The metaverse will bring many benefits, but is also likely to multiply and complicate privacy issues, especially given its global nature.
With the advent of the commercial internet in the 1990s, organizations were increasingly able to track users’ clicks and searches to gather information about their preferences, interests, and purchasing habits. Mobile technology has not only added accurate location tracking, but has also enabled the integration of smartphones into nearly every life activity, giving organizations deeper insights into users’ identities.
The metaverse will take us further down this path, enabling tracking of human bodies and even ideas, especially when users develop deep relationships with digital avatars. Whether through virtual reality (VR) or augmented reality (AR) — known together as extended reality (XR) — the metaverse will increase the type and volume of data that organizations collect, as well as change the way it is processed and shared across domains and borders. This will raise a host of privacy issues that we are just beginning to appreciate.
Data types and size
In his last book Metaverse: And how it will revolutionize everythingMatthew Paul defines the metaverse as:
“A large-scale, interoperable network of 3D virtual worlds rendered in real time that can be experienced simultaneously and continuously by an unlimited number of users with a single sense of presence and with data continuity, such as identity, history, entitlements, objects, communications and payments.”
Much of the activity that takes place in this universe is based on XR technologies that enable 3D experiences. Researchers estimate that XR apps produce one terabyte of data per hour, which is the equivalent of 200,000 songs stored in a digital playlist. To convincingly render a scene, the VR headset tracks dozens of different types of movements at a rate of 90 times per second.
While online companies monitor browsing and search history, operators in the metaverse will track our bodies themselves. Immersive technologies monitor human physiology, including eyeball movement, point of view, facial expressions, voice, and heart rate. They also note a wide range of physical actions, including head and body movements, walking, walking, and standing. They can track emotions through expression recognition techniques and neural activity using brain-computer interfaces.
Furthermore, XR Environments uses acoustic, visual and inertial sensors to detect the position of the user or device in relation to their surroundings. This often includes collecting data on non-participants, passive bystanders who happen to be within range of the system’s sensors.
Operators that track physiological, mental, and biometric data are subject to laws governing the collection, use, and sharing of sensitive and biometric data. Includes the European General Data Protection Regulation; state privacy regulations in California, Colorado, Connecticut, Utah, and Virginia; and biometric privacy laws, such as the Illinois Biometric Information Privacy Act.
When the metaverse is used in business, education, or healthcare contexts, operators that collect data of this type will be subject to industry-specific privacy laws, such as the Family Educational Rights and Privacy Act and the Health Insurance Transfer and Accountability Act.
How is the data processed?
Organizations will process data using machine learning algorithms and artificial intelligence techniques to estimate or infer the identities, emotional states, and intentions of their users, as well as predict how they might act in the future. Moreover, AI systems and bots will actively participate in games as well as social media and other communication platforms, raising trust-related challenges. Deepfakes may raise particularly thorny issues.
In recent years, several states have passed advanced laws on automated decision-making, and policymakers in the United States, the European Union, and China are debating the regulation of artificial intelligence. Under these laws, operators and metaverse participants will be subject to new layers of rules, including standards, trust marks, certification frameworks, and audit plans.
How data is shared across domains and borders
One of the defining characteristics of metaverses – what makes them “meta” – is their interoperability. To support a permanent, live, concurrent, and interoperable environment, organizations need standards and frameworks for sharing data across domains and platforms.
As noted, many countries already have laws on data collection, use and sharing, particularly when it comes to personal data – and many new laws are being considered. But laws in different countries may conflict. It can be very difficult or even impossible to determine which national laws apply when people from different locations around the world come together to interact in virtual environments.
Like the Internet, the metaverse does not “reside” in a particular jurisdiction. What country laws take precedence, for example, when a person located in Japan meets another person located in Brazil to interact in a virtual coffee shop owned by a US company that uses servers located in India?
The Internet, a relatively static environment, is already raising a myriad of questions about jurisdiction and choice of law. The metaverse – where avatars roam interconnected, ever-operating digital spaces with no physical or logical boundaries – will multiply and multiply.
The hype surrounding the metaverse is also linked to its technological lineage, the blockchain. While conceptually separate, the metaverse and the blockchain intersect where ownership issues arise. For example, avatars may appear in tradable forms such as NFTs and carried across platforms and applications through users’ digital wallets. Moreover, Web3 champions support decentralized “sovereign self-identity” systems in the metaverse, freed from the control of major platforms and centered by cryptography.
The blockchain of course has its own privacy frictions. For starters, it is designed to maximize transparency, and actions taken on the blockchain are immutable. Anyone can see the history of every transaction made on the blockchain dating back to the launch of the chain. Technically, individuals cannot enforce their right to privacy by deleting personal data stored on the chain or hiding it from public view.
Metaverse offers exciting opportunities to activate online business, trade and play. At the same time, organizations that design products and services in this space will need to abide by the laws and standards that govern sensitive data, biometrics, artificial intelligence, machine learning, and data sharing across platforms and blockchain applications. Whether through top-down government regulation or bottom-up privacy by design, the metaverse is an exciting new field not only for gamers but also for lawyers and policy makers.
 Joseph Jerome and Jeremy Greenberg,”Augmented Reality + Virtual Reality: Considerations for Privacy and Autonomy in Emerging and Immersive Digital Worlds(Future of Privacy Forum, 2021).
#Data #Protection #Metaverse #Avatars #Dream #Privacy #Goodwin