Hm. Legacy body uses Media on a Prim for their HUD, but there's no GDPR compliance statement anywhere... RedZone, anyone?

Lance Corrimal

So I just noticed an interesting little thing: the "Legacy" bodies use Media on a Prim for parts of the hud.
And since the skins and other "appliers" that one purchases are stored on their servers you can be sure the hud sends the UUID of the avatar using it to their servers...
And with MaxMind's geoip database you can narrow down the geographic location of an IP address quite precisely.

Smells like RedZone all over again - where is their GDPR compliance statement?
 

Lance Corrimal

I'm running the viewer through a squid proxy, and I turned on full URL logging - nothing to see there, they are smart enough to go through HTTPS. All I know is that the hud talks to The Shops.
 

bubblesort

IDK... I can think of legitimate reasons to use media on a prim on a HUD. For example, you can update the image whenever you want, just by changing one file, instead of dealing with some complex scripts that can break. They could also just look at the IP address to get the country in order to set up localization. They only need a GDPR statement if they collect personal data, and for all we know they could be not logging anything.

I mean, the chances are they are logging something, but there's no way to know for sure. This does sound suspicious enough to me that I would not want to use their stuff. I wouldn't want to use their stuff anyway, because they have had some shady business practices in the past. They have a weird shopping experience, and the gift card only system put me off, and then people tell me they cut off their customers from updates. This is just one more reason to avoid them, IMHO.

At the same time, this is not necessarily RedZone. We would need more to draw that conclusion. Maybe catch them auto-banning alts or something?
 

Innula Zenovka

> So I just noticed an interesting little thing: the "Legacy" bodies use Media on a Prim for parts of the hud.
> And since the skins and other "appliers" that one purchases are stored on their servers you can be sure the hud sends the UUID of the avatar using it to their servers...
> And with MaxMind's geoip database you can narrow down the geographic location of an IP address quite precisely.
>
> Smells like RedZone all over again - where is their GDPR compliance statement?

RedZone purported to detect people's alts. Are you saying that you suspect "Legacy" bodies are being used for similar purposes?
 

Lance Corrimal

> RedZone purported to detect people's alts. Are you saying that you suspect "Legacy" bodies are being used for similar purposes?

All I'm saying is that it would be doable, and by putting the means to do so in a hud to control your mesh body it would get a way larger database...

Also, they DO store data: the connection between your avatar and what "appliers" you install in their system. Which means, if they want to deal with users in Europe they should be GDPR compliant.
 

Innula Zenovka

> All I'm saying is that it would be doable, and by putting the means to do so in a hud to control your mesh body it would get a way larger database...
>
> Also, they DO store data: the connection between your avatar and what "appliers" you install in their system. Which means, if they want to deal with users in Europe they should be GDPR compliant.

Possibly so, though I'd question whether an avatar's uuid is personal data for GDPR purposes, since I don't see any way anyone outside LL can use that information to identify the individual with whom that uuid is associated.

Be that as it may, what makes you say this "Smells like RedZone all over again"?

RedZone, you will remember, offered a service to third parties which purported to identify all avatars associated with a particular IP address as alts. In what way is this at all similar?
 

Free

> Possibly so, though I'd question whether an avatar's uuid is personal data for GDPR purposes, since I don't see any way anyone outside LL can use that information to identify the individual with whom that uuid is associated.

UUID alone might not be on its own (unless you're upper level LL staff!), but UUID with IP should be considered personal data.

The conclusion is, all IP addresses should be treated as personal data, in order to be GDPR compliant.
 

Innula Zenovka

> UUID alone might not be on its own (unless you're upper level LL staff!), but UUID with IP should be considered personal data.

Only if they're storing the data, though, which might be the reason for there not being any GDPR statement.

If anyone has any concerns, then it's open to them to ask the Information Commissioner's Office to investigate (at least if they live in the EEA it is), as I did with RedZone (and was told, since this was pre-GDPR, that they didn't have jurisdiction, since the data wasn't being collected or stored in Europe, though now it would be different, of course).

But it's the "Smells like RedZone all over again" that puzzles me -- RedZone was a service that explicitly purported to identify people's alts to third parties by holding IP addresses and matching them with avatar UUIDs, while this MOAP HUD uses an internet connection to communicate with a database that links the HUD's owner with the skins and appliers she's purchased, and the two seem to me to be very different indeed.
 

Free

> Only if they're storing the data, though, which might be the reason for there not being any GDPR statement.

Just a note, but all web servers maintain logs.

(Not sure why I have to say this, but that's not to say anything nefarious is going on here!)
 

Kamilah Hauptmann

Fun Fact: Log into beta and live grid at the same time. Change your skin on one and watch it change on the other. After seeing that, they got a big fat NOPE from me.
Waiting for some galaxy brain to make a body that has its skins media on a prim.
 

Lance Corrimal

> Just a note, but all web servers maintain logs.
>
> (Not sure why I have to say this, but that's not to say anything nefarious is going on here!)

..which actually is not GDPR-compliant unless you explicitly do not log the client IP, which, of course, makes the whole log pointless from the point of view of the guy who has to fix things :/
 

Free

> ..which actually is not GDPR-compliant unless you explicitly do not log the client IP

No. Because something is to be considered "personal data" does not mean you cannot make use of it, or "process" it, under the GDPR.

Art. 6 GDPR – Lawfulness of processing | General Data Protection Regulation (GDPR)

And (at the very least) recital 49 specifies network/info security as an overriding interest, allowing for at least temporary logging/use of something like an IP.
 

Gear

So here's some comedy. It's come out that Legacy has the ability to brick their mesh bodies based on user UUID.
 

Aribeth Zelin

I wouldn't use them when it was The Mesh Project or whatever it was, and I'm not doing it with this rebrand either.... I don't care how popular they are, just.... I don't like their business practices, and seen nothing that indicates those have approved.
 

Adeon Writer

Media on a prim can also display internal, LSL-hosted webservers. So just because there's MOAP doesn't necessarily mean it's reaching out outside of the grid - though it probably is.

But I am long tired of worrying about people sniffing my IP and figuring out I live in California. When I don't even.

> Fun Fact: Log into beta and live grid at the same time. Change your skin on one and watch it change on the other. After seeing that, they got a big fat NOPE from me.

That means that your mesh script will just randomly accept unprompted skin changes from an outside server. Which is even worse.

If it were even remotely coded right, it would save and expect a matching request/response key.

No mod content is a mistake. Just sell the dang textures. They aren't "securing" anything from theft.
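
The request/response matching that the last post describes, as an added LSL example that is not part of the thread and not Legacy's script: the skin is applied only when the reply belongs to a request the wearer started and echoes its nonce. The endpoint URL and the JSON field names `nonce` and `texture` are assumptions.

```lsl
// Added example. SKIN_API and the "nonce"/"texture" JSON fields are hypothetical.
string SKIN_API = "https://skins.example.invalid/current"; // placeholder endpoint
float  TIMEOUT  = 30.0;      // seconds an outstanding request stays valid

key    gPending = NULL_KEY;  // handle of the one request we are waiting on
string gNonce;               // random value the reply must echo back

requestSkin()
{
    gNonce   = (string)llGenerateKey();
    gPending = llHTTPRequest(SKIN_API + "?nonce=" + llEscapeURL(gNonce)
                   + "&avatar=" + (string)llGetOwner(),
                   [HTTP_METHOD, "GET", HTTP_VERIFY_CERT, TRUE], "");
    llSetTimerEvent(TIMEOUT);
}

default
{
    touch_start(integer n)
    {
        // Only the owner's own action starts a skin change.
        if (llDetectedKey(0) == llGetOwner()) requestSkin();
    }

    http_response(key id, integer status, list meta, string body)
    {
        // Drop anything that is not the reply to our outstanding request.
        if (gPending == NULL_KEY || id != gPending) return;
        gPending = NULL_KEY;
        llSetTimerEvent(0.0);

        if (status != 200) return;
        // The server must echo the nonce we sent with this request.
        if (llJsonGetValue(body, ["nonce"]) != gNonce) return;

        key skin = (key)llJsonGetValue(body, ["texture"]);
        // A key is true in a condition only when it is a valid, non-null UUID.
        if (skin) llSetTexture((string)skin, ALL_SIDES);
    }

    timer()
    {
        // Expire the request so a late reply is rejected.
        gPending = NULL_KEY;
        llSetTimerEvent(0.0);
    }
}
```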
 