The Evince Blog
A blog about issues affecting Internet investigations and ethics compliance programs

Background Due Diligence and Web 2.0

February 20th, 2009 . by Chris Pierre

A confluence of events has occurred both in the media and in my own consulting practice which has caused me to consider evolving concepts of background due diligence in a Web 2.0 environment.

From a marketing/public relations perspective, businesses now have the opportunity to connect with and engage consumers in ways never thought possible before. On a transactional level you can make the deal with an avatar and pay with Paypal, Liberty Reserve or perhaps even Linden dollars.

Some aspects of these types of transactions aren’t new. Legitimate businesses and the not-so-legitimate businesses have been negotiating transactions on the Internet for a long time. Whether it was in a chat room, on a bulletin board or some sort of auction site, people have been finding a way to connect and to transact on line.

Regulatory agencies haven’t always been so quick to react either. In fact it was only recently that different tax authorities around the world have begun to tackle the eBay power seller issue.

What is interesting from a fraud prevention and risk management perspective is that many of these communities are largely self policed. We have rating systems for sellers, and there are always other forum participants that are willing to oust a bad business person on the forum.

This modified honour system may be okay for some types of businesses and some types of transactions, but for others it is never going to be enough. For large, sensitive transactions where your company’s reputation is at stake, or where you have a fiduciary duty to your clients, I strongly believe you have to know who you are dealing with in real life. It sounds like common sense, but things are moving very quickly at the moment and sometimes common sense gets a little less attention than it deserves.

Consider this: there are many interesting corporate, social, political and legal trends happening all at the same time. There is the rise of corporate virtual worlds where you can either hold private meetings or connect directly with customers. On the political front there was the incident a few weeks ago where a British politician was impersonated in Second Life (it was a funny story, and there are arguments to be made that politicians have a lesser expectation of privacy than the average joe-avatar, but it is illustrative nonetheless).

It also seems that the legal world is still grappling with the concept of identity and Web 2.0. It was only recently that a court in Australia allowed papers to be served via a Facebook profile. Of course we’re still waiting to hear the final outcome of the Lori Drew case.

Now to circle back to the point in all of this: in a previous life, during the immediate post-dot-com, Enron, Worldcom, 9-11 era where know-your-client requirements grew substantially, I spent a significant amount of time doing background due diligence.

It was in the context of commercial transactions and these kinds of inquiries became standard practice for large financiers that had a fiduciary duty to their own investors; but if you would have tried to sell this service two years prior you would have been met with blank stares. Times had changed then and I sense that they are changing now.

The first question we were always trying to answer was “Is this person actually who they say they are?” Only then would we start looking at other issues around financial stability, reputation, conflicts of interest and so on.

Seems kind of rudimentary doesn’t it? Maybe so, but identification and authentication is something that many people from the technology, financial and legal communities have been tackling for a very, very long time. Regardless I strongly urge you to say something to the effect of “That is a great idea! One question though…how do we know this is really them?” the next time your organization is considering a large dollar, high value or high risk transaction through some sort of Web 2.0 platform where you are buying into the other party’s reputation.

Whether it is a technology solution or it is flying somewhere to meet them and shake their hand, you must satisfy yourself that you have answered this question.

If you are looking for further information on this subject, and depending on the context of your inquiries, I recommend the “Identity, Anonymity and Privacy” chapter in Protecting Games (so far a great read by the way) or the Digital Identity Forum.


Pirate Bay Goes on Trial in Sweden

February 17th, 2009 . by Chris Pierre

According to an article in the Times Online, the four men behind the hugely popular BitTorrent file search engine Pirate Bay are going on trial in Sweden for copyright violations. If successfully convicted the four men involved could face two years of prison and a fine of £100,000 (1.2 million Swedish kronor).

The article also states that there is a civil claim launched by the music and film industry which is also being heard at the moment in Sweden. Between the two industries they are claiming a little over €13 million. Strangely the article does not reference if the B.S.A. or any other software association is also participating in the suit, nor does it indicate if the suit or criminal trial is covering software violations as well. If anyone knows of any software elements to the case please let me know.

Pirate Bay claims that it makes all of its money from advertising revenue, not from the directory service. It will be interesting to see how much money this model actually makes and whether or not the advertisers take flight if the criminal/civil trials result in convictions or penalties.

At the moment, Pirate Bay is still active.


90,000 Sex Offenders Removed from Myspace – But We Have to Read Other Headlines Too

February 5th, 2009 . by Chris Pierre

According to an article on Reuters, Myspace has found and removed some 90,000 sex offenders from its site over the last two years with the help of a kind of national sex offender registry that it created with the help of a company called Sentinel Safe Tech Holdings Corp.

