Metaverse, metaverse everywhere. What is all the buzz all about? Does it have anything to do with your privacy? The short answer is yes. The long answer is yes, absolutely. Let’s start with the origins—Neal Stephenson coined the term ‘metaverse’ in his 1992 dystopian novel, Snow Crash. It comprises two words, i.e., ‘meta’ and ‘universe’ and was initially referred to as a 3D virtual space. This concept remained in science fiction books until some years ago but is slowly becoming a part of the real world. Yet, talking about the ‘metaverse’ almost feels as if someone was talking about the ‘Internet’ in the 1970s—it is there but not entirely in existence yet. Some platforms, like video games, provide the closest metaverse experience. So what exactly is a metaverse, and what does privacy in such a world entail? Let’s see.
Metaverse, metaverse everywhere. What is all the buzz all about? Does it have anything to do with your privacy?
The short answer is yes.
The long answer is yes, absolutely.
Let’s start with the origins—Neal Stephenson coined the term ‘metaverse’ in his 1992 dystopian novel, Snow Crash. It comprises two words, i.e., ‘meta’ and ‘universe’ and was initially referred to as a 3D virtual space. This concept remained in science fiction books until some years ago but is slowly becoming a part of the real world. Yet, talking about the ‘metaverse’ almost feels as if someone was talking about the ‘Internet’ in the 1970s—it is there but not entirely in existence yet. Some platforms, like video games, provide the closest metaverse experience. So what exactly is a metaverse, and what does privacy in such a world entail? Let’s see.
The simplest definition of the metaverse is where the digital and the physical coincide. It includes virtual reality (VR) and augmented reality (AR) with the characteristics of the digital and physical worlds. This world is found in video games and has evolved into one where peoples’ social interactions occur, and transactions take place for a digital economy. The metaverse is, thus, a searchable, clickable, and machine-readable world that allows individuals to work, shop, game, and socialise in a virtual 3D space.
With Facebook Inc. now calling itself Meta Platforms Inc., the buzz surrounding this technology is even more. Ultra-fast broadband speeds and technology that support immersive experiences is making the metaverse slowly and steadily take over our lives—Zuckerberg reckons that it will only take five to ten years. Currently, most platforms have avatars and virtual identities associated with only one platform. However, as the concept of the metaverse progresses, a persona for every person is likely to get created that one can take to anywhere within the metaverse! This will be much like copying a profile picture on various social networking sites. When this happens, this virtual universe will operate on AR, and each person will control his avatar.
Metaverse is the successor of today’s Internet. While it is exciting to know about the potential that this technology entails, everything comes with a price. And maybe the price of the metaverse will include data privacy compromise.
Data security challenges are sure to be much more than what we face in today’s 2D world. The metaverse will rely on immense titbits of data that would go to the personal level of even being able to gauge your gait, the way you gaze, how your pupil dilates etc. Such all-encompassing access to private data, which will stick to you even after you have disconnected, questions the future of data privacy. The need for data protection in the metaverse, thus, increases.
Data is everywhere in the digital world. For as long as we have been in this world, data has been created—sometimes even without our knowledge and sometimes even without permission. Each byte of data that we create reveals more about us, including our habits, location, behaviour and more. The amount of data points for each individual that can be collected is immense. We have already established that with the advent of the metaverse, which uses AR and VR, the amounts of data points that can be collected are even more now—to the point of allowing organisations to recreate human personas.
For example, currently, even if one does not possess a Facebook account, his information can still be obtained from his friends using Facebook. Also, most websites today have Facebook Pixel installed in their backend, which helps to gather personal information. Over time this helps collect multiple data points on an individual, thus creating his unique persona. If ever he creates a Facebook account, all these data points will get merged into his real-life profile. Right now, an individual’s data can be tracked and analysed via the emails, social media handles, etc., that he has. However, there is still fragmentation of one’s identity.
When it comes to the metaverse, platforms will have the ability to track people much more intimately and closely since many more data points will merge. For example, research showed that a 20-minute VR game session could record 2 million data points about body movements. Similarly, VR and AR can contribute to biometric data tracking, including the movement of the head, torso and eyes to diagnose anxiety, depression, ADHD, autism, etc. Therefore, almost everything falls under the ambit of the metaverse.
The distinctiveness of our movements and responses will help form a very, very accurate persona in the metaverse, one that can be tracked and exploited to no end. A study found that data collected across 95 time points in VR helped identify an individual with over 92% accuracy. Your persona will be no less significant than your thumbprint because it is unique and can open doors to a lot more information about you.
Given the importance of this data, companies in the metaverse are ready to collect more information for identifying which products will sell, tailoring advertising campaigns, finding out which individual will be attracted to which item, how user interactions can be improved, etc. There is a great chance that you will not even be consciously aware of what is being marketed to you. The big brains behind the big data will never make it obvious. Therefore, the metaverse, for sure, is blurring the lines between the real and the virtual and questioning the notions of privacy.
The metaverse seeks to combine simulated sights, sounds, and feelings into what we know as the real world, thus, changing and even distorting how we interpret our daily life. It aims to merge the physical and the virtual world so compellingly that boundaries will vanish—we will believe that certain people, places and objects exist when they don’t. The metaverse might provide an escape from reality, but it is manipulation at its best.
