« Confessions of a Virtual Transient | Main | The MMO Powerplant »

Jun 14, 2006



This whole case is flatly ridiculous. What's really at issue is whether hacking an ecommerce system to get a lower price is legal or not.

If you try the words: "hacked into the Linden Lab's ordering system via URL manipulation" instead of "tweaked the URL's" I think you'd have an equally accurate article.

I'm still shaking my head at the gall of this guy. I think he's lucky he hasn't had criminal charges brought against him.


(Not a legal opinion, but from an IT and IT security professional's perspective)

On one hand, the person did manipulate the URL... a publicly available interface, to find these items.

I don't know about you, but I "hack" URLs all the time - usually because some bozo at the web site can't maintain their systems properly.

This information was publicly available, via a URL, if not easily available, because it was not indexed by the current auction system. The person did not "hack" the system in any meaningful way.

This is pretty analogous to trying to guess an email address or phone number from partial information. Something everyone does.

This case is much closer to an airline inadvertently advertising tickets for a dollar or a gas station screwing up and advertising gas for a penny. Because the price was publicly available - via a URL that could be entered over the internet and Linden Lab processed the order, it should be considered a valid sale. There were many points before the sale completed that Linden Lab could have prevented the sale. They took his money for the sale. The burden is largely on the company to accurately advertise its pricing. Usually, once you process a transaction - sign on the dotted line or accept money - you have a contract.

Most companies would take a "shame on me" attitude, bite the bullet, honor the sale, and fix their security.


Personally I think Mr. Bragg is not someone with whom I would want to do business. That being said, the issue at hand actually makes SL and Linden Labs an organization with whom I would want even less to deal with.

Personally, I think it's ridiculous that people would pay money for virtual property, even more so when the organization has gone to great lengths to craft a TOS that tells you that for any reason (TOS points 2.6 and 5.2) at whim, discretion, or external act it can all go away tomorrow and the only thing you can do is bend over and take it. At least that's what they'd like you to believe based on the TOS.

I think the line between service provider and purveyor of virtual property makes the issue muddy at best. Especially when you conclude a transaction and then decide you didn't get a good deal (in this case allegedly due to some form of fraud or tweaking/hacking of the sales system) and use eminent domain to yank the property back and re-sell, in essence, stealing money from the original consumer(s).

I for one had been checking SL out but, after this issue coming to light, I've decided that regardless of how intriguing it is, it is no longer worthy of consideration. When all else fails, vote with your feet.


Did LL keep the money?



Any actual lawyer should know better than to try something like this. All the actions Linden Labs took appear to be clearly and even explictly covered under the Terms of Use.

Barring a challenge to the legitimacy of the actual terms, there doesn't seem to be anything even worth looking at here.

These aren't droids period, much less the ones we are looking for.


I've explained why this is an exploit, but not a hack, and still theft in CC and BNA linked in the OP. It's not just tweaking a URL, it's like taking a car with the car keys left in, then selling the hot car, then screaming when the police arrest you and seize the funds. He sold the hot land fast and cheap, and the Lindens kept the proceeds. The auction system was used in a way in which it was not intended. A legitimate auction with an opening bid of $1000 was not accessed; what was accessed was probably with an ID number in the queue, but not formally placed with an opening bid yet.

When an auction house operates, you can't sneak into the back room, take a rare vase out of the queue befoer it goes under the hammer, and claim that because the door wasn't locked, you get to keep your stolen property. The item wasn't placed for auction, the bid wasn't opened -- it was faked and forced open out of queue.

The issue now is whether the account was properly closed by LL under the TOS; it seems pretty clear they can close accounts for any reason or no reason, and they have pretty clear rules that they get to keep your stuff and money when they do that, too.

It seems arbitrary and unreasonable, I guess until you can see their side of it a bit, being vulnerable to every hustler who comes along and tries to shake them down for a free sim. The right thing to do would have been to point out their flawed browser function, so they could fix it (which they did instantly), and ask for an arrangement, either to pay just the opening bid price of $1000 or to start the auction again.