The article indicates that Connecticut Attorney General Richard Blumenthal, who was the person behind these inquiries, has also issued a similar subpoena to Facebook. It appears that Facebook has not formally responded to the subpoena as yet, but Facebook’s Chief Privacy Officer stated that the site “has not yet had to handle a case of a registered sex offender meeting a minor through Facebook.”

The article did not specify whether a similar subpoena was issued to any of the other gazillion social networking sites or other platforms, but we may be hearing about this issue more in the future.

On the opposing side of the argument, a separate report commissioned by the National Association of Attorneys General called “Enhancing Child Safety & Online Technologies” finds that “the image presented by the media of an older male deceiving and preying on a young child does not paint an accurate picture of the nature of the majority of sexual solicitations.” The report also found cyber-bullying is in fact a much larger problem.

Interestingly, a Wired article described how Connecticut Attorney General Richard Blumenthal and South Carolina Attorney General Henry McMaster were two of the avid dissenters of the report’s findings. They may now be gathering evidence to help bolster their case.

From an academic perspective it may be completely accurate that the majority of solicitations that youth receive on-line are from other youth. It may also be accurate that media and other sources play up the threat of predators on social networking sites because they make good headlines but 90,000 registered sex offenders on a given social networking site is a pretty big number and warrants some consideration. It certainly creates a confusing environment for parents and lawmakers alike.

There was no indication in the article that all of the 90,000 offenders were actually using the social networking site to prey on youth, but rather that this was a proactive gesture on the part of Myspace to remove the offenders based on the information that they compiled in their sex-offender database. The article also seems to indicate that the 90,000 includes only US citizens. MySpace is an international platform so it makes one wonder if similar statistics would be found elsewhere.

To be honest I’m still making my way through the 278 pages of the Attorneys General report, but one paragraph in the Executive Summary did grab my attention. The report does indicate that the best way to protect children on line is comprehensive and multifaceted. Specifically it states:

“Technology can play a helpful role, but there is no one technological solution or specific combination of technological solutions to the problem of online safety for minors. Instead, a combination of technologies, in concert with parental oversight, education, social services, law enforcement, and sound policies by social network sites and service providers may assist in addressing specific problems that minors face online.”

Not an easy task, but if you believe the old saying that it takes a village to raise a child then this statement couldn’t be more accurate.

For more information on child safety on line parents can visit any number of great sites, including US based www.WiredSafey.org and www.connectsafely.org. The site www.kidsintheknow.ca is a Canadian site that is a great resource which is affiliated with www.cybertip.ca. Finally there is a United Kingdom based site called www.bullying.co.uk if you’re looking for resources on cyber-bullying.


Video From Virtual Goods Summit on Combating Fraud in the Sale of Virtual Items

February 3rd, 2009 . by Chris Pierre

Depending on the virtual world, social network or MMO that you’re looking into, the developers of that world will do their best to create an environment that includes the ability to compete, grow in social status or simply allow the user to express themselves through tools and attire that they can affix to either their social networking page or their avatar (or both).

Now that they have created the environment where that “character development” can happen the next step is to monetize it. There are several different strategies that they might choose to do so, from tailored solutions to the use of payment cards, Internet wallets, or payments through mobile telephone.

I came across this video from the 2008 Virtual Goods Summit that features the following panelists:

Lex Bayer – Founder & CEO, Spare Change Payments
Christian DeBaun – Director of Business Development, PayByCash
Gene Hoffman, Jr. – Chairman & CEO, Vindicia
David Marcus – CEO, Zong a part of Echovox, Inc.
Tim Pechmann – President, GMG Entertainment

The moderator is Paul Thind – GM North America, Sulake Corp.

Although there is no real representation on the panel, platform owners can also use third party sites to help facilitate item sales and RMT that would act as an intermediary on their behalf and therefore likely assume some of the fraud risk.

For the most part these payment platforms apply to MMOs and VWs as well as social networking sites.

This will give viewers a good overview of some of the different options for payment facilitation. Given that credit card charge-backs are such a huge issue, this is also an opportunity to hear how platform owners can transfer at least some of the payment risk to consumers.

Which one is the best solution? That will be business model and platform specific. My thought is that it will be driven largely by the marketing choices that the game platform makes (i.e. which geographic markets it chooses, which age demographics it targets, etc.)

These are interesting solutions from a fraud prevention perspective, but they also present interesting challenges and opportunities from an investigative perspective. How much does PayByCash know about where their cards are purchased, for example? If virtual goods are being used as a payment mechanism, how are you going to track that if the offender is using a payment card? The data may be richer if a mobile telephone payment is used, but who has the best records? The payment company or the mobile telephone company or both?

Some of these issues with respect to mobile telephone payments were discussed at the World Bank Workshop on Mobile Telephone Payments that I discussed in an earlier post.

I am interested to hear what the community’s thoughts are on these different platforms. Feel free to leave a comment or email me directly.