Metaverse and Privacy

Desde el punto de vista de la privacidad, el uso del metaverso puede ser muy intrusivo, ya que el conjunto de datos que se tratan aumenta de forma exponencial.  Cualquier entorno virtual está plenamente datificado desde su diseño y permite tratar un espectro más amplio de información relativa a actividades humanas.

 

Photo from julien Tromeur Unsplash

Metaverses aim to extend the social networking experience far beyond the visual aspect or 3D graphics. The metaverse engages the user in multiple dimensions, such as social, economic, political or emotional, to the point of virtualizing all aspects of the development of an individual, and extends the data collected to non-verbal and biometric information. The current collective and technical environment has created the ideal context for its development and expansion, translating human experiences into digital data processing through simulations. However, the processing of this personal data is completely real.


Virtual worlds or metaverses have been present in fiction literature and film for a long time. Until now, social networks were a pale projection of the metaverse onto a linear environment with a limited capacity to penetrate the rest of the dimensions that make up our reality. Today, however, the metaverse is no longer an utopia and progress is being made in its implementation. This is possible thanks to the fact that the critical mass of technologies and social conditions that allow its deployment with options for economic profitability are already available.

On the one hand, the pandemic framework has accelerated the deployment of services, at all levels, on digital platforms. In addition, and what is more important, there has been a giant leap in the penetration of these services across all segments of the population, particularly among younger people. Two of these services are critical: those involving social interaction, and the mass acceptance of digital means of payment

  • On the other hand, the set of technologies that make it possible to deploy a virtual life are already mature, and among them we find:
  • Virtual reality (VR), augmented reality (AR) and mixed reality (MR) technologies, or extended reality (XR) as a whole.
  • Virtual currencies, cryptocurrencies and tokens, with an enabling ecosystem.
  • Digital identity techniques.
  • Digital entity techniques or avatars, and their realistic interaction projecting users' movements and facial expressions.
  • NFTs (non-fungible tokens), which are digital assets: stocks, art, games, tickets for digital events, property, land...
  • The Internet of Things, IoT, wearables (glasses, helmets, haptic gloves, joysticks, smart watches, sensors, etc.) and neural interfaces (Brain-Computer Interfaces, BCI), as sources of information for physical-virtual interaction, allowing the processing of biometric characteristics.
  • Artificial Intelligence (AI), essential for responding to real-world behavior, enabling intelligent interaction between users and avatars, and decision making and profiling.
  •  Distributed and decentralized data network infrastructure such as blockchain, 5G, cloud or edge computing.

They all enable immersive interaction in virtual spaces, giving the user a social experience, a digital identity and ownership of assets with an exchange market. The applications are infinite, as many as human activities and beyond: digital product markets, decentralization of finance, elimination of intermediaries, gaming, education, work, social interaction, design and simulation, health, digital land purchase, etc.

These are not theories or futures, but there are already well-known companies with deployed projects or entrepreneurial initiatives in the metaverse: PWC has virtual meeting services and has acquired virtual land, Adidas has designed NFTs, Warner Music plans virtual concerts, HSBC bank has acquired digital land for virtual offices, Epic Games and Lego have partnered to create a metaverse for children, Mastercard has applied for several patents related to NFTs and the metaverse, Barbados is opening a virtual diplomatic embassy, etc...

The metaverse is designed to be interoperable, borderless, persistent, and scalable. There is currently only one metaverse project, but there are already several platforms within it. These platforms are defined in a finite way, such as: Second Life, The Sandbox, Decentraland, Cryptoboxes, Somnium Space or Horizon Worlds.

Extrapolating from the techniques of cryptocurrencies, tokens and NFTs, they rely on cryptographic systems to create digital but limited assets, which will allow speculation. As has happened in the past with other technological initiatives, entry into the metaverse market may produce an uncontrolled race to be part of it, an impulse based more on FOMO (Fear Of Missing Out) syndrome than on rational evaluations.

