Saturday, September 29, 2007

A simpler solution to the ID verification in SL

Reading Gwyneth' stance on IDV, I started to reply, but the reply came up bit long that I am making it a separate post instead.

I am not at all opposed to having the ID verification. I am very opposed to having yet another somewhat-trusted party which holds a large entity of personal data, even if they mined it in public records - it's not quantity, it's the colocation. The total amount of uranium on earth is much more than critical mass - and it is available. But putting all this publicly available uranium makes up the nuclear bomb.... So, sorry I do not buy the argument of "the information is already there" :-)

Ok, so here goes my stance on how this could have been done without nukes :-)

It's dead simple.

1) The registration to SL remains free, but the "unverified" new residents are placed into the "welcome areas" - either controlled by the LL themselves, or subcontracted to the partners. Here the residents learn to build, script, behave, and may earn a few lindens by helping other new residents with this task.

2) The IDV is not free. It costs a few bucks, and is payable either by L$ that the resident has earned in step 1, or by credit card/paypal/whatnot.

3) The LL generates a 8-digit random number for each resident, and uses the address and the name that were entered, to send this number printed on the sheet of paper, to the human that is verifying the identity, by registered mail. The number is not stored in the profile, the cryptographic hash of it is stored instead.

4) upon the receipt of the mail (and there are mailing services that verify the recipient's identity), the user goes to IDV page and enters the number found in the envelope.

5) If the cryptographic hash over the entered data matches the one present in the profile, the name and address of the person are verified. tada.
Also, I believe that the option of accepting the registered mail is available only to those who are 18+ - so this automatically performs the age verification as well.

No extra data is stored, everyone is happy, and LL has their back covered (since that's really what it is about, in my opinion - to prevent the lawsuits by the parents who do not have time to properly raise their children).

There can be more convoluted versions of this - without the usage of the postal service, but the protection of the information there and the logistics would be bit more difficult, so I do not write it here.


Gwyneth Llewelyn said...

Ah, this is a perfect solution indeed :)

In fact, it's used in my country both for paying taxes (ie. giving you an encryption key to get access to the revenue system's website) and for all banks to give you access to their homebanking system. It's precisely the system you've described, and it works over (regular) mail.

It's efficient and simple, although around here only in very special cases you're required to personally sign the release form on the registered mail (it is an option in some cases, though!)

So, why didn't LL go with this service?

The answer is simple. Minors can still subvert the system, of course. They can just ask their parents to sign for them. The risk is far lesser, but parents are used to sign all sorts of release forms for their children (ie. for school), so this is "just another one". The whole notion of "parental guidance" is based on the assumption that your parents do, indeed, allow you access to whatever they feel it's appropriate.

However, the legal implications are complex. Many parents have no paranoid fears that their children's minds get thwarted by too much pornography, or they might not even be aware of the issue in Second Life, so they'd gladly give their eager 13-year-old permission to do whatever they please (after all, the child is their responsibility!). Now that child engages into a cybersex relationship with an adult. What happens?

Well, the parents might argue that they were clueless about what goes on in SL and predictably sue Linden Lab. While the probability of that happening is low, it's not zero, so, in effect, LL would be setting up a system that does not give them any "safeguards" against lawsuits in court.

By contrast, Integrity's system, with all its faults, has the very appealing ability to insure LL against lawsuits. So that's the reason why they signed an agreement with them. One might conceivably argue that if the "lawsuit insurance companies" were more widespread, LL could have picked among many for a far better solution. Sadly, just like LL is the only company running a virtual world with the characteristics we love and enjoy, Integrity is the only company (or so they claim) to provide insurance against lawsuits...

Dalien said...

I think you can set an option to enforce that the signed person is the same as the recipient.

And the recipient is the same person as the one in user profile... Hence - and adult :-)

If someone as a parent is allowing the kid to use *his* name, make *him* sign for the "yet another form", I wonder how well that would stand in court - since this is a crime in itself, no ? :)

And about "virtual world" - well, ping me on googletalk (dalienta at gmail), I can show you the sim, all of the content on which I "control" in full, and can physically transfer onto my laptop, into a PC in my living room, etc, etc.

It's all half working, but there're no VAT, and I do a nightly inventory/objects backup :-)

And osgrid has around 30 sims already.

Of course, it's bit "communist" as of now - the object rights are not enforced at the moment, but you can not give to anyone else items either (no code:), so it is not a big problem :-)

Vint Falken said...

I agree with Dalien on the parent's responsibility for their autograph:

State clearly on the document that whomever signs is responsible for the person allowed unto the grid being 18+. I'm indeed curious what a judge would say when a parent is suing LL for letting their teen on the main grid when he or she signed a document saying that same teen is over 18 years old.

Gwyneth Llewelyn said...

Hmm thinking twice about the subject, I guess that it would require a very, very clever and ruthless teenager to pull this off, since you're right, this might be considered quite illegal — both for the child to deliberately trick their parents, and very likely for the parent signing the release form, too.

I was thinking more on the less "criminal" aspects of it, like the parents verifying themselves but seeing "no harm in SL" and just giving their child (unsupervised) access to SL. Well, I know a few who told me they do that every day, and in some cases, their children are not even allowed on the Teen Grid... of course, I have no way to verify if they're just bragging or being serious. The notion that "I'm the parent, I decide what's harmful or not for my child" is popular among a certain sort of mentality...

Dalien said...

But then that same group should not be suing. And I guess there could be a notice included with the mail "The recipient of this MUST be 18 years or older".

Still very very doable, I think.

Well, anyway, it's not done, and I'd highly doubt they decide to change it amidst the way...

I would suspect there are other reasons behind the decisions made. Beyond the mere "verification".

But we don't know them. For better or worse :-)