This is a case of a blowhard trying to distract from his own fraud by yelling loud enough and thinking that he can get eggheads at Terra Nova to accept it as legally interesting. It isn't. It's not going to forge any new territory in law about virtual goods and chattle. Nothing to see here, move along.


Let's remember that no one forced Linden Lab to have unsold "property" available at all.

No one forced Linden Lab to accept the money for the property.

The actions of this individual are not nearly so interesting as the problem it exposed and Linden Lab's response.

Basically, we have a company that is in the virtual real estate or hosting or ??? business who has not properly protected one of its core revenue generators - the auction of "virtual property". It did not simply keep unsold or pending properties from being visible for sale. It did not clearly mark them as not being for sale. It didn't even set them at a price that would be prohibitive to purchase if they were accidentally exposed.

This is not a business that just started operating last month - one would think that these flaws had been worked out by now or not existed in the first place.

This error was just dumb. The response dumber.

There is something to see here. The game that keeps trumpeting itself as a "virtual world" and a "platform" for new businesses is "not the droid we've been looking for".

Virtual property rights are beginning to be established in China, Korea, and even Vietnam. Its likely that the basic global definitions of these virtual asset problems are not going to be determined in the US.


I'm surprised they filed a civil suit. I would have reported it as a crime.

"On one hand, the person did manipulate the URL... a publicly available interface"

Swapping price labels on boxes in a retail store to steal something for a lower price could be considered "manipulating a publicly available interface", but it's theft. Using fishing wire and metal slugs to trick a vending machine to dispense cheap product is "manipulating a publicly available interface", but it's theft.

Theft is theft. The mechanisms may change, but the thieves remain the same.


Bigger companies with bigger computer systems have made similar mistakes to what LL had with their auction system and had them exploited in a similar way. Stupid, yes, but the guy who exploits the stupidity is still culpable. If you really want a legal precedent, look up the case history of Adrian Lamo (http://en.wikipedia.org/wiki/Adrian_Lamo). (I may have the technical details wrong but if memory serves, much of his "hacking" involved changing URLs, as well as setting up proxies in IE to access sensitive info.)

Indeed, nothing new to see here. Move along.


I'm waiting for the case that establishes whether LL is a service provider or something more. This doesn't seem to be it. However, I do think that their TOS/EULA vs. how they hold out the service is problematic, and I wonder when advertising "puffing" becomes something more.

Then again, I also think EULAs are in serious need of reformation, especially for platforms that purport to be a service.


Keep in mind that even if a court found that your property in SL belongs to you, they are selling property in some manner. That wouldn't necessarily apply to the people who want to cheat at more mainstream games through RMT etc.


I just got an email from Michael Warnecke, the legal editor at BNA, who writes:

"Bragg recently withdrew his complaint just before the small claims court was scheduled to consider his case. My understanding is that the case has not settled but that Bragg may refile it in another court that has broader jurisdiction to address the underlying policy issues."


Thanks for that, Prokofy. As I suggested above, filing this in district justice was a strange move -- so I'm not incredibly surprised.

Bottom line: until we hear something new, there are now no droids.

Hence, these are certainly *not* the droids we were looking for.


Although the "droids" aren't there, I think the ToS issue is important enough to be discussed with regards to the above issue.

The description for a Standard Form Contract, aka adhesion contract, on http://en.wikipedia.org/wiki/Standard_form_contract is IMHO very similar to the ToS agreement users are forced to sign when they wish to participate in many online activities. The main problem, as I see it, is the customer's lack of ability to negotiate the terms of the contract he or she signs, not to mention the fact that most ToS agreements are written in Law-English, which is practically unreadable by average Joe, and so many consumers sign these contracts without ever trying to realize the actual terms of the agreement. You could say it's their fault, but it's not - they have too many cryptic agreements to sign and they are tired of trying to decipher them.

I think the above case, despite the fact Mr. Bragg is allegedly not snow white, is a good example of how unfair the ToS system is and how badly a reform in that field is required.

I think there should exist a multinational government institute that negotiate ToS contract terms with online service providers on behalf of the public and explain those negotiated terms to prospective consumers in plain English and let them react. That way, the service providers will be forced to have less radical ToS and consumers will have a better understanding of what they are signing on.

The comments to this entry are closed.