lied about their gender and marital status. So B saw it coming, yeah? So let’s look at this:
X is a fashion designer, doing some rather nice designs. Y is a drama blogger and asked X for free samples to blog them. X denies the samples and Y swears revenge. Y manages to place a shared media prim with a specifically tailored spy-webpage where X sees it. No tangible data is found though, since X uses a popular ISP and has frequently changing IP addresses. However, to Y’s huge surprise she also tracks the IP-address of Z, another fashion blogger. And it turns out that Z’s address and X’s address are identical, and even that web cookies loaded by X’s browser are already present in Z’s browser. Y has now identified an alt-account of X and uses this knowledge to spread drama.
Yeah, sure, X saw it coming. Why does she create a secret alt in the first place?
But that has been possible before!
Yes, it has been possible before. Parcel media stream settings could have been abused this way before. However it required two things: you need a parcel whose media stream you can control, and the victim needs to have media-playing switched on. Plus you need the victim to come to your land, while a shared media prim could even be worn and thus brought into the vicinity of the victim.
A similar exploit uses the webpage tab in profiles. If you have set webpages to auto-load, malicious web addresses could also be used. However this is a pretty broad approach, since you can barely fine-tune it towards one victim only.
What is novel about shared media is that those stalker-tools have been put into the hands of literally every resident. If I am alone with someone, I just need to rez or wear a prim with shared media and a specific webpage and get that person’s IP address.
What can I do?
If this concerns you – and to my huge surprise it has not concerned many people I spoke with – your safest approach is to not use Viewer 2.0. Viewers based on 1.x will not display shared media, and you are safe. Of course this also prevents you from using the many new fancy features.
Viewer 2.0 has an “Allow media to autoplay” option in the settings. I need to run tests to see if this applies to shared media as well. If it does, it at least gives you the choice.
Finally there is an “Enable Web Proxy” setting in Viewer 2.0. Again, I have not yet tested if this gets used for shared media as well. At least this will be some security against direct pinpointing. Public proxy servers can be found on many lists on the web. Hardcore security fans can use a TOR-proxy as well, at the cost of a lot of speed.
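Whether the proxy setting actually covers shared media can be checked locally. The following is an added example, not part of the original post: a logging-only "canary" proxy that records which hosts a client asks it for and forwards nothing. Port 8888, the function names and the assumption that the viewer's proxy setting accepts a host and port are all illustrative.

```python
# Added example: a logging-only canary proxy. It never forwards traffic;
# it only records which hosts a client tried to reach through it.
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit

SEEN = []                      # (method, host) pairs observed by the proxy
_LOCK = threading.Lock()


class CanaryProxy(BaseHTTPRequestHandler):
    def _record(self, host):
        with _LOCK:
            SEEN.append((self.command, host))

    def do_GET(self):
        # A client using a forward proxy puts the absolute URL in the request line.
        host = urlsplit(self.path).hostname or self.headers.get("Host", "?")
        self._record(host)
        body = b"canary proxy: request logged, not forwarded\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_POST = do_GET

    def do_CONNECT(self):
        # HTTPS goes through a proxy as "CONNECT host:port"; log it, refuse the tunnel.
        self._record(self.path.rsplit(":", 1)[0])
        self.send_error(403, "logged, not tunnelled")

    def log_message(self, fmt, *args):
        pass                   # keep stderr quiet; SEEN is the record


def start_canary(port=0):
    """Start the proxy on 127.0.0.1 (port 0 = any free port) in a background thread."""
    server = ThreadingHTTPServer(("127.0.0.1", port), CanaryProxy)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def hosts_seen():
    with _LOCK:
        return sorted({host for _, host in SEEN})


if __name__ == "__main__":
    srv = start_canary(8888)   # assumed port; enter 127.0.0.1:8888 as the viewer's web proxy
    input("Look at a shared media prim in-world, then press Enter... ")
    print(hosts_seen() or "no requests reached the proxy")
    srv.shutdown()
```

If the media page's host shows up in the list, the viewer sent that request via the proxy; an empty list while the prim still renders means the media traffic bypassed the setting and went out directly.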
Anything Linden Lab can do?
Linden Lab could actually remove this problem at its root by not having the individual viewers request web-content but have it centrally fetched and distributed via the SL network. This would also solve the problem that two watchers of a shared media prim might see two different things. Unfortunately this is not a feasible solution since it would put an immense strain on the LL network and would easily boost the required bandwidth beyond any sensible measure.
Living with the Pandora’s Box opened
Shared media was inevitable. Users have been asking for HTML-on-a-prim for years. It is a function not only the educators need urgently, but one which will find many, many uses in the coming months and which will change the face of SL in a very literal sense. It’s too late to put it back in the box – the aspects of its use are just too large and thrilling.
My goal with this post is to make you aware that your privacy and anonymity have just been diminished further. Many people will applaud this in fact, advocating that avatars should come out of their hiding. Maybe I belong to an endangered species of immersionists, believing in a separation between SL and RL. But as a resident you need to know that you can – and probably will – be tracked by shared media prims.
Welcome to the new world!

My IP address places me about an hour away from my actual location, and plops me into one of the biggest cities in the country. I can live with that.
And X is doing a very poor job of having a secret fashion blogger alt if she’s using the same browser for both. Wouldn’t she get sick of constantly swapping identities? Easier to assign one to IE and one to Firefox, I would think.
@Blingtardette
It depends on what geolocation database is used. Mostly mine shows up as a city a couple hours away as well, but sometimes it is dead on balls.
—-
off topic:
You are not safe even in 1.0 thanks to parcel streaming media. I can set up a stream server and when you TP to my parcel and stream my parcel media I automatically have your IP address. I personally don’t stream media in SL b/c I can use the bandwidth elsewhere. I also don’t stream media on my parcel because I just am too lazy to find something to stream when I won’t listen to it.
I’ve never actively searched server logs except once- when I was required by subpoena.
Worry about social engineering. That has gotten people more info than IP address or anything else.
Just my 2L
“For hardcore security fans you can use a TOR-proxy as well, however sacrificing a lot of speed.”
Some proxies allow you to set up your computer itself so just certain ports are masked. In this case port 80 is website traffic. This would still give you full speed in SL and keep your web surfing within the viewer anonymous.
So first person to write the web code to scare the shit out of internet noobs and gives the link away so people can put it on prims all over SL that have a warning to disable media and never buy from anyone that has shared media on their parcels wins.
Let me add that someone that sought to be self prominent in SL as a hero really fucked up recently. The information published on the internet led me to a satellite picture of his house within 60 seconds. As I looked at the dead grass in the yard and the shitty orange compact car in the driveway I felt really bad. Obviously this person’s life has been ruined by SL. But at least that person is not homeless yet as far as anyone knows.
SL ruins lives.
SL induces mental illnesses.
LL is incompetent and now apparently dedicated to exposing identities with this facebook crap.
SL & LL should be closed.
Peter, it’s even easier than you describe; with a modicum of scripting knowledge, your media prim can also scan the nearby avatars, removing the need for you to place the prim where only your victim will see it. You can then do some correlation between the harvested IPs and the nearby avatars; any time only one avatar is in range, you know with some certainty that avatar’s IP address.
Worse, you can play Flash on a prim face. People think of Flash as a video player, but in fact it’s a whole application framework, and has been the source of malware in the past. Proxying will not help you if the Flash application phones home with your IP address and potentially other personal information. With no automatic update mechanism to Flash, security vulnerabilities linger for years.
Oh dear God! You can play Flash on a primface in 2.0?!
WTF were they thinking?!
Facebook games, maybe.
Stindberg – you are a complete cock anyway. None of us are secure on the internet. Learn to deal with it, stop being so precious. Or you could do everyone a favour and just leave.
That was rude and uncalled for. He is expressing his beliefs. And even if you don’t agree with him it doesn’t justify this kind of response.
lol – exactly!
This post is total bs and you are PARANOID, sir!
my IP location is a city with a million or so others, no exact pinpointing even to suburb. must say none of this is a worry to me.