Second Life Is Plagued by Security Flaws, Ex-Employee Says


A lawsuit filed by the former information security director of Linden Lab—the company behind the online virtual world Second Life, which, yes, is still a thing—claims the company mishandled sensitive user data and turned a blind eye to simulated acts of child molestation and the potential for money laundering.

Paris Martineau covers platforms, online influence, and social media manipulation for WIRED.

In a lawsuit filed in San Francisco County Superior Court on July 30 and served to Linden Lab on Tuesday, Kavyanjali Pearlman, a security researcher who joined Linden Lab from Facebook in 2017, says that she raised these issues during her tenure, and was met with hostility. The suit alleges company executives retaliated against her for flagging cybersecurity risks and potential violations of anti-money-laundering laws, child exploitation, and data misuse.

Pearlman claims the company discriminated against her as a woman, an Indian immigrant, and a Muslim. “After making her concerns known, [she] was treated worse than similarly situated employees who were not immigrant women of color, who were not religiously Muslim and wore a hijab,” says the suit. “Instead of looking into Pearlman’s complaints, Linden Lab’s senior officers led a campaign of retaliation against her, painting her as an inept employee who has issues with communication, and ultimately terminating her employment in March of 2019.”

“While we will fight her alleged claims in court, we deny any allegations that the company has engaged in any illegal activity,” said Linden Lab spokesperson Brett Atwood. “Ms. Pearlman left the company on March 15 only after she was given the opportunity to improve her work performance. We look forward to all the facts coming out in a court of law,” he said, declining additional comment because of the lawsuit.

Linden Lab is best known for Second Life, the massively multiplayer virtual world launched in 2003, which boasted around a million regular users at its peak, and an estimated 800,000 active monthly users as of 2017. Those numbers are paltry compared with today’s social media giants, but it’s still a sizable chunk of people.

A decade ago, Second Life was populated mostly by futurists, brands, and, for some reason, embassies; today, the virtual world occupies a more niche space online. Much of Second Life revolves around the Linden Dollar, a virtual currency with real cash value that is used to buy and sell in-game items and virtual land, and to operate or play at virtual “skill gaming” casinos. In 2018, approximately $65 million was paid out to Second Life users for a variety of virtual goods and services. Gaming—including both free-to-play games and “skill” games that offer payouts—was the most popular activity among users, according to Linden Lab.

Last October, Pearlman says she raised concerns with Linden Lab executives that the company was not complying with anti-money-laundering rules, including not collecting required information about the operators of skill games, according to the lawsuit. She says her concerns were dismissed, and that the issues had yet to be addressed by Linden Lab when she left the company in March.

Atwood, of Linden Lab, declined to comment when asked about the accuracy of Pearlman’s description of events. “All Second Life skill gaming operators must provide and verify their identification as part of a rigorous application process,” Atwood told WIRED over email. “We are in compliance with all legal regulations and all skill gaming operators agree to our Terms & Conditions as part of the review and approval process for our Skill Gaming program.”

In the suit, Pearlman claims that the user payment information collected by Linden Lab and “Second Life customer data” wasn’t secure, and that her attempts to correct even the most glaring security issues were met with hostility. In September 2018, Pearlman says she alerted multiple members of the IT team and executive board that payment information was accessible by employees from other parts of the company, and that outside contractors were gaining access to support tools that gave them unfettered access to private user data, according to the lawsuit.

Pearlman says even more serious issues received similar treatment. Sexual roleplay is a popular activity among Second Life users; the virtual world features many so-called adult regions where users’ avatars can be nude, have sex, and engage in more niche sexual activities. Last fall, the suit alleges, Pearlman urged Linden Lab to review its age verification and consent review process, as she was worried the company could be erroneously collecting data on minors and enabling children to use the platform without the consent of a parent or guardian, which would violate the Children’s Online Privacy Protection Act and Europe’s GDPR.

Pearlman says that her concerns were only amplified by violations of Second Life’s “ageplay” rules, which prohibit users from engaging in virtual sex acts with users that present themselves as children. The lawsuit says that violations of Second Life’s ageplay policies “could be called simulated child molestation” as users’ avatars can resemble children; in an email to the chief operating officer in the fall of 2018, the suit says, Pearlman raised concerns that the company’s age-verification policies posed the “risk of underage kids being involved,” but was dismissed in favor of prioritizing the launch of a subsidiary company.

According to the lawsuit, in 2018 the manager of Linden Lab’s fraud team “presented information to Linden board members in quarterly fraud reports that acknowledged a high number of such Ageplay [sic] violations were actually occurring on a regular basis each quarter.” The suit says Pearlman “was concerned that Linden Lab was apparently allowing the users to violate ageplay rules, by not implementing appropriate procedures to prevent violations from repeating at the same levels each quarter.”

The lawsuit claims that Scott Butler, Linden Lab’s former chief compliance officer, wrote a memo to other executives in June 2018 “urging compliance with cybersecurity laws consistent with Pearlman’s repeated concerns” and recommending that she be appointed the company’s Chief Information Security Officer. A former high-level Linden Lab employee confirmed the contents of the memo. The former employee said the memo “indicated that there should be more scrutiny on the ‘skill gaming program,’” and recommended Linden Lab adopt a suggestion from Pearlman to determine why it “had not been able to prevent the seedy population of ‘age-players’ from returning to Second Life, time and again.”

When asked whether Pearlman’s description of events regarding ageplay violations is accurate, Atwood, the Linden Lab spokesperson, declined to comment.

“In accordance with Second Life’s Community Standards and Content Guidelines, real-life images, avatar portrayals, and other depictions of sexual or lewd acts involving or appearing to involve children or minors are not allowed within Second Life,” said Atwood. “If any such activity is detected, individuals or groups promoting or providing such content and activities will be subject to enforcement actions, which may include immediate termination of accounts (including all detectable alternate accounts), closure of related groups, removal of content, blacklisting of payment information and loss of land or access to virtual land.”

