Is the metaverse a 3D version of the internet? Or an advanced variant of Zoom? Is it a video game with avatars or VR glasses that allow you to travel without leaving home? The term “metaverse” has no universally established definition yet, and for many people it alludes to the future of the digital world.
The concept was first introduced in 1992 in the science fiction novel “Snow Crash” written by Neal Stephenson. It was described as a “form of human life and communication in a virtual three-dimensional space through a digital avatar”.
Metaverse is currently a buzzword partly due to Mark Zuckerberg’s announcement in October 2021 that Facebook’s new corporate name would be Meta. The new name embodies the company’s commitment to go beyond social media, leading us into a new era of online interaction. Despite the recent popularity of the metaverse reality, it has been known for quite some time in the gaming world: Second Life, Roblox and Minecraft represent popular examples.
The metaverse operates thanks to and together with several technologies, such as artificial intelligence, augmented reality, virtual reality and 5G to design online spaces that are more dynamic, realistic and interactive than those we currently have.
Nevertheless, there are other uses for the metaverse. For instance, it can be used for attending virtual events, such as concerts and art exhibits; for education purposes, by enabling individuals in the most remote regions of the globe to interact and learn in immersive digital classrooms; in healthcare, for training settings to replicate medical procedures; and it could even go as far as promoting employment with the creation of never imagined job positions, such as metaverse tour guides, decorators and wedding planners. The possibilities are immense: not even the sky is the limit!
Given its novelty, complexity, and the opportunities it creates, the metaverse poses many questions, ultimately related to one: Can we trust the metaverse?
This Insight focuses on two crucial concerns for the trust-issues generated by the metaverse: privacy and cybersecurity.
Personal data collection
All sorts of personal information can be collected within the metaverse. For example, to whom a user speaks to, what someone chooses to purchase and the places most visited, how much attention each user pays to an advertisement, etc. Additionally, it can even obtain extremely personal details, such as the way an individual walks, talks, breathes and, perhaps, brainwave patterns could be collected in order to have a far better grasp on people’s mental processes and behaviours.
Moreover, metaverse users will be logged in for long periods of time, which means that their behavioural patterns will be continuously tracked and collected. Consequently, companies participating in the metaverse environment will need to abide by data protection laws. However, the nature of the metaverse presents significant challenges in relation to how that compliance will be achieved.
Responsibility for compliance with data protection law
Establishing who is responsible in the metaverse for deciding how and why personal data will be handled, as well as who processes it on behalf of another, may be challenging. Two main options are currently considered, namely centralised and decentralised collection and processing: (i) having a single administrator who gathers all personal data provided within the metaverse and decides how it will be processed; (ii) or having numerous organisations gathering personal data, each with their own specific purposes.
Applicability of the GDPR
In regard to the applicability of the General Data Protection Regulation (GDPR), a natural question arises: Is the current data protection framework adequate and enough to regulate how personal data is processed in the metaverse? Moreover, determining the GDPR’s territorial application may be challenging (when the entities are not based in the EU), since it depends on the location of the end-user when personal data is processed. But where is the end-user located within the metaverse environment? Different options can be considered: the location of the server, of the avatar or of the user which is controlling that avatar. Additionally, the GDPR limits data transfers to third countries, but the metaverse is an interconnected world which knows no borders.
Data breaches and cyber attacks
Every online platform faces difficulties preventing cybersecurity issues and data breaches and the metaverse is no exception. Given the intricate reality and ubiquity of the metaverse, it may be more challenging and difficult to identify and tackle these kinds of incidents. A major concern is data safety, since higher exposure to the metaverse may be associated with increased cyber risks. Moreover, it may also be hard to determine who is responsible for notifying users and data protection authorities of a breach.
Most probably, significant improvements in cybersecurity protocols will be necessary in the metaverse. Ironically, this may require that users provide far more personal information, in order to assure accurate identification and greater security.
Within this framework, the metaverse represents a virtual world quite similar to the real world and it may have a high impact on most aspects of our daily lives. It is already gone beyond online games and is steadily expanding into a wide range of sectors, including arts, communications, healthcare, etc. Consequently, it is of high importance that the challenges which derive from this environment are mitigated, starting with privacy and cybersecurity issues. However, that does not disprove the idea that the metaverse reality will continue to develop at an exponential rate.