Massively^™

As the fur continues to fly over Second Life's beta age-verification system, one of the aspects that has only really been lightly touched on is informed choice.

Before offering your identity documents and personal data to any third-party, there are things you need to know, otherwise you cannot be said to be capable of making an informed choice in the matter. So far, that information hasn't been comprehensively provided to you.

The provider for the verification service, we already know, is Aristotle/Integrity. According to their website the Integrity Direct verification service has verification data for 152 countries (out of a total of 194).

There doesn't seem to be information on which countries they don't have information for, but those missing 42 countries apparently account for 48.8% of the Earth's population, using Aristotle/Integrity's own figures.

You might reasonably point out that they say over 3.4 billion citizens. We reasonably point out that almost nobody says "over 3.4" if the number is 3.5 or more. Aristotle/Integrity repeatedly use "over 150 countries" when they mean 152. We feel it is reasonably to assume the true number of citizens in their database to be between 3.4 and 3.5 billion as, if they exceeded 3.5, they'd be saying "over 3.5 billion". You might also point out that many of those missing citizens are actually within the 152 countries - which then begs the question - why are some citizens included and others not?

Aristotle/Integrity claims to have some "government issued ID data" as a part of their database. Government authorities who have been contacted in the UK and Australia flatly denied that their passport and drivers license data was available to third parties, and seemed offended by the notion. We were cautioned against sending our identity data for verification - more on that in a minute.

It could well be that some of this data comes from public court records.

"Available data sets may include (1) full name, (2) full address, (3) year of birth, (4) phone number (when available) and (5) cell phone number (when available)."

The word "may" is fully reversible. You can also read this as "Available data sets may not include (1) full name, (2) full address, (3) year of birth, (4) phone number and (5) cell phone number" with equal validity. It doesn't sound half as good that way, though, does it?

Assuming they 'may not' have a full name, and a year of birth, then the rest of the claimed data is available by digesting phone directories, electronic listings of which are available from most countries for a reasonable fee.

So - they've got some data on some citizens in some countries. Maybe it's gleaned from the phone book. Maybe it's supplemented from public court records. Maybe they've bought some direct mail lists.

Citizens outside the USA have verified (in only small numbers to date) with a variety of correct and incorrect data. It appears that if your information at Aristotle/Integrity is incomplete, their system more or less takes a guess.

What do they do with the data you send them for verification? Well, they have a privacy policy.

"Personally identifiable information provided for purposes of age and identity verification to Aristotle and its Integrity unit is used only for that purpose, and is not transferred or retained, except as required by law." (our emphasis)

We've been told that they are sent for matching is archived in case USA law requires access to the data or for auditing purposes in the event of some dispute between Linden Lab and Aristotle/Integrity. Of course, your data is only one of (over) 3.4 billion database records. Probably nobody is interested in your data.

If you're in the European Union, your data is subject to the European Commission's Directive on Data Protection (1998). Your personal data cannot lawfully be transmitted to a non-European Union nation unless they comply with certain "adequacy" standards for privacy. In the USA that is implemented by the Safe Harbor framework.

Linden Lab isn't a participant, and even though they state quite firmly that they don't retain your personal data when performing a manual verification, it is quite likely unlawful to send it to them. You should check with your relevant local authorities if you are in any doubt.

Aristotle/Integrity, however, is a participant in the Safe Harbor framework, and even though the data for online verification is routed almost directly to them, it is possible for Linden lab to transparently record or intercept that data between their web-service and Aristotle/Integrity's.

We don't think for a moment that that is likely - but our opinion doesn't change what is or isn't. This is all about trust, and law, and you have to form your own opinion on the former, and find out about the latter.

Just as a side note, Aristotle/Integrity failed to answer the final question on their Safe Harbor information submission. When asked, "Do you agree to cooperate and comply with the European Data Protection Authorities?" Aristotle/Integrity failed to provide an answer.

Conveniently, though, there is a list of EU/EEA countries from which Aristotle/Integrity receives personal information: Cyprus, Finland, Hungary, Latvia, Malta, Portugal, Spain, Austria, Czech Republic, France, Iceland, Liechtenstein, Netherlands, Romania, Sweden, Belgium, Denmark, Germany, Ireland, Lithuania, Norway, Slovakia, United Kingdom, Bulgaria, Estonia, Greece, Italy, Luxembourg, Poland, and Slovenia.

The last thing you may need to consider is that - what, with the War on Terror running on overtime, and no end in sight - that it may be unlawful for citizens of other countries to send identification data such as passport numbers, drivers license numbers, national ID numbers, social-security numbers and so forth to foreign countries with or without the accompaniment of other identifying information.

Massively reader, Ryan Schultz has has contacted the Canadian authorities. Canadian Citizens are encouraged by the authorities to lodge complaints about any company (within Canada or without) who requests or requires these numbers.

Canadian readers can call:

SIN: 1-800-206-7218 (Option 3 for SIN)

Passport Canada: 1-800-567-6868

Whatever you do, you should make an informed choice, aware of your options, of what you are doing and whether your actions are lawful or unlawful. We at Massively aren't here to make decisions for you (sorry, but that service costs extra) - you have to do that yourself, but as we said at the beginning, you can only make an informed decision if you are properly informed. Regretfully, we believe that a user that is marked as successfully verified is no more necessarily linked to their true identity than an unverified user at this time. What you think, is up to you.

We have additional queries pending with Linden Lab about this matter. We will pass on further information as and when it becomes available to us.