It really would be insane to force people to verify before using SecondLife at all, since a very high proportion of those likely to want to use the service will want to use it for free and be able to sign up with very little effort so that they can use the service with a trivial initial investment of time, and a zero initial investment of money. Only when people have been in SecondLife for a while, and have some personal investment in the environment, are they likely to be willing to bear the cost of identity verification. No doubt, this is why Linden Lab enabled free accounts in the first place, although their mistake was not to introduce a system of voluntary verification at the time.

Instead different functions will be introduced to target different identity 'entities' according to the desired level of protection. For instance, BanAvatarKey(avatarkey), say, would only ban the particular avatar associated with 'avatarkey', while BanAvatarToken(avatarkey) would ban all avatars associated with the token associated with 'avatarkey'.

Secondly, the banishment idea is an interesting one, but the difficulty is that it is reputation, too, that counts: if there is a public record that avatar A has defaulted on payment (for example) numerous times, then why should that person be able to escape that deservedly bad reputation by simply switching to avatar B undetected? For that reason, I think that I prefer Kristy's original version. An interesting idea nonetheless.

I can't disagree more on that. I strongly oppose this proposal for that exact reason. More specifically, as I specified elsewhere, one of the implications of this proposal is that identities of avatars are linked, even if weakly (depending on the implementation, but just like Chosen points out, someone with the right tools can make the link). I doubt anyone will want their Professional avatar linked to their Adult Entertainment avatar.

My bad that I suggested a technical way for implementing this.

The argument that "only people with a bad conscience have to fear an intrusion of their privacy" has been used far too often by totalitarian governments wishing to control their citizens. There is a line dividing how far it's morally acceptable to go.

Thus, I might start to have some qualms on this proposal. I had read "More complicated version: as for complicated version, except people may uniqueness verify more than one avatar, provided that each uniqueness verified avatar has a publicly visible list of all its alts" as having all uniquely verified avatars listing each other (or, using Kristy's words, all retrieving the same ID token). This would mean, for instance, that I could validate my alt, Gwyneth Lewellen, and have Gwyneth Llewelyn on the list as the "same" avatar. A protocol called XFN (http://gmpg.org/xfn/) states this as "identity", ie. listing two separate avatars as being the same person. Those would be validated through LL's system, and it would mean that one could "prove" they were the same person. This is far more useful than it seems, specially when dealing with business for instance, where you need to clear with someone else that you're the same person as the other avatar that you've met already.

Listing all alts — explicitly validated or not — is a shady area. Let's skip the privacy discussion for an instant (as a strong supporter of unalienable human rights, I can't agree to any restrictions of privacy except under a court order) and see if this makes sense at all. The world will be split among the ones that are able to get alts that do not validate as the same person, and the ones that are hopelessly unable to do so. So, suddenly, being able to have an avatar that is not listed as an alt becomes a huge advantage — namely, to the criminally-minded — since we "expect" all avatars to be listed.

How would you thus create an "anonymous" avatar under that model? Very briefly, you register it from a different place and from a different computer; an Internet café, for instance, is a good example. This "anonymous" avatar becomes then a precious asset, since most people will have all their alts linked together...

By contrast, the opt-in concept of listing the alts you wish to validate under the same "ID token" is the positive way of using validation: being able to prove that all the avatars that you've created for a specific purpose are, indeed, able to speak "for you". This is what I support.

Pre-emptively classifying residents as guilty parties just because they don't want to relinquish their privacy, or, worse, ostracising people because they are unwilling to favour accountability over the right to privacy, is unacceptable in the free world. Rest assured that if someone is proved guilty in court there are ways to subpoena LL and get the avatar's RL data; assuming from the start that everybody is guilty except for the ones willing to forfeit their privacy is definitely alien both to my mind and to the society and culture I live in.

If a scripter can find out, it's not difficult to use this information against someone! I mean, its easy to misuse information like this AGAINT people.

