While investigating potentially harmful scripts in Second Life I contacted Abramelin Wolfe, the owner of Abranimations and sent him questions to help me understand how scripts and commerce works in Second Life. Abramelin explained in great detail some of the potential pitfalls Second Life Residents should watch out for. The following are excerpts from our conversation.
Dean: According to your response it does not seem that you believe that the script was introduced to the item by a third party but is in fact commonly used by legitimate vendors. Is that correct?
Abramelin: Yes, and this is not a specific script. ALL scripts that take debit permissions display this warning, the most common of which are vendor scripts as they are dealing with money transactions. Our affiliate vendors allow customers to sell our items and take a commission. They need permission to take money for refunding over payments and paying us the commission.
Dean: Based on my research, when an item is rezzed a message appears on the screen as follows; “Object wants access to take money from your Linden Dollar account. If you allow, this it can take any or all of your money from you at any time with no further warning or request.”
If I see this message my reaction is to click "deny", because I do not want an object to take my money at any time without further warning. Why would a legitimate vendor use a script with this type of message? Are there no other scripts that vendors can use?
Abramelin: Yes it also says after that... 'Before allowing this access, make sure you know what the object is and why it is making this request, as well as whether you trust the creator. If you're not certain, click Deny.'
That above statement makes all the difference. Legitimate vendors use this type of script because there are no other scripted ways to take money from an Avatar. You always need them to specifically give you permission. In the case of a vendor though you cannot have it ask every time because it needs to be left out for other people to purchase from even if you are offline.
Linden Lab gives you this warning to make sure you know what the script is and who it is from. As I already mentioned, this is not a specific script displaying this message. This is a warning given by LL when a script requests debit permission. If you do not know the source of the script or trust the source then you should always click deny.
Dean: Do you feel the use of this script in objects that are affiliated with your business could damage the reputation of your business?
Abramelin: No, We have commission vendors for our ice skates because we have been asked for them a gazillion times, especially around Christmas. I think the warning LL gives quite adequately explains the risks, hence the conversation we are having, but also explains that there could be legitimate reasons why. Affiliate vendors are common place in SL and this script function has always existed in SL. If anyone is uncomfortable granting debit permissions they can and should click deny and not use those vendors. It’s really no different than passing your credit card details to a company over the Internet. If you do not know or trust the company you should not do it.
Dean: How is it possible for a customer to pay too much for an item? When I have paid for items in Second Life, a message is displayed; "Buy for L$(amount) from (name of vendor) underneath is the option to "buy" or "cancel". Could you explain how I can accidentally overpay in this type of transaction?
Abramelin: The vendor script dictates whether it has those quick pay buttons or not. If a vendor is not specifically scripted to have them it displays a box where you can enter any amount. Originally all scripts were like this actually, the button feature was added to SL much later. Some third party viewers possibly do not support those buttons either so even if it is scripted with them they may not display. This is just one situation though...there are actually loads of other scenarios where you might need to refund. (eg. Rental booths giving bulk discounts. Some transaction failures can be detected and refunds issued automatically. Some vendors that contain inventory might need to refund if the inventory is missing...and the list goes on.)
The thing people need to remember is that drop down warning is a one warning fits all solution. The warning will be displayed in all cases where debit permission is required. It does not and cannot display different messages depending on the situation or script.
Dean: If a script is used to extract a share of the proceeds from an affiliate vendor, should the script clarify the percentage being extracted?
Abramelin: Yes people certainly should understand what the vendor is for before they use it. Affiliate vendors by their nature extract a commission. Our ice skates vendor for example is labeled ‘Ice Skates Affiliate Vendor (30%)' and the instructions note card also explains it is a 30% commission vendor. The vendors we use cannot run until this debit permission is granted. Once it is running though they also have an Admin Panel accessible that shows transactions and percentages and some other info.
Dean: Who writes the scripts used by your affiliate vendors?
Abramelin: Our store vendors are scripted either by myself or use Caspervend (by Casper Warden). The ice skates affiliate vendors use Caspervend which is very respected and trust worthy. No one else creates any of our vendors or has access to our scripts.
Thanks for answering my questions, your help is appreciated.
Abramelin: No problem, hopefully your article can shed some light on this for folk in SL so they understand the message and what it means. I've seen this concern come up over and over through the years, but it’s mostly due to people not understanding what the message is telling them. The debit permission function is not a fraudulent function by itself. It is only fraudulent if it is used in a fraudulent way. It has many legitimate uses too. The above ice skates customer that contacted you was quite right not to accept permission with the ice skates as they did not understand why it was being taken. What I think I'll do is put the affiliate vendor inside a box in the package so it cannot be attached accidentally with everything else. I think the confusion probably came from everything being attached out of the box without looking at what the items were.