A report commissioned by the Office of the Privacy Commissioner of Canada concludes that Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) applies to Second Life, a massively multiplayer online game (MMOG) operated by Linden Lab, which is based in San Francisco, California. The report also concludes that the centralized collection of content, personal information, and "player data" in Second Life, and other MMOGs, may raise significant privacy concerns.
The original report, written by a law student at the University of Ottawa, is available here. The Office of the Privacy Commissioner of Canada is inviting responses to the report on its blog.
PIPEDA and Jurisdiction Over Transborder Flows of Private Information
According to the report, PIPEDA applies to "every organization in respect of personal information that the organization collects, uses or discloses in the course of commercial activities." The Canadian Federal Court has determined that PIPEDA therefore gives the Privacy Commissioner of Canada jurisdiction to investigate complaints relating to the transborder flow of personal information.
The report acknowledged that the majority of Linden Lab's computing takes place in the United States. Since, however, Canadians have registered accounts with Second Life and PIPEDA grants the Privacy Commissioner of Canada jurisdiction to investigate foreign entities in their dealings with the personal information of Canadians, the report concluded that PIPEDA applies extra-territorially to Second Life and Linden Lab.
Personal Information, "Player Data," and Real World Privacy
The report raises several concerns about centralized data collection in MMOGs: (1) the volume of information available to Linden Lab; (2) Linden Lab's ability to misuse the collected information; (3) the lack of privacy protections within Second Life; and (4) the potential for government and private party in-world surveillance.
First, the report raises concerns about the sheer volume of information available to Linden Lab and Linden Lab's failure to disclose what types of information it monitors and collects. In describing the types of information collected, the report notes that Linden Lab may require Second Life players to submit personal information, including their name, birth date, address, gender, country, email address, credit card or other financial information, passport number, driver's license number, social security number, or national ID number, as part of a registration process.
In addition to the registration information, the report claims Linden Lab may also gather "player data" from users, including actions taken within the game, information about a user's computer hardware and Internet connection, extent of play, and time and location from which the user connects. Linden Lab, and other entities that maintain MMOGs, could possess an enormous amount of content and information about each of their users.
Second, aside from the volume of information, the report also raises concerns about potential misuse of the collected information by Linden Lab or an entity that breaches an MMOG's data security. The report cautions that Linden Lab could use "player data" to fashion insights about the user's identity and engage in manipulative practices without requiring any personal information as traditionally understood. Also, the report claims that Linden Lab could link online gaming habits, behaviors, and transactions to a person in real life.
Third, the report spends some time addressing privacy controls within Second Life. It acknowledges that the MMOG offers its users several privacy protections, such as the ability to appear as "offline" even though they are online and block access by other users, but faults Linden Lab for not allowing users to hide their activities from other users with developer-level access. Also, the report faults Linden Lab for not allowing Second Life users to change their account names or use multiple personas.
Finally, the report addresses the emerging issue of government and private party surveillance over virtual worlds and online games. The report does not provide guidance on whether or what types of in-world surveillance may be appropriate but does note that Linden Lab acknowledges its built-in capability to monitor Second Life residents' conduct and communications and identify risky behaviors. The report notes that the extent of Linden Lab's monitoring is unclear but that the use of collected information for government intelligence purposes or targeted advertising could raise several privacy concerns.
Conclusion
Although the report does not paint a complete picture of potential liability or guidelines for compliance, it does offer companies that maintain MMOGs ideas to consider when collecting, processing, using, or disclosing MMOG content or the personal information or "player data" of their users. The report has identified several specific steps that it believes Linden Lab, and presumably other MMOGs, could take to better protect the privacy of their users' information.
For more information about the collection, appropriate use, disclosure, and security of gaming content, personal information, and "player data," please contact Al Gidari or Susan Lyon.