I can remember my first steps in the metaverse.
After ensuring it had a snug fit on my face, I turned on my virtual reality headset and stepped into the metaverse. I was first tasked with designing my avatar, a representation of myself that would be presented to the rest of the virtual world. Should I base it on my real looks? I already made conscious decisions to obscure my identity; I displayed only my first name above my avatar and limited the visibility of my profile to only people I connected with. Despite urges to perform an entirely painless cosmetic transformation, if I was going to participate in the metaverse, it seemed only proper to make my avatar look like me. So, I added blonde hair and a ginger beard to my avatar and considered it complete. Next, I loaded Beat Saber, a virtual reality video game I had always wanted to try, and started slashing away at the blocks coming towards me in what can only be described as dancing, albeit poorly.
Beat Saber was used in a recent study to determine that an individual could be correctly identified with 94.33% accuracy out of a data set of 50,000 by analyzing just 100 seconds of head and hand motion data. If my biomechanical dance patterns could almost certainly identify me, what other privacy concerns were waiting for me?
What exactly is the metaverse?
The origin of the term metaverse can be traced to Neal Stephenson's 1992 novel "Snow Crash," in which denizens of the dystopian world use their avatars to connect with and entertain each other in the virtual world. Seen as a respite from an otherwise bleak and difficult life, the virtual world also carried many of the same social politics of the real world, like classism and social stigmas.
Typically, a metaverse is described as a persistent virtual world where users can perform many of the same actions as they do in real society, like dressing up, buying virtual goods and property, and communicating with others. It is frequently characterized as the next iteration of the internet. Access is often granted through extended reality headsets and peripherals, though this is not a requirement to be considered a metaverse. Much of the draw to participating comes from doing things in the virtual world that one cannot, or cannot easily, do in the real world. Thus, a common theme of escapism permeates each implementation.
The popularity of the term has exploded in tandem with the growth and maturity of XR technologies. XR is the catch-all term for the technology that surrounds access to the metaverse as well as related technological-environmental developments. There are three types of XR:
- Virtual reality: A fully digital environment that encompasses the user's view and does not implement their physical environment.
- Augmented reality: A combination of the user's physical environment with an overlay of digital information.
- Mixed reality: Like augmented reality, except the physical and digital environments are able to communicate with one another.
Players in the metaverse
Many consider the first consequential metaverse to have materialized in 2003 with the release of Second Life (SL). SL is an online multimedia universe — its developers refrain from calling it a video game — where users create avatars and participate in the SL world primarily by socializing with other residents and buying virtual assets using virtual currency, which can be exchanged with real-world currency. Compared to a traditional video game, where content is created by a team of developers, content in SL is made by its users. It is played like a typical video game, however, and does not require the use of XR technology. The freedom and artistic expression afforded to residents of SL is perhaps its biggest draw. Not only are they free to create and trade almost any kind of virtual asset they can come up with, but they are also able to present themselves in virtually any manner. Despite being around for 20 years, SL still has an estimated active daily user count of more than 27,000. Its staying power is a testament to the draw of a metaverse, especially one that puts the bulk of the power in its users' hands.
Other popular metaverse platforms include:
- Roblox: A free online game and game creation platform popular with children that allows users to buy virtual outfits, weapons, and animations for their avatar, interact with other players and view digital representations of real-world products. It had more than 66 million daily active users in the first quarter of 2023.
- Fortnite: Another wildly popular online video game, especially with children, that has shifted into a metaverse-like experience via in-game promotional material and numerous entertainment franchise tie-ins.
- Decentraland: A 3D virtual world that uses blockchain technology and is compatible with XR technology. It is similar to SL, where players can buy and sell virtual goods, including plots of land, in the form of NFTs. A plot of digital land was sold for almost USD2.5 million in 2021.
