User authentication for ToS and GDPR compliance not a walk in the park for OpenSim grids

(Image courtesy David Kariuki.)

There currently is no easy way for OpenSim users to agree to a grid’s privacy policies and terms of service or give data use consent as required by the General Data Protection Regulation, or GDPR.

GDPR is a European Union data protection law that came into effect in May 2018. It applies to every organization that processes the personal data of EU citizens and residents, and breaking its rules can result in severe fines and penalties.

Although almost all OpenSim grids implement their own terms of service and GDPR compliance, doing so requires more than just a user authentication module that lets users click a checkbox to agree to terms and give consent, said Ilan Tochner, CEO of Kitely.

Kitely CEO, Ilan Tochner.

“Among other things, GDPR compliance requires handling certain data in ways that OpenSim isn’t set up for and requires reengineering to support,” he told Hypergrid Business. “For example, GDPR defines a right to be forgotten, which requires the removal of personal data – as defined by GDPR – from your system, including from your server logs and backups, under certain conditions.”

A company must implement a long list of technical and procedural requirements to support GDPR, said Tochner.

“You’ll likely need to use the services of a lawyer or one of the many companies that specialize in helping companies achieve GDPR compliance,” he said.

Kitely, on its part, uses a custom solution that is more comprehensive and addresses all the GDPR requirements.

“Kitely was one of the first OpenSim grids to support GDPR, way back in 2018 before GDPR came into effect,” said Tochner. “One of the long list of changes we’ve had to make to support this legislation is to require people to submit a web form before they can teleport their avatars into Kitely from third-party grids.”

Existing user authentication modules

Grid owners can use a few OpenSim authentication modules, including jOpenSim and the newly launched HGauth.

HGauth, for instance, enforces a web form submission using a set of PHP scripts that require a user to click on a link.

PHP is an open-source, server-side scripting language that can be used for a wide range of Internet operations — including connecting to remote servers — and is commonly used to generate and process online forms.

The HGauth link takes a user to a web page outside the viewer with the grid’s custom terms of service. The user must accept the terms of service before they can teleport to the grid.
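The two requirements the article describes, a consent gate that blocks a teleport until the current terms have been accepted, and GDPR's right to be forgotten, which must reach into logs as well as the main record, can be modelled in a few dozen lines. The following is an added example written for this article, not HGauth, Kitely or DreamGrid code, and it is in Python rather than PHP so it runs stand-alone. The avatar identifier format, the terms-of-service version strings, and the idea of keying records by a hashed pseudonym are all assumptions of the example.

```python
"""Consent gate for a hypergrid teleport (added example, not HGauth/Kitely code)."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed: the version string of the grid's current terms of service.
CURRENT_TOS_VERSION = "2023-11"


@dataclass(frozen=True)
class ConsentRecord:
    tos_version: str      # ToS version the user clicked through
    gdpr_consent: bool    # explicit data-use consent checkbox
    accepted_at: datetime


def pseudonym(avatar_uri: str) -> str:
    """Key records by a hash of the avatar identity rather than the raw URI.
    A hash is still personal data under GDPR (it is a pseudonym, not anonymous),
    so an erasure request must remove every line keyed by it as well."""
    return hashlib.sha256(avatar_uri.encode("utf-8")).hexdigest()[:16]


class ConsentGate:
    def __init__(self, current_tos: str = CURRENT_TOS_VERSION):
        self.current_tos = current_tos
        self._records: dict[str, ConsentRecord] = {}
        self._audit: list[dict] = []   # append-only log of consent events

    def record_consent(self, avatar_uri: str, tos_version: str,
                       gdpr_consent: bool, when: datetime | None = None) -> None:
        """What the web form handler would store after the user submits it."""
        when = when or datetime.now(timezone.utc)
        pid = pseudonym(avatar_uri)
        self._records[pid] = ConsentRecord(tos_version, gdpr_consent, when)
        self._audit.append({"subject": pid, "event": "consent",
                            "tos": tos_version, "gdpr": gdpr_consent,
                            "at": when.isoformat()})

    def may_teleport(self, avatar_uri: str) -> tuple[bool, str]:
        """Decision the grid makes when an avatar arrives from another grid."""
        rec = self._records.get(pseudonym(avatar_uri))
        if rec is None:
            return False, "no terms-of-service acceptance on file"
        if rec.tos_version != self.current_tos:
            # Old acceptance does not carry over to changed terms.
            return False, f"accepted ToS {rec.tos_version}, current is {self.current_tos}"
        if not rec.gdpr_consent:
            return False, "data-use consent not given"
        return True, "ok"

    def erase(self, avatar_uri: str) -> int:
        """Right to erasure: drop the consent record and every audit line about
        the subject. Returns the number of audit lines removed. A count-only
        tombstone is kept so the erasure itself is accounted for without
        identifying anyone."""
        pid = pseudonym(avatar_uri)
        self._records.pop(pid, None)
        before = len(self._audit)
        self._audit = [e for e in self._audit if e["subject"] != pid]
        removed = before - len(self._audit)
        self._audit.append({"subject": None, "event": "erasure",
                            "lines_removed": removed})
        return removed

    def audit_mentions(self, avatar_uri: str) -> int:
        """How many audit lines still refer to the subject (0 after erasure)."""
        pid = pseudonym(avatar_uri)
        return sum(1 for e in self._audit if e["subject"] == pid)


if __name__ == "__main__":
    # Constructed avatar identities; the URI-plus-name form is an assumption.
    gate = ConsentGate()
    alice = "http://grid.example:8002/;Alice Resident"
    print(gate.may_teleport(alice))          # blocked: nothing on file
    gate.record_consent(alice, CURRENT_TOS_VERSION, True)
    print(gate.may_teleport(alice))          # allowed
    print("lines removed on erasure:", gate.erase(alice))
    print(gate.may_teleport(alice))          # blocked again
```

The point of the `erase` method is the one Tochner makes: a consent checkbox is the easy part, while removing a person from every place their identifier was written, including logs, is what the grid software has to be designed for. Note that the example only covers data the gate itself holds; a real grid would also have to reach server logs and backups, which this code does not touch.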

The HGauth module is better to have on a grid than not using any solution at all, said Tochner.

Database configuration and port blockage issues

Even with a largely automated system such as DreamGrid, enforcing terms of service and GDPR compliance can be a long, involved process for what is supposed to be a single-click solution, said Fred Beckhusen, CEO of Micro Technology Services Inc, which owns OutWorldz and the DreamGrid software for running home-based grids.

“All solutions I know of use PHP, which uses a web server to print the license and get back the ‘I agree’ checkbox result,” he said. “PHP requires configuration and database integration, which DreamGrid does automatically.”

According to Beckhusen, DreamGrid also includes a fully configured and secured Apache installation. Apache is open-source web server software used to host websites.

“But not everyone wants to turn it on, and Internet service providers often block the port,” he said.

A different port can be used, he said. “But then there are additional issues to deal with, such as SSL certificates.”

An SSL (TLS) certificate lets a website prove its identity to the browser and enables encrypted HTTPS connections; without one, anything submitted through the form, including the user's acceptance, travels unencrypted and the site is easier for attackers to impersonate or intercept.

DreamGrid does support free SSL certificates that auto-renew, he said. “But that requires Port 80 to be used, which is, again, often blocked.”

Fred Beckhusen

Beckhusen said he was able to get an alternative module called Diva front end — created by Diva Canto — to work in a standalone version of DreamGrid called DreamWorld.

“But that code is not suitable for DreamGrid,” he said. “It was close to ideal, though, as it uses the grid port, typically 8002, which can’t be blocked.”

DreamGrid does support WordPress with its W4OS plugin for OpenSim, he said. “Also, there is jOpenSim running on Joomla on PHP on Apache web server.”

But it’s a lot of work to integrate code from Apache, WordPress, and jOpenSim, he said. “And you still have the issue of Internet service providers blocking the web server port.”

DreamGrid has a solution to make things easier.

“DreamGrid has its own built-in web server on a user-selectable port for Diagnostics, the in-world partner system, a Text to Speech API, Automatic Updating Teleport signs, and more,” said Beckhusen. “It’s a simple solution to this issue for the EU users who want GDPR and others who want a pop-up ToS.”

Micro Technology Services will be developing its own custom, built-in OpenSim authentication module for grids instead of using a module such as HGauth, because HGauth requires Apache to be enabled, said Beckhusen.