Privacy In The Metaverse Is Uncertain In 2023

Privacy in the Metaverse Needs An Established Standard First

There is no Metaverse. Yet.

First of all, don’t confuse Meta with the Metaverse. Meta is Facebook. The Metaverse is going to be thousands of companies providing virtual reality (VR) and augmented reality (AR) services. We’re not quite at Snow Crash levels yet. In fact, we don’t have a single standard in place.

Will there be big players? Absolutely. Facebook, Microsoft, Google, and all of the tech giants you know today are going to have a big part in the new Metaverse. These are advertising masterminds at work. Ad content, ad volume, and privacy concerns are all just as valid (if not more) as they are today.

And if you think they’re going to risk a "Battle Royale" for all the marbles, you’ve got another thing coming.

All of the big ad agencies are going to slice up the new Metaverse pie. But that means they need a common language. They need a way to translate assets across systems. They need an API.

What, there’s no API yet?! Companies claiming to be selling virtual real estate in the Metaverse are doing so before there’s even a way to make it open and interactive?

Of course, they are. Why worry about things like interoperability, user access, and the realism of supply and demand?

But before any of the above happens, the basic standards of the Metaverse need to be established. This is going to involve the collaboration of hundreds of companies and tens of thousands of individual contributors. The way 3D models are displayed and rigged, the security features up and down the OSI model, health and safety standards for things like force and haptic feedback, and the process for introducing new data and models to the Metaverse… all of these things require skills and resources that no one - or even three - companies have. So those agreements need to happen.

That’s before things like government legislation and censorship get involved, making access a potential region-by-region nightmare. This is another reason why no one company will dominate the Metaverse: Europe, China, and India want their pieces of the pie. Billions of consumers will get their own ‘versions’ of the Metaverse, taking into account language and local preferences and trends. China will prefer companies under government control. India will prefer companies that they have a close partnership with. The EU will demand certain standards that comply with their multinational agreements on everything from encryption to human rights.

How Close Are We To Standards For Privacy In The Metaverse?

Not very. But we’re getting closer to general standards, perhaps.

For example, Pixar’s Universal Scene Description has been embraced by Nvidia as the 3D asset standard for the Metaverse. It already has software support from Blender, Scenekit, Pixologic, and Autodesk 3ds Max. Unreal Engine and Unity have gotten behind it. Unless something major changes, the Metaverse will be a USD platform.

OpenXR seems to be the winner (so far) for VR and AR device interfaces. Microsoft, Oculus, and Valve have all embraced it. And since they have some of the most popular VR headsets on the planet right now, it would take a fairly huge market shift to imagine a competing protocol winning.

But that’s it. At the time of writing, nothing else about the Metaverse is even close to being established. Other frameworks, APIs, and agreements are theoretical at best.

That means privacy in the Metaverse is two or three monumentally large steps removed from current reality. Certainly, core design should keep privacy matters in mind. As well as parental control, mental health issues, and accessibility features. But these subjects can only be spoken about in the broadest of terms until more concrete decisions are made about the underlying technology.

Steps are being taken in that direction...

The Metaverse Standards Forum (MSF) was founded in June 2022 as an independent non-profit industry consortium with the mission to "foster the development of interoperability standards for an open and inclusive metