By Terry McQuay, CIPP, CIPP/C
Virtual worlds research report
The Office of the Privacy Commissioner of Canada (OPC) recently released the results of research it commissioned to examine the privacy implications of virtual worlds such as Second Life. The concluding report consists of four parts:
Part I describes Linden Lab, Second Life and activities that Second Life residents pursue in-world.
Part III examines how residents can protect their privacy in-world, how easily avatars can be traced to the identity of the person controlling the avatar and the potential for in-world surveillance.
Part IV touches on business data practices within Second Life.
What is Second Life?
Second Life is an online community where users, via their avatars, interact with other ‘residents’ and engage in real-world activities such as purchasing land, constructing buildings, and creating objects and actions for their avatars.
Although residents interact in an online, imaginary environment, Second Life retains economic and legal connections to the real world. For example, the site recognizes residents’ intellectual property rights and allows them to generate real-world income. Just like in the real world, Second Life encompasses some of a community’s less desirable attributes, such as virtual prostitution and drug use. Residents have also introduced adult content onto Second Life, prompting the creation of a Teen Second Life for those under the age of 18. Adults are prohibited from Teen Second Life and minors are not allowed on Second Life.
Real-world institutions on Second Life
The research report notes that real-world institutions such as government organizations, businesses, educational institutions, and nonprofit organizations have also established presences on Second Life. A number of Canadian organizations are among those who use Second Life to promote their real-world brands, products, services, and activities. The Université Laval has a Second Life campus where the school’s communications faculty offers tours to Second Life residents; the president and CEO of the Northern Alberta Institute of Technology uses Second Life for meetings, instruction, and student recruitment; and law firm Davis LLP opened a Second Life office for building rapport and credibility with video-game business clientele.
Second Life and Canadian law
Linden Lab’s Terms of Service state that resident data is subject only to U.S. law, and that the relationship between the user and Linden Lab will be governed in all respects by the laws of the State of California. However, the research report concludes that although Second Life creator and operator Linden Lab is located outside of Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) is applicable to its Canadian activities, stating that PIPEDA applies “to every organization in respect of personal information that the organization collects, uses, or discloses in the course of commercial activities.”
Further, in Lawson v. Accusearch, the Federal Court determined that PIPEDA gives the Privacy Commissioner of Canada jurisdiction to investigate complaints relating to the transborder flow of personal information (PI). In addition, Second Life is conducting a commercial activity and it collects and uses PI for commercial purposes.
Application of PIPEDA Schedule 1 principles
Principle 4.1: Accountability
Linden Lab provides contact information for their legal department in the form of e-mail and mailing addresses.
Principle 4.2: Identifying purposes
Principle 4.3: Consent
Principle 4.4: Limiting collection of personal information
Signing up to Second Life requires new users to input their birthday, real first and last names, gender, country and a valid e-mail address. This information provides the user a “Basic” account. Those wanting to participate in Second Life’s economy must obtain a “Premium” account, for which they must provide a valid credit card and address.
To access adult content, users are required to prove that they are at least 18 years old and must provide their name, date of birth, and address. American residents are asked to provide the last four digits of their Social Security number. Non-U.S. residents may be required to provide other documents depending on their country of residency, such as a passport, driver’s license, or national ID number.
The report assumes that Linden Lab collects users’ IP addresses. Linden Lab does not consider IP addresses to be personally identifiable, but the federal privacy commissioner has determined that an IP address can constitute personal information under PIPEDA if it can be associated with an identifiable individual
Principle 4.5: Limiting use, disclosure, and retention of personal information
The Terms of Service lists situations in which Linden Lab will disclose PI, such as fulfilling a user’s service request, or for customer support, billing, and credit-verification services. The Terms of Service also authorize Linden Lab to disclose any information about users to private entities, law enforcement agencies, or government officials when the company feels it is “necessary or appropriate to investigate or resolve possible problems or inquiries, or as otherwise required by law.”
Principle 4.6: Accuracy of personal information
Principle 4.7: Safeguards
Principle 4.10: Challenging compliance
The avatar and the person behind the avatar
Linden Lab collects certain user information, such as the extent of play, time of play, and connection location, as well as the social and economic activities users engage in. The OPC report argues that this data classifies as “personal information” under Canadian privacy legislation. Second Life residents may feel that their online conduct is anonymous and may engage in activities on the assumption that their real-life identity would not be linked to their online identity, but Linden Lab has the ability to link both.
Business practices on Second Life
The OPC researcher notes that organizations that set up on Second Life to conduct business should comply with fair information practices if they collect PI from their employees, customers, or clients on Second Life.
The OPC report also notes that there are still many unanswered questions about privacy in online worlds such as Second Life, and that sites will likely raise new and more questions regarding the applicability of real-world law to virtual world activities. It concludes with questions:
- How might Canadian privacy legislation apply to Canadian businesses and organizations that choose to establish a presence on Second Life?
- PIPEDA aside, what general data practices are recommended to protect the privacy of their clients and customers in Second Life?
For the full research results visit: www.privcom.gc.ca.
Terry McQuay, CIPP, CIPP/C, is the founder of Nymity, which offers Web-based privacy support to help organizations control their privacy risks. Learn more at www.nymity.com.