Second Life screams for an Internet Identity Layer

Second Life is an Internet-based virtual world developed by Linden Labs. It uses advanced virtual world technology to create what is, in essence, a highly sophisticated social networking application. Users of the system, called “Residents”, can explore, meet one another, socialize, participate in individual and group activities, create and trade items (virtual property) and services. Today, Second Life is home to half a million residents, and everyone from Duran Duran and Wells Fargo Bank to the Department of Homeland Security has funded real estate here.

Why am I talking about this on my blog? Well, in a recent statement on their official blog, Linden Labs announced that it will be introducing an age and identity verification system. Residents will have to provide proof of identity (driver’s license, passport or ID card) that asserts their identity as well as their legal participation in SL as an adult (above 18). SL states that

“The verification system will be run by a third party specializing in age and identity authentication. No personally identifying information will be stored by them or by Linden Lab, including date of birth, unless the Resident chooses to do so. Those who wish to be verified, but remain anonymous, are free to do so.”

Yet More Proof (as if we needed it)
Well, if there ever was a shining example of why we need an identity layer for the internet, this is it. Linden Labs has made the decision that the existing information they have (credit card and Paypal accounts of residents) is not enough. They need full-fledged identity verification (including age information), presumably to protect themselves in an attempt to prevent cases of child abuse in their online world. But to provide sensitive PII credentials like a driver’s license or passport? Concerns of identity theft are springing up all over (see Mitch Wagner’s blog post on the subject).

The Theory
I would venture that most of the people accessing SL are sophisticated web users that have online banking accounts. My bank already took all the same information (driver’s license, passport) when I opened my account with them. Wouldn’t it be great if our banks could issue a signed identity assertion that I could take to SL that informs them of my being of legal adult age? I could access a special SL webpage using my bank issued InfoCard, that allows SL to link up my account information to the fact that my bank asserted that I am legally an adult. And I don’t have to worry about who might receive the scan or jpg I upload of my most sensitive documents.

Similar Experiences Across The Web
I recently had the same experience at iStockPhoto, where I was trying to sign up as a user allowed to sell photographs I took. The “application” required me to upload a digital image of my drivers license and upload it to their website. This was a simple identity verification process that took on larger significance for me, because I had no way of gauging how well iStockPhoto would protect my information. I don’t know if the image will be securely destroyed once age is verified, if it will be kept on a server (the backup DVD of which may end up falling out the back of a Fedex van somewhere), or who has access to see that image.

In the identity management community, it has long been understood that the most important, and difficult, part of the self-registration process is the identity verification process. Most websites never really require anything more than an email address that they know you own (verified through a simple email-based verification method). But as child protection regulations force more and more online sites to take the sort of step SL is taking, the issue of identity verification will become an even greater challenge. The only way to avoid the next wave of identity theft and phishing attacks is to get an identity layer in place, and motivate the right identity providers. The last part is probably key, as without incentive, no worthwhile identity provider (like banks) will be willing to take on the liability. SL states that

“Premium Second Life Residents will have access to the identity verification system for a nominal Linden Dollar fee as part of their subscription. Free-account owners (Basic membership) can pay a larger Linden Dollar fee for the service, can upgrade to Premium to access the system, or simply decline to verify their age and continue enjoying Second Life without access to adult content.”

Maybe banks can charge their customers a nominal fee everytime their identity is verified somewhere using a bank issued identity selector (not that I am saying I want this model).
I can just see the email landing in my inbox one day. “Dear Second Life Resident, it has come to our attention that we do not have your age verification on file. Please click on this link to …”