Virtual dealings in Second Life pose real-life privacy risks: study

You can shop, date and commit crimes virtually in online fantasy worlds like Second Life, but those virtual activities may jeopardize your privacy in the real world, says a study recently released by the Privacy Commissioner of Canada.

You can shop, date and commit crimes virtually in online fantasy worlds like Second Life, but you may jeopardize your privacy in the real world, the Privacy Commissioner of Canada says.

What sets such worlds apart from mere games is the fact that they involve real money and real personal information, said Janet Lo, the author of the study released late last week by the Privacy Commissioner.

'You're never really sure where you're giving personal information to.'— Janet Lo, study author

The rules and agreements concerning privacy, however, were sometimes "missing, or just a bit unclear or vague," Lo added.

In addition, those agreements are between the user and Linden Lab, the company that owns and runs Second Life, whereas the user's online alter-ego, or avatar, may interact with businesses run by other avatars.

"With all these layers, it becomes really complex," she told Tuesday. "You're never really sure where you're giving personal information to."

That information could include data to verify the participant's age and credit card information that is necessary to participate in business in Second Life, Lo said.

Real money lost

Business transactions are carried out using "Linden dollars," which are bought using real U.S. dollars.

Lo pointed to an example where being unsure of other users' identities created problems. In August 2007, people who deposited money in a virtual bank in Second Life with the promise of high returns lost an estimated $750,000 US. After a similar incident happened in January 2008, Second Life changed its policies so only real-life charter banks could operate such virtual institutions.

"You sort of start to see the regulation of virtual worlds," she said.

At least once, Second Life also lost control of users' information. During that data breach in 2006, names, addresses, contact information, encrypted passwords, and encrypted payment information of all users — about 650,000 according to one report — was exposed, the report said.

No guarantee of anonymity

Meanwhile, even in normal interactions, there aren't real guarantees of anonymity.

"It wasn't really clear to me whether Second Life keeps track of what avatars are doing," Lo said, adding that this is worrisome, because Second Life encourages users to experiment with doing things they "wouldn't necessarily feel comfortable doing in the real world."

"Always keep in mind that things … or facts or whatever you post or discuss or do could come out later," she said.

Linden Lab says in its privacy policy that it "does not guarantee the security of any user private transmissions against unauthorized or unlawful interception or access by third parties."

Lo noted that Canadians should also be concerned about the fact that Linden Lab is located in San Francisco, which is therefore where any conflicts between the user and the company would go through the courts.

Lo conducted the study last spring while she was a University of Ottawa law student. She has since graduated and is currently articling at the Public Interest Advocacy Centre in Ottawa.

As of Tuesday, Linden Lab reported that one million users had logged in over the past month.