Monday, December 31, 2007

If it sounds too good to be true

Technology Review has an excellent article by David Talbot entitled "The Fleecing of the Avatars", which deals with the difficulties of consumer protection and regulatory supervision of commerce on Second Life and other virtual worlds. Financial rip-offs are hard enough to avoid in-world, and this article gives a really good description of the issues when virtual currency is in play.

5 comments:

Patient Dave said...

> when virtual currency is at play

Not to mention virtual currency that actually has a US$ exchange rate. Granted, the rate is tiny, but in massive quantities it adds up to something real.

Anonymous said...

The article is worth reading and does decribe the complexities of dealing with virtual currency well. However much of the comparison with non-virtual online commerce falls flat.

This statement in particular is absurd: A combination of technical controls, laws, and regulation makes today's online business fairly safe (or at least as safe as business in the rest of the world), with wrongdoers subject to punishment.

While it is true that some laws and regulations provide some protection where electronic commerce is concerned, they are largely ineffective. Law enforcement for online transgressions is nowhere near as effective as that for physical-world offenses. That is in no way a slight at LE; they are generally knowledgeable and hardworking and do an amazing job with the resources that they have.

But the problems are many: just gathering evidence is a problem when hundreds of computers in many different states and countries are involved in an attack or information theft. Even when perpetrators can be tracked down and evidence gathered (which is often less possible than in "real world" crimes), laws may not exist to prosecute those responsible, and even if they do, convincing a jury beyond a reasonable doubt that a crime was committed and it wasn't just 'a computer glitch' can be extremely difficult.

In the process of committing physical world crimes, crossing jurisdictional boundaries, especially multiple international boundaries, takes time and money and often subjects to security screening and monitoring processes that require effort to circumvent. Electronically, 20 minutes (or less) can yield 10 machines in 10 different countries that a perpetrator can tunnel through on the way to committing a crime. While plenty of criminals are caught and prosecuted, it is just not the case that online enforcement works as well as in the real world.

Further, the perception of online transactions as reasonably safe is at least in part due to the fact that reporting and publicization of electronic crimes is minimal. While some relatively recent legislation (notably, California's SB 1386/Civil Code Section 1798.82) requires notification of users whose private information may have been compromised, most states do not have such protections. With the big hit to reputation that comes with admitting to having systems compromised, most attacks are not publicized, and many are not even reported to law enforcement. And since online crimes are usually not witnessed by innocent bystanders, there isn't anyone to blow the whistle. Fifteen years ago, it was not common for literally millions of consumers to have their credit cards reissued because they were discovered to have been compromise. Now it happens all the time.

In summary,

- laws do not exist to prosecute many crimes committed electronically
- enforcing laws against electronic crimes is orders of magnitude more difficult than enforcing laws in the physical world
- many (most?) electronic crimes are not reported

This is not to say that you should never buy anything online (although there are plenty of security experts who consider the benefits of online banking and purchases to not be worth the risks).

But do pay attention to things like the use of SSL encryption and signed site certificates (which certainly have their own problems, but they are at least _something_). Be careful of which sites you accept javascript, java, and other code from. And most importantly, choose a credit card with good protections in the event of unauthorized charges, and avoid using debit cards online (unauthorized charges can become the credit card company's problem, but withdrawals of cash from your account ain't coming back).

If an offer seems too good to be true, it probably is. Be suspicious. Caveat emptor.

Paul Levy said...

Wow, thanks for that really informative comment.

Anonymous said...

No problem, thanks for a really informative blog! I love reading it!

John Norris said...

On a side note, Second Life is currently being used to explore and do healthcare in virtual worlds and real life.

Activities include support groups, training and education, and office visits... more at: http://slhealthy.wetpaint.com/

(I also humbly submit my own blog for info- john-norris.net