Privacy in the metaverse: dead on arrival?
With the arrival of the metaverse, things are bound to become very complicated. And that makes privacy experts worried.
For those out of the loop, metaverse as a concept was coined by sci-fi writer Neal Stephenson in his 1992 novel Snow Crash. To put it simply, the metaverse is envisioned as a blend of online and offline experiences in alternative virtual worlds where peoples’ social interactions and transactions will take place.
While many are excited at the metaverse’s tremendous technological potential, some are worried about the potential costs we will have to pay for the privilege.
Our privacy may be one of such potential costs. As the online and offline worlds collide, we can expect to encounter unprecedented challenges and risks posed by the widespread adoption of the metaverse. From all-encompassing tracking and data collection to invasive ads that keep following you even after you disconnect, the future of privacy in the metaverse is all but certain.
With that in mind, what are the potential privacy consequences of widespread metaverse adoption?
Virtual worlds with no privacy?
Camila Serrano, Chief Security Officer of MediaPeanut, warns that the metaverse can lead to a world of no privacy. “We can definitely expect companies and organizations in the metaverse to collect personal information for individual identification, advertisement, and tracking through multiple channels as we have been experiencing in the regular internet activities we do today,” she told CyberNews.
“Companies will surely gather information from things like wearable devices, microphones, heart and respiratory monitors, and user interactions to the extent that we have never seen before.”-Camila Serrano, Chief Security Officer of MediaPeanut
Allan Buxton, Director of Forensics at Secure Data Recovery Services, adds that there won't be any privacy if the metaverse is implemented as envisioned by Mark Zuckerberg’s Meta.
“Assuming you've managed to avoid a Facebook login or any other internet identity that requires authentication of a physical identity, you've been able to go to work, school, or wherever using your physical identity, and log online under whatever handle you've chosen,” Buxton says.
According to him, if your handle isn’t linked to an address or a payment system by a retailer or shipping company, your digital life remains relatively separate, and thus private, from your real life.
“Advertisers may know plenty about your web activity and online identity, but it doesn't necessarily link to your physical ID,” Buxton suggests. “If you're still using a ‘dumb phone’ or maintain a separate identity for your smartphone, you may have some anonymity from all the data aggregators.”
But if the metaverse becomes the sole place where you work, play, bank, pay taxes, or manage your documents, that all changes.
“Your real life and your digital identity become irrevocably intertwined,” Buxton notes. And if your life happens under a single roof managed by Meta, the privacy implications are stark, to say the least.
However, as the situation stands now, privacy concerns in the metaverse are ultimately no different than they are now on the Internet and social media, says Stel Valavanis, founder of onShore Security.
“But like those virtual spaces, it's all too easy to let our guard down and not fully realize that these are fairly public and we cannot count on the system to keep us private or secure,” he claims. “That the metaverse is somewhat new or rather non-ubiquitous enough that it's new to most is where the danger lies.”
However, Valavanis doesn’t see the metaverse leading to a world without privacy. “We've eroded so much already and that's a societal shift as well as just a slow reaction to change. Except for regulation and even market pressures to enact more privacy, better defaults, and possibly some real liability for abusers, I don’t see a way to change this,” he told CyberNews.
A goldmine for data brokers
Needless to say, advertisers and data brokers are likely to look at the metaverse controlled by big tech as a potential goldmine.
“Their fortunes are tied to the mercy of the corporate giant that controls the metaverse,” notes Alan Buxton. “For the sake of argument, we'll say it's Meta since they're the most public advocates for the metaverse lately. This is a company that has a track record of misleading its partners and its users and has no qualms about reducing security and privacy controls to further its own.”
According to Buxton, the best option for advertisers and data brokers will be to get onboard the metaverse bandwagon early and hope to have some say in the data collection and sharing.
“Whoever succeeds in implementing the metaverse will likely offer assurances that users' and companies' collected data remains their own – assurances that do not match the legalese in the terms and conditions,” he speculates. “Someone has to pay for it, and someone has to profit off of it to incentivize its development.”
“If the last 25 years of publicly accessible internet has offered any lesson, it's that no clear, enforceable standards will be in place prior to the appearance of the metaverse.”-Alan Buxton, Director of Forensics at Secure Data Recovery Services
Buxton suggests that it’s high time for governments to set a consistent privacy standard and invest in individuals capable of investigating and enforcing those standards in a timely fashion.
A pessimistic outlook
Camila Serrano believes that ensuring privacy in the metaverse will require innovation. “Data privacy and security has already been a major concern for any online environment but entering the metaverse would evolve data security protocols to a completely new level.”
According to her, this will require an evolved personal data and privacy protection that will guarantee a person’s identity including possessions in the virtual world. “As to users of the metaverse, personal verification might come to the point where we will have to provide more personal data to identify ourselves and make sure that the security system works efficiently and in keeping personal data safe.”
Buxton, however, remains pessimistic, especially when it comes to enacting regulations to protect our privacy in the metaverse.
“Regulators will have their hands full. The EU has been the most aggressive in enforcing any limits to Big Data's skirting of laws or even their own terms and conditions, yet no fine appears to curb their behavior,” he claims.
According to him, marketers and advertisers already skirt privacy laws with impunity, and we can see this by looking at current social media networks.
“Big data does not fear fines. What big data does fear is the abandonment of its services by its users for new competitors,” Buxton suggests. “Interface designers are tasked with making the UI addictive, playing on the habits and routines that give rise to dependency. First discussed in 2018, it's somehow still news and still unregulated in 2021.”
And with the arrival of the metaverse, things are bound to become even more complicated.
“If you have a hard time unplugging from your mentions for a weekend, imagine how difficult that becomes when that same app includes your bank accounts and employer,” Buxton says. “The metaverse may not just be a privacy wasteland, it may also become a prison from which there is little to no escape. A seven-year investigation into a metaverse violation will likely yield privacy disclosures and addiction counseling for users by the time it concludes.”