Thursday, April 23, 2009

Privacy Rights in MMORPGs



Contrary to what it seems like, I do actually deal with legal stuff a fair amount. Last semester I studied copyrights and patents in video games, this semester I took a privacy law class and studied MMORPG's. Riding on the heels of being vindicated about the gaping flaw in video game copyrights and patents in the last paper, I thought I'd post this one too. If you want the complete document with footnotes, just e-mail me.

Before we begin,

I AM NOT A LAWYER. IF YOU HAVE ANY QUESTIONS ABOUT THIS TOPIC, PLEASE CONSULT A LICENSED ATTORNEY. THERE IS A SPECIAL PLACE IN HELL FOR LAW STUDENTS WHO RUN THEIR MOUTHS WITHOUT EXPLAINING THAT AND YOU DON'T EVEN HAVE TO DIE TO GO THERE.

Quick Summary

Presuming you don't feel like digging through a mountain of legal theory, the basic explanation about privacy rights in online games is that you haven't got any privacy. Your friend lists, who you're talking to, when, how long you're playing, what you say, ALL of it is owned by the company.

At the current stage that's not too big a problem. Most companies self-regulate and their in-house lawyers were not born yesterday. The problem is that there isn't anything making them regulate their conduct because they've declared ownership on everything you do in the game. Several companies stipulate that they may sell this data to researchers and several have already done precisely that. The other reason this isn't an issue yet is that most privacy disputes on the internet come from child pornography, which no one is inclined to defend. If someone is fired or gotten in trouble for something they did on the internet, they were probably broadcasting sensitive information in a public forum.

This leads to a lot of legal theory because defining what is private in a court of law is actually pretty hard. The basic formula is to gauge intent and social necessity, which pretty squarely divides people. Almost everyone in an MMORPG intends for their conduct to remain private unless they broadcast otherwise. The companies, on the other hand, need to access your data to gauge the quality of the game and make improvements.

I then outline the basic problem that the whole thing is headed towards and recommend that clear legislation be created to guarantee the privacy of users. I'll repost the last paragraph:

The problems that may potentially occur in virtual worlds is in many ways the stuff of science fiction. A prominent blogger could rise to popularity and influence only to be revealed to be a young child prodigy and immediately dismissed. An online player experimenting with both gender and identity who does not wish for others to know about it may be discovered inadvertently due to disclosed online information. An employee could be fired for things said with every expectation of privacy in a virtual world that are later discovered by the company. These are the hypothetical situations that are crossing over from fiction and into fact. As with all issues of privacy it is simply a matter of expectation and what is reasonable. What is unreasonable, just as it is in the real world, is to declare that we have no expectation of privacy at all in these new virtual worlds.

Introduction

American privacy law has always been rooted in the concept of a person’s expectations versus what is reasonable for society to allow. A person may have every expectation that his mail will not be opened, but if that piece of mail is to be read by multiple people or the recipient hands it over to the authorities, then that expectation has been voided. At some point something becomes private and at some point it ceases to be. The greatest stumbling block for this approach to privacy law has been the internet and all its various forms. Often relying on analogies and archaic legal tests like comparing user information to phone records and ISP’s to phone companies, these methods continue to endanger a new class of information that people regularly exchange with every expectation that it will remain private.

Although many cases have dealt with the rights of both the government and citizens when it comes to online chatting and e-mail, one of the most potentially problematic areas of online interaction are Massively Multiplayer Online Role Playing Games or MMORPG. In these games, users adopt an anonymous persona and role play as a character in a virtual world. Intense rivalries, charged emotional relationships, and even gender experimentation all occur in these settings while the user typically expects his interactions with others as well as his identity to remain private. The potential for discrimination and abuse, should this data be made public, is quite possible depending on the conduct a person engages with in this safe, virtual world. It is important to establish a proper legal approach while ensuring some degree of privacy for users for this growing industry to continue providing a reasonable place for people to enjoy themselves.

