Saturday, September 10, 2011

I got a place where all my dreams are dead

(Continued from part IX.)

Before we get back to the JLU controversy, City of Heroes launches Issue 21, which brings a whole new zone and an entire new power set (along with two new servers, one specifically for VIP players, and one specifically for free-to-players, among other new content) this Tuesday for VIPs in good standing. (It will be released later for everyone else.)

Interestingly enough, there will also be a game-wide war going on starting Thursday the 15th through Friday the 23rd. For those who don't already have your Defender of Primal Earth badge, line up your server and participate in the madness. This is what the City of Heroes dev team calls "product testing"--pulling their biggest, baddest war machines into contact with everyone on the server. And they do highly encourage everyone who's ever played the game (at least, everyone whose account is current) to log in during each of the peak war times. They want to know if the new additions in the background are going to break the game. They want to know if their servers can handle it.

Trust me, I went through the last Defense of Primal Earth, and it was insane, surreal, effects-laden, hard to survive (in fact, on many characters, I didn't)--and ultimately, a ton of fun to do. I highly recommend it if you have an account.

Now then. We start off with the Official Shang Stamp of Disapproval (this is not one handed out that often):

"I must say, I'm *very* disappointed with this whole matter.

"It's time to stop harvesting, databasing and redistributing information like this about people without their consent. Even if they seem to be 'the bad guys.'

"This may seem like a little detail, maybe even fair play for the 'good guys' but... it's not. At all. Full stop.

"Even if anyone disagrees with me, it's still important for them to know the true color of their own hat.

"Sincerely,

"Desmond Shang, Guvnah
Independent State of Caledon"

See, I'm in whole, utter agreement about that. Was it wrong for their wiki page to be hacked, or their internal server to be hacked, however it happened? Yes. Absolutely.

Was it wrong for them to keep that information in the first place? YES. ABSOLUTELY.

So, there was a transcript posted in the original SLU thread about something that went down in the GreenZone users group that ended up accusing a Linden of malfeasance. This, granted, is only hearsay, but even so, that's pretty big. As the incident is related:
  1. a sim got griefed
  2. the account that griefed the sim had apparently been hacked, as the sim is accessible only by group members
  3. Soft Linden contacted the sim owner to inform her that spy probes had been found on the sim, and that the account of this particular avatar had been accessed maliciously.

And that's where everyone's collective jaw dropped. Here's the thing: no one has a problem with point one. That's likely true; a lot of sims get griefed, griefers are in it for the stupid drama quotient, sometimes we don't even know why they're bothering us, they're just bothering us. Fine. Fair enough. It's a sim, there's a griefer, for whatever lunkhead reason, they go together.

Point two changes the game slightly, in that, if true, it had to be a hacked account, or someone who went turncoat on the organization, because this particular sim is locked to members of that group only. And I have no problem with the lockdown, either, some corporate sims are like that, all military sims are like that, and yeah--the only way to get onto that sim is to be a group member, so I can see why someone stole the information necessary to log in.

It's point three that's the stunner. There are several problems with point three, any way you look at it. Namely:
  1. either Soft Linden, against the rules and regulations of the Lab, gave a sim owner information about an account she did not directly manage (which was highly unlikely); or
  2. the person told this information misunderstood it; or
  3. the person telling this person lied; or
  4. the person lied for reasons unknown. (Which, even given my difficulties with this person, I find very difficult to believe.)

Again, I find it easiest to believe point three, over point one or two.

"[17:13] Misty Harley: well considering LL generally will not talk to anyone re: other people's accounts, suspensions, hacks, etc...it DOES seem odd that a sim owner was notified that a JLU member's account was hacked based on the idea that they griefed a sim while the hacking occurred."

Pretty much. Still, that's pretty worrying; even if it's an entire fabrication, start to finish, that means that someone's walking around Second Life tarnishing Soft Linden's reputation, which just causes further erosion of the resident/Linden relationship, which is thin enough as it is at times. And at least to me, Soft's one of the good ones; the concept that he'd slip around his own company's standards and practices to give a sim owner, any sim owner, personal information about another avatar's account altogether...It rings false. But it's damaging nonetheless, and worrying as well.

And by the way, if that strikes anyone else as odd coming from me, it should. On these electronic pages, I've outright called Lindens stupid for some of their decisions. I've rejoiced when some of them left the company. I've publicly suggested that there may, in fact, be a drug influence at work in San Francisco.

