Saturday, January 17, 2009

Security of Virtual Worlds

The European Network and Information Security Agency (ENISA) released an interesting position paper on some of the concerns associated with virtual worlds. The report published in November 2008 is entitled:

"Virtual Worlds, Real Money: Security and Privacy in Massively-Multiplayer Online Games and Social and Corporate Virtual Worlds"

Link here

ENISA an EU agency created to advance the functioning of the internalmarket. The agency is a centre of expertise for the European Member States and European institutions in network and information security, giving advice and recommendations and acting as a switchboard of information for good practices. Moreover, the agency facilitates contacts between the European institutions, the Member States and private business and industry actors.

The report identifies 12 recommendations to tackle some of problems:

To the European Commission and National Governments (Government Policy Recommendations)

1. Support the setting up of an industry wide forum for MMO/VW service providers to share information and best practice on security vulnerabilities. In such a competitive sector there is a clear need for a neutral forum to exchange information on security incidents for the benefit of all concerned. Given its mandate to foster a culture of information security and bring together stakeholders in Europe, ENISA would be in a good position to stimulate such an initiative.

2. Fund work on legal clarification of key issues, such as the status of intellectual property, acceptable risk and personal information in MMO/VWs. Although this is not an information security issue per se, a lack of legal clarity is at the root of many information security problems identified in this report and therefore an effort to address this issue by appropriate bodies should be part of the solution. NB: This is not a call for extra legislation but only a call for clarification and interpretation of existing legislation.

3. Encourage and fund independent dispute resolution for player-to-player disputes.

4. Create financial procedures appropriate to MMO/VWs in order to prevent virtual asset theft using chargebacks. Again, this is not an information security issue per se, but it is a root cause of the information security problems identified in this report. This should be in partnership with MMO/VW providers, banks, credit companies and online payment services.

5. Investigate and address MMO/VW provider concerns about conflicting obligations brought about by legislation on common-carrier status.

To MMO/VW providers

6. The five most important technical issues to be highlighted in this area (see full report for more details) include item-duping, end-to-end security and MMO/VW specific denial of service. In general, providers should create an appropriate balance between security measures aimed at detection and response and those aimed at prevention.Detection and response is often a more effective means of addressing security issues in MMO/VWs than prevention.

7. Privacy policies should clearly specify data collected as part of anti-cheating measures and data available to other users (eg, via eavesdropping), including any information which might identify a user uniquely.

8. Providers should consider charging a token, returnable lodgement fee for all ODR complaints to prevent false complaints (eg,€50).

9. Any initiative which increases the strength of user authentication (while maintaining an appropriate balance between usability and cost) should be encouraged.

10. We recommend a standard set of governing documents and terminology, a single point of reference where governing documents may be obtained, and the input and participation of end-user groups in their design and development.

11. As an option formore security-conscious users, in certain MMO/VWs, a bootable CD image (LiveCD) containing necessary software can be made available; this is already a well-known measure to improve security in critical online operations such as online banking.

Awareness raising and research

12. Awareness raising: We describe issues to be highlighted in awareness raising campaigns, such as how to detect account theft, how to deal with inappropriate behaviour, privacy risks, in-world property risks, etc.

Research: The group has identified some future trends emerging in MMO/VWs which have important security implications, including effective content filtering for MMO/VWs, security and reliability issues of open world formats, and security vulnerabilities in corporate worlds.

3 komentarze:

Anonymous,  January 17, 2009 at 4:57 PM  

Surely the first legal issue that precedes all the others is that of jurisdiction. Virtual worlds span current legal jurisdictions. Fully distributed systems like or Opensim + Hypergrid enable situations where a concert might be held at the intersection of four regions hosted in four separate legal jurisdictions, while each performer is in hsi/her own jurisdiction and the audience is scattered around the globe. Which laws control the resolution of a "Janet Jackson" wardrobe mulfunction?

Lincoln Beck January 18, 2009 at 9:44 PM  

You have absolutely right peterquirk!

In my humble opinion jurisdiction is an unappreciated problem of VW's legal landscape.

We have already branch of law called Conflict of laws (or private international law). These rules should be applicable in three-dimensional Internet the same as they are now applicable in two-dimensional Internet.

But there are also rules of International Civil Procedure Law. In some particular Internet-related disputes the substantive law (law of which state is applicable) and procedural law (which court has has jurisdiction) may be the rules of different states!


The content of this website is not legal advice. It only constitutes commentary on legal issues, and is for educational and informational purposes only. Reading this website, replying to posts, or any other interaction on this website does not create an attorney-client privilege between you and the author. With any legal issue that may confront you in a particular situation, you should always consult a qualified attorney familiar with the laws in your State. Any hyperlinks which may appear on this website imply no association with or approval of this website's content, unless expressly noted.


The names of actual companies and products mentioned herein may be the trademarks of their respective owners. The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person, or event is intended or should be inferred. Any rights not expressly granted herein are reserved.

  © Blogger templates The Professional Template by 2008

Back to TOP