From a privacy point of view, the use of the metaverse can be very intrusive as the set of data processed in this environment increases exponentially.  Any virtual environment is by design fully data-enabled and allows for a broader spectrum of information related to human activities to be processed.

In particular, it may involve new categories of data with greater granularity and precision. For example, the diversity of biometric data collected is increasing through wearables or neural interfaces, but what is more interesting is the information being sought from these biometric data. VR glasses extract information from iris variations, and remotes that interface with the metaverse reveal postural changes, allowing analysis of emotional response.

The analysis of the relative position of avatars in a virtual world allows for automatic proxemic analysis, i.e. the study of the organization of space in non-verbal linguistic communication. Reaction times and forms of reaction allow the biomechanical study of the individual, and so on.

All this, together with neural interfaces, allows knowing and profiling the individual to levels not previously known in social networks. Moreover, this information flows in two directions, from the individual to the environment, and from the environment to the individual. In the latter case, the projection of small bodily variations will be translated into the avatars of the people with whom one interacts in the virtual world, revealing information in an undesired way that can even be exploited by automatic means. And of course, novel neuromarketing techniques could be employed with great precision.

All the technologies that make up the metaverse environment (social networks, AI, IoT, neural interfaces, etc.) have their own privacy risks that need to be managed.  But, in addition, the joint application of all these technologies can lead to individual and societal effects that generate risks to rights and freedoms on a scale that is difficult to estimate a priori.

In the metaverse, the user experiences events in the virtual world as if it were the real world and will face all sorts of privacy risks. For example, mass surveillance, discrimination, loss of autonomy, fraud or identity theft. Even the use of personal data, through vulnerabilities in wearable devices, or in the virtual environment itself, could pose real physical risks to the health of the users who handle them.

An important aspect to bear in mind is the development of metaverses on technologies that aim to replace real-world regulatory and governance mechanisms with automatically executed rules, as has already happened in certain cryptocurrencies on blockchain. In other words, the possibility of displacing humans in the process of applying rules and law, and replacing them with algorithms that make decisions in a virtual environment.

The "laws" of the metaverse will have to be contrasted not only with the GDPR, but also with the new regulatory proposals in the EU, the Digital Services Act, the Data Act, the Digital Markets Act, the Data Governance Act, the proposed IA Regulation, etc.

Finally, all this mass data processing must be in compliance with the GDPR, and it is necessary to take into account:

  • Mechanisms to minimize the data collected by wearable devices themselves and by the metaverse.
  • The governance mechanisms of the metaverse and the establishment of transparent rules for the protection of rights, clearly establishing the roles of those involved and their submission to control bodies.
  • Auditing and transparency, especially in automated decisions in order to avoid abuse, bias, profiling and discrimination.
  • Appropriate management of wearables and devices to protect the data transmitted and stored, considering the possibility of biometric data from which even more personal information can be inferred.
  • Conducting data protection impact assessments, given the number of technologies, some of them novel, that concur in the metaverse and that amplify the risks to rights and freedoms.
  • Ensuring data subjects' rights, including the right to erasure and suppression.
  • Specific privacy-by-design and default safeguards that can be applied to, for example, preserve the privacy of avatars and their digital footprint in the metaverse.
  • Security, especially in terms of availability, resilience and confidentiality of personal data that are part of the processing carried out in the metaverse.
  • And finally, it is of paramount importance to place children at the center of the policies for defining measures and guarantees in the design of virtual environments.

In relation to the above and to encryption and pseudonymization issues, further material can be found on the AEPD's Innovation and Technology page, in particular:
•    A Guide to Privacy by Design
•    GDPR compliance of processings that embed Artificial Intelligence. An introduction
•    Risk Management and Impact Assessment in the Processing of Personal Data
•    Anonymisation and Pseudonimization
•    Encryption and privacy
•    IoT (II): from the internet of things to the internet of bodies