I’m trying to make sense of this piece by Ed Felten, on what he calls a “weapon of mass virtual destruction” in an online game. (You will probably have to read it first to understand the rest of this.)
The problem isn’t that I think he’s wrong – I’m pretty sure he’s right. The problem is I’m not sure why he’s right.
Should the FBI get involved in this mess?
It seems to me that they should. A WMVD of this sort is just a fancy denial of service attack, and a deliberate denial of service attack against a large network service looks to me like a crime. It’s possible that the first attack wasn’t meant to crash Second Life — though even if not deliberate it was certainly reckless — but subsequent attacks could only have been intended to cause a crash.
That sounds very promising to start with. A crashing server is a “real world” event, not a “virtual world” event, and since a real human has deliberately caused a real-world harm, we are in the domain of real-world law enforcement.
On reflection, though, the issues start to blur. The jargon term “crash” can be used to describe a large range of computer behaviours. The assumption in this case is that the game server software stopped working, and either terminated itself or had to be terminated by an operator. There are other possibilities, though. For instance, it might have continued to function “correctly”, but, since the majority of the “virtual objects” being maintained were by now copies of the “gray goo”, the actual progress of everything else might have been slowed down, possibly by 1000 or 10000 times. It’s not actually particularly likely, but it’s quite plausible, and it would actually be difficult to tell whether this was the case or not. Even the most casual computer user has been faced with the question “is it working, is it going slow, or is it dead?”
So what? If it doesn’t make any difference to any actual user, then it’s no different, right? But it’s less clear in this case that we’re talking about a “real world” event. A server rebooting is a real world event, but a program processing objects of type A not objects of type B? Not really.
And that, I think, negates Felten’s argument. He calls it a “denial of service” but it is more of a matter of opinion – if the server is servicing the allegedly malicious user rather than other users, that could be seen as a legitimate “aim” of the game. After all, if you kill the character of another player in a game (which in many games is more or less the main point), you are “denying service” to that player, but you are no more guilty of “denial of service” than you are of murder So the fact that you’re deliberately impairing the experience of other players does not make you actions illegal, any more than if you killed them with a sword in one of the more combat-oriented games.
The obvious difference is in the intention of the game, or its organisers. You’re supposed to decapitate people in Everquest, you’re not supposed to destroy the world in Second Life. But that’s weak too – the attraction of Second Life, from what I can see, is it’s open-endedness, the fact that you can do things in it that nobody else thought of doing.
In conclusion, I think that it is reasonable that this “WMVD” could be considered to be against real-world law, but it’s a matter of judgement, and of degree. Effectively, an arbitrary line would have to be drawn – how much are you imparing the service of other users, how far from the intention of the owner of the service are your actions. Many other things are like that, of course.
Two related issues, for comparison:
In sport, there are rules that you can break with purely in-game consequences, and rules that you can’t. For instance in soccer, if you are behind the last defender when the ball is played to you, you are offside, and if the match officials judge it correctly, the other side gets the ball. There is nothing immoral in being offside, even deliberately (in the hope of getting away with it). On the other hand, if you deliberately trip up another player, that also results in the ball being given to the other side, but in addition it is considered to be misbehaviour. If the foul is considered to be deliberate or reckless, you can receive extra in-game penalties, and also penalties that are within the game-system but external to the actual game being played – for example, being disqualified for another game, or being fined by the game’s governing body or your club. In extreme cases, you can be subject to out-of-game penalties, such as being charged with assault or sued. This has happened a few times. The same three levels can apply in online computer games. You can be pursued by some kind of in-game policeman – this is part of the game, like a free kick for offside. You can be excluded or restricted by the game’s organisers – this is like being suspended. Or you can be pursued through the law. The distinctions aren’t always clear. (Was a criminal fraud committed on 22 June 1986?)
Second, similar questions of proper and improper uses exist with other network services. An SMTP server can receive email messages. Some servers are configured to receive only from certain users, but to forward mail to anywhere. Some servers are configured to receive from anywhere, but deliver only to certain addresses. Servers can be, but rarely are, configured to accept mail from anyone and forward it to anywhere. Some servers are not correctly configured to enforce the restrictions intended by their owners. What uses of these servers are proper? Is it a crime to take advantage of a misconfiguration? of a software bug? Over the past 5 years or so, some arbitrary lines have been drawn.