Hey your other alts is LESBIAN in secondlife! Shall I tell that to your parents????
Hey the miss contetstant such and so rapes cats in secondlife with her alt. lets tell tthis at the voting so she sure will not win!
If you don't give me 5000$, I will tell all of your real life friends that you play a woman sometimes! And that your fake!

Think about THAT too when you vote for this!

On the one hand, privacy with regard to alts is valued by many. I've met a few alts of businesspeople, which are used to escape the huge demands placed on their main accounts.
There are all sorts of reasons why people might want privacy. But, fundamentally, to try to justify privacy in terms of why people want it might be missing the point.
I'm very tempted to say that to ask why someone wants privacy fails to take the idea of privacy seriously, or is at least amusing. The entire point about privacy is that you don't have to explain yourself to anyone else.
Therefore, when you are asking "why" someone wants privacy, you are asking that they "justify to you the idea that they don't have to justify themselves to you".
That seems like a fundamental clash of mindsets to me.
Personally, I have a lot of sympathy for the privacy mindset. As the old saying goes : good fences make good neighbours.

On the other hand, there are some times when you simply need to be able to ensure that, say, the three people running a company aren't really just alts of the same person pulling a scam on you.
There's also the annoying fact that one cannot ban a person in SL. One can ban an account, or a group, but there is no way of banning a person behind the keyboard in such a way that it affects all of their alts but nobody else. Griefers often abuse the fact that each alt must be banned individually.
Other situations may arise in which it would be very useful to prove that you aren't an alt of someone who looks similar to you.

This sure is a tough area. I suggest that yes, we do have some form of uniqueness verification, and it has to be really good (that is, hard to fool). At the same time though, it has to be 100% opt-in.
If certain groups/clubs/areas require unique ID, then that is fine too. But the choice of opting in must belong to the user. Once opted in, however, ALL their alts are opted in, and opting out must be possible but require giving up 'uniqueness verified' status for any of your alts that has it.

Firstly, Gwyneth and Hera: I suspect that you might be missing one of the crucial aspects of the proposal, which is that only verified avatars would be linked to other verified avatars. It would still be possible to have unverified avatars that are not linked to anything, although whether the avatars are verified or not would be stated in the profile. Thus, those people who wish to undertake what I shall loosely describe as potentially embarrassing activities can do so with unverified avatars, leaving their verified avatar or avatars to be used for serious business purposes.

After all, casual users will probably not need to verify at all: pure consumers of simple delivery services do not really need to be trusted in the same sense as people engaged, for example, in serious commerce, in positions of authority, or handling other people's money. If all that one wants to do is make a few friends, rent a small house somewhere, buy some furniture, hold a few parties, go to events, perhaps sell some clothing or articles (using the automated simple transaction model suitable for untrusted transactions) - in other words, do what most people in SecondLife do now - then there would very likely not be a need to verify. It is only if one needs seriously to trust a person - if one is renting land, for instance, delegating substantial power to that person, having them handle other people's money, and so forth, that there needs to be a mechanism to ensure that the people in such positions are truly accountable: trust of that nature is simply not possible otherwise. The idea always was, and still is, as Angel Fluffy put it, for verification to be "100% opt-in".

The only alternative to a system such as mentioned, which is very simple, and has the same effect, is for people in such trusted positions to reveal their first-life details to people in a sensibly verifiable way (home telephone number linked to a telephone directory with that name, etc.). Such a system is, in fact, used for some of the more serious commerce in SecondLife, whereby people will execute off-world contracts with each other, using their first-life identities to engage in valuable transactions. They do that because they know that it is the only way of securing the kind of accountability that they need for their businesses, and without which it would be impossible for them to do what they want. The disadvantage of that is that people may very well not want their real-life names and telephone numbers (etc.) to be known in order to be trusted: the whole idea of SecondLife, after all, was that people lead just that: a second life. So, whilst traceable revelation of real-life credentials has the same effect as opt-in verification as suggested here, it also has the unwanted side-effect of the revelation of more information than is necessary for the purpose: in other words, therefore, the absence of such a system as suggested here can in many cases diminish, not enhance, privacy, since, without the proposed model, any form of accountability verification entails the revelation of first-life identifying data.

One of the aims of my proposals, both on the JIRA, and the work that I am undertaking on the Metaverse Republic, is to create an efficient middle ground between, on the one hand, mass, automated, but extremely simplistic un-trusted, completely anonymous transactions (where all parties assume that all other parties are potentially untrustworthy and out to exploit the system if at all possible: a good first-life parallel is the vending machine), and, on the other hand, extremely high value commerce in which people reveal their first-life identities and make off-world contracts. The middle layer would be medium to high value transactions conducted entirely in-world by people who are not totally anonymous because they are tied to a specific virtual world identity, but do not reveal their first-life information, either (it is what I think that Gwyneth has in the passed called "psudonymity"), made with in-world security tools (such as in-world digital contract notarisation and payment verification systems), and enforced and adjudicated upon effectively by in-world legal systems and means of enforcement. There must be, therefore, a middle layer between, on the one hand, total anonymity, and, on the other, full revelation of firs-life information in order to complete that middle layer, and make the in-world economy function effectively for complicated and higher value transactions, as well as for the simple, low value transactions that dominate at present. Which layer of accountability to choose would be (as it is now between the two current extremes) entirely a matter for the user in question, and how to deal with other users' choices would be a matter for each other user.

As to Gwyneth/Ludo's points about registration of anonymous alts, that all seems to rest on what appears to be Gwyneth's misunderstanding of the proposal, namely that all alts would be linked, rather than only those alts which users have chosen to verify as unique, which is the actual proposal. Under the actual proposal there would, of course, be far less incentive for such rogue registration, and it is certainly possible, in theory at least, to make the system quite robust such that, as Angel suggests, it is hard to fool. In such circumstances, although fraud could not be entirely ruled out, its mere possibility would not make the system worse than useless: after all, people frequently forge real-life passports, driving licences and identity cards because in real life, just as in SecondLife, it is convenient to be able to pretend to be somebody else, and not to be accountable for one's actions. That does not mean, however, that it is a bad, rather than a good thing, that, in real life, there exist such things as passports and identity cards.

As for the more philosophical discussions about privacy, there seems to be some flawed argumentation: Lem does not explain why he thinks that privacy is more important than accountability (why is it a better world in which people can hide from the consequences of their actions than one in which they are responsible for them? Does your belief as to the relative importance of privacy over accountability extend to, for example, the commission of real-life crimes, including, for example, terrorism? If not, where, exactly, do you draw the line, and what is the principle upon which you justify drawing the line exactly there rather than anywhere else?). As to Angel's point about not having to justify the principle that one does not have to justify oneself, that is logically flawed in two respects: first of all, in so far as privacy is about not having to justify oneself at all, it is only about not having to justify oneself about certain things (those things conducted in the private sphere, such as one's personal sexual relationships), not about every conceivable thing, including principled positions taken in public debates. Secondly, the reasoning is, in any event, circular: one cannot claim that any given claim that one is making in a public debate about how other people should act (remember, this debate is about whether Linden Lab should implement certain tools in SecondLife that potentially affect millions of users) need not be justified because the substance of what one is claiming is that things need not be justified. One cannot say, "X is true, and you should act on it, and I need not justify why X is true because X being true means that such things need not be justified". For it to be right for a person to make any given choice, that person must have sufficient reason (in other words, a justification) for making that choice. "Because I say you don't need a justification" is not a justification. It is ultimately a problem of infinite regress: the claim that that one doesn't need to justify things doesn't need to be justified itself needs to be justified, and so on ad infinitum.

