Our heroes track down a hacker and plot some vigilante justice

The use of the loaded question may imply that I believe they should. I shall be frank and admit that this is precisely the intention of this post, but please allow me to explain my reasoning before you dismiss such a ludicrous notion. What inspired me to write this post was last week’s Big Bang Theory episode, The Zarnecki Incursion. If you missed it, or if you are unwilling and/or unable to watch the YouTube clip, allow me to briefly sketch the plot. Leonard comes home only to find that Sheldon has called the police to report a robbery. Sheldon explains to a distraught Leonard that someone has stolen all of his enchanted weapons, his Vicious Gladiator armour, and his Wand of Untainted Power (yes, they are real items). In short, Sheldor, Level 85 Blood Elf (no class mentioned, but the use of a +Spirit wand makes me suspect a Priest) has been picked clean, they even took his Battle Ostrich named Glen (technically, it is called a Black Hawkstrider, but I digress). Leonard is amazed that Sheldon has called the police because someone hacked his World of Warcraft account, and obviously the police leave without doing anything. Hilarity ensues exploiting the comedic value of witnessing the real pain of a gamer who has his pretend weapons and virtual items taken from his account. Did I mention the ostrich? Funny! But leaving aside all of the comedy, did Sheldon have a point? Should the police become involved in game theft? Let us not just stay only with World of Warcraft, but think of any other online gaming environment that has any virtual goods tradable with real currency, say, Farmville, Aion, Maple Story, Runescape, etc. I do believe that police should indeed become involved as what happens is obviously a criminal offence in large numbers of jurisdictions. But we know that not all crimes are enforced equally as the police have to struggle with more pressing “real” crime. If anyone was to call the police because they had their virtual goods stolen, they may be less kind than the police in Sheldon’s story. So the question is, should this perception change?

Quid juris?

Legally there is not much of an argument. While I would not go as far as to equate virtual theft with real theft, just as I would never equate copyright infringement with real theft, what happens with account hacking is clearly typified in various criminal offences. The theft of virtual goods is intrinsically linked to hacking and identity theft; the game requires a password and login, which are obtained by means of malware, keyloggers, phishing, or other social hacking methods. In the end the cyber-criminal accesses the account without permission and removes the virtual items from the character’s bags and bank vault. This action in my opinion is clearly covered under laws that criminalise unauthorised access to a computer account. In the UK, s1 of the Computer Misuse Act covers such actions, as it states that:

“(1)A person is guilty of an offence if— (a)he causes a computer to perform any function with intent to secure access to any program or data held in any computer , or to enable any such access to be secured ; (b)the access he intends to secure, or to enable to be secured, is unauthorised; and (c)he knows at the time when he causes the computer to perform the function that that is the case.”

Similar provisions exist in other countries, as these mirror the offences specified in the European Convention on Cybercrime. Specifically, account hacking and virtual theft would probably be covered under Art 2 (illegal access), Art. 4 (data interference), and Art. 8 (computer fraud). So, if the law is clear, then we enter into a normative question. Should police pursue such crimes? Here, the answer is all about the amounts of money involved. This reminds me of the reaction experienced by the protagonists in Charles Stross’ excellent novel Halting State, in which policemen are called to an Edinburgh games company when a theft has been reported. The police find out that the heist was conducted by orcs and dragons against an online bank, and the officers rightly scoff until they are informed that the total real value of the stolen currency amounts to various million of Euro, but also affects stock prices and the security of important cryptographic keys. And here is precisely the crux of the matter. If there is evidence that virtual theft not only affects some people who take their games too seriously, but that it also has an economic effect in the real world, then the justification for the involvement of law enforcement should be not only justified, but necessary.

The virtual economy

Firstly, there is little doubt that the virtual economy has large economic value. A report on the virtual economy by the World Bank calculated that the global market for online games was $12.6 billion USD in 2009, and that the size of the secondary market in virtual goods (the monetary value of real money transactions in virtual goods) reached an astounding $3 billion USD. That’s a lot of magic swords. People will spend real money in purchasing virtual goods. This is not as far-fetched as one may imagine, if you think about it, a music file from iTunes could be considered as a virtual good, it only exists as bits in some computer or portable media player. Secondly, someone has to produce all of the virtual wealth. Some virtual goods are offered by the game makers themsleves, you can purchase items from Farmville makers Zynga, or you can buy in-game pets and mounts directly from Blizzard. But more interestingly, there is a larger market of goods provided by third-parties. Here we enter the wacky world of gold farming, where thousands of people, mainly in China, play online games to accumulate wealth that can be sold to gamers (if you haven’t already, you must read Doctorow’s For The Win). It is difficult to ascertain the true size of the gold farming industry, but some estimates range from 400,000 to 1 million people working in this sector in China. This is therefore an important new economic activity that is being largely ignored by the mainstream. Finally, there is the issue of the legal status of all of this wealth. As Korea is one of the countries with a more developed virtual market, it should be no surprise that virtual currency has been given much better legal status; the Korean Supreme Court has declared that virtual currency is convertible to real currency, opening the door for the legal recognition of virtual electronic commerce. Games like Project Entropia and Second Life used to offer exchange rates for their virtual currency into real money (SL no longer does, but currency is still tradable with third parties). And needless to say, there is a huge market in World of Warcraft gold, with sellers offering 10,000 gold for just under $20 USD. This I think is the element that makes virtual theft worthy of the attention of crime enforcement, and it is the fact that virtual goods are making their way into the economy.

