On June 20, 2024, exactly one month ago today, Primfeed, a new social media platform specifically designed for Second Life users, officially launched.
Primfeed integrates seamlessly with EasyBloggers, another product by Primfeed’s creator, Luke Rowley, allowing creators to maintain a separate Primfeed profile for their businesses.
The launch appeared to go extremely well for Luke.
With 8,000 users, 38,000 posts, and 33,000 images uploaded within the first 24 hours, the launch was nothing short of impressive.
Throughout the last month, Luke has steadily added new functionality and features based on user feedback.
Since then, the platform has grown significantly. We’ll get back to that shortly, but first, let’s walk through the history of events as they unfolded.
The launch of Primfeed
Shortly after the launch, while many users expressed their satisfaction, a minority began raising concerns on the Second Life Community forum and subreddit about Primfeed’s privacy and security.
Initially, Luke was quick to respond to some of the concerns raised by users.
This is when I began to inspect the service, focusing particularly on two of Luke’s claims:
- The ToS and Privacy Policy have been co-written with a French lawyer with a master's degree in business law.
- As stated in the Privacy Policy, IPs are not collected, not even for statistics, I have no way to confirm that avatar X is the alt of avatar Y (Which is why, when taking actions / support on the avatar X, I'm requiring to be contacted only through avatar X in Second Life)
Luke claimed the ToS and Privacy Policy were co-written with a French lawyer. While I cannot verify this, the Privacy Policy, at the time, was only a couple of paragraphs long.
Upon reviewing the provided policy, it was clear that it lacked crucial elements, especially regarding compliance with the EU General Data Protection Regulation (GDPR).
I documented my observations, anticipating that Luke would prioritize addressing the issues with the ToS and Privacy Policy in response to the concerns raised on the Community Forum and on Reddit.
Post-launch silence
Fast forward to July 15th, 25 days after Primfeed’s official launch, and to my surprise, the Privacy Policy had not been modified since my initial review.
At this point, there had been ample time to seek legal guidance, rectify the shortcomings, and implement the necessary changes.
Some users may not prioritize their privacy, but collecting and processing personal data of what at this point amounts to tens of thousands of users without a proper privacy policy or transparency is not only unethical but also a violation of the law.
With the only contact method available being in-world messaging, I composed a notecard addressing my concerns about the following areas of the Privacy Policy:
- Data Subject Rights.
- Data Protection Officer (DPO) and the Identity and Contact Details of the Controller.
- Transparency and Disclosure.
- Security Measures.
I provided descriptions of the deficiencies and referenced the relevant GDPR articles.
Shortly after, I joined the public discourse, mentioning that I had reached out to Luke.
Four days passed with no response or acknowledgment from Luke.
At this point, I lodged formal complaints with my Data Protection Authority and the Data Protection Authority in France, where Luke resides.
I also discovered that Primfeed creates a user with Canny.io, its feedback portal provider, transmitting the avatar picture and legacy name of the user to Canny.io without the data subject’s consent. Consequently, I lodged a complaint with Canny.io as well.
As of writing this post, I have not received any response or acknowledgement of receipt from Luke.
Publication of the much-needed Privacy Policy
Today, July 20, 2024, Primfeed published a formal Privacy Policy and a Legal notice.
While it is unfortunate that it took a full month from the launch for this to happen, it is good to see that actions were finally taken.
With the Privacy Policy and Legal notice in place, we now have some much-needed transparency. Let’s examine some of the now-public information.
Subprocessors
Although there isn’t a dedicated section listing subprocessors, we can identify them throughout the policy.
Here’s a table summarizing them:
| Entity | Sub-processing Activities | Entity Location |
|---|---|---|
| SmartBots | Processing and transmitting avatar UUID via a request | Not specified |
| Cloudflare | Processing IP address, country, device type, browser, ASN, and operating system for infrastructure protection and statistical purposes | Not specified |
| OVH | Hosting the website https://www.primfeed.com | Roubaix, France |
| Canny.io | Retrieving feature requests and bug reports from users; processing the Second Life legacy name and avatar picture | Not specified |
Consistency in providing the processing locations for each subprocessor would be preferred, but at least we now know who they are and can seek that information ourselves if we need to.
Data Controller and Data Protection Officer
We now have a section identifying the data controller beyond a Second Life avatar name. Cleevee SASU, based in Paris, France, is the legal entity running Primfeed, responsible for storing and processing user data.
An email address for contacting the DPO is now provided.
This means data subjects have a traditional method of contacting the data controller and a legal entity to refer to for complaints and legal notices.
Rights of the data subject
The Privacy Policy now informs data subjects of their rights, including:
- Right of access, rectification and erasure of data (laid down in Articles 15, 16 and 17 of the GDPR respectively);
- Right to data portability (Article 20 of the GDPR);
- Right to restrict (Article 18 of the GDPR) and object to data processing (Article 21 of the GDPR);
- Right not to be subject to a decision based exclusively on an automated process;
- Right to determine the fate of data after death;
- Right to refer the matter to the competent supervisory authority (Article 77 of the GDPR).
However, the following statement is problematic:
You can contact Primfeed's DPO at [email protected] for any relevant information. However, to exercise your rights you must contact the DPO by sending a notecard to Luke Rowley in Second Life™. Requests made outside of Second Life™ are not accepted as there is no way to accurately verify that the account is actually linked to the requester.
This means if a data subject loses access to their Second Life account, they have no means to exercise their rights. Primfeed should implement additional verification methods.
I suggest adding functionality to support data subject rights within the Primfeed dashboard itself, allowing users to request a copy of their data and account deletion directly through the platform.
Conclusion
Just as I was wrapping up this post, Primfeed dropped an update with some impressive stats:
- More than 20,000 registered accounts
- More than 210,000 pictures uploaded
- More than 120,000 daily interactions (comments, posts, likes…)
- More than 10,000 unique residents use it every week
- More than 34,000 subscribers subscribed to their favorite stores through Primfeed’s store profile
While these numbers are impressive and deserving of congratulations, they also underscore the importance of getting privacy right. The recent improvements, though overdue, show that Primfeed is trying to address these concerns now.
There’s still room for improvement, but the new Privacy Policy and Legal notice are big steps forward. I'll keep an eye on how things develop, hoping to see continued positive changes.
If Primfeed maintains this momentum, it's shaping up to become a fantastic platform for Second Life users to showcase their photos and promote their creations.