Of course, much of the current discussion about the metaverse has centered around the capital-M Metaverse. In October 2021, Facebook announced it was rebranding to Meta, with all of its offered products and services falling under this new umbrella and XR research and development under the Reality Labs company division. In his Founder's Letter, Mark Zuckerberg hailed the metaverse as "the next chapter" of the internet and, in turn, the company. He emphasized the social benefits of such technology, where holograms "designed by creators around the world" would replace physical objects like TVs and board games, and allow you to "teleport instantly (to) the office without a commute." Both statements have seemingly aged poorly now that Meta has recently put additional restrictions on creators and called for workers to return to the office. Importantly, access to the Metaverse is afforded only through Meta's XR headsets.
Almost immediately, Meta faced criticism. Initial reactions regarded the rebranding as a move to co-opt and establish legitimacy in an area that the company had seemingly bought its way into through the purchase of VR companies like Oculus, Beat Games (developer of Beat Saber) and Within, the last of which drew ire from the U.S. Federal Trade Commission. The company was further criticized in late 2022 for the graphical fidelity of Horizon Worlds, its flagship metaverse experience, due to the avatars' lifeless appearances and lack of legs (an accidental reference to "Snow Crash," wherein people are stigmatized based on the quality of their avatars). By the end of 2022, Horizon Worlds had a monthly active user base of fewer than 200,000, far below the projection of 500,000 that Meta set at the beginning of the year. Partially as a consequence, Reality Labs lost USD13.7 billion in 2022.
The dichotomy between the user experience in Second Life and Horizon Worlds exemplifies the differing views of the metaverse and XR technology, especially as it relates to privacy. Consider their approaches to designing avatars. In its effort to put the ultimate power of creation in the hands of its users, SL empowers them to create whatever kind of avatar they choose, whether it be a recreation of their own likeness or something as outlandish as a cartoon pig standing on two legs. With Horizon Worlds, the implication is that avatars resemble their users since the primary goal is to emulate real-life social connection. For example, Meta's higher-end headset, the Quest Pro, utilizes its array of sensors to provide realistic face and body movements to make social interactions more meaningful and realistic. Whereas SL developed its metaverse as a place to escape, Meta developed it as an extension of the user's real life. This is especially clear in the delineations of their products: Meta defines the metaverse as "the next evolution in social connection" to get you "even closer to that feeling of being together in person," while SL says its users should "expect the unexpected" and that its world is "an inclusive haven of self-expression."
Privacy concerns
Any system that tracks a multitude of biometric data points, as XR technologies do, has a wide privacy risk landscape. Body movement data can provide a remarkably potent source of information about an individual. Studies have linked body movement to medical health diagnoses, such as ADHD and autism, facial movement to task performance and eye movement to sexual orientation. One study was able to predict the levels of fitness, visual deficiencies and demographic characteristics of 50 participants with at least 80% accuracy and reported disabilities with 100% accuracy. Besides the aforementioned Beat Saber study, another identified users with over 95% accuracy using just five minutes of their motion data. Any unauthorized collection and/or subsequent use of this data could lead to severe individual privacy violations.
A user's biometric data is not the only sensitive data XR devices may collect. For many devices to work properly, they are required to scan your surroundings and make a virtual map of your location. With some forms of AR or MR, a camera might be used to capture raw images of your surroundings. It raises fundamental questions of privacy in the home: are users comfortable with having a camera and other sensors capture information about their private domicile, especially if it captures previously undisclosed sensitive information?
There are privacy concerns to consider outside of the home too. In a public setting, unwitting bystanders within the XR environment could potentially be a part of the XR data processing. While there is little expectation of privacy in public, XR users and developers alike will have to reconcile with a system that has the power to process data about others, with abundant issues of transparency and consent.
In general, data privacy concerns should be on the minds of any privacy pro dealing with XR technology. Since XR sensors collect so much data to function properly, it's difficult for them to align with general data minimization principles. Knowing how much data is collected, where it's going and how it's processed is key, especially considering much of this data may be considered personally identifiable. Meta has taken steps in this area: raw eye and facial tracking images are processed on the headset itself and deleted when finished, though abstracted versions of the data may be sent to Meta servers for processing. Notably, abstracted data used by third-party apps is subject to the third party's own privacy policy.