Measuring crime and its effects

Here is where we enter speculative territory, but please bear with me. There are no official figures about the extent of the theft of virtual goods. Going merely on anecdotal evidence and the amount of game-related phishing that I receive, it seems evident that hacking is widespread, enough that game developers like Blizzard have engaged in a serious education campaign to warn players about the dangers of account hacking, and have also deployed levels of account security that can often be found in online banking (such as authenticators, tokens and one-time keys). Hacking as a whole exceeds $1 billion USD, so it is fair to assume that a non-negligible percentage of that affects online games. Why can we assume that? Because, as others have pointed out, gold selling has become gold hacking. Why pay salaries when you can hack into a player’s account, steal their gold and possessions, and then sell them to another player for real money? This is where the encouragement for cyber-crime exists, players will buy virtual currency without caring where it came from, so the black market exists. Here is where the real damage exists. Many games will replace the stolen virtual goods, but this creates another problem for the virtual economy, it generates inflation. If you have more currency flowing around, currency that has not been “earned”, but that is only flashed into existence, then the market will suffer inflation as the currency loses value. Moreover, this is wealth that is making its way into the real economy, as real money is being used to pay for the stolen virtual goods. There is even the prospect of using virtual economies to launder money. The solution to the problem would be the creation of more secure virtual goods, say, items and currency that are “soulbound” only to one account, and can be accessed through the appropriate cryptographic keys, but this is only likely to encourage even more sophisticated hacking.

Concluding

I watched recently “Catch Me If You Can“. During the first part of the film, Tom Hanks’ character finds it difficult to convince his fellow FBI agents that cheque fraud is a serious offence. At some point, while explaining to a task force the importance of cheque fraud, an agent tells him “you should talk to my wife, she is the one who balances the chequebook at home”. Cue laughter from fellow agents. It was not until Di Caprio’s character’s fraud starts reaching the millions of dollars that higher echelons take notice. I think that we are at a similar junction in the pursuit of in-game crime. At the moment it is something that can be laughed at, the subject of comedies like the The Big Bang Theory. But there is something more serious taking place, we are talking about substantial amounts of money, but non-gamers still cannot comprehend that this has important economic implications. At the moment, it is up to the companies involved to try to improve their security, but law enforcement will have to intervene at some point. Online currency is an easy target because the chances of prosecution are minimal. Who cares if a Blood Elf loses his magic wand? Cue laughter.


5 Comments

Avatar

Johnny in Lisbon · April 8, 2011 at 11:58 am

Olá, I was sent here by your sister (my adopted soul sister), she reckoned I'd appreciate this post since I worship at the altar of geekitude. I did appreciate it and I couldn't agree more with what you wrote. That episode was hysterical but it had me thinking too (and empathising muchly). It's also a sign of times changing, it is theft, it does matter and it does often have IRL implications (and not just emotional ones). I look forward to the time when your post will be obsolete.

You're a brilliant writer, cheers!

    Avatar

    Andres · April 9, 2011 at 4:29 am

    Thanks for the kind words. If it's geekitude you seek you've come to the right place. Daleks and light-sabers are no strangers to these pages 🙂

Avatar

Lilian Edwards · April 9, 2011 at 8:03 am

An intersting point that occurs to me is the low level of concern about account hacking for games (which I share 🙂 compared to the current hysteria in the UK about hacking phone voicemail accounts (which though it may involve invasion of privacy doesn't generally involve financial loss, at least in the NoW cases.) Just a thought.. (also that they're predicting £100,000 as the average settlement for that kind of account hacking..) Do avatars have privacy and feelings? Discuss..

    Avatar

    Andres · April 10, 2011 at 7:58 am

    Feelings? sure! privacy? Perhaps the privacy of not having the avatar tied to the person.

Avatar

Alexandra · April 12, 2011 at 10:21 pm

Since I saw this episode, I've been waiting for your post concerning virtual theft. I was sure you wouldn't let it go without a comment!

So, congratulations! Great post.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.