Europe’s security recommendations for VWs

Posted Jan 23, 2009 in Game talk
 

Spotted on Metaverse Law that

The European Network and Information Security Agency (ENISA) released an interesting position paper on some of the concerns associated with virtual worlds.

A summary of the position paper’s recommendations:

  • Governments and policy making bodies:
    1. An industrywide forum for sharing of info on security vulnerabilities
    2. Fund work on clarifying legal issues around IP and personal info in VWs
    3. Encourage independent dispute resolution for player-to-player issues
    4. New financial procedures to prevent item theft using chargebacks
    5. Investigate the issues around conflicts between legislation & common carrier status for VWs
  • MMO/VW operators:
    1. Deal with item duping, end-to-end security, and DOS attacks
    2. Clear privacy policies
    3. Charge a token returnable fee for all ODR complaints (to prevent false complaints)
    4. Improve user authentication
    5. A standard set of governing documents and terms, built with user input
    6. Provide bootable CD images for critical operations such as online banking
  • Awareness and research:
    1. Run campaigns on account theft detection, how to handle bad behavior, in-world property risks, etc.
    2. Research future trends with security concerns, such as content filtering, security and reliability of open world formats, etc.

  8 Responses to “Europe’s security recommendations for VWs”

  1. “accunt” account.

  2. Oh dear, The eurocrats want to get their fingers in this pie, be very, very wary.

  3. I was on this panel, as were some other MMO people (Eyjólfur Guðmundsson, Adam Martin, Ren Reynolds, Markku Kaskenmaa), so we were able to add some realism to the general “what if..?” line. Other people included security experts, ratings bodies representatives, people from fields with problems that overlap ours (eg. access by children), assorted academics, and some people who I never really did find out what they did.

    At times I felt that we were clutching at straws to find something to put in, which wasn’t good. Things which were definitely of concern were given the same degree of coverage as things which were more of a potential worry for the distant future. This did get addressed once the “data-gathering phase” was over, but there are still a few idiosyncrasies left. The definition of “security” and “risk” got wider and wider as time went on (or, rather, it started out broad but we didn’t really understand quite how broad until we got into it), but we did manage to arrest that trend and be more precise – the title now says “and privacy”, for example.

    On the whole, given the competing areas of emphasis preferred by some of the people on board, I think the result is roughly in line with what I was expecting at the start. It’s not perfect, but if we’d had no industry people on the committee it could have been a lot worse. There may have been recommendations for issuing people ID cards so operators could perform age checks on players, for example. Alongside suggestions like this, recommendations like those given to operators above look positively sane…

    Richard

  4. From the paper:

    Exploitation of flaws in the in-world economy. This includes so-called “duping” (illegal duplication of objects), and other forms of cheating such as illegal automation and “gold farming”, the virtual equivalent of sweat-shops where low paid workers work long hours to produce valuable assets within worlds (17). All practices of this kind usually result in inflation of in-game currency and loss of value to bona-fide players.

    Both incomplete analysis, and something of an indictment of capitalism, while they’re at it 😉

  5. Bret>Both incomplete analysis, and something of an indictment of capitalism, while they’re at it

    The analysis is incomplete because we had a deadline, a pages limit, we weren’t being paid for our time, and different people had different priorities. I agree we could have written more about this, but how long would a complete analysis take, and would you be prepared to write one for free only to have other people on the committee want to change it?

    As for the indictment of capitalism, it’s an article about risk. The risk is there: if you create a virtual economy with flaws in it, you will indeed see these effects. It wasn’t meant to say good or bad things about capitalism per se, it was just supposed to flag up the risks so that enthusiastic but unworldly-wise new developers might note that it’s an area they should examine.

    This is a document with a lot of flaws and incomplete coverage, yes, but it was always going to be like that – that’s the nature of reports written by committees. The fact that ENISA looked for and found some European virtual world experts to contribute is to be applauded, and that we were able to ring alarm bells over some of the more “out there” suggestions means we wound up with something a lot less weird than if we hadn’t been involved.

    Richard

  6. Hey Richard 🙂 I’m sorry.. I didn’t mean to trivialize your work. I just thought the quotation was funny when taken out of context.

  7. Oh, I didn’t think you were trivialising it (well, no more than it was trivialising the subject matter). I just thought you’d get a better feel for where the remark (and the paper in general) was coming from if I gave a bit more explanation.

    Richard

  8. I used to have a VW and security was terrible. It was a convertible and the roof was only held on with press-studs, so breaking in was a piece of cake.
