The Virtual Thief (and what that means for privacy)

Giff Constable technology, virtual worlds

In 2006, we created an online marketplace for virtual goods in Second Life.

Our competitor had a daunting network effect advantage, but we had no intention of fighting over the existing market. The real market in our eyes was consumers yet to come (they never really came, but that’s a different story).

To drive traffic, we built relationships with large media companies. However, to make the virtual goods marketplace thrive, we needed great products to sell, which meant we needed great content creators.

It almost came to a sudden end when one of our engineers stole from the marketplace.

Wynx Whiplash was a fabric designer IRL. She fell in love with the creative potential of Second Life like the rest of us. And she made a very nice income in SL by creating and selling the “Tinies”. The Tinies were a new kind of insanely cute avatar (hence the picture above). One of her Tinies was an adorable sheep, which she agreed to sell on our fledgling platform.

One of our engineers wanted those sheep.

He didn’t mean any harm. Our company was called the Electric Sheep Company. He had created some NPC bots for a technical experiment, and he figured, why not make them sheep since that was the name of our company.

So he went into the database and gifted a large number of the sheep to his avatar. He did not pay for them. I don’t know exactly what was going through his mind. I don’t think he even realized that he was stealing by doing it. Maybe he rationalized it the way people did with Napster, because there was no marginal cost to duplicating the virtual good. I’m not even sure he thought about it that far. But no matter how you slice it, it was stealing. Wynx charged money for those creations.

Then he plopped those sheep down in a wide-open virtual field that Electric Sheep was about to develop for a client.

Enter Prokofy. Prokofy was a demagogue blogger. If you ever read Ender’s Game, think Peter’s Demosthenes. IRL she was a writer living in New York. I had met her in person and she was smart and delightful. Online, she was a he, and a wickedly clever troll. Back then, our company was target #2 only after Linden Lab itself, the maker of Second Life.

Lo and behold, while scouting out what ESC was working on, Prokofy came across this field of endless sheep. And being who he was, he immediately took a picture and publicly accused us of stealing from content creators.

Which soon got to me. My reaction was first to shrug. More Prokofy pitchforks and torches. I wasn’t concerned, because it couldn’t be true, right?


One of our employees had stolen from our customers.

First and foremost, it was flatly immoral. Secondly, if the other content creators thought we would do such things, they would reject our marketplace and our plans would be toast.

Utter toast.

I am pretty sure there was an avatar in Second Life named Utter Toast, but I digress.

Thus ensued one of the craziest couple of hours of my life, where I had to reach out to Wynx, explain what had happened, beg forgiveness (and make sure her account was credited), try to put out the fires, and work with our CEO to take action on the hapless engineer who had little comprehension of what he had done and risked.

We got a little lucky. Of all the content creators this engineer could have stolen from, he chose one of my closer friends. I had personally helped Wynx build her online business, and there was a lot of trust between us. She accepted my explanation and worked with me to defuse the situation. If it had been almost anyone else, our reputation could have been ruined.

Ruined simply by a thoughtless step taken by someone who had the power to access our systems.

Why do I tell this story 8 years later?


Uber has been suffering a string of PR upsets because they are playing a hardball, whatever-it-takes game with competitors. And showing their true stripes in the process.

In the latest BuzzFeed story, the writer shares that the head of Uber NYC looked up a journalist’s travel information without her permission. Uber claims that this is against policy, but as my virtual worlds story illuminates, policy doesn’t mean much if you don’t have security infrastructure and processes to back it up. Violations merely take thoughtlessness. As we have learned over and over with Facebook, those violations of trust can have big implications for people’s lives.

In virtual worlds, everything you do can be tracked. Everywhere you go. Everything you own. Everything you type. Everyone you interact with. This data can be incredible for life-logging purposes, but such a panopticon existence is also a bit scary.

That same dynamic is coming to the real world, with huge implications. It’s not just our mobile phones, wearable devices, and Internet activity. Skybox (now owned by Google) is a private satellite company that peers down on the world and sells the data, and the Internet of Things is going to cause an explosion of data.

Privacy might be a thing of the past. We don’t know yet.

For me personally, I choose the tools I work with based on a guessed moral compass of a company. This always comes from the CEO. I don’t think Mark Zuckerberg or Travis Kalanick have a strong moral compass, and so I choose not to give Facebook or Uber much of my data. Rightly or wrongly, I actually think that Larry Page has a decent moral compass, so I give Google a lot of data.

Europe goes overboard on privacy and limits entrepreneurship because of it, but I also think that the USA has a lot to figure out here. Society has yet to face the implications that are coming for personal relationships, corporate behavior, and government power. It is actually interesting watching the evolution of how kids approach it, and I feel like every few years, each generation of kids is getting more sophisticated about the implications of the always-on Internet.

Privacy policies need to be simplified and made much clearer.
Consumers need to make smart choices about who they want to give data to.
The 30+ age groups have a lot to learn from kids here.
Companies, once they graduate from startup to “real company” status, need to go beyond “verbal policy” and put real security infrastructure and processes in place.
The government will always lag 20 years behind.

It is going to be really interesting, and possibly quite uncomfortable, watching society grapple with these issues over the next many years.