General News

Privacy in the Metaverse

It’s been far too long since we’ve checked in with Facebook (now Meta), and their ongoing mission to make as much money as possible from our data, so we thought we would discuss the Metaverse, with Mark Zuckerberg’s company being at the forefront

of this new virtual world that they’ve assured us is the future. With Meta being in the business of personal data, and their mistreatment of that data in the past, it’s important to understand how the Metaverse will change the way in which our data is collected and used, and the potential privacy concerns that come along with it. Facebook have had countless fines in the past for using personal data in a way that goes against the GDPR, so it’s easy to imagine that their venture into the Metaverse will only scale this up to an currently unimaginable degree.

Before we look into the privacy concerns that exist regarding Meta’s new virtual world, I think it’s important to try and get a grasp on exactly what the Metaverse is, as the term can be confusing. Below you can watch Meta’s marketing video on how they see people using the Metaverse in the future. 

As always, a good place to start in explaining something is Wikipedia, who defines the Metaverse as; 

“a network of 3D virtual worlds focused on social connection. In futurism and science fiction, the term is often described as a hypothetical iteration of the Internet as a single, universal virtual world that is facilitated by the use of virtual and augmented reality headsets.”

Instead of joining remote work meetings on zoom or teams, everyone will put a headset on, and meetings will take place in a 3D virtual office, with each of your colleagues sitting around a table, being represented by a virtual avatar they’ve picked out for themselves. Instead of ordering clothes off of a website, you’ll walk around a virtual clothes shop, pick out what you like, and your avatar will wear it, for a price of course. Instead of meeting up with friends and family to watch the latest movie release, you’ll all watch it ‘together’ in the Metaverse in a virtual movie theatre, with a headset on.

An article by Wired gives a good explanation of the broader meaning of what the Metaverse will be. Imagine a virtual world that will exist even when you’re not there to experience it- people will still be in this virtual world, it will change, adapt and develop. You won’t even have to necessarily access this world through the technologies we typically associate with the Metaverse, such as headsets (like the Oculus Rift) and haptic feedback suits (think Ready Player One). The Metaverse can similarly be accessed through PC’s, and people will work, buy, sell and spend their free time in this world. In addition to this, all of the virtual worlds that will exist from different developers, Wired suggest, will be interconnected meaning just as you can currently buy a jumper from a store in real life and wear it wherever you want, your avatar will be able to buy clothes in one ‘Metaverse’, and wear them across the multiple worlds they interact with. Right now, platforms allow you to create avatars and buy different skins and addons which are only usable within that platform, but the Metaverse may create a more interconnected network of platforms instead.

Above is an example of what a virtual reality 'suit' could look like in years to come.

Now that we hopefully have a brief understanding of what the Metaverse might become, I just wanted to illustrate the current popularity of the virtual world, as well as how much Meta are investing in developing the technology that will allow us to spend so much time in this world. In 2021 alone, Meta have invested $10 billion into their Metaverse venture, and someone has recently spent $450,000 on a piece of virtual land that will allow them to be Snoop Dog’s neighbour. Numerous companies are investing in land in what will in the future be popular areas of the Metaverse, just as companies now spend millions of dollars to advertise their product/service in Times Square in New York. It’s important to highlight however that there won’t be just one singular ‘Metaverse’ made by one company- numerous tech companies are currently developing their own virtual world, where anyone can buy virtual land right now, despite the technology not quite being there yet to fulfil all of the promises that the creators are making. 

In the year 2022 however, that’s where the Metaverse mostly sits- promises and potential. In its current format, the Metaverse exists as a virtual world where a small percentage of gamers (which admittedly is growing) meet up, hang out and play games. The technology just isn’t there right now for even mainstream gamers to adopt, let alone companies beginning to ask their employees to conduct meetings in a virtual environment with a headset on. It seems like it will be some time before we’re all living a significant amount of time in this virtual world, although the amount of investment Meta are putting into developing the technology may suggest it’ll be here sooner than we think. 

So, despite the fact that we aren’t currently at a stage where Meta’s mining of our data in the Metaverse is a real issue, it doesn’t mean we shouldn’t begin thinking about the privacy concerns that we’ll have, especially as we may not even be able to fully understand how concerned we should be. Just as we could never have predicted the extent to which social media can use our data maliciously when the first website was made in 1991, it’s almost impossible to predict what the Metaverse will be in 30 years time. 