For example, the person behind the retail counter will be able to gauge his customers using AR. Their personal data, right from spending habits to tastes, will float above their heads like a thought bubble. This is the kind of universe we will live in—amidst innumerable layers of technology. Hence, those who own these layers can exploit and influence our thoughts. And marketing is a small part of what is possible when so much data is available. It will have negative repercussions to the effect that products will be sold to us even if we don’t need them, information that is untrue and can cause social unrest will be circulated, political divisions will get magnified, and certain groups will get ostracised. The community that we are a part of today, which to some extent allows for different viewpoints, will cease to exist. Instead, we will be fed news that matches our beliefs, reinforcing existing biases. You can only imagine the kind of society, if any, that we will be living in.
Metaverses will also help large IT companies become more powerful, and social media platforms might become more dangerous, especially for vulnerable sections of society, including children. After all, when kids fictionalise their identity, it can mess with their heads. Yes, maybe one cannot be physically touched in the metaverse, but our minds can be exposed and exploited, making it psychologically assaulting. The question then is, can we exit the metaverse? In the 2D world, we can turn off our phones and computers and move away from fake news. But with AR, this will no longer be possible. Companies are developing hyper-realistic avatars so that the identity of users can be hidden, which itself is questionable given the uniqueness of each person’s responses. But, if we believe them for a second, in such a medium, it is possible for children to impersonate adults or vice versa. Where lies the safety then?
Elon Musk once said that we are all already cyborgs, and leaving the metaverse will close essential facets of our lives like our work or how we socialise. Given that an exit is not easy, privacy aspects automatically become important. An individual needs to be protected both from other people and organisations, especially in the metaverse.
In the real world, we know and see the people we interact with. The metaverse is only the digital identity of a person, and one may not know who he really is interacting with. It is more of a leap of faith, based on a cryptographic Root of Trust, rather than a humanistic one. This, however, leads to the possibility of fraudulent activities.
Hence, there is the need to enhance human trust with digital cryptographic credentials so that there is safety in places where people gather—like chat rooms, social media, messaging apps and others. For instance, parents of kids who play in the metaverse would want to know if the others present really are of similar ages or not, the age-appropriateness of the games themselves, and the safety of the gaming arena. Thus, no matter which online space a person is in, or what his avatar is, one should be able to trust the digital identity that he is interacting with.
As we head into an age where there will be two kinds of interactions, i.e., the real and the virtual, we need to create personas that will be as trustworthy as our real beings. Digital identity verification in the metaverse needs to be built by design to add a layer of authenticity. It doesn’t mean that you should have to reveal your credentials in the metaverse, but a system at the backend should grant access only if the real identity is verified. If unverified identities manage to make their way into the metaverse, the possibility of grave frauds and crimes, especially when laws are not up-to-date, will rise.
Unlike the 2D world, the 3D metaverse platforms track individuals intimately. Thus, the legal implications of using AI needs to be analysed. Laws of the real world cannot fully apply to the virtual world propagated by the metaverse.
To some extent, the EU’s General Data Protection Regulation (GDPR) can be applied to the metaverse to protect users rights. However, since there are no boundaries in this universe, when data transfer and processing outside the EU, what laws would apply needs deeper thought and clarification. The question then is, while considering what laws will govern the metaverse, should one consider the location of the person operating the avatar or the location of the avatar as it’s the avatar’s data that will be processed. Also, if the latter is considered, how would one know which jurisdiction the metaverse falls under? Additionally, under the EU regulation, the person processing the personal data has the responsibility to comply with the data protection law. However, it will be tough to establish who bears the responsibility for data processing in the metaverse as this could be a decentralised network. Hence, proper evaluation is needed before one can determine, say, who is responsible for data theft.
Concerning laws, also important to know is how privacy notices of different entities are being displayed to the users and how consent can be given before data is collected—especially sensitive ones like that of minors. Different laws will likely apply to different types of virtual worlds—while some will need disclosures, others might need warning labels on how their data will be used and what legal obligations they are getting into.
There is also no indication of how the law would work regarding serious crimes, including killing, identity fraud and cybercrime in the metaverse. Will they be treated at par with real-world offenders?
The metaverse seems like an exciting proposition but has many adverse implications on our privacy. Before you jump on the bandwagon and explore the virtual worlds, it is vital to understand how to protect yourself. It is already difficult to retain control of our privacy in the real world; the layers of technology will only worsen it.
Many of us say that ‘we have nothing to hide’ when asked why we are not vigilant about data privacy. While this could be true, one does need to understand that as the metaverse becomes more prevalent, without serious privacy standards, we will become mere puppets in the hands of those holding our data. As virtual environments get embedded into and connect to physical systems and networks, serious issues will emerge. For instance, there can be hacking wherein sensitive data can get extracted. Ransomware could emerge in virtual and augmented worlds as well. Thus, even if we have nothing to hide, we must understand the need to protect our data. The metaverse will be the first battlefield that will show how much we are ready to fight for our privacy.
Ransomware is a stealthy form of malware that poses a risk to businesses, their employees, their customers, and the community as a whole.
Self-Sovereign Identity refers to the idea that individuals or organisations can have complete control of their digital and physical identities, as well as control over the sharing and usage of their personal data.