There are two specific parallels in American law that are applicable to the legal approaches in MMORPGs. The first is state and federal approaches to warrantless searches of electronic data. The second are the various distinctions courts have tried to draw between the content of electronic data and the labeling and origins of that data. After outlining these parallels, this article will explain the current legal and contractual situation with several popular MMORPGs. Finally, potential solutions and applications to this situation will be discussed in the conclusion.
Case Law

Much of the case law regarding electronic communications and warrant requirements has been created in the past two decades but it principally draws on the ruling in United States v. Miller . In that case, a whiskey bootlegger was arrested and accused of defrauding the government of various taxes. His bank account reports were used extensively as evidence in the case, which were handed over willingly by the bank when requested by federal investigators. The defendant attempted to argue that his Fourth Amendment rights had been violated because the investigators did not have a warrant. The Court explains, “This Court has held repeatedly that the Fourth Amendment does not prohibit the obtaining of information revealed to a third party and conveyed by him to Government authorities, even if the information is revealed on the assumption that it will be used only for a limited purpose and the confidence placed in the third party will not be betrayed”. The presence of a third party observing and handling the documents, in this case the Bank, made the exchange permissible because the third party willingly handed over the documents. The court uses language from California Bankers Assn. v. Shultz to point out that bank records cannot reasonably be called “intimate areas” of one’s life.

This principle of a third party’s rights with private information was taken into consideration in the criminal prosecution of a pedophile in Commonwealth of Pennsylvania v. Robert D. Proetto . Defendant sent several sexually explicit e-mails along with a picture of himself to a minor. The minor copied these and gave them to the police. Pennsylvania law does not allow a person to “intercept” an electronic communication and disclose this to others, so the Defendant attempted to argue this law had been violated. The court rejects this argument because an e-mail is intrinsically unlike a phone call. The e-mail has been recorded and anyone sending it is aware that the recipient may print or redistribute this data to others. They explain, “By the very act of sending a communication over the Internet, the party expressly consents to the recording of the message.” The case is important because it acknowledges both the lack of protection that is inherent when communicating online and the ability of a third party to obviate whatever protection may possibly exist anyway. The criminal circumstances of this case differ considerably from the civil issues this paper is contemplating; however the blanket declaration that there is no protection for electronic communications will come up in other states and courts.

The Sixth Circuit adopted a similar standing as the Proetto case. A federal task force seized two computer bulletin board systems (BBS) and were sued by the users in Guest v. Leis . Both BBS services contained disclaimers that privacy was not guaranteed in any communications, since a system operator could view even the “private” messages at any time if needed. The chief issue was the numerous users of either BBS who were not engaged in illicit conduct. The courts ruled that the scope of the warrant was not exceeded because innocent data was seized along with the illegal material, particularly when the service was so vast that an extensive search was required to locate the material. The court dismissed allegations of misuse, stating, “Plaintiffs are essentially relying on an assumption that because defendants could have read e-mail, there is evidence that they did read e-mail.” The courts go on to explain that the search method involved the task force using a list of files and users and then combing the system for anything using those labels. Innocent data, unless tagged incorrectly, would not be searched. Since the circumstances required removing the BBS computers the seizure was not unreasonable and probable cause did not have to be found because no search of the non-illegal material took place. In this way, the courts have established that not only is there no expectation of privacy for regular users of electronic systems, but this expectation can be obviated by the problematic nature of electronic data in the first place. The data can simply be seized because there is no other way to find what you are looking for quickly and easily.

The court for the District of Connecticut took a similar stance in Freedman v. America Online, Inc. In that case, an employee of a rival political party sent a threatening e-mail to a candidate running for a local office. The employee claimed that the e-mail was meant to be taken as a joke and argued that both his First and Fourth Amendment rights had been violated when the service provider, America Online, disclosed his private information to the authorities. No warrant was present, they were faxed a copy of the request form only and AOL obliged six days later. The information included Freedman’s name, address, phone numbers, account status, membership information, software information, billing and account information, and his other AOL screen names. The court pointed out that every single case dealing with Fourth Amendment violations and electronic communications has ruled that internet subscribers do not have a reasonable expectation of privacy with respect to their subscriber information. This is reinforced by the Electronic Communications Privacy Act of 1986 which permits Internet Service Providers (ISP) to disclose subscriber information to both third parties and the government. The court outlines the two part test for a Fourth Amendment violation: first is there an expectation of privacy by the individual, and second, is society prepared to recognize this? In summarizing the past arguments of cases like Hambrick or Kennedy the court explains, “the distinction [is] between the content of electronic communications, which is protected, and non-content information, including a subscriber’s screen name and corresponding identity, which is not.” The case is important because it expands on the limitations that the courts applied in Guest concerning what kinds of data third party ISP providers can freely distribute. Although much of users’ actual identity can be disclosed under the common law and ECPA, the actual content of their exchanges must remain private without a warrant.

