The Evince Blog
A blog about issues affecting Internet investigations and ethics compliance programs

Advanced Research in Cyber Security, Canadian Style

July 31st, 2008 . by Chris Pierre

There have been two academic initiatives lately that will certainly be of interest to anyone considering advanced studies in cyber-investigations, cyber-security and web technology, whether the interest is from a technical or policy perspective.

In the West, Simon Fraser University has partnered with POLCYB and the Provincial Government of British Columbia to form The International Cybercrime Research Centre. According to the press release, “It will investigate online crime trends and help to develop new tools to counter cybercrime.”

In Montreal, Concordia University is hosting the National Cyber Forensics Training Alliance of Canada. It’s a joint effort between the Competition Bureau, Concordia, Bell Canada, Rogers Communications and Microsoft.

Dr. Louise Dandurand, Vice-President, Research and Graduate Studies, at Concordia University stated in its press release that “There is a recognized need for industry, academia, and law enforcement to work together and share information about cyber incidents in a neutral venue to identify and mitigate threats.”

This is a clear recognition of the need to review new ways of tackling crimes that relate to the Internet. The convergence of technology, policy and traditional methodology is not only topical but necessary. I am very much looking forward to reading the research that is produced by these two institutions.


Employee Relations Policy Meets (Virtual) Reality

July 28th, 2008 . by Chris Pierre

It’s no secret that large companies like IBM and Nortel have been exploring the applications of virtual world and advanced Web 2.0 technologies in the context of their corporate environments. Not to mention a number of smaller companies, such as IA Consultants and VR Workplace, that have created specialized services to help clients take advantage of the opportunities that these technologies continue to present.

As these technologies grow in use in corporate environments, it is important to remember that the behaviours of avatars in a corporate context do have real world implications.

IBM has actually posted a page on their website called “Virtual World Guidelines” which, I think, is a great example of a corporation recognizing that harassment, intellectual property rights infringement and conflicts of interest can all happen in a virtual world context as easily as they can in other forms of Internet interactions or interactions in “real life.”

One question that emerges is: “Isn’t that just generally understood?” My answer is, “Possibly, yes, sort of.” These types of policies are generally written to govern an employee’s conduct in any environment; however, I haven’t noticed too many corporate codes of conduct that expressly deal with interactions in digital environments quite the way that this code of conduct does. For example:

“Individuals employed by virtual world providers (e.g., “administrators”) have broad powers to monitor and control action within the world with very few, if any, checks on their powers. They are not necessarily obligated to treat user information with any particular level of care.”

And:

“…the originator of a digital persona may deliberately decide to allow his or her avatar to have several “owners” or operators if permitted by the terms of the virtual world. In these situations, the owners are collectively accountable to exhibit consistent behavior through the digital persona and to maintain the level of trust and transparency it previously exhibited with its fellow digital personas, before its ownership or participation was expanded.”

IBM does point out that the policy relates to the behaviour of employees in virtual worlds in the context of how they might be perceived as representing IBM. This is simply recognition of how many people currently conduct their affairs. We might use a separate email for work and home, maintain separate groups of friends at work and in our personal life (although they sometimes interact), so why not have separate on-line personas for our work and our personal lives? Or one for work and none for personal use, if that is your inclination.

In a quote from IBM Developer Jo Grant which I first noticed on Virtual World News, he explains that “Other companies look to IBM to see how it approaches virtual worlds when shaping their own approach. Down the road the virtual world guidelines will probably be folded into our normal business conduct guidelines. But for now publishing them explicitly and prominently also draws attention to the fact that business can and is conducted in these environments.”

Obviously, virtual worlds are not quite commonplace enough yet in corporate culture that IBM is comfortable with integrating them into their normal policy verbiage; having said that, legal departments of corporations and agencies may wish to examine the impact that digital environments have on their current ethics policies.


Successfully Investigating Cases in a Virtual Context: Blizzard Wins Summary Judgment Against MDY

July 21st, 2008 . by Chris Pierre

On July 14, 2008, Judge David Campbell of the District Court of Arizona granted a summary judgment to Blizzard Entertainment in their civil case against MDY Industries, LLC. (“MDY”).

In summary, MDY designed a bot called WoWGlider that allows players of World of Warcraft (“WoW”) to acquire higher skill levels through menial tasks while not being physically present playing the game. WoW is owned by Activision Blizzard which is in turn owned by the French entertainment giant Vivendi.

The bot plays the game for the player while the player sleeps, goes to work and generally lives life away from the game. The player can then regain the controls of their avatar later once it has achieved a high enough skill level to be more interesting to play. Essentially, it’s automated Power Leveling.

You can read all of the filings made by both parties on PACER if you have a subscription. Some of the files are also available on Justia.

Since I’m not a lawyer, I will refer any reader who wishes a deeper legal analysis of the issues to the postings made by Ross Dannenberg on The Patent Arcade and Benjamin Duranske on Virtually Blind.

