Digital privacy in the metaverse

At the end of October, Facebook made headlines by announcing that the company was changing its name to “Meta”. The name is as a reference to the “metaverse”. CEO Mark Zuckerberg defines this as “an embodied internet where you’re in the experience, not just looking at it”.

Zuckerberg and other tech leaders see the metaverse as the logical next step in the evolution of the Internet. But many observers are wary of the privacy issues that it may bring (and not just because Facebook is involved). 

What exactly is the metaverse?

The meaning of the term “metaverse” depends a lot on who’s using it. But the most broad definition would be a future version of the Internet where the physical world, augmented reality (AR), and virtual reality (VR) come together.

Meta’s vision of the metaverse (at least going by Zuckerberg’s recent keynote introducing Meta) focuses on VR: accessing an immersive digital world via VR headsets like Oculus. 

Other companies, such as Niantic, creators of Pokémon Go, are leaning towards a more AR-centered version of the metaverse. Here, digital objects would overlay the physical word, and be accessible via smartglasses like Google Glass or by using standard smartphones. 

What’s the point of the metaverse?

All of this sounds very cool and science-fictiony — but what can one actually do with the metaverse? The proposed use cases are actually pretty diverse:

Training: AR/VR has medical or compliance training applications. It can simulate real-world scenarios, and provide realistic training on state-of-the-art equipment that may not be available locally. 

Teaching: AR/VR can provide students with an immersive learning experience. It can also increase access for students at schools where lab equipment is not readily available or for whom field trips are not feasible.

Entertainment: AR/VR may also be able to enhance live entertainment. For example, sports fans at stadiums might use the technology to see real-time statistics superimposed over their view of the event, or use graphical overlays that help them make sense of what’s happening on the field of play.

Gaming: Immersive video games are another possible use of the technology. This one is already in use. AR tech can turn the real world into a massive online game (think Pokémon Go) and VR can provide immersive gaming experiences in a realistic virtual world.

Shopping: Retailers are exploring ways in which AR and VR can make shopping from home more like shopping in an actual store, using the tech to display products and offer suggestions, or even allowing you to “try on” clothes virtually. 

Travel and tourism: There is great potential to use AR and VR to enhance city tours and museum visits, or to make “distance tourism” possible. This runs the gamut from AR-powered information displayed at local attractions and digital renderings of historical figures acting as virtual tour guides all the way through to fully immersive VR tours of faraway places. 

Social applications: Meta spent a good deal of time discussing the potential social applications of AR/VR tech (perhaps unsurprising given the company’s roots in social media). This could mean everything from virtual hangouts with friends to attending public digital art exhibits in virtual space. 

The metaverse and privacy issues

Until recently, the development of the metaverse was limited by several factors: insufficiently advanced AR and VR hardware; not enough high-speed internet in public places; and, frankly, a general lack of interest.

But that’s all changing — and very quickly. 

The newest versions of wearable tech are far better than ever before. 5G networks are starting to cover the globe, offering access to a super-fast internet connection pretty much wherever you go. And of course, the COVID-19 pandemic has accustomed everyone to distance learning, working from home, and meeting with friends and colleagues in virtual spaces. 

So what are the privacy issues that we need to worry about in the metaverse? Here are four of the big ones:

1. Next-level location tracking

   AR tech in public spaces threatens to take location tracking to a whole new level. As Electronic Frontier Foundation (EFF) puts it, “AR is location tracking on steroids”.

   It’s not just that AR glasses will be collecting and transmitting the location data of their owners back to the tech companies. It’s that they may incorporate facial recognition technology, and this can be used to identify random passers-by and collect and transmit their location data back to the developers — or to any law enforcement or government agency that they partner with.

   In effect, this would be a mobile version of the Ring doorbell cam panopticon already found in neighborhoods around the country. Worst case, it could mean the end of location privacy and anonymity in public spaces.

2. Brand new forms of tracking

   In addition to location data, wearable metaverse tech will likely collect forms of data that — up until now — were never collected by tech companies. Both AR and VR technology are likely to use eye-tracking sensors, for example, creating a detailed record of what the user is looking at from moment to moment.

   In addition to biometric data about the wearer, AR systems may be able to generate data about the people around them, by way of digitally analyzing video feeds captured by the device. An ACLU report on the rise of AI-powered surveillance points out that new visual analytics capabilities are beginning to emerge. These include things like body language and emotion recognition detection.

   It’s not clear yet how tech companies and their allies in government could, or would, use this data. But if history is any guide, it’s unlikely that all of this new data is going to be handled in a way that is good for user privacy.

3. Lots of user data to lose

   We’ve talked about the types of data that may be collected, and about how it might be used. But in one sense, the fact that it will be collected at all is also a problem.

   Even assuming that the data collected by metaverse development companies is handled responsibly, they could still lose it all in a data breach. As we’ve seen time and again, tech companies from Facebook to LinkedIn to Venmo just can’t seem to lock down all of the data that they collect. This is one of the main arguments against the practice of mass data collection: It increases the risk that the data will one day be exposed in a breach, even when the people collecting it are doing everything they can to keep it safe.

   In his keynote, Zuckerberg was pretty clear that the metaverse — much like the current Internet — won’t be run by any single company or developer. In one sense, that’s a relief. But it also means that there will be many different metaverse developers, companies, and independent creators collecting user data. It’s unlikely that all of them (or even most of them) will be good at keeping that data secure.

4. No clear business plan

   At the moment, it’s not clear how companies operating in the metaverse will actually turn a profit. In a few cases, such as with immersive gaming, it’s straightforward enough to predict a business model. But it’s a bit harder to imagine how VR hangouts will make money for their developers.

   This is basically the same problem that platforms like Facebook faced back in the early days of social media. Their solution, as we now know, was to collect as much user data as possible in the hopes that they could one day figure out how to monetize it. The strategy turned out to have disastrous consequences for everything from individual privacy to democracy itself. Will metaverse developers adopt the same approach? We don’t know.

   They may simply attempt to shift targeted advertising to virtual space. This would likely necessitate the same type of data collection and user profiling that Facebook and Apple have been sparring over for the past year. But at least it wouldn’t be anything we haven’t had to deal with before. On the other hand, it could turn out to be far worse this time around. You only have to think of Clearview AI, the face recognition startup that was selling its database of illegally scraped biometric data to law enforcement agencies, for an idea of what that might look like.

Learning more

We’re still in the early days of this next iteration of the Internet. As new developments emerge, we’ll definitely be covering them here and on The Checklist. For now, if you’d like to learn more about issues of security and privacy in the metaverse, you may want to check out EFF’s recent virtual panel discussion entitled: At Home with EFF in VR: Privacy and Surveillance in XR.