Perspective Intelligence

The European Network and Information Security Agency published a report in December 08 entitled,

Virtual Worlds, Real Money: Security and Privacy in Massively-Multiplayer Online Games and Social and Corporate Virtual Worlds.

Link here.

‘Virtual theft’ leads to arrest

From BBC -

Habbo Hotel users create a character and can buy furniture

A Dutch teenager has been arrested for allegedly stealing virtual furniture from “rooms” in Habbo Hotel, a 3D social networking website. The 17-year-old is accused of stealing 4,000 euros (£2,840) worth of virtual furniture, bought with real money.

Five 15-year-olds have also been questioned by police, who were contacted by the website’s owners.

The six teenagers are suspected of moving the stolen furniture into their own Habbo rooms.

A spokesman for Sulake, the company that operates Habbo Hotel, said: “The accused lured victims into handing over their Habbo passwords by creating fake Habbo websites.

“In Habbo, as in many other virtual worlds, scamming for other people’s personal information such as user names has been problematic for quite a while.

It is a theft because the furniture is paid for with real money Sulake spokesman

“We have had much of this scamming going on in many countries but this is the first case where the police have taken legal action.”

Habbo users can create their own characters, decorate their own rooms and play a number of games, paying with Habbo Credits, which they have to buy with real cash.

“It is a theft because the furniture is paid for with real money. But the only way to be a thief in Habbo is to get people’s usernames and passwords and then log in and take the furniture.

“We got involved because of an increasing number of sites which are pretending to be Habbo. People might then try and log in and get their details stolen.”

Six million people in more than 30 countries play Habbo Hotel each month.

Virtual theft is a growing issue in virtual worlds; in 2005 a Chinese gamer was stabbed to death in a row over a sword in a game.

Shanghai gamer Qiu Chengwei killed player Zhu Caoyuan when he discovered he had sold a “dragon sabre” he had been loaned.

Social-networking has been the dominant theme describing almost every new Internet based software application to emerge over the past two years.  MySpace, Facebook and Second Life, to name the most prominent applications, have all prospered on the promise and realization of creating a community online.  But while they have moved relentlessly forward the platforms have had to contend with anti-social elements infecting their services and communities.  The extent to which this has become a problem is demonstrated by how easily MySpace is identified as much with sex-predators as it is with any legitimate function.  Online communities are not a new phenomena, it is the scale and penetration into wider society of these systems, which is.  Previous online communities from The WELL (Whole Earth ‘Lectronic Link) to craigslist and even the mercantile EBay were largely self-policing with users ‘flagging’ inappropriate content or using internal rating systems to establish levels of trustworthiness in their communities.  These systems clearly referenced the libertarian nature of the developing web as it became dominated by the counterculture thinking of west-coast intellectuals.

To date the response to this evolving threat to online communities has not benefited from the creative and energetic thinking that has helped drive these systems into mainstream consciousness.  MySpace recently announced it had ejected 29,000 users from its system using information provided by Sentinel Tech Holdings.  This company maintains a database of known sex-offenders, provided by local state governments under the provisions of Megan’s law.  When recently faced with some of the same concerns during an investigation by Connecticut’s Attorney General, Facebook’s chief privacy officer Chris Kelly stated Facebook would introduce their own system that linked email addresses with known sex-offenders and use that link to govern access to the site.  Second Life has also suffered from a wide variety of anti-social behavior, but attempts to dampen it down have been hampered by a users ability to quickly open another free account.

The approaches taken by these social networking sites seems both ineffectual and unimaginative.  This is in large part due to the design heritage of the web, where with few exceptions (PayPal) security systems are a bolt-on afterthought.  From a very basic position the solutions attempted so far, do not address the fact that anonymity remains a key feature across the Internet –where individuals are able to have multiple online personalities including email accounts, as well as a variety of online user identities.  Basing the protection of these networks on databases of (American only) anti-social individuals and the ad hoc removal of users breaking the terms of service agreements, seems pedestrian and worse, is moving these systems away from their communitarian inheritance, which taught that an individual should not be discriminated against when joining a community.

