How dangerous are IAR exports?

Inventory exports, or IARs, became a heated topic of discussion in Google Plus communities yesterday, with one grid even disabling its IAR exports temporarily as a result.

Much of the debate is due to a misunderstanding of how IAR backups work — and of how thieves steal content.

What is an IAR?

IAR backups allow users to make personal backups of their inventory files. They can use those backups to restore their inventories in case something happens, to move their avatars to another grid, or to share their inventories — or individual folders from those inventories — with other people.

All three of these have legitimate uses. For example, in many countries, any backup made purely for personal use is legitimate, no matter what the license terms on the content are.

Moving content from one grid to another is perfectly fine if it’s content that you have created yourself, if it’s content distributed under CC licenses, or if it’s exportable content bought from Kitely.

Distributing IARs is also perfectly fine if, again, you’ve created the content, or the content came with a CC license and you’re distributing in accordance with the license. Linda Kellie has quite a bit of content available in IAR form on Zadaroo.com.

Linda Kellie’s clothing is available via IAR file on Zadaroo.com.

Low risks of abuse

Can this technology be abused? Yes.

But the risks of abuse are extremely low, for the following two reasons.

First, you can only export things that are already in your own inventory. That means that if you want to steal commercial content, you have to buy it first. So, at worst, you’re stealing a few items that you’ve already paid for.

Real crooks will take copybot viewers to places that have lots and lots of content and rip it all. That means that they go to shopping malls in Second Life instead of bothering with a couple of pieces of content here and there in OpenSim.

Second, where to sell it? On the hypergrid, the only real sales venue of any significance is the Kitely Market, and they are extremely careful about content theft. The Kitely Market is online, so it’s easy for content creators to check if their stuff has been stolen, and Kitely delays payouts to limit fraud and has other security measures in place, as well.

The best place to sell stolen stuff is, again, Second Life.

Freebie stores in OpenSim have been rapidly switching over to Linda Kellie content or to products made by local creators, to avoid the possibility of content infringement lawsuits. No startup grid has extra money lying around to defend itself from a suit. It would destroy a grid before it even really gets going — the risk is just not worth it. Especially when there’s legitimate content that can be used, instead.

Finally, anyone with a few minutes and a little persistence can set up an OpenSim region on their own computer. That gives you full console access to everything on that region. If you teleport in and put stuff down, you can save it to your hard drive, change its perms, do anything you want — you are the grid owner, you have full access to the database and the console.

Scripted content can be stolen

The one big exception to the “low risk” argument above is that of scripted items. Copybots typically won’t steal the scripts — just the outward appearance. But if you have the item in your inventory and save the inventory, the script gets saved, as well.

There are two main things that content creators can do to protect scripted content in OpenSim.

First, they can avoid distributing it on open grids. Unfortunately, that means that they can’t sell exportable versions on the Kitely Market, because it doesn’t discriminate between other grids. You’re either delivering to all other grids, or none of them.

Second — and this is the option that I recommend — is that they switch to server-side scripting. By moving key functionality to a server, you’re ensuring that your competitors can’t get their hands on it. Even better, you can run some of the server-side functionality in an OpenSim module that you install on your grid and only on your grid. That means that your customers will have to come back to your grid in order to, say, breed their new pets — because the functions only exist on that one grid, or only on those grids that have purchased a license to your system.

What can grids do to protect their content?

Open grids typically do nothing. That’s why they’re called open grids. Anyone can connect a self-hosted region, which means anyone can do anything they want to the stuff on that region.

Atek is an open grid, like Metropolis, OSgrid, FrancoGrid, Craft, WestWorld, and many others.

This is how those grids work.

Filtered exports are typically implemented by grids that provide their own region hosting and do not allow users to connect regions they run on their own home computers.

One way to filter exports is to check if the item has the export permission turned on, though this code is still experimental. Another way to filter exports is more popular, and that is to check if the item is full perm or your own original creation. Several grids do it this way, including Spellscape.

Kitely has a combination of both — it uses its own export permission, and it also checks for copy and transfer permissions before allowing content to be saved in OAR files or travel via the hypergrid.

Filtered exports allow commercial grids to be open to the hypergrid, to offer IAR and OAR exports and still protect proprietary content.

However, this is only effective when people can’t connect self-hosted regions. Export filters only work when users don’t have access to their consoles.

Does that mean that open grids should not try to filter exports at all?

Of course not. As many pointed out, “locks are for honest people.”

Filtered exports serve to remind people about the license terms of their content. Yes, the crooks will be able to circumvent that by connecting their own regions and going into the databases, the OpenSim server management console, or by giving themselves God powers. But crooks have many tools available to them already for stealing content. They’ll steal stuff one way or another anyway.

Filtering can hurt usability

The one downside to filtering content is that it can make things difficult for some legitimate applications.

Say you’ve built a big object and one tiny piece of it is not full-perm. It’s a little piece that someone handed to you and forgot to fix the permissions on, or that you picked up in a freebie store. Now you can’t export that whole object until you track down that little piece and replace it.

Or say you’ve worked on a project as part of a group. Different pieces of it now have different creators listed, some of whom may have gone on to other things so can’t come back and fix the perms — and now you can’t export the entire build.
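The filtering approaches described earlier (export flag, full perm or own creation, and the combination the article attributes to Kitely), sketched as an added Python example that is not OpenSim's or any grid's code. The permission bit values, the `Part` class and all names are assumptions for illustration; the report lists which parts block a build, which is the usability problem described above.

```python
from dataclasses import dataclass, field

# Assumed permission bits in the style of an OpenSim permission mask (illustrative).
TRANSFER, MODIFY, COPY, EXPORT = 1 << 13, 1 << 14, 1 << 15, 1 << 16
FULL_PERM = TRANSFER | MODIFY | COPY

@dataclass
class Part:                      # hypothetical model of one piece of a build
    name: str
    creator: str
    perms: int                   # permissions granted to the current owner
    children: list = field(default_factory=list)

def has_export_flag(part, exporter):
    """Filter 1: the item carries the export permission."""
    return bool(part.perms & EXPORT)

def full_perm_or_own(part, exporter):
    """Filter 2: the item is full perm or the exporter's own creation."""
    return part.creator == exporter or (part.perms & FULL_PERM) == FULL_PERM

def export_and_copy_transfer(part, exporter):
    """Combined filter: export permission plus copy and transfer."""
    need = EXPORT | COPY | TRANSFER
    return (part.perms & need) == need

def blockers(obj, exporter, policy):
    """Return the path of every part failing the policy; empty means exportable."""
    failed, stack = [], [(obj, obj.name)]
    while stack:
        part, path = stack.pop()
        if not policy(part, exporter):
            failed.append(path)
        stack.extend((c, f"{path}/{c.name}") for c in reversed(part.children))
    return failed

def sample_build():
    """Constructed sample: a build with one freebie part that is not full perm."""
    return Part("house", "alice", FULL_PERM, [
        Part("door", "alice", FULL_PERM | EXPORT),
        Part("lamp", "bob", COPY | MODIFY),          # no transfer permission
        Part("sign", "carol", FULL_PERM),
    ])

if __name__ == "__main__":
    for policy in (has_export_flag, full_perm_or_own, export_and_copy_transfer):
        print(policy.__name__, blockers(sample_build(), "alice", policy))
```

Reporting the blocking parts by path, rather than refusing the whole export silently, lets the builder find and replace the one piece that fails the filter.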

This happens particularly frequently with educational builds, where students may do a lot of the building and forget to set the permissions or deed the objects appropriately, so the teacher can’t save the build or share it with other classes.

OpenSim permissions don’t distinguish between employees creating things under work-for-hire licenses for their employers, and content purchased from outside creators. By default, the intellectual property created by employees on company time should belong to the company that pays for it. Instead, it’s attributed to the individual employee’s avatar.

As a result, filtering exports may dissuade groups, schools, and companies from using a particular grid in favor of another open grid without the filters. Or they may decide to run their own grid, instead, where they have full control over everything.

Maria Korolov

Maria Korolov is a science fiction writer who covers cybersecurity, AI and extended reality as a tech journalist at her day job.