
CANADA
By Terry McQuay, CIPP, CIPP/C

Virtual worlds research report

The Office of the Privacy Commissioner of Canada (OPC) recently released the results of research it commissioned to examine the privacy implications of virtual worlds such as Second Life. The concluding report consists of four parts:

Part I describes Linden Lab, Second Life and activities that Second Life residents pursue in-world.

Part II discusses the privacy of Canadians who register with Second Life, examining Linden Lab’s Terms of Service and Privacy Policy.

Part III examines how residents can protect their privacy in-world, how easily avatars can be traced to the identity of the person controlling the avatar and the potential for in-world surveillance.

Part IV touches on business data practices within Second Life.

What is Second Life?

Second Life is an online community where users, via their avatars, interact with other ‘residents’ and engage in real-world activities such as purchasing land, constructing buildings, and creating objects and actions for their avatars.
Although residents interact in an online, imaginary environment, Second Life retains economic and legal connections to the real world. For example, the site recognizes residents’ intellectual property rights and allows them to generate real-world income. Just like in the real world, Second Life encompasses some of a community’s less desirable attributes, such as virtual prostitution and drug use. Residents have also introduced adult content onto Second Life, prompting the creation of a Teen Second Life for those under the age of 18. Adults are prohibited from Teen Second Life and minors are not allowed on Second Life.

Real-world institutions on Second Life

The research report notes that real-world institutions such as government organizations, businesses, educational institutions, and nonprofit organizations have also established presences on Second Life. A number of Canadian organizations are among those who use Second Life to promote their real-world brands, products, services, and activities. The Université Laval has a Second Life campus where the school’s communications faculty offers tours to Second Life residents; the president and CEO of the Northern Alberta Institute of Technology uses Second Life for meetings, instruction, and student recruitment; and law firm Davis LLP opened a Second Life office for building rapport and credibility with video-game business clientele.

Second Life and Canadian law

Linden Lab’s Terms of Service state that resident data is subject only to U.S. law, and that the relationship between the user and Linden Lab will be governed in all respects by the laws of the State of California. However, the research report concludes that although Second Life creator and operator Linden Lab is located outside of Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) is applicable to its Canadian activities, stating that PIPEDA applies “to every organization in respect of personal information that the organization collects, uses, or discloses in the course of commercial activities.”
Further, in Lawson v. Accusearch, the Federal Court determined that PIPEDA gives the Privacy Commissioner of Canada jurisdiction to investigate complaints relating to the transborder flow of personal information (PI). In addition, Second Life is conducting a commercial activity and it collects and uses PI for commercial purposes.

The report also provides a detailed overview of how Linden Lab’s Terms of Service and Privacy Policy map to the requirements of the CSA Model Code for the Protection of Personal Information, included in PIPEDA Schedule 1.

Application of PIPEDA Schedule 1 principles


Principle 4.1: Accountability
Linden Lab provides contact information for their legal department in the form of e-mail and mailing addresses.

Principle 4.2: Identifying purposes
Linden Lab states in its Privacy Policy that it collects PI and usage statistics to maintain a high-quality customer experience and deliver superior customer service. The Terms of Service state that PI is used to operate and improve Second Life and to learn what the user likes. “Personal information” is defined by Linden Lab to mean “any information that may be used to identify an individual, including, but not limited to, a first and last name, home or other physical address, an e-mail address, phone number, or other contact information, whether at work or at home.”

Principle 4.3: Consent

By clicking “I agree” to the Terms of Service at the time of registration, the user agrees to its conditions. The Privacy Policy states that the use of the Linden Lab Web sites and/or any Linden Lab products or services signifies the user’s assent to the Privacy Policy. Users outside of the U.S. are also made aware that PI may be stored and processed in the U.S. or any other country in which Linden Lab maintains facilities, and by using these Web sites, the user consents to such information transfer.

Principle 4.4: Limiting collection of personal information
Signing up to Second Life requires new users to input their birthday, real first and last names, gender, country and a valid e-mail address. This information provides the user a “Basic” account. Those wanting to participate in Second Life’s economy must obtain a “Premium” account, for which they must provide a valid credit card and address.
To access adult content, users are required to prove that they are at least 18 years old and must provide their name, date of birth, and address. American residents are asked to provide the last four digits of their Social Security number. Non-U.S. residents may be required to provide other documents depending on their country of residency, such as a passport, driver’s license, or national ID number.

The report assumes that Linden Lab collects users’ IP addresses. Linden Lab does not consider IP addresses to be personally identifiable, but the federal privacy commissioner has determined that an IP address can constitute personal information under PIPEDA if it can be associated with an identifiable individual.

Principle 4.5: Limiting use, disclosure, and retention of personal information
The Terms of Service lists situations in which Linden Lab will disclose PI, such as fulfilling a user’s service request, or for customer support, billing, and credit-verification services. The Terms of Service also authorize Linden Lab to disclose any information about users to private entities, law enforcement agencies, or government officials when the company feels it is “necessary or appropriate to investigate or resolve possible problems or inquiries, or as otherwise required by law.”

Principle 4.6: Accuracy of personal information
In its Privacy Policy, Linden Lab states that users will have the ability to update the personal data they provided during registration by contacting Linden Lab via e-mail. However, it does not appear that Linden Lab allows users to update the personal information that has been collected outside of the registration process.

Principle 4.7: Safeguards
In its Privacy Policy, Linden Lab claims to comply with applicable laws and industry standards when transferring, receiving, and storing consumer data. Access to users’ PI is limited to Linden Lab employees who need the information in order to provide products or services or to perform their jobs. The Terms of Service, however, state that Linden Lab does not guarantee the security of any user’s private transmissions against unauthorized or unlawful interception or access by third parties.

Principle 4.10: Challenging compliance
Linden Lab published its legal department’s e-mail address in the Terms of Service and Privacy Policy for questions and comments surrounding privacy and provided its mailing address in San Francisco.

The avatar and the person behind the avatar

Linden Lab collects certain user information, such as the extent of play, time of play, and connection location, as well as the social and economic activities users engage in. The OPC report argues that this data qualifies as “personal information” under Canadian privacy legislation. Second Life residents may feel that their online conduct is anonymous and may engage in activities on the assumption that their real-life identity would not be linked to their online identity, but Linden Lab has the ability to link the two.

Business practices on Second Life

The OPC researcher notes that organizations that set up on Second Life to conduct business should comply with fair information practices if they collect PI from their employees, customers, or clients on Second Life.

The OPC report also notes that there are still many unanswered questions about privacy in online worlds such as Second Life, and that these sites will likely raise more new questions regarding the applicability of real-world law to virtual-world activities. It concludes with the following questions:

  • How might Canadian privacy legislation apply to Canadian businesses and organizations that choose to establish a presence on Second Life?
  • PIPEDA aside, what general data practices are recommended to protect the privacy of their clients and customers in Second Life?

For the full research results visit: www.privcom.gc.ca.

Terry McQuay, CIPP, CIPP/C, is the founder of Nymity, which offers Web-based privacy support to help organizations control their privacy risks. Learn more at www.nymity.com.

 