The issue that seems to have struck both the legal and gaming communities as the most interesting is the fact that the Court upheld Blizzard’s assertion that the game client purchased by users was a license, rather than a product completely owned by the end-user/purchaser.

WoW, for the purposes of this discussion, has two components. The first is the game agent which a player purchases and loads on their computer. This is the product on the shelf at the video game store that kids bug their parents to purchase for them. It is purchased once for one price.

The second part is the game server that the player logs into in order to interact with other players, go on quests, etc. … to play the game. This is the monthly subscription portion of the game and is resident on Blizzard’s servers.

When the WoW agent is activated, part of the code gets copied from wherever the game is stored on the user’s system (for argument’s sake, the hard drive) into the Random Access Memory (“RAM”). This is what happens with most applications on a computer.

The Court felt, citing other cases, that the copying of the game from hard drive to the RAM was a copyright infringement because the copying of the files resulted in a violation of an End User License Agreement (“EULA”) and the Terms of Service (“TOS”).

The offence was in fact a EULA violation, but because source code was “copied” from the hard drive to RAM the activity was found to constitute a copyright violation. It was also found to be a vicarious copyright violation because the program allowed other players of WoW to violate the EULA and TOS that they would have agreed to when they purchased the agent and accessed the WoW servers.

It is unclear at this stage whether or not the case will result in an appeal, but the general consensus is that it will. If it does not end up in appeal it is certainly not clear what Blizzard will recoup from MDY.

There are two things that are clear. First, this decision will have a large impact on the decisions that game and virtual world platform owners make when dealing with violators of their terms of service and license agreements. It may make prosecution a more appetizing choice.

Second, this was a well-coordinated effort between the legal team at Sonnenschein Nath & Rosenthal LLP, Blizzard’s technical security group and the “unidentified private investigator.” It’s an excellent example of the convergence of these areas of expertise and how these functions can work together successfully, something that is very topical in the Investigations and Security field.


4 Things to Consider When Implementing an Outsourced Ethics Complaint Hotline

July 14th, 2008 . by Chris Pierre

With this inaugural post on the Evince blog I thought I would offer some thoughts regarding considerations that corporations and government departments should address when researching third-party ethics complaint companies (a.k.a. hotline companies).

As far as opening posts go, this is not exactly fireworks and a ribbon cutting ceremony, but this is definitely a topic of interest for companies looking to bolster their ethics program.

This four-point list is by no means exhaustive, but it’s a good starting point. Furthermore, based on the experience of our professionals, these points make a big difference when it comes to encouraging the use of, and enforcing, an ethics program.

1. What interface options does the company offer? Not every complainant will communicate the same way, so it is important to consider what options are available to complainants for making their submission.

Some complainants will prefer an anonymous web interface; others will wish to call a 1-800 number to speak with an actual person. There will be a third group who will prefer an email contact point and a fourth group that want a postal address so they can send in their complaint that way. The more options available to complainants, the more likely they will find one that they are comfortable using, which of course means more information that the Compliance Officers will have to be able to do their job.

2. How skilled are the interviewers at the hotline company and how detailed is the questionnaire on the web reporting tool? If the complaint receiving company provides a call centre service you should try to determine the level of training and experience the interviewers have. An experienced interviewer can go a long way towards obtaining useful information and conversely an untrained interviewer can thwart the effort altogether. You will also want to find out if the company has the language capabilities that are required by your workforce. Finally, ask for redacted samples of their reports so that you can get an understanding of the information obtained and the quality of the writing.

Similarly, if the complaint mechanism is a web-interface, are the questions specific to your company’s culture or are they too general? Is the tool user-friendly? Does it allow for both open ended and closed ended questions?

These may sound like basic considerations, but they will really impact the quality of the information received in the complaints. Furthermore, even though it is an outsourced company you’re looking at, your employees, vendors and partners will look at this company as an extension of your firm and therefore your reputation will be affected by the representations made by the hotline company.

3. Where is the data stored? An organization must seriously consider where the archived complaints are stored. Is it in a jurisdiction outside your own? If that is the case, it is then subject to that jurisdiction’s laws, i.e. think of a company from Canada using a third party hotline company based in the United States. That Canadian company’s stored complaints are now subject to the Patriot Act.

4. What other features are available? A complaint reporting service is only useful if your employees or constituents are aware of its existence. Furthermore, they also need to know what constitutes a violation of the department’s ethics policy. Some business conduct hotlines will provide educational videos and other resources which your organization can leverage in order to get the message out, while saving cost and effort.

Whether your organization falls under the jurisdiction of Sarbanes-Oxley, the Public Servants Disclosure Protection Act or you’re just interested in implementing best practices in your compliance program, you will want to ensure that at a minimum, these basic requirements are met when selecting an ethics and compliance hotline company.