The hype around the metaverse continues to grow within the big tech economy. According to Gartner projections, by 2026, 25% of the world’s population will log into the metaverse for at least one hour a day, whether to shop, work, attend events, or socialize. However, the variety of technologies, such as VR, AR, 5G, AI, and blockchain, that enable the metaverse raise data privacy and security concerns. A third of developers (33%) believe these are the biggest hurdles the metaverse has to overcome, according to a report by Agora.
Another Gartner report says that “75% of all organizations will restructure security and risk governance for digital transformation as a result of imploding cybersecurity threats, insider activity, and increasing attack surfaces and vulnerabilities.” ”.
Recent legislation has addressed the privacy of personal data. For example, the GDPR gives consumers the “right to be forgotten,” requiring companies to be prepared to delete consumer information upon request. It also requires private companies to obtain people’s consent to store their data. Helping companies with compliance is a growing business, and European regulators have moved toward more stringent enforcement actions. As regulations tighten, organizations seeking leadership in the metaverse must prioritize privacy and data security more than ever.
Web2 to Web3: the changing face of digital privacy
While digital privacy on websites is now fairly regulated, the metaverse is still very new and there is no legislation in place to enforce privacy there. According to Tim Bos, founder and CEO of ShareRing, “emerging metaverses will be ones where people can have genuine experiences that they currently can’t in the real world.” He added that “a lot of companies are trying to build something with the appeal of Fortnite or Minecraft, but where they can exist beyond just playing battle royale games. I have yet to see someone crack that puzzle. There is also a growing trend in online shopping through the metaverse, but once again, they haven’t figured out how to offer more than just a simple Web2 site.”
The privacy threat in Web3 and the metaverse is greater than in Web2, with 20 minutes of VR use generating some two million unique data elements. These can include the way you breathe, walk, think, move, or look, among many others. Algorithms map the user’s body language to collect information. Data collection in the metaverse is involuntary and ongoing, making consent nearly impossible.
Existing data protection frameworks are woefully inadequate to deal with the privacy implications of these technologies. Research also shows that a machine learning algorithm using just five minutes of VR data without all personally identifiable information could correctly identify a user with 95% accuracy. This type of data is not covered by most biometric laws.
Privacy issues in the metaverse include data security and sexual harassment. “I think the reason why [concern about harassment] it applies to the metaverse, whatever that means, it’s in Web2 right now, we’ve clearly misunderstood it,” said Justin Davis, co-founder and CEO of Spectrum Labs. “[Not] in terms of trust, security, and content moderation at any enterprise, much less at scale across the Internet.”
One reason metaverse-specific privacy regulations don’t yet exist is that the global reach of the metaverse falls under various data privacy regimes, according to Bos. He said that “one of the most considered policies on digital privacy remains the GDPR, as it seems to be the baseline for data privacy. However, it is a moving target as developers need to consider user traceability if they are storing information on the blockchain.”
“There is also the security challenge when people connect their wallets to the metaverse,” Bos added. “How can they be sure that the metaverse doesn’t have a problem causing previous NFTs to be stolen from users?”
Compounding these problems further, Bos noted, is that “right now, almost every project in the metaverse is open to everyone. It’s a virtual round robin right now. As with the gaming industry, regulations based on age and location will inevitably be introduced (either voluntarily by creators or by various governments).”
The nature of the data that is collected can also affect privacy, security and safety in a Web3 world. There is a fear that some of the data collection could be deeply invasive. Such data will enable what human rights lawyer Brittan Heller has called “biometric psychography.” This refers to “the collection and use of biological data to reveal intimate details about a user’s likes, dislikes, preferences, and interests.” In virtual reality experiences, not only the external behavior of the user is captured. The algorithms also record their emotional reactions to specific situations, through features such as pupil dilation or change in facial expression.
Without a doubt, the metaverse offers immense promise for a more connected and immersive world. However, organizations looking to claim their right to this nascent virtual realm must make privacy and data security top priorities as they build their metaverses.
The VentureBeat Mission is to be a digital public square for technical decision makers to learn about transformative business technology and transact. Discover our informative sessions.