Remote User Access Control: Allowlist Asset Restrictions

[CakePost]

Is your feature request related to a problem? Please describe.

It is common knowledge that "once an asset hits a GPU it is trivial to steal it." As we have seen with other platforms, the prevalence of ripping becomes pervasive once there is enough demand for it.

There are many users that have assets which, for one reason or another, they would like to have some piece of mind that it does not get stolen. The reasons for this include but are not limited to:

• Sentimental value of an asset that is closely tied to their identity such as an avatar.
• An expensive commission that they really only care to share with their friends.
• An asset where a lot of time and effort was spent authoring it.

In these cases and many more, it's desirable for an asset to have additional protection against rippers. Given that "once an asset hits a GPU it is trivial to steal it", the most effective way to prevent the ripping of assets is to not let the ripper download the asset in the first place.

Describe the solution you'd like

Definitions

For the purposes of this feature request, "asset owner" shall refer to a user who uses this feature to protect an asset they own. For the purposes of this feature request, "remote user(s)" shall refer specifically to users that are on the receiving end of an asset. Specifically, these are users that only have access to an asset by downloading said asset from a Resonite data store and are not the asset owner as defined above. For the purposes of this feature request, the words "see", "seen" shall mean any of the following:

• Download an asset locally onto the system for rendering.
• The bits that encode an asset being available on the hardware.
• Information sent to remote user(s) such that they can use that information to reconstruct an asset perfectly.

  Feature Request

  This feature request pertains specifically to a mechanism/setting/option/component that an asset owner can use to outline which remote users are allowed to see an asset. The UX for such a feature I'll leave up to the developers, but the result should be that an asset with this component or setting applied cannot be seen by remote users that are not added to the allowlist in said component or setting by the asset owner.

Describe alternatives you've considered

The following are a number of alternatives that have been suggested by the community. I'll add more here as they get brought up.

• Don't upload assets you don't want stolen.
• Report stolen assets to moderators if you see people that have it without your consent.
• Don't go into public instances with assets you don't want stolen.
• Come up with some crazy shader defense system that mangles mesh and texture data such that it is difficult (though not impossible) to extract.

The following is a variation of the specific request made above using the same definitions from the "Definitions" section.

• The preferred implementation describes an allowlist for selecting remote users that may see an asset, however, an alternative implementation might use a blocklist instead. As such the feature request would read: "A mechanism/setting/option/component that an asset owner can use to outline what remote users are not allowed to see an asset.
• This feature may not need to be implemented using components or asset provider settings, but instead integrated with the personal moderation tools. For instance, blocking someone may have the effect of also not allowing them to see (as defined in "Definitions") assets from the asset owner.

Additional Context

There have been numerous discussions about this on the discord which you can find listed as follows:

• A summary post containing the bullet points of the discussion
• A less focused but more community engaged discussion on the topic.
• An acknowledgement from @Geenz regarding the suggestions and some supporting features to accomplish this.
• A discussion regarding unwanted interactions with ones avatar and how

The discussions revolve mainly around the side effects of such a feature. The side effect of this feature is that an asset won't be able to be rendered the same for everyone. There are ways to remedy said side effect, but to the extent of this feature request, a remote user will not have anything to see in place of an asset owner's asset. Additional work will need to be done in preparation for, or in tandem with the implementation of this feature if this side effect is undesirable, which it is.

[shadowpanther]

So, essentially, you want to drive the protected asset to null or to a replacement "public" asset for everyone except the users specified. This could be solved with just ValueUserOverride.

The implication of this is that everyone else would see nothing or an "unprotected" copy of said asset, which would look weird in a social setting.

[CakePost]

Would ValueUserOverride prevent remote users from seeing/ripping or being able to see/rip the asset owner's assets?

The implication of this is that everyone else would see nothing or an "unprotected" copy of said asset, which would look weird in a social setting.

The side effect of this feature request will need to be addressed in a different feature request. That's what I've been instructed to do by one of the devs. At the links there has been a lot of discussion about the side effects that I encourage you to look at, however, this feature request is about adding support for blocking access to assets to only those on an allowlist to such an extent that it is not possible for those not on the allowlist to get access to those assets.

[shadowpanther]

Nothing would stop a determined malicious user from getting the original asset. Everything that exists on the DataModel syncs to every user in the session, so if someone knows that you are overriding your assets for different users, nothing is stopping them from making a system that gets said asset via another user that has full access. The method might be overcomplicated, using refhacking and such, but is it theoretically possible.

We would likely need Hard Permissions before a system you describe is viable.

[shadowpanther]

The only one way I can actually think of how to implement this system would be to only load the protected assets in an overlay world that exists outside of the worldspace (like the userspace your Dash is in) and the assets (or their URIs) only get transferred to the users you trust. Render this overlay protected world on top of the worldspace, and you're set.

Edit: Geenz's point of only providing full quality asset variants to the whitelisted users is also valid, but should be implemented on the Cloud side, so that the URI is same for everyone, but some people get a different asset from it. Because otherwise we'd be back to step one - malicious user getting the URI for the protected asset and getting said asset from said URI. You'd still be able to get the full quality textures via trusted users by means of refhacking, cameras and hidden layers, but at least meshes would be safe-ish.

[lxw404]

The effect of this is possible right now as far as I am aware.

For every asset: Textures, 3D models, Audio, etc you can specify a remote URL. This can be something you can self-host and create your own access control if you are extremely paranoid. This would prevent anyone from getting access to the asset even if another person inspects your avatar or refhacks to the asset field because you are the one directly controlling what gets sent to each person from the same URL. The disadvantages are obvious though, you have to be able and willing to host and control an access list for all content you control, and you also won't be able to utilize the asset variant system.

The rest of the issue, eg. a trusted person distributing your assets against your wishes, is social in nature and doesn't have an engineering solution, but already has moderation consequences.