This protection of content was reinforced in the Sixth Circuit case Warshak v. United States. The facts of the case are unusual, Warshak was the owner of a pharmaceutical company being investigated for mail and wire fraud, money laundering, and related federal offenses. His ISP was ordered by the government to turn over both billing information and content of all of Warshak’s e-mails. Because the government waited a year before reporting the tapping to Warshak, it violated the Stored Communications Act which normally requires notice to be sent within 90 days. This became more problematic because the courts decided the SCA’s lower requirements to gain access to electronic data were essentially a subpoena, which requires notice so that it may be contested if a party chooses to do so. In so ruling the courts quote Miller, “”the party challenging the subpoena has “standing to dispute [its] issuance on Fourth Amendment grounds” if he can “demonstrate that he had a legitimate expectation of privacy attaching to the records obtained.” The courts contrast this expectation to the one used in Miller and in the case Katz v. United States, which argued that a pen register for a telephone call was not the same thing as disclosing the content of the conversation despite the possibility of a third party overhearing the exchange. The courts concluded, “[The government] cannot bootstrap an intermediary’s limited access to one part of the communication (e.g. the phone number) to allow it access to another part (the content of the conversation).” The expectation of privacy concerning content is not waived simply because one is using an ISP. They do note that in the instances where a user explicitly provides that digital content will be monitored it might extinguish a reasonable expectation. Simply being able to access the files in limited circumstances is not enough justification. The SCA also encourages this approach, such as section 2701 prohibiting unauthorized access to e-mail accounts and 2702 requiring ISPs to acquire user permission before disclosing digital content. However, the court does admit that if a waiver of privacy can be proven, then disclosure through notice to the ISP would be permissible.

The struggle for modern courts, upon establishing a distinction in electronic data between user information (which can be distributed how the third party sees fit) and content (which is protected), is identifying the sheer volume and types of content on the internet. Content in this essay refers to any communication or exchange with a person. Using the definition outlined in Katz, user information would be the equivalent of the telephone number while content would be the actual conversation itself. The following cases will outline a brief history of the content definitions used by various courts.

The distinction between content and data for the courts, as in the Miller case, revolves around the courts grappling with companies that owned personal information attempting to sell private content as well. An attempt at a class action law suit in Ohio serves as a prime example in the Eighth Appellate District case Shibley v. Time, Inc. The magazine was selling the personal information of their subscribers. Not only were their addresses being distributed, but profiles based on what magazines they were already receiving were compiled to identify what ads should be sent to what houses. The Ohio definition of an invasion of privacy constitutes exploitation of one’s personality that the public has no interest in such a manner as to cause humiliation to an ordinary person. The courts ruled that the right to privacy does not extend to one’s mailbox and that none of the typical conceptions of false advertising or endorsement were occurring here. What’s curious about the case is that the plaintiff’s claimed that the information the magazine was selling was a “personality profile” of their consuming habits. The courts decided this would cross into creating new law and recommended the plaintiffs take it up with the legislature.

This concept of a “personality profile” was addressed twenty years later in the Illinois case Dwyer v. American Express Company. Not only were addresses being sold, but consumer habits such as what goods were being purchased by whom were rented out as well. As in Shibley, the court draws a distinction between selling content and personal information by arguing that so long as the content remains anonymous it is not violating privacy law. They argue, “They are not disclosing financial information about particular cardholders. These lists are being used solely for the purpose of determining what type of advertising should be sent to whom.” The individual names are of no interest to merchants and there was no tortuous intent present. The courts did conclude that the company’s failure to disclose precisely what they were going to do with the information constituted a misrepresentation. However, because there were no damages from the disclosure and mental anguish was hardly induced by the conduct, the case was dismissed.