Therefore, in so far as privacy is valuable at all, it is only valuable in so far as it procures good for particular people, and can only do that in specific ways. That can then be balanced against any bad consequences of whatever it is that brings about that level of privacy (including not being able to procure better consequences by pursuing instrumental goals incompatible with that particular instance of privacy), and only where the good exceeds the bad ought privacy, rather than its converse in any given case, prevail. Each argument for privacy prevailing in any given instance needs, therefore, in order for it to be a sufficient reason to be acted upon, a full explanation of how it is that the net good to people procured by that particular instance of privacy is greater than the net good of what is procured by any given exclusive alternative.

As to inalienable rights and court orders and so forth, it must always be borne in mind that a virtual world such as SecondLife provides for a vastly higher degree of privacy than does ordinary, physical-space interactions with people. In real-life, it is extremely difficult to appear as a different person when interacting with different people, and, even if one was to wear a disguise, one might readily be unmasked, and nobody is prohibited from trying to find out who the person under the false moustache really is. If, other than in virtual worlds, people take on multiple personae and identities people, quite rightly, become extremely suspicious, and think that the person in question is up to no good. People's criminal records, for example, often show that a person has given a whole string of false names to the police in the past in what is almost always (due to efficient computer fingerprinting technology used whenever a person is arrested) a futile attempt to deceive the police into thinking that one is of good character. The various human rights treaties and conventions were enacted long before virtual worlds, and their exceptionally high levels of privacy, were ever conceived of, let alone realised, and the standards by which they must be interpreted can only be the standards and levels of privacy that prevail in the ordinary world, physical space interactions for which such treaties were exclusively designed. (It would be another matter if a system linked people's previously unlinked alts without their consent, since people would have revealed information or undertaken activities on the basis that the linkage would not be revealed, but that is not what is proposed).

I suspect that you misinterpreted me there. I did not say that privacy (the idea that you don't have to justify yourself to others) is self-evident (aka: needs no further justification).
What I said was that I find it amusing that certain people (not including you) underestimate how some privacy advocates regard privacy.
Have you ever heard the saying "freedom and justice are more than words, more than beliefs, they are perspectives"?
A similar thing is going on with the beliefs of some privacy advocates. To them, privacy is not so much the result of choosing the course of action with the best consequences for society, nor is it a right to be defended.
Rather, it is a perspective. It is a special sort of foundational belief by which most other things are evaluated.
Asking certain privacy advocates why they believe privacy to be important is rather like asking certain religious believers why they believe in God. For them, it appears self-evident and due to its position as a fundamental belief by which other beliefs are judged, it is extremely hard to convince someone to change their mind about.

I am NOT saying that this approach (taking privacy as a perspective not just a belief) is justified, or for that matter, that it is not justified.
Nor am I saying that I take this approach.

What I am saying is that persons arguing with strong privacy advocates often make the mistake of underestimating how foundational the belief in privacy is for those advocates.
What I am saying is that you should be aware, when you are debating this topic, that there will be people who will be completely unmoved by your consequentialist arguments because they are not using consequences as the selection criteria to determine which belief they adopt or course of action they take.

This is why I said I find this approach tempting (as it gives privacy a special sort of importance, and I feel privacy is very important), and this situation amusing (because I feel that due to this perspective, many privacy advocates will never be convinced and many who try can be seen to be wasting their time).

The point of this is that I think allowing the debate to be framed as "pro privacy VS anti privacy" is a mistake. I suspect that internet culture encourages people to regard privacy as a perspective, and therefore it is unwise to allow yourself to be portrayed as anti privacy in any sense.

That is why I made the point about this system being opt-in.

IMHO, if you want to convince people, the issue you must work on is showing that this is irrelevant from a privacy standpoint. That is, IMHO, the way to get rid of a lot of resistance to this proposal.