There is clearly an urgent case for defending the growing online social communities from criminals, sex-offenders and other extremist elements.  The solution that potentially offers the most effective response is currently being developed by the platforms themselves – in the marketing department.  Both Myspace and Facebook are on the verge of introducing systems to monitor their users online activity in order to better direct advertising toward them. It doesn’t seem long before this kind of marketing system will also be applied to virtual worlds.  The process of distilling an individual’s online behavior into a digital profile is currently driven by the commercial needs of advertising — it is possible to imagine it being used to protect virtual communities.  The software used to track the online behavior of users within in particular system (virtual worlds or social networks) could be modified to highlight online behavior that is specifically banned within the virtual community.

A reference set of online behaviors within a specific community could be created that corresponded to a user who was likely to, for example, target under-age children.  These communities are after all social systems and therefore, any user seeking to ingratiate themselves with younger users would have to join certain groups and take certain online actions to achieve their aims.  Once a user begins to fulfill the online behavior that would suggest they are likely to be of concern, then their account could be temporarily suspended until the problem was resolved.  If the user was incorrectly flagged, the reference set of online behavior could be adjusted; similarly, if the virtual community reported the existence of new anti-social techniques, the reference data would also be updated keeping the protective system relevant.

This system could be applied across the universe of social-networking sites and virtual worlds with adaptations for each genre and network.  As well as being a more effective protective tool in the defense of online communities, the application of online behavioral analysis also returns these communities to their original cultural home –whereby users would be judged only by their behavior within their online community and not screened out due to their use of a particular email address.  A smart system of this kind would also address the fact that multiple online identities can be continuously used to re-enter systems.  Repeat accounts would repeatedly be flagged by the behavioral model if they moved in anti-social directions.  The definition of what would constitute anti-social behavior is a potentially contentious point but most of these sites already have defined what is acceptable within their communities in the Terms of Service agreement users agree to when they join.  The problem has been in enforcement of these terms.

Online communities deserve protection but they should also remain as free as possible in order to retain the culture which makes them compelling in the first place.  As well as this being an issue of defending creativity it will also become a financial one as the companies that can best guarantee the safety of their online communities will likely win the battle for users, as the virtual community space becomes increasingly competitive.

The Symantec Corp’s latest report on the security threat to the Internet (Vol.XII) has some interesting detail on the increasing attempts to hack virtual worlds and the lure of their virtual currencies.  Link here.

The excellent commentator on Second Life — Gwyneth Llewelyn recently published a piece in her blog entitled: From Welfare State to Laissez-Faire Capitalism.  The blog itself is always worth reading for the insight it provides relating to the history and future of Second Life.  Of interest to MetaSecurity was the section of the article relating to Second Life griefers (aka cyberbullies) :

“A side-effect of this laissez-faire attitude is the very high tolerance of griefers. Griefers are just cyberbullies, an illegal activity in several countries, and even the US National Crime Prevention Council advertises strongly against them. However, in SL, they’re rampant, and there is almost nothing that can be done to prevent them, beyond a temporary parcel ban. Private islands fare a little better, if they’re able to deal with 24/7 supervision by an Estate Manager. But this is just prevention, not dealing with the issue. Linden Lab’s Abuse Report system is totally unable to deal with this kind of situation, since it requires effective policing, which they’re not doing. After all, who cares if your account gets banned?… you can get a new one in 3 minutes, get a friend to deliver you the “griefer pack”, unpack it, and attack the next victim again. It’s so easy tha a child can do it — and that’s why childs do it at all.

Is there a way to prevent it? Well, adult validation will in a way minimise things, but some people, fearing a loss of customers, will allow unvalidated avatars. The only effective way to deal with this kind of crime and vandalism is making an example: get the FBI to arrest a few cyberbullies and make a huge press release as an example. Getting ten years in jail for attacking a live concert with live penises floating around until a sim crashes is sure to make a point — “remember, you can be the next one”. Right now, you can only temporarily remove a single alt here and there, which just has the cyberbullies laughing at LL’s backs and prepare the next big attack. “

In world  crime such as cyberbulling of this kind will have to be regulated if virtual worlds are to grow.  State law enforcement agencies are not yet equipped to investigate virtual crimes.  However, virtual game companies such as Linden Lab could take a lead by making it clear that they would pursue legal means against user in cases of serious inworld crime ( economic damage, hate speech, stalking, bullying).  This would go beyond being banned and start a regulatory process, which would enable virtual worlds to grow.  The July issue of  Forbes reportsthat certain companies are pulling out of Second Life because it was like a, “virtual Iraq” – while this is hyperbole it is clealry in all users interest to have somemeaningful intervention against griefers damaging the environment – this doens’t have to wait for the FBI.