When applying these concepts to electronic data, a case in the military began to impose limits on the access to content an investigation could seize without a warrant. In the case United States v. Maxwell a soldier was convicted of transporting obscene materials and child pornography. The obscene materials charge was problematic because these involved seizing e-mails that went outside the scope of the warrant. The ISP was America On-Line (AOL), whose employees do not read or monitor e-mail on the service, but gave the information away when asked by the F.B.I. The e-mails in question were between another officer discussing sexual orientation and preferences. The court argues that e-mails are analogous to telephone calls, so that like Katz their content is protected. The expectation of privacy also comes from the fact that AOL guarantees privacy by storing all e-mails on a private server. Although communicating in a chatroom or posting on a bulletin board would void this expectation, the mere possibility that it might be forwarded or hacked into does not void the expectation of privacy. This is the opposite standard adopted in Proetto, which declared that e-mails were more similar to leaving a message on an answering machine. Since the message could be heard by anyone after it was left, e-mails equally did not create an expectation of privacy. Both cases involve child pornography, but the military court is imposing limits on the government’s right to seize and charge for unrelated content discovered.

The Fourth Circuit was forced to address this issue when yet another invalid subpoena was used to seize personal information from an ISP. United States v. Hambrick is another pedophile case but in this instance it is distinct because the courts acknowledge that a person might have an expectation of privacy in the content. They explain, “While under certain circumstances, a person may have an expectation of privacy in content information, a person does not have an interest in the account information given to the ISP in order to establish the e-mail account, which is non-content information.” Relying on both Katz and Miller, the court dismissed the appeal because only the defendant’s personal data was disclosed. The content information was never used by the government in the case and thus suppression was denied.

Finally, in a case decided in January of 2007, the Court of Appeals in United States v. Ziegler acknowledged that in the event that the third party owns the computer or employs the plaintiff the content can be given over without a warrant. The court outlined that the expectation of privacy must be both subjective and objective, personal and one that society is willing to acknowledge. Interestingly, the court acknowledges that having a password on the computer is enough to establish a subjective belief in privacy. This goes against earlier reasoning of no expectation of privacy for content by establishing some standard for showing intent to keep something private. The situation does not meet the objective standard however. The court explains, “the government…may show that permission to search was obtained from a third party who possessed common authority over or other sufficient relationship to the premises or effects sought to be inspected.” Authority or some relationship with the premises gave the third party the right to distribute content without a warrant.

In conclusion, case law shows a common trend in both federal and common law that the internet does not allow privacy for one’s personal information such as addresses, phone numbers, or even spending habits. However, content information such as private e-mails do merit some form of protection. This standard has developed in both civil and criminal suits.

MMORPG’s and Potential Privacy Violations

One of the advents of broadband internet connections has been the growing popularity of massive virtual worlds. These services have existed since the late eighties in the form of text-based interactions but the increased connection speeds have allowed for their interfaces and graphics to be more accessible to a wider audience. The games typically require the users to provide their real names, credit card information, and subsequent billing data. They are then allowed to create an anonymous identity that has a name, visual representation, and can accumulate virtual items while interacting with other players. The most popular of these games has an estimated 11 million users and is played throughout the world.

The problem with these services is that they typically provide almost no privacy guarantees for player content. In February of 2009 Sony Entertainment arranged a deal with several research groups to give the entire accumulated content of a no longer active MMORPG, Everquest, for research in a wide range of fields. Much of the data was utilized by Sony to study how players group together, distribute items, or play in the game. Several psychological and sociological studies were also conducted on the content. The Privacy Policy of Sony states, “when you communicate within any game or any other communication feature within The Station (e.g. live chat, instant message services and the like), even "privately" to another person, you do so with the understanding that those communications go through our servers, can be monitored by us, you have no expectation of privacy in any of those communications and, accordingly, you expressly consent to monitoring of communications (including technical support and customer service communications) that you send and receive.” They further qualify that they will not distribute personal information such as e-mail or a billing address without consent. The content of the MMORPG, however, may be used for anything and makes no mention of requiring consent.

