Hype around the metaverse is continuing to grow within the big-tech economy. According to Gartner’s projections, by 2026, 25% of the global population will log onto the metaverse for a least an hour a day — be it to shop, work, attend events or socialize.

However, the array of technologies that enable the metaverse — like VR, AR, 5G, AI and blockchain — all raise issues of privacy and data security. A third of developers (33%) believe these are the biggest hurdles the metaverse has to overcome, according to a report by Agora.  

Another Gartner report says that “75% of all organizations will restructure risk and security governance for digital transformation as a result of imploding cybersecurity threats, insider activity and an increase in attack surfaces and vulnerabilities.”

Recent legislation has addressed the privacy of personal data. For instance, the GDPR gives consumers the “right to be forgotten,” requiring companies to be prepared to remove consumers’ information upon request. It also mandates that private enterprises obtain consent from people to store their data. Assisting companies with compliance is a growing business, and European regulators have moved toward stricter enforcement actions. As regulations become stiffer, organizations eyeing leadership in the metaverse must prioritize data privacy and security more than ever.

Web2 to Web3: The changing face of digital privacy

While digital privacy on websites is now fairly regimented, the metaverse is still very new and there is no legislation in place to enforce privacy there. According to Tim Bos, founder and CEO of ShareRing, “the breakout metaverses will be ones where people can have genuine experiences that they can’t currently do in the real world.” He added that “a lot of companies are trying to build something with the appeal of Fortnite or Minecraft, but where they can exist beyond just playing battle-royale games. I am yet to see anyone crack that puzzle. There’s also a growing trend in online shopping through the metaverse, but once again, they haven’t quite figured out how to offer more than a simple Web2 site.”  

The threat to privacy in Web3 and the metaverse is greater than in Web2, as 20 minutes of virtual reality (VR) use generates some two million unique data elements. These can include the way you breathe, walk, think, move or stare, among many others. The algorithms map the user’s body language to gather insight. Data collection in the metaverse is involuntary and continuous, rendering consent almost impossible.

Existing data protection frameworks are woefully inadequate for dealing with these technologies’ privacy implications. Research also shows that a machine learning algorithm given just five minutes of VR data with all personally identifiable information stripped away could correctly identify a user with 95% accuracy. This type of data isn’t covered by most biometrics laws. 

The metaverse: Still a ‘Wild West’ 

Among the privacy issues in the metaverse are data security and sexual harassment. “I think the reason it [concern about harassment] applies to the metaverse, whatever that even means, is right now in Web2, we clearly haven’t gotten that right,” said Justin Davis, cofounder and CEO of Spectrum Labs. “[Not] in terms of trust and safety and content moderation at any given company, much less at scale across the entire internet.” 

One reason there are no metaverse-specific privacy regulations yet is that the global reach of the metaverse falls across several data privacy regimes, according to Bos. He said that “one of the most considerate policies on digital privacy remains the GDPR, as it seems to be the baseline for data privacy. It’s a moving target though, as the developers need to consider traceability of the user if they’re storing information on the blockchain.”  

“There’s also the challenge of security when people are connecting their wallets to the metaverse,” Bos added. “How can they be sure that the metaverse doesn’t have an issue that will cause users’ previous NFTs to be stolen?”

Further aggravating these problems, Bos noted, is that “right now, nearly all of the metaverse projects are open for everyone. It’s a virtual ‘free-for-all’ at the moment. As with the gaming industry, age- and location-based regulations will inevitably be introduced (either voluntarily by the makers, or by various governments).”   

The nature of the data being gathered may also impact privacy, security and safety in a Web3 world. There are fears that some of the data collection might be deeply invasive. Such data will enable what human rights lawyer Brittan Heller has called “biometric psychography.” This refers to “the gathering and use of biological data to reveal intimate details about a user’s likes, dislikes, preferences and interests.” In VR experiences, it’s not only a user’s outward behavior that is captured. Algorithms also record their subconscious emotional reactions to specific situations, through features such as pupil dilation or change in facial expression.

Undoubtedly, the metaverse offers immense promise for a more connected, immersive world. However, organizations seeking to stake their claim in this nascent virtual realm must make data privacy and security top priorities as they build out their metaverses.