Hm. Legacy body uses Media on a Prim for their HUD, but there's no GDPR compliance statement anywhere... RedZone, anyone?

Lance Corrimal

New member
Joined
Sep 21, 2018
Messages
45
So I just noticed an interesting little thing: the "Legacy" bodies use Media on a Prim for parts of the hud.
And since the skins and other "appliers" that one purchases are stored on their servers you can be sure the hud sends the UUID of the avatar using it to their servers...
And with MaxMind's geoip database you can narrow down the geographic location of an IP address quite precisely.

Smells like RedZone all over again - where is their GDPR compliance statement?
 

Lance Corrimal

New member
Joined
Sep 21, 2018
Messages
45
I'm running the viewer through a squid proxy, and I turned on full url logging - nothing to see there, they are smart enough to go through HTTPS. All I know is that the hud talks to The Shops
 
  • 1Thanks
Reactions: bubblesort

bubblesort

Well-known member
Joined
Nov 16, 2018
Messages
983
IDK... I can think of legitimate reasons to use media on a prim on a HUD. For example, you can update the image whenever you want, just by changing one file, instead of dealing with some complex scripts that can break. They could also just look at the IP address to get the country in order to set up localization. They only need a GDPR statement if they collect personal data, and for all we know they could be not logging anything.

I mean, the chances are they are logging something, but there's no way to know for sure. This does sound suspicious enough to me that I would not want to use their stuff. I wouldn't want to use their stuff anyway, because they have had some shady business practices in the past. They have a weird shopping experience, and the gift card only system put me off, and then people tell me they cut off their customers from updates. This is just one more reason to avoid them, IMHO.

At the same time, this is not necessarily red zone. We would need more to draw that conclusion. Maybe catch them auto-banning alts or something?
 

Innula Zenovka

Nasty Brit
VVO Supporter 🍦🎈👾❤
Joined
Sep 20, 2018
Messages
12,346
SLU Posts
18459
So I just noticed an interesting little thing: the "Legacy" bodies use Media on a Prim for parts of the hud.
And since the skins and other "appliers" that one purchases are stored on their servers you can be sure the hud sends the UUID of the avatar using it to their servers...
And with MaxMind's geoip database you can narrow down the geographic location of an IP address quite precisely.

Smells like RedZone all over again - where is their GDPR compliance statement?
RedZone purported to detect people's alts. Are you saying that you suspect "Legacy" bodies are being used for similar purposes?
 

Lance Corrimal

New member
Joined
Sep 21, 2018
Messages
45
RedZone purported to detect people's alts. Are you saying that you suspect "Legacy" bodies are being used for similar purposes?
All I'm saying is that it would be doable, and by putting the means to do so in a hud to conrol your mesh body it would get a way larger database...

Also, they DO store data: the connection between your avatar and what "appliers" you install in their system. Which means, if they want to deal with users in europe they should be GDPR compliant.
 

Innula Zenovka

Nasty Brit
VVO Supporter 🍦🎈👾❤
Joined
Sep 20, 2018
Messages
12,346
SLU Posts
18459
All I'm saying is that it would be doable, and by putting the means to do so in a hud to conrol your mesh body it would get a way larger database...

Also, they DO store data: the connection between your avatar and what "appliers" you install in their system. Which means, if they want to deal with users in europe they should be GDPR compliant.
Possibly so, though I'd question whether an avatar's uuid is personal data for GDPR purposes, since I don't see any way anyone outside LL can use that information to identify the individual with whom that uuid is associated.

Be that as it may, what makes you say this "Smells like RedZone all over again"?

RedZone, you will remember, offered a service to third parties which purported to identify all avatars associated with a particular IP address as alts. In what way is this at all similar?
 

Free

Antifa-tigued
VVO Supporter 🍦🎈👾❤
Joined
Sep 22, 2018
Messages
18,341
Location
Moonbase Caligula
SL Rez
2008
Joined SLU
2009
SLU Posts
55565
Possibly so, though I'd question whether an avatar's uuid is personal data for GDPR purposes, since I don't see any way anyone outside LL can use that information to identify the individual with whom that uuid is associated.
UUID alone might not be on its own (unless your upper level LL staff!), but UUID with IP should be considered personal data.

The conclusion is, all IP addresses should be treated as personal data, in order to be GDPR compliant.
 

Innula Zenovka

Nasty Brit
VVO Supporter 🍦🎈👾❤
Joined
Sep 20, 2018
Messages
12,346
SLU Posts
18459
UUID alone might not be on its own (unless your upper level LL staff!), but UUID with IP should be considered personal data.

Only if they're storing the data, though, which might be the reason for there not being any GDPR statement.

If anyone has any concerns, then it's open to them to ask the Information Commissioner's Office to investigate (at least if they live in the EEA it is), as I did with RedZone (and was told, since this was pre-GDPR, that they didn't have jurisdiction, since the data wasn't being collected or stored in Europe, though now it would be different, of course).

But it's the ""Smells like RedZone all over again" that puzzles me -- RedZone was a service that explicitly purported to identify people's alts to third parties by holding IP addresses and matching them with avatar UUIDs, while this MOAP HUD uses an internet connection to communicate with a database that links the HUD's owner with the skins and appliers she's purchased, and the two seem to me to be very different indeed.
 

Free

Antifa-tigued
VVO Supporter 🍦🎈👾❤
Joined
Sep 22, 2018
Messages
18,341
Location
Moonbase Caligula
SL Rez
2008
Joined SLU
2009
SLU Posts
55565
Only if they're storing the data, though, which might be the reason for there not being any GDPR statement.
Just a note, but all web servers maintain logs.

(Not sure why I have to say this, but that's not to say anything nefarious is going on here!)
 

Summer Haas

Scripted Agent
Joined
Sep 23, 2018
Messages
59
SL Rez
2007
Fun Fact: Log into beta and live grid at the same time. Change your skin on one and watch it change on the other. After seeing that, they got a big fat NOPE from me.
 

Kamilah Hauptmann

Shitpost Sommelier
Joined
Sep 20, 2018
Messages
9,028
Location
Cat Country (Can't Stop Here)
SL Rez
2002
Fun Fact: Log into beta and live grid at the same time. Change your skin on one and watch it change on the other. After seeing that, they got a big fat NOPE from me.
Waiting for some galaxy brain to make a body that has its skins media on a prim.
 

Lance Corrimal

New member
Joined
Sep 21, 2018
Messages
45
Just a note, but all web servers maintain logs.

(Not sure why I have to say this, but that's not to say anything nefarious is going on here!)
..which actually is not GDPR-compliant unless you explicitely do not log the client IP, which, of course, makes the whole log pointless from the point of view of the guy who has to fix things :/
 

Free

Antifa-tigued
VVO Supporter 🍦🎈👾❤
Joined
Sep 22, 2018
Messages
18,341
Location
Moonbase Caligula
SL Rez
2008
Joined SLU
2009
SLU Posts
55565
..which actually is not GDPR-compliant unless you explicitely do not log the client IP
No. Because something is to be considered "personal data" does not mean you cannot make use of it, or "process" it, under the GDPR.

Art. 6 GDPR – Lawfulness of processing | General Data Protection Regulation (GDPR)

And (at the very least) recital 49 specifies network/info security as an overriding interest, allowing for at least temporary logging/use of something like an IP.