Overview
Humanity has been attempting to escape reality ever since the internet was invented. Every new technological advancement brings a new method for disengaging from physical ties and briefly entering the virtual space. The distinction between the real world and the digital one seems to get fuzzier every day as the metaverse nears realization. Moreover, the Metaverse is being touted around the globe as the internet of tomorrow.
The Metaverse embodies the ability to offer interactive and immersive experiences. This paper helps us understand what the metaverse is capable of and why there is a need for tougher privacy and data protection regulations. Right now, privacy jurisprudence is riddled with gaps and the law is unable to keep up with technological change. These laws need to be revamped to fill the gaps that would only widen once the metaverse actualizes.
Target Audience
This whitepaper aims to be useful for senior and mid-senior IT management, program managers and compliance leaders who want to understand what the metaverse is, how it can negatively impact privacy, how businesses should better prepare themselves and how these privacy risks can be mitigated. It also aims to help a wide array of secondary audiences, such as learners and scholars, who want to understand how privacy is closely connected to the metaverse and why it is an object of concern. This whitepaper contains a detailed view of these aspects for all audiences.
Introduction
Neal Stephenson first used the word "Metaverse" in his 1992 science fiction book Snow Crash, in which readers could manage avatars in a virtual reality setting called the Metaverse. One could communicate and establish connections with other electronic agents via avatars. Many people think that the Metaverse will be the next significant iteration of the internet. Understanding the idea of the Metaverse is important as the world moves into the new digital era. According to experts, the development of the Metaverse in conjunction with AR and VR technologies will continue to open up a wide range of new possibilities and profoundly alter digital economies, working environments and our social experiences.
Problem Statement
With the Draft Digital Personal Data Protection Act 2022 in India in the pipeline and the dawn of the Metaverse on the horizon, it becomes crucial for all stakeholders to take into consideration the need for better privacy frameworks that keep up with emerging technologies. The key issue that the Metaverse brings is its implications for individual privacy. It is essential for regulators to formulate a governance framework to keep the metaverse moderated.
Structure
This whitepaper covers the following aspects:
Understanding the Metaverse
Laws Governing Metaverse
Implications on Privacy
Security Concerns in the Metaverse
Key Considerations for Organizations
Conclusion
UNDERSTANDING THE METAVERSE
According to Facebook, “The metaverse will feel like a hybrid of today’s online social experiences, sometimes expanded into three dimensions or projected into the physical world. It will let you share immersive experiences with other people even when you can’t be together – and do things together you couldn’t do in the physical world.” The capacity of the Metaverse is aided and improved through the use of AR and VR technologies.
Virtual Reality is a 3-dimensional digital environment where people communicate and interact using avatars. This is enabled through features like interactivity (the virtual world is accessible remotely and simultaneously by many users) and persistency (programs continue to run whether anyone is using them or not).
Augmented Reality is "a computer-generated mix of images, movies, or text" that combines the physical environment and the digital one through the presentation of multimedia content and storylines. It is a virtual mirror of the physical environment that has been enhanced with information. Google Earth, which mimics a web-based earth, is an illustration of this technology.
The Metaverse is no longer a concept and is gaining more traction with each passing day. But there is still no agreement or clarity over what this new digital capability entails or how it should develop in terms of governance. Given this seeming inevitability, it is imperative that laws surrounding privacy and data protection include provisions that deal with the need for security and privacy standards to aid the protection of privacy rights in the age of the metaverse.
LAWS GOVERNING METAVERSE
1. GENERAL DATA PROTECTION REGULATION 2018
The GDPR creates a system of protection by design and by default which must be applied to all data processing and, by extension, to all technologies that handle personal data. The current EU law should serve as the foundation for solving the majority of the privacy protection issues that the metaverse will uncover, with adjustments being made as the technology involved and the metaverses themselves advance. The GDPR needs to be modified in order to successfully govern the metaverse. For example, if a data breach results in the loss of cryptocurrency, there must be more accountability for metaverse owners and third-party service providers like crypto platforms, so that users can transact securely.
2. EU'S DIGITAL SERVICES ACT 2022
Proposed by the European Commission, this law aims to increase user openness and safety in online settings while simultaneously enabling the expansion of innovative digital enterprises. The DSA's key component, introducing responsibility and security obligations for digital platforms, raises questions about how to strike a balance between assuring content moderation, data exchange and use. In order to verify that the collection and processing of biometric data in the Metaverse complies with EU requirements, the DSA would be used in conjunction with the GDPR. Given the great opportunities for targeted advertising created by the aforementioned gathering of biometric data, the DSA will play a critical role.