There are some unavoidable crunch points where you will not be able to dodge the privacy issues. For example, say I ban person X from my land. They have three alts, named A, B and C. I have the ban on person X as the ONLY ban on my land. I teleport alt A to the land, to check the ban works and does affect them. Then I wait until suspected alt B comes online, and I teleport them. If they accept the teleport but cannot access the parcel I have learned that B and A are the same person's alts.
This is an abuse of the system but it does have potential privacy implications, and is practically possible.

Personally, I think the argument needs to be made that landowners have the right to ban people, not just avatars from their land, and expect the SL system to enforce this. If I ban a griefer I am not banning the account name, I am banning the person, and if they manage to get back, using whatever means, on an alt, this is a problem. Once banned they should stay banned.

The only way to do this is to automatically associate different alts with some central identifier. Effectively : to tie peoples' alts together so when one alt is banned, the system knows which other alts are owned by the same person, and bans them too.

Now, there will probably be some privacy advocates who oppose that idea. Personally, it strikes me as a reasonable compromise between privacy (landowners don't know who a griefer's alts are) and security (landowners can ban all the griefer's alts without knowing who they are by banning one of the alts). I think Kirsty suggested it first with the hidden keys idea. People can already compromise their privacy by leaving their IPs in websites' logs, via signing off and on their alts in quick succession while they are being tracked by online notification scripts, etc. Fundamentally privacy requires some diligence and we should not expect privacy to mean that no matter what we do, our information is protected. Rather, I think of privacy as something that protects us by default but we can lose via our actions.

Summary :
1) I think you misinterpreted me there.
2) I don't think I said that privacy is self-evident in the way you outline.
3) The point I was making was that people often underestimate the way privacy advocates consider privacy - it can be a foundational belief, not just a consequence of other beliefs.
4) I would suggest that you try to avoid getting into a "pro privacy VS anti privacy" battle. There are some cases where your proposal does have privacy implications. Nevertheless, so long as you can argue that people under this system will only lose privacy if either they opt-in to the system and choose to publish their information, or they do something that LL will probably advise residents not to do (like accept TPs from landowners under multiple alts who are "testing a parcel ban"), then your proposals seem fine
5) All that said, good luck with the proposal. Personally I don't think I would have any use for it except possibly to avoid griefers evading my parcel/estate bans, but I can see how it would probably be useful to other people. Perhaps if you want Linden attention on this, you could aim to make the case that this is useful to everyone in SL, or at least, a large proportion of people? LL might (I don't know) be more willing to give this idea dev time if it was seen as something genuinely useful for most/all SL residents. To present it in that way, it might help if you outlined why current workarounds (business owners knowing each other in RL, or giving some RL info) are so badly flawed that they need to spend dev time on making something better. Good idea to do this by arguing it protects the privacy of resident RL info while still enabling more trust in social relationships.

(Now I'm signing off, it is late!)

thank you for the comment: I think that I did indeed misinterpret you as espousing, rather than merely describing, the privacy-as-foundational argument. Such an argument is, of course, incoherent, since privacy is conceptually incapable of being the sort of thing that can be foundational: it is not an inherent feature of the universe, nor is it something that is prerequisite to being able to make sense of anything. Those who argue that something such as privacy is foundational seem to be doing so simply in order to evade scrutiny of their ideas, and impose their will on other people without reasoned debate, just as if somebody said, "it is my foundational belief that I should be ruler of the world". Nothing is beyond question or analysis: even foundational beliefs must be justified as necessarily foundational (in the sense described above).

But, in any event, I suspect that you might be at least largely right about the main point, which is that, fascinating though this debate is, the issue does not need to be resolved either way in order for this suggestion to be a good idea, since (1) the revelation of information (links to avatars) would be voluntary, and would be made in full knowledge of the consequences; and (2) it can actually help increase privacy, as stated above, by allowing for trusted transactions without revelation of real-life data.