I don't think, in over five years, I've ever suggested that a single Linden (any Linden, even the Lindens I don't like) is capable, nay willing to blithely ignore company policy and reveal personal information about any resident to any other resident. Unless specifically following a formally filed DMCA order, by virtue of their safe harbor status, they can't. Not to mention their own company's internal rulings.

Yet this particular member of the JLU is willingly, one might even say enthusiastically, suggesting this very thing. Something that Soft might well be fired outright for, were it discovered to be true.

So why is this being said? At all?

Relating to this, let's talk about the Information Privacy Principles. (That's California's version, which likely applies to the Lindens, but the principle's essentially the same nation-wide.) I recommend you read this comment in full, but I'm summarizing just in case.

1. Information Gathering and Use Principle
We gather personal information only if it is relevant and necessary for us to accomplish our mission.
  • We use personal information in a responsible and lawful manner.
  • We gather personal information only after we determine we have an appropriate use for it.
  • We strive to use only information that is accurate, complete, and current.
  • If we use personal information for other than the original intended purpose, we first determine that the new use is appropriate.

What does this one mean?

The JLU needs to either erase all information that was irresponsibly and illegally gathered, and start fresh, OR go through all information gathered and verify that it is
  • accurate
  • complete
  • current
  • legal
  • appropriate

2. Information Sharing Principle
We share personal information only when we have legal authority to do so.
We do not share personal information with others unless:
  • (a) you have given us the authority to share the information, or
  • (b) the other party has legal authority to receive the information.
We educate others with whom we share personal information on the requirement to protect privacy.

What does this one mean?

The JLU needs to realize that unless they are authorized by the Lindens to investigate disputes, they have NO LEGAL AUTHORITY to collect the personal information they are collecting. They need to seek consent to collect and/or share the information, or ensure that everyone who reads the JLU wiki page has legal authority to view personal information thus granted to the archive.

3. Information Retention Principle
We retain personal information only as long as necessary to fulfill established business needs for that information.
  • We periodically review our business needs to retain personal information.
  • We destroy the personal information we no longer need.

What does this one mean? Bad things for the JLU. They would have to completely revamp how they operate, from the ground up. To satisfy provision 3, they would need to decide on expiration dates for personal information, and draft signatory notecards accordingly. On top of that, once the information expired, they would have to destroy all of it, every single electronic record that makes use of those bits of information. (While this IS possible in the electronic age, it's also made more difficult by people who store information backups, or whose security systems are lax enough to allow easy invasion by outsiders.)

4. Information Security Principle

We have reasonable safeguards to ensure the security and confidentiality of personal information.
  • We educate our employees on the importance of protecting the privacy of personal information.
  • We protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification.
  • We provide personal information only to employees who have a business need and only when appropriate safeguards are in place.
  • We tailor our safeguards based on the type of information we maintain.
  • We periodically review our practices to ensure we have adequate safeguards.

What does provision 4 mean for the JLU? Again, bad things. To wit:
  • They have not demonstrated they possess adequate safeguards to ensure confidentiality.
  • They have not demonstrated they have instructed their group members in the importance of protecting personal information.
  • They have not demonstrated they have sufficient security to guard against unauthorized access by those outside the JLU.
  • They have not demonstrated that those group members granted access to such personal information have a genuine and legitimate need for that information.
  • They have not demonstrated any ability to ensure that their practices work, that their security is sound, and that they are willing to review these guidelines in order to properly secure personal information.

That's kind of a ton, right there.

And, as this is becoming long and involved (again), stopping it here, and I'll put up the rest of the principles in a later entry. Oh, and for anyone skimming along who may be wondering why I'm still continuing with this: yes, I did listen to you, and, in my own way, I am heeding you. Whereas before, I was covering this with moral indignation and over-emotional hurt intact, you were right. I was far too invested with something that, by and large, doesn't impact my life. And it's not up to me to drag the JLU down. Frankly, it doesn't have to be up to anyone--they'll do it on their own, because they're making some really dumb mistakes.

Including the sidewise accusation that Soft Linden is acting on an account holder's interest before the Lab's interest. That's a huge mistake if it ever hits the Lindens. And it well might, because Linden eyes are watching the drama as it unfolds on SLUniverse.
