Why privacy and security are the biggest hurdles to metaverse adoption

Watch the Low-Code/No-Code Summit on-demand sessions to learn how to successfully innovate and achieve efficiencies by upscaling and scaling citizen developers. Watch now.

Hype surrounding the metaverse continues to grow within the big-tech economy. According to Projections from Gartnerby 2026, 25% of the world’s population will log into the metaverse for at least an hour a day – whether it’s to shop, work, attend events or socialize.

However, the array of technologies enabling the metaverse, such as VR, AR, 5G, AI, and blockchain, all raise privacy and data security concerns. A third of developers (33%) believe these are the biggest hurdles the metaverse must overcome, according to a report from Agora.

Another Gartner report says that “75% of all organizations will restructure digital transformation risk and security management as a result of imploding cybersecurity threats, insider activity, and an increase in attack surfaces and vulnerabilities.”

Recent legislation relates to the privacy of personal data. For example, the GDPR gives consumers the ‘right to be forgotten’, requiring companies to be prepared to delete consumer information on request. It also requires private companies to obtain permission from people to store their data. Assisting companies with compliance is a growing business and European regulators have stepped up enforcement measures. As regulations become stricter, organizations seeking leadership in the metaverse must prioritize data privacy and security more than ever before.

Web2 to Web3: The Changing Face of Digital Privacy

While digital privacy on websites is now fairly regulated, the metaverse is still very new and there is no legislation to enforce privacy there. According to Tim Bos, founder and CEO of ShareRing“The outbreak metaverses will be the ones where people can have real experiences that they can’t currently do in the real world.” He added that “a lot of companies are trying to build something with the appeal of Fortnite or Minecraft, but where they can exist outside of playing battle royale games. I haven’t seen anyone crack that puzzle yet. There is also a growing trend in online shopping via the metaverse, but again, they don’t quite understand how to offer more than a simple Web2 site.”

The threat to privacy in Web3 and the metaverse is greater than in Web2, as 20 minutes of virtual reality (VR) use only two million unique data elements. These may include the way you breathe, walk, think, move, or stare. The algorithms map the user’s body language to gain insight. Collecting data in the metaverse is involuntary and continuous, making consent nearly impossible.

Existing data protection frameworks are woefully inadequate to address the privacy implications of these technologies. Research also shows that a machine learning algorithm that gets just five minutes of VR data with all personally identifiable information stripped away could correctly identify a user with an accuracy of 95%. This type of data is not covered by most biometrics laws.

Among the privacy issues in the metaverse are data security and sexual harassment. “I Think That’s The Reason It” [concern about harassment] applies to the metaverse, whatever that means is now in Web2, we clearly misunderstood that,” said Justin Davis, co-founder and CEO of Spectrum Labs. “[Not] in terms of trust and security and content moderation at a particular company, much less at scale across the internet.”

One of the reasons why there are no metaverse-specific privacy regulations yet is that, according to Bos, the global reach of the metaverse spans multiple data privacy regimes. He said that “one of the most considerate digital privacy policies remains the GDPR, as it appears to be the foundation for data privacy. However, it is a moving target as the developers need to consider user traceability as they store information on the blockchain.”

“There’s also the challenge of security when people connect their wallets to the metaverse,” Bos added. “How can they be sure that the metaverse doesn’t have an issue causing users’ previous NFTs to be stolen?”

Adding to these problems, Bos noted, is that “right now almost all metaverse projects are open to everyone. It is currently a virtual ‘free-for-all’. As with the game industry, age and location-based regulations will inevitably be introduced (either voluntarily by the creators or by various governments).”

The nature of the data collected can also affect privacy, security and safety in a Web3 world. It is feared that some of the data collection could be deeply intrusive. Such data will enable what human rights lawyer Brittan Heller has called “biometric psychography.” This refers to “collecting and using biological data to reveal intimate details about a user’s likes, dislikes, likes and interests.” VR experiences don’t just record a user’s outward behavior. Algorithms also record their unconscious emotional responses to specific situations, through characteristics such as pupil dilation or change in facial expression.

Undoubtedly, the metaverse holds tremendous promise for a more connected, immersive world. However, organizations looking to stake their claim in this burgeoning virtual realm must make data privacy and security top priorities as they build out their metaverses.

The mission of VentureBeat is a digital city square for tech decision makers to gain knowledge about transformative business technology and transactions. Discover our briefings.