World of Warcraft follows a similar pattern but instead claims that they themselves own all of the user content being generated. Their Terms of Use outlines that the player never actually owns the game or anything they create or accumulate within it. They are instead licensing the product in an arrangement that can be terminated at their discretion. Specifically, “Blizzard may, with or without notice to you, disclose your Internet Protocol (IP) address(es), personal information, Chat logs, and other information about you and your activities: (a) in response to a request by law enforcement, a court order or other legal process; or (b) if Blizzard believes that doing so may protect your safety or the safety of others.” Both the chat logs and “other information about you and your activities” constitutes what would be the actual player’s content. Like an e-mail, a chat log is the means of communication for a player by typing in what they want to say to other players.

The activities aspect would be a novel definition of content in the legal sense but it is functionally similar to the definition of content in that what you are doing in the game is still a form of communication. Just as conduct such as bartering, fighting, or exchanging goods could considered the activities one would do in an e-mail, so too are they a form of content in this instance. The following section of the User Agreement further modifies this right to player content by adding, “BLIZZARD MAY MONITOR, RECORD, REVIEW, MODIFY AND/OR DISCLOSE YOUR CHAT SESSIONS, WHETHER VOICE OR TEXT, WITHOUT NOTICE TO YOU, AND YOU HEREBY CONSENT TO SUCH MONITORING, RECORDING, REVIEW, MODIFICATION AND/OR DISCLOSURE.”

Although the disclaimer that they can reveal all player content at will without notice is somewhat troubling given the growing case law arguing for an inherent right to protection, Blizzard is equally careful to ensure they are not liable for any damages these disclosures may cause. The EULA states, ““IN NO EVENT WILL BLIZZARD BE LIABLE TO YOU FOR ANY INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES.” Given the potential damages that disclosing private content could have on a player, both the Terms of Use and EULA give Blizzard open discretion to do as Sony has done with Everquest and disclose or sell this information with no consequences to themselves.

Other MMORPG’s are slightly more conservative in the right to player content. Another game, Lord of the Rings Online, still declares ownership of all player content but have also created an active privacy policy. Should a user broadcast information in a public manner then that is susceptible to disclosure but otherwise the content will not be traceable back to the user. They are clear that such content will in no way be traceable back to the user in either its aggregate or individual form. What is problematic is that these protections are in no way guaranteed should the company running the game be sold or disbanded. Their privacy policy states, “In the event of a merger or consolidation of Turbine, or the sale of all or substantially all of its stock or assets, or the transfer of the operation and distribution of certain products or services to a third-party, or bankruptcy of Turbine, your personally identifiable information may be transferred to Turbine's successor or assign resulting from such events.” As Sony has done with their defunct game’s data, Turbine may also consider doing in the coming years.

Turbine’s privacy policy is interesting when compared to Blizzard’s because they make a distinction between private and public content in their game. In the average MMORPG it is possible to engage in a private conversation with another player that people around them cannot hear. They can also broadcast information to large groups around them and even to every player in the game via a global chat system. Turbine declares these large broadcasts can be disclosed at will while they will not disclose the private communications in a way that can ever be traced back to the user.

The possibility of identifying a player from disclosed content such as Turbine’s proposed method or Blizzard’s blanket declaration is not improbable. Players in MMORPG’s must often join organized groups that work together otherwise known as guilds. Although the template for creating one’s appearance in these games is limited and thus repeats, the outward appearance changes based on what equipment the player is wearing in the game. Many of these items are statistically rare to come by and are often worn along with other statistically rare items. This creates the possibility that a person observing a published picture or reading a disclosed conversation, even when the user name is masked, could potentially identify the user based on the rareness of the items in their appearance. Factors such as who they are with, where they are in the game, or what they are doing would also make them recognizable. Other telltale signs may simply be the wealth they have accumulated, the resources they have invested in, or the other players they have fought in the game. Disclosing this kind of content is in many ways analogous to publishing a photograph of a random person for mass publication. The majority of the population will be unaware of the identity of the user, but their close friends within the game may recognize who they are.