Privacy is fundamental to freedom. Freedom of speech, freedom of convictions, freedom of religion. Freedom of political orientation and of sexual orientation. Freedom to be politically incorrect and tell a woman that she looks hot or that her ass looks big (and mention stuff like that here). Freedom to get drunk. Freedom to be promiscuous. And freedom to do all that kind of stuff in SL and with a verified account (without which we soon may not be able to do much), without the fear of affecting my professional life or even other parts of my personal life or even other parts of my second life. Private life is separated from professional life and public life in RL too.

I am willing to allow some restrictions on these freedoms in special cases, for instance, to fight terrorism. But I will not accept such restrictions merely to improve business in SL or to enable an experiment or a game in SL governance or to avoid giant penises. I will also give up some of my privacy to my government, my bank, my ISP, even maybe to Integrity but not to every Tom, Dick and Harry who can run an ID scraping bot. And, yes, whatever will enable the ban tools that you're looking for will also enable such bots.

And, Ashcroft, it is you who is imposing a point of view on us and only you therefore need to justify it to us. I shouldn't have to justify why I disagree with you and why I don't accept your argument. But I did it anyway.

Not good enough. An ID scraping bot could still generate lists of avatars that have the same ID token.

Mercia

1. Griefer creates an account and verifies it as unique using a driving licence
2. Same griefer creates an alt and verifies it as unique using a passport
3. As many countries lack a common identifying tag between driving licences and passports, there is no way to link 1 and 2.

Another scenario further undermines this approach:

1. Griefer creates an account and verifies it as unique using a driving licence
2. Griefer behaves irresponsibly.
3. Griefer cancels account and the LL assurance that details will be removed from database within (I think) 24 hours.
4. Greifer creates an account and verifies it as unique using a driving licence

So if the system cannot work anyway, why wreck everyone else's Second Life.

If cannot trust people, just don't trust them, there are already systems in place to protect buyers and sellers (Buy Object, Buy Land, etc).

Mercia

What is the garuntee that this third party will
respect the privacy laws and NOT store he info unless
requested?

Is LL Monitoring this third party? Why should we
entrust our privet info to a third party we know
nothing about?

What about security? how securer is this third party?
Who do we hold accountable if a security breach occurs
at the third party?

What about third party credentials?

I believe we have the Legal right to view those too.

What garuntees do we have against Identity theft?

I refuse to submit any of my privet info to The third
party until you guys address ALL my concerns and
questions regarding this issue.
I do NOT feel safe nor secure releasing my privet info
to a third party I know nothing about.

How much do free accounts have to pay? what about
those of us unable to get a credit card for what ever
reasons or can't access pay-pal?

Also it's illegal in some countries for an online virtual world to
require a users social security number for any reason.

Linden Labs WILL be held accountable for any problems that occurs as a result of ID theft, grid security breaches resulting in ID theft, Security Exploits resulting in ID theft,
Any problems that occurs with this third party in regards to out Privet info.

Until LL has publicly addressed these issues I REFUSE to submit any privet info or take part in LL's Age verification project. I simply do not feel my Privet info is safe nor has LL made any acceptable garuntees that it is truly safe.

Also it's illegal in some countries for an online virtual world to
require a users social security number for any reason.

And IP-based banning could be circumventing using Tor (to make it really work on SL will require linux machine to act as gateway and will result in rather big lags but it works currently).
Next step will be blocking Tor exit nodes? In this case griefer could (rather easily) buy VPN tunnel...

Better just allow users to add verification to their alts if they want. Currently - this not case. Currently it's not possible to verify alts using same set of indification data(at least without calling support,based on my experience)
p.s. If we speak about IPv6 addresses,which doesn't needed(or, currently, support) NATs - it too easy currently to get a lot of IPv6 addresses. And IPv6 is (still) not widely deployed (on MS platform only Vista supports IPv6 in GUI, XP support IPv6 partially and require commandline configuration)

http://www.chaum.com/articles/Security_Wthout_Identification.htm

By using the techniques in the paper, you can have opt-in identities and very strong privacy. Please, you owe it to yourself to read the paper before you embarrass yourself by proposing or implementing flawed schemes.