3. EU'S PROPOSED AI REGULATIONS 2021
The European Commission has released a proposal for an AI Regulation. Many human interactions in the Metaverse may be made possible by artificial intelligence. Some AI-related technologies would be outlawed, and both AI providers and consumers would have to abide by new regulations relating to high-risk AI systems as well as transparency requirements. Stakeholders can anticipate having to abide by these kinds of regulatory standards in the future if much of the human/system interaction within the Metaverse is automated and powered by AI.
MITIGATING THE IMPACT
The legal issues surrounding cybersecurity and privacy in the metaverse are comparable to those raised by the internet, which in turn reflect societal issues. Experts predict that the metaverse's distinctive infrastructure will lead to the emergence of completely new types of cybercrime.
Everyone wants to be a part of the metaverse, which is no longer just an idea. Before consumers and platform owners can be confident that they won't be held accountable for facilitating security breaches or housing cyber criminals, these are some of the questions that need to be addressed.
IMPLICATIONS ON PRIVACY
Large Amounts of Personal Data
The metaverse opens up a vast new scale of data tracking via cameras and sensors that continuously record user motions and can track body movements 90 times per second. After 20 minutes in a VR simulation, roughly 2 million distinct body language recordings are left behind. Data gathered from pupil dilation and eye tracking may point to more delicate categories of information, including personality traits, cultural affinity, abilities, preferences and dislikes. Platforms will market these consumer profiles to businesses, and since there are currently no statutory limitations on that, the metaverse will be filled with privacy violations.
Changing Idea of Consent
Getting fair, informed consent from users over their data will be challenging. Businesses may manage extremely sensitive data improperly even with consent, particularly when they work to incorporate third parties, services and developers into their metaverse platforms. Users will have to expressly consent to the gathering and usage of their data while interacting with the metaverse. However, some of the collection and processing would be required for the metaverse to function. Here, consent would not be strictly required, and this could open the door to the collection and processing of a significant amount of personal data without the user's actual knowledge or consent.
Collection of Biometric Data
The technologies for accessing the Metaverse may be able to collect new types of biometric data that are not taken into account by the GDPR, such as information related to users' neuronal activity, which existing technologies have so far not been able to collect and which has therefore been excluded from data protection regulations. Users' routines, pursuits and decisions can be deduced by observing relationships and social interactions in the metaverse.
Risk of Anonymity
Online anonymity has frequently been blamed for wrongdoings and incivility. It is often assumed by the general public that by eliminating online anonymity, inclusive and safe online public places can be created. This is because identity theft, phishing scams and other crimes have been known to target virtual identities and avatars. Rather than concentrating on providing complete anonymity, programmers and consortiums building their Metaverses should instead focus on mitigating privacy hazards.
Processing
Issues like reasonableness and minimalism of processing will be difficult to handle given the enormous amount of personal data that will be available for processing via the metaverse. Additionally, cybercrime issues like unauthorized data mining and identity theft could and probably will appear in the metaverse. The issue then becomes whether national regulators and governments are prepared for and able to handle the problems mentioned above.
SECURITY CONCERNS IN THE METAVERSE
Under every data protection law, privacy has always been closely associated with security. In the GDPR, Article 32 lays down the importance of security of processing of personal data and introduces the concept of "technical and organizational measures" that must be taken by Data Controllers in order to ensure that users' data is safeguarded throughout its entire lifecycle during processing.
Similarly, the newly introduced Indian Digital Personal Data Protection Bill 2022 lays down the importance of reasonable security safeguards that must be followed by Data Controllers and Data Processors. Hence, it is pivotal to look at the challenges in the domain of cybersecurity that would arise due to the presence and growth of the Metaverse.
Vulnerabilities of AR/VR Devices
A lot of processing of personal data and sensitive personal data would happen at the user endpoints, i.e., the VR/AR headsets used by users to communicate in the Metaverse. Such headsets will act as a one-stop data collection point for sensitive user data like location, financial information, avatar details, biometrics, user identification data, login credentials, etc. Therefore, such AR/VR devices are prone to a higher number of vulnerabilities and are exposed to unauthorized access and loss of users' sensitive personal data.
VR malware and ransomware that enables hackers to record the headset screen and any communication done via the device, collect such data, corrupt work instructions or disrupt operation is another vulnerability that would lead to a risk of loss of personal data.
AR devices have an option to track users' iris patterns, which can also be stolen by a hacker. With the wider ambit of user data that is collected through such devices, device vulnerabilities can make them a lucrative hacking target.
Platform Vulnerabilities
Metaverse platforms like gaming applications and NFT platforms have to be built with sufficient security deliberation during their design, testing and development phases to ensure that they are free from any malicious code or design flaws that could have a deteriorating impact on the rights of users.
