Virtual worlds increasingly offer significant outreach and business development opportunities to companies, governments, and the world at large. These virtual worlds – such as Second Life, World of Warcraft, Entropia Universe, EVE On-Line and others – allow people to interact through digital personas or avatars. As these worlds evolve and grow in popularity and acceptance, and become more integrated into many aspects of business and society, they offer new and uncharted terrain for security practitioners to embrace, explore and apply corporate governance and information security policy.

As security practitioners, there are many things to consider before advising our business leaders on how to make the leap into virtual realms. In many cases, the old rules apply, but some things we simply have not had to think about before. Walk into the uncharted terrain, but go with trepidation.

Terms of Service - Many third-party companies now provide virtual services to individuals and businesses. Most require a monthly fee but some are free of charge. All of them require participants to agree to the company’s terms of service. These terms of service are an attempt to protect the virtual world service provider’s control over all aspects of the service, content and data generated in that virtual world. Thus, ability to remain a member of a virtual world or to have or use a space within that world is behavior dependent and not always guaranteed.

Each virtual world provider has its own unique characteristics and terms of service. In signing up to participate, businesses should fully understand the terms and conditions to which they are agreeing as members of that community. Users who sign up for service should also recognize that, unless specifically directed by their management, they are signing those terms and conditions as an individual. Therefore, the individual and not the business are responsible for all aspects of participation in a virtual world. If an account is for business purposes, ensure that it is not paid for with personal funds and review the terms of service with appropriate legal counsel.


Public Forum - It is also important to remember that virtual worlds are public, software-based, open societies in which having a dialogue is similar to having a discussion or meeting in a public place such as a hotel lobby or an airport. Individuals acting for themselves or as part of a directed business venture should operate on the assumption that all actions, communications and data can be seen, heard and recorded by anyone, including the service provider – which may not, and often does not, have any obligation to protect your communications or information.

In the conduct of personal or employer business, many rules of the physical world apply to the virtual world(s):

1. Do not run the client on an account with Administrative privilege.
2. Do not disclose proprietary information or talk about company business in a non-company forum.