Data vulnerability in the metaverse

With the rise of metaverse users and subsequent increase in data privacy attacks, metaverse platforms must take action to ensure the protection of data.

Nowadays, technology is at the base of most devices we use in our daily lives. However, we often forget how much our lives rely on technology. From the microwave used to reheat our meals, to the smart watches that allow us to answer calls and messages, and measure our heartbeat, among a variety of other activities, the benefits of new technologies are undeniable for our comfort, health and, in one word, our life.

Smart devices are now found in people’s homes, companies’ offices, and every governmental institution, creating a window of opportunity for outsiders with bad intentions to interfere with them. As technology has evolved over the years, computer systems have been forced to match the growing sophistication of their attackers. Layers of protection have been added, but hackers have shown their capability of ‘cracking’ these safety nets. Technology develops so fast, and in such divergent directions, that it is impossible for lawmakers and authorities to keep up with and respond to all the crimes and offenses involving technology.

Today, data and information are the most valuable items and thus require protection. A company or state which fails to protect its data or information is seen as weak and untrustworthy.

The metaverse is a recent development of a new reality that transcends the virtual world, creating an immersive experience that engages all the user’s senses. The metaverse is described as a “hyper spatiotemporal (…) shared space for humans to play, work, and socialize”, a space for individuals to gather ideas, develop hefty apps or simply play a super-realistic game.

Despite it being a relatively young creation, there has been rapid growth in the percentage of the population present in the metaverse, reaching 400 million monthly active users. There was a particularly sudden growth in the number of users during and after the Covid-19 pandemic, as the tech-savvy and the general public became impatient for transformation and all things digital. This number is only expected to grow in the next few years, with a forecast of 800 million active users by 2028.

The metaverse has a promising future, with individuals and companies investing large amounts of money into it, but the issues of data privacy and security of information continue to cause major concerns among scholars and experts.

According to Yuntao Wang, a “wide range of security breaches and privacy invasions” may occur in the metaverse due to the enormous amount of information being exchanged, algorithms, users’ data, among other factors. His paper “A Survey on Metaverse: Fundamentals, Security, and Privacy” identifies three main threats to data privacy.

The first threat relates to the pervasive amount of data required to become a part of the metaverse community and to take advantage of the full immersive experience it can provide. According to the Financial Times, Meta is seeking to collect seemingly inoffensive data, like pupil movements, body poses and nose scrunching, in order to make avatars more realistic and the related technologies more efficient. Companies strive to develop hyper-realistic avatars and environments that fully stimulate users. In order to achieve this, biometric features and even brain waves are stored and studied for further expansion of the metaverse universe. With so much data collected about the user, an impersonation attack may arise, in which an individual uses another person’s metaverse identity to commit fraud, or in which a user unknowingly interacts with a person with ill intentions.

A second threat is the potential for privacy leakage, be it in data transmission, data processing or in the cloud. In the case of data transmission, the information may be intercepted by experienced hackers, despite the layers of encryption protecting the data transfer. In relation to this threat, there may be a severe avatar authentication issue, due to the general availability of AI systems that mimic an individual’s features, which calls for a higher degree of security within the systems. When it comes to data processing, considering the massive collection of user data, down to each micro-movement and feature, it is hard to believe that this processing does not at some point go against the General Data Protection Regulation, or other similar acts.

The third threat that may arise is related to the range of devices worn by metaverse users, which retain thorough and confidential information about the person, providing a window of opportunity for hackers who want to gain access to sensitive data. Moreover, this may lead to an accurate description of the user’s digital footprint and, consequently, to user profiling.

What measures can be taken? Due to the rapid evolution of technology, boundaries and security checkpoints must be established from the get-go, as it is in everyone’s best interest to develop awareness and secure users’ data.

There is clearly the need for a decentralised identity system, meaning that its authority would be spread across various nodes. This would be a better option since centralised systems are more vulnerable and prone to data leakage. Furthermore, a privacy-by-design principle should be shared among companies operating in the metaverse, and a differential privacy mechanism to prevent “user-linkage association” is also advised. Moreover, to decrease the potential for attackers to build digital footprints, a clone avatar or temporary avatar disguise is suggested.

In conclusion, the virtual environment is evolving at a rapid pace, with technologies opening up a whole new world of possibilities that can improve our standard of life, transform social relations, and change work procedures, routines and mindsets. However, the collection of our personal information is essential to making us part of this process. The amount of personal data we freely provide is quite extraordinary and is expected to increase in the future. The situation regarding companies and governments is very similar, since the data collected allows individuals to access personal details that may be used by anyone with bad intentions, leading to a very delicate situation. We are aware that this is a never-ending story and that every security system or layer is at risk of being broken. Nevertheless, the focus will continue to be on preventing data leakages and maintaining the privacy of the data shared in the metaverse.

The Insights published herein reproduce the work carried out for this purpose by the author and therefore maintain the original language in which they were written. The opinions expressed within the article are solely the author’s and do not reflect in any way the opinions and beliefs of WhatNext.Law or of its affiliates. See our Terms of Use for more information.