Metaverse platforms also present an additional advertising channel for businesses. Companies such as Nike, Adidas and Under Armour have all started using metaverse platforms to market their products and create unique experiences. Fortnite has hosted movie nights and movie trailer debuts, replete with interactive elements such as voice chat and tomato-throwing. Being able to craft such interactive experiences blurs the line between marketing and entertainment, raising ethical concerns.
This kind of marketing and advertising also presents privacy questions. Take the motion and facial data captured by XR devices, for example. If a user chooses not to disclose some demographic attribute of theirs, yet the abstracted data can be used to infer with high accuracy said attribute via some algorithm, is it okay to advertise based on that inference? Or, more simply, are advertisers allowed to base the content of their ads on an avatar's appearance?
The metaverse is a "melting pot of various privacy regimes," so the scope of relevant regulation is broad. XR developers and data processors will be forced to contend with major data and privacy protection laws, especially if their metaverse is accessible by users in multiple jurisdictions. With data transfer issues dominating privacy headlines as of late, privacy professionals may be left with full plates when determining whether or not they're in compliance.
Privacy protections in these interactive environments are not just about meeting regulatory requirements or appealing to potential customers. Users who feel marginalized in real-world communities commonly turn to the internet for safety and support. For example, many people in the LGBTQ+ communities use platforms like Second Life because they are free to express themselves however they want, with others who can do the same. Privacy concerns viewed through this lens help us understand the field in a broader sense too. At a time when these communities feel particularly threatened, the value of these platforms cannot be overstated. To this end, XR and metaverse developers need to embed a framework of trust into their products as development continues. Being transparent about what data is collected, how it is processed and with whom it is shared will go a long way.
Children's privacy concerns
Children's privacy in the metaverse is particularly sensitive since services used by kids and teens often face additional compliance burdens — as Fortnite developer Epic Games found out recently. Children's privacy regulation has increasingly broadened in scope to services that children could reasonably access. This can be seen in:
- The Children's Online Privacy Protection Rule applies to operators of online websites and services with "actual knowledge that they are collecting personal information online from a child under 13 years of age."
- The U.K. Information Commissioner's Office Age Appropriate Design Code applies to "information society services likely to be accessed by children."
- The California Age-Appropriate Design Code Act applies to any business subject to the CPRA that provides an online service "likely to be accessed by children" or "routinely accessed by a significant number of children."
Not all lawmakers are thrilled with the idea of expanding metaverse access to children. In February, Meta announced its plan to allow users aged 13-17 in the U.S. and Canada to use Horizon Worlds, and, despite terse feedback from U.S. senators, went ahead anyway.
Since virtually all metaverse platforms can be, at minimum, reasonably accessed by children, service providers in this domain will have to take special care to ensure they follow applicable regulations.
Reports of my death have been greatly exaggerated
XR technologies and metaverses are not dead. There is a narrative that the high point for the metaverse was the dramatic rollout of Meta's metaverse. Despite its financial losses, Meta is staying the course. Notably, recent significant layoffs did not impact resourcing in Meta's Reality Labs division. Besides, Meta is not the only player in the XR and metaverse game. In addition to all the aforementioned products, Apple has recently tossed its hat into the ring with the Apple Vision Pro. This upcoming AR headset blends digital content with the physical world while maintaining contact with the user's physical space. Privacy was center stage during the initial presentation of the product. Apple promised eye tracking information will never be shared with anyone — including Apple itself — and data from the camera and other sensors never leaves the device.
This space presents exciting prospects for privacy pros as well. Innovative technology requires innovative solutions, and implementing emerging privacy-enhancing technologies will play a big role in ensuring privacy protections are achieved. Emerging PETs, like differential privacy and multiparty computation, maintain data utility while preserving privacy. Meta already implemented this technology in its ad platform, so further implementation in its XR products is likely. Additionally, the metaverse provides a novel avenue for creating privacy content, like privacy disclosures and consent mechanisms.
My exploring — and dancing in — the metaverse was a reminder of the important role privacy protections play in our day-to-day lives. The technology can potentially be used for some amazing transformative and prosaic things but can also cause severe harm. Privacy pros have an opportunity to help develop this burgeoning technology with privacy and privacy-enhancing practices integrated from the start rather than down the road.