When you look into just how much personal data collection will change with the Metaverse’ widespread adoption, it’s easy to see why Zuckerberg’s Meta are going so head on into its development- what’s $10 billion a year investment when you stand to make $100’s of billions in ad revenue? An article by Norton Rose Fulbright provides a good outline on how data collection will adapt and become even more sophisticated than it already is. Firstly, it’s expected that users of the Metaverse will be spending extended amounts of time in the virtual world if they’re working and socialising there, which will mean patterns of behaviour will be better understood by Meta- how the user acts in certain situations, when they do things, why they do them. This will only mean the improvement in highly targeted advertising, which Meta will of course be able to charge more for. This becomes obvious when you think about the types of special category data the technology will facilitate the collection of. The reading of a user’s heartbeat will allow advertisers to know when you’re calm or excited. When you ‘walk’ past an item such as a car or piece of clothing, Meta will be able to know that your heart rate has increased, which would suggest you like that specific car or item of clothing. The accuracy of this is easy to understand when you consider the fact that your location within the Metaverse will be tracked, as well as your eye movements within the headset. Meta, and by extension advertisers, will know where you were, what you were doing and what you were looking at when your heart rate increased. When you pass a food shop in the Metaverse and look at a certain drink, they’ll be able to send you specific advertisements for that particular item. A version of this use of our data exists now. When you google an item, it isn’t a coincidence that adverts for that item start showing up on Facebook and Instagram. With the technology in use, it won’t require us proactively searching for a specific product for us to be bombarded with advertisements for it, this will all be happening in the background without us really being aware of it.

Luckily, as much as Meta would like the opposite to be the case, there will be regulation on how our data is collected, stored and used in the Metaverse. It’s unclear however the form in which this will take. The Norton Rose Fulbright article outlines how the data we’re talking about (heart rate, eye movements, even brain patterns), are classed as biometric data, and would therefore fall under special category data. Therefore it would mean that the user would need to consent to the collection of this data in the Metaverse. Importantly, the user would also need to consent to each specific use of this data, as a result of the additional protection provided to special category data. This would mean that whilst you may consent to the collection of your heart rate data when it is used as part of a game for example, you can refuse the collection for the purposes of advertising and marketing. The same choice would be afforded to eye movement data, physiological responses to things, as well as brain wave patterns.

The issue however comes with how this consent will be collected. The article highlights the lack of knowledge as to how the Metaverse will establish who is responsible for deciding how and where data is processed. Who will be the controllers and processors in the Metaverse? Will there be one main actor responsible for deciding how your data is collected, processed and used, or multiple smaller parties that have their own ways in which this will be done?

To provide users with a seamless experience, data will need to be transferable across platforms and services, where there may be individual privacy notices and policies governing how that particular platform processes user data. As the Metaverse becomes more sophisticated, to allow avatars and items to be used across the different channels, organisations may need to create multilateral sharing agreements to allow the seamless sharing of data. 

These sorts of arrangements already exist in some form, however there are requirements in place, such as the need for the organisation receiving a user’s data to send them their privacy notice shortly after receiving their data. In a seamless and vastly interconnected Metaverse, this could prove difficult as data will need to be shared constantly and involve multiple parties. One way around this would be to have one central data administrator to outline to users how their data would be processed, and where relevant to ask for consent for certain uses.

With there being an unprecedented increase in the number of cyber attacks since 2019, it’s hard to imagine that attackers won’t turn their attention to the Metaverse, considering the unimaginable amounts of sensitive data that will be available to collect. In the Metaverse, breaches and cyber attacks may take the form of deep fakes and hacked avatars, so it may be harder to identify than is currently the case, and understanding where responsibilities lie is a key privacy concern. The complex relationships that will exist, and how data will be shared seamlessly will make it difficult to not only inform users that there has been a breach of their data, but also have a clear set of protocols and policies that will govern how users, and organisations should act in the event of a breach, or cyber attack.

The nature of the Metaverse will only give rise to different forms of cyber attacks, as a Metaverse that is centred around cryptocurrency and the use of NFT’s (digital art) will undoubtedly entice cyber criminals in years to come- and fraud, money laundering, phishing and ransomware attacks will be tools used by cyber criminals, just as they are today. An article by Gamma Law points out how the opportunity for this already exists. 

Sotheby’s, the famous art dealers have introduced their own ‘Sotheby’s Metaverse’ which centres around the selling of Non-Fungible Tokens (NFT’s) for digital art collectors. Just as counterfeiters and scammers in real life can pose as legitimate art sellers and fool collectors into buying fakes, in the Metaverse scammers can sell fakes by hiding behind screens and avatars. 

One of the biggest battles Metaverse developers face is persuading potential users that the space will be as regulated and safe as the platforms we use today are. The laws, policies and procedures must be ready to go and be fit for purpose. Currently it is obvious that new laws and regulations need to be made to align with the vast increase in the levels of data collecting, processing and transferring that we will have to see if the Metaverse is to become what developers and investors have assured us it will. Developers such as Meta must focus as much on the privacy regulation of the Metaverse as they are on the technology that will facilitate its use. There are still many questions that need to be answered as to how data privacy will work in the Metaverse, and it will be on developers to show users that their personal data will be safe in their hands.