What potential damage could erupt from such a disclosure and recognition? Joseph Blocher argues that reputation itself can be considered a form of property. He explains, “What that economy demonstrates, especially in its virtual form, is that reputation itself—social status and the respect of others—can usefully be understood as a form of property. Strands of this theory appear in law and scholarship, but they have not been tied together in a way that shows that reputation can be property-like even without demonstrating economic value.” In a virtual world, one’s reputation is the only thing that makes it possible to stand out amongst a large group of similar characters. If this were not the case, why do most MMORPG’s and Online services not allow two players to have the same name? A virtual reputation, despite its artificial nature, takes time to accumulate and is actively relied upon by a player. They may be the leader of a guild, be allowed access to rare portions of the virtual world, or simply enjoy a close association with likeminded people. By disclosing their private content and having it recognized by their fellow players, that reputation can potentially be damaged. An insult that was only sent privately to another player may be discovered and dissolve a guild. A disruptive act that went unpunished may be discovered and cause the player to lose clout.

Obviously this would probably not pass as damage in a court in the real world but the psychological problems that it can cause most certainly can. One of the fastest growing areas of therapy is learning how to treat traumatic events or losses that occur in virtual worlds. Jerald Block is one of the first clinical psychologists to begin actively treating pain and loss that occurs in a virtual context. The biggest problems for these players is even finding validation for the losses that occur in this realm. There is often a great deal of shame to admitting they care about what has happened in this virtual world despite the fact that they invested years of their lives into it. Block humorously notes that people who are addicted to internet pornography suffer less shame than the average player who needs therapy. He explains one particular case about an Eve Online player, “He was one of the most powerful characters in the universe of this game. He had played for years and accumulated great wealth; he would have been worth about $17,000 if he sold his character and all his virtual assets on eBay. Well, within the game someone took out a contract on his life. And in the span of one night, this guy lost thousands of dollars, lost his alter ego, and was betrayed by everyone he knew in this world.” Even though none of this actually happened and he does not own the assets despite their black market value, the mental loss is still very real psychologically. At the very least, the insurance industry is going to start taking notice when they want to know who is responsible for their clients requesting therapy coverage.

The particular discussed event does not necessarily relate to a privacy violation, but the potential discovery of which anonymous player betrayed the organization could have repercussions. When several players of an MMORPG were elected to represent the various factions and attend a meeting with the creators of the game, it was discovered that several of the characters who were women were played by men. Many players engage in transgender conduct and even develop relationships without ever telling the player of their true identity. A transgender player, after trying to form a guild based around this, had the guild dissolved and banned when the content was discovered by the company. What would happen if a guild, titled something innocuous, still revolved around transgender players? The loss of prestige would not even be the biggest problem, these groups would be subject to harassment and cruel treatment in the virtual world. Equally possible is that the player has disclosed their true identity to the group so that it may even have repercussions in the real world. With the number of firings based on information found on Facebook growing, the potential experimental conduct in games inducing prejudice and problems in the work place and private life are also possible. Several divorces have occurred due to a spouse discovering their partner was having a purely virtual relationship with someone else. What if they discovered this because a company disclosed private content?

Conclusion

There are several laws that apply to different industries that could be fruitful for protecting the privacy consumers. The Cable Communications Policy Act prohibits a cable television company from using the cable system to collect personal data without prior consent and bars them from disclosing such data. It authorizes punitive, costs, and attorney’s fees against cable television companies that violate the act. Since these online games are more analogous to television as sources of entertainment than a communication service like AOL, it would make more sense to apply such rigid restrictions since there isn’t really a reason to allow these companies such wide access to user content.

Another analogous law would be the Customer Proprietary Network Information Act which applies to telegraphs, telephones, and other radio communications. The general prompt explains that every telecommunication carrier has a duty to protect the proprietary information of customers. The law expressly forbids releasing individual customer’s data while still allowing them to use aggregate data for limited purposes so long as it is not prejudicial to other carriers.