Privacy by Design has to be embedded within the Software Development Lifecycle of the platform, with security measures like multi-factor authentication or two-factor authentication that secure the platform and protect digital assets from being stolen or facing unauthorized and malicious access that can compromise user accounts.
Security of User Interaction
User interaction will be one of the cornerstones of the metaverse, with users communicating virtually via their AR/VR headsets. This happens today with metaverse-like applications and gaming platforms. This type of interaction can open doors to new threats that exploit cyberspace to forge fake identities, or to malicious activities that pose a threat to users.
Security standards have to be ensured within the platforms so that user interaction is secure and users are not faced with bullying, harassment, cyber-crimes, etc. This can be done by establishing moderation of speech that protects the safety of users.
Lack of Global Regulation
Laws and regulations would need to evolve to govern the metaverse. To begin with, current laws like the EU GDPR and national laws on privacy and security should append minimal provisions to guarantee that the metaverse ecosystem develops within a sphere governed by security and privacy mandates. In an evolving digitized world, cyber-crimes and nefarious activities will also increase exponentially, and securing the metaverse ecosystem will become pivotal. Specific standards will also need to be developed to govern the use of AI and emerging technologies.
KEY CONSIDERATIONS FOR ORGANIZATIONS
Data Security
Companies must abide by strong security and privacy guidelines. Organizations must adopt privacy by design when creating new technology and evaluate the procedures in place to safeguard users' privacy. Since the Metaverse is being built upon NFTs, scams and fraudulent activity are more likely to emerge in the future surrounding NFTs and blockchain. Data breaches will be pervasive with the use of biometrics, and such data will be at risk without security infrastructure.
Customer Trust
According to research, consumers are more willing to disclose data if they believe that a corporation would use it for their benefit. Hence, businesses should incorporate privacy and data security into their products and services from the start. This entails being aware of the personal data they require, only gathering it when they have a legitimate business need, discarding it when that need is met, and protecting the personal data they already have.
Ensuring Safety
In quest of better opportunities, criminal activity has historically tended to gravitate toward newer technologies. Already, there are reports of scams in NFT transactions, fraud involving Ethereum addresses, sexual harassment in VR and several other types of abuse. While it’s always exciting to be in at the start of things, the disruptive potential of the metaverse is huge and cannot be overlooked. In this light, it is important for organizations to establish stringent policies and rules.
Improving Consent Mechanisms
This is a crucial step to make sure industry standards are clearly defined for everyone who participates in the metaverse, and to ensure applicability and consistency in this new context, because consent is the pillar of privacy. These standards could be based on the amount of data collected, how it is shared with third parties, and how to ensure that adequate consent has been obtained.
Incorporating Transparency
Notify users when they engage with AI. AI bots must be clearly identified in order for users to know with whom they are sharing their data. By being open about how data is utilized, and even by paying users for providing their data, the metaverse might avoid the pitfalls of Web 2.0 enterprises.
Self-Regulation
Organizations incorporating the metaverse should have strict data privacy and security policies regulating the use of personal information. Users should be mindful of the amount of personal information they are willing to share when signing compliance policies. Practices like adopting VPNs, antivirus software and phishing protection become significant. Self-regulation becomes pivotal in the absence of global laws governing the metaverse.
CONCLUSION
Data privacy and security have always been a concern for users and organisations worldwide. Amidst the emergence of the metaverse, which is proving to be a revolution in technology, several hazards to data privacy are lurking. The Metaverse opens up a Pandora's box of privacy and security violations because of the enormous possibility of collecting various types of data, such as social interactions, eye movements and physical movements, that can build a better picture of a user. The current laws do not recognise digital avatars, and this leads to challenges like attribution of identity and jurisdiction to litigate. The anonymity of users also presents challenges for governance. Although the GDPR has laid a foundation stone for privacy in the metaverse, certain definitions need to be updated to keep pace with technological innovations; the EU has also proposed AI regulation, which will pose challenges to many bots and services powered by AI. A globally consistent, enforceable privacy standard is the need of the hour. Not just policy: governments need to invest in the capability to investigate and enforce these standards in a timely manner.
Akarsh Singh (CEO & Founder, Tsaaro)
Akarsh is a CIPP/E, CIPM, CIPT, Fellow in Information Privacy by IAPP, and an IAPP Advisory Board Member. His expertise lies in Data Privacy and Information Security Compliance.
Poojan Bulani (Data Privacy Consultant, Tsaaro)
Krithi Shetty (Data Privacy Consultant, Tsaaro)