At the core of the problem with MMORPG’s is that there are no laws of any kind regulating their conduct. They are not exactly ISPs, cable systems, or telecommunication services. Nor does the consumer technically own the software or what they are producing, since most companies label the user as a licensee. The Electronic Communications Privacy Act does not apply to these groups because the person accessing the content must not have authorization, which doesn’t help since the company can obviously authorize itself to access whatever it pleases.

In order to remedy this situation three specific areas need to be clearly addressed by the legislature in order to ease the court’s burden of interpreting this new data. First, clear laws at both the state and Federal level must be established that define the difference between content and user data. Greater protection must be placed on content and it should require a warrant in order to be seized. Second, online games must be required to clearly inform their players about what is considered content and what is user data. It cannot be tucked away in a EULA or Terms of Service that people read, but should be explained throughout the game through warning messages or carefully explained during the game’s introduction. Third, control over this content must be guaranteed. Companies who are sold en masse must stipulate that the contract with the user cannot change without their consent. So if Turbine were to be sold, the users must have the right to destroy content should they not agree to the new Terms of Service.

The problems that may potentially occur in virtual worlds is in many ways the stuff of science fiction. A prominent blogger could rise to popularity and influence only to be revealed to be a young child prodigy and immediately dismissed. An online player experimenting with both gender and identity who does not wish for others to know about it may be discovered inadvertently due to disclosed online information. An employee could be fired for things said with every expectation of privacy in a virtual world that are later discovered by the company. These are the hypothetical situations that are crossing over from fiction and into fact. As with all issues of privacy it is simply a matter of expectation and what is reasonable. What is unreasonable, just as it is in the real world, is to declare that we have no expectation of privacy at all in these new virtual worlds.

13 comments:

Unknown said...

Fuuuuuuuuuuuuuu... no pictures dude? Wall of text is a wall. Or whatever dumbass kids say on the Internet.

In any case, I'm reading this right after finals are over. There's no way my eyes can even focus on it right now.

Unknown said...

Ooh my pitch for the PopMatters Pixelated Brain series got accepted!

Kirk Battle said...

Sorry man, there's no pictures in legal texts. It's mostly a technical document that a lawyer would read and know how to extract info from, I guess I just post these because it reminds folks that I do actually plan to practice law someday.

Unknown said...

You know what's weird? Most books about games don't have pictures either, presumably because game companies don't feel it's in their best interests to let people publish images of their games for free. Or maybe because the publishers don't think they'll sell enough copies to justify the printing costs? When I studied film, it would've been virtually impossible to read the introductory texts without pictures. Imagine trying to analyze the lighting in The Godfather without being to show it.

Don't apologize for publishing this stuff! I put stuff on my blog that I write for school, meaning it's far too long and serious to be enjoyed in a blog setting. I sincerely plan on reading it once school is out.

Unknown said...

I lied. I read it, you bastard! Why can't I quit you? So, yeah, the whole time I was thinking, "why the hell didn't anybody request a warrant in all those AOL cases?" Then you address that at the end.

Then while reading the MMO portion, I was like "Jesus I can't believe L.B. actually read the entire EULA on those games." I feel like you're making a controversial claim there: why exactly should they have to spell out this information when it is readily available within the code and text of the exact same product? It'd be different if you had to follow a link to the agreement, but you have to click to agree to it... so maybe the issue is that people need to be better educated and not that game companies be subjected to some strange law that singles them out for more transparent disclosure.

The stuff about insurance and therapy is, I believe, going to turn out to be remarkably prescient on your part. I need to read A Rape in Cyberspace again to see if Mr. Bungle ever got taken to court. Did you ever read about that? This dude performed a crazy rape in a text game. Then it turned out that he was in fact an entire hall of NYU students who thought it was awesome to crowd around a computer and rape people.

Anyhow, thanks for sharing this thing. It really wasn't that bogged down in legalese. Maybe I'm just used to stuff like this from being a philosophy student.

Unknown said...

Oh reading it also led me to take down a post I had with a picture of a dude I didn't know in it. I know my blog isn't exactly mass market, and I might be protected based on the fact that I just Google image searched it and don't make money off my site... but being safe, because I'm such a crazy outspoken douche bag.

Kirk Battle said...

I don't think there's anything strange about a law that forces a game company to NOT disclose private information. As it stands now, they can do whatever they please, which is bad for everyone.

Unknown said...

I was more talking about this line:

"It cannot be tucked away in a EULA or Terms of Service that people read, but should be explained throughout the game through warning messages or carefully explained during the game’s introduction."

I agree that your privacy should be protected. I don't agree that the information needs to be outside the EULA. The only argument you have for doing that is that people are stupid and don't read things that they sign. I'm not gonna argue law with you though, that's what your school buddies are for :)

Unknown said...

What standards of privacy exist in the US today for snail-mail? Intuitively, I would want to apply the same standard to e-mail. In the MMO context, I prefer the direction in which LoTRO seems to be heading, but agree that some solid legislative support would be better than leaving it up to capitalism. Ability to destroy content if the company changes hands (or changes its mind), along with basic protection of private conversations/messages could be useful.

The identity issues you raise (nice Card/Ender reference, btw, if that's what you were going for) are interesting, but I'm not sure what the next step would be. What other contexts grant rights to anonymity? I can think of businesses which offer anonymity/discretion as part of their service, but I'm not familiar with the legal context (because, obviously, IANAL).

On the subject of shinkwrap/clickthrough/EULAs, any opinion on their legality/enforceability? Hearsay, and my vague memory from a business-law course, inform me that they're questionable.

@Simon: I find it contradictory for you to exclaim surprise that the author would read an entire EULA, and then bash the plebes for failing to read them. Do you read your EULAs? I, for one, don't read software EULAs, but I have read every single one of my apartment lease contracts. Does that make me stupid?

Kirk Battle said...

@ Simon

The tricky thing about a EULA is that even to a well-educated person a lot of it is difficult to comprehend. I don't mean that in the sense that they don't understand it, I mean they don't know when the company is completely talking out of their ass in terms of legal theory and declaring rights that people would not normally give away. And like Geoffrey said, that's even assuming someone bothers to read the EULA or TOS.

@Geoffrey

Orson Scott Card is up there with William Gibson for writing sci-fi that actually captured modern problems with the internet.

As far as EULA standards go, there really is no precedent for MMO games in law. You're not exactly talking on a phone or sending an e-mail when you use one, you could argue that the main purpose of the game isn't even communication, it's entertainment. A EULA becomes more legit the more you use the product without complaining, but a privacy violation in an MMO isn't going to arise immediately. By their nature it would be years before damaging info could be revealed. So the EULA is locked in and binding but...that's not really fair.

Applying RL law to MMO's is tricky because the main concepts governing snail mail are how many people are exposed to the information. If I mail you a letter, you have the right to disclose it. If a stranger opens that letter before it gets to you, they do not. Everything in privacy is governed by the intent of the person broadcasting information.

Were I a corporate attorney gunning for Activision, I'd simply argue that the very act of logging into an MMO is sending data to the company and they can do whatever they like with it based on the same principles.

So yeah, the only real bet is legislation.

Unknown said...

@ Geoffrey:

"Exclaim surprise" at this: I consider myself stupid for not reading them. I don't know anything about you, but reading your apartment leases sure sounds nice. The class thing sure was a kicker, except I said "people are stupid," not "poor people are stupid."

Unknown said...

@ L.B.

Okie dokie, we're in agreement that there needs to be a plain English version of the EULA. What are the precedents for other legal documents that are required to be converted to plain speech before being distributed?

Ben Abraham said...

I think my jaw hit the floor as I OMG'd my way through this piece.

I always knew MMO's were a bit of a legal black hole, but the idea of having to prove that you assumed something was "private" totally blows me away. That seems totally at odds with the spirit of "innocent until proven guilty" that the western legal system is supposed to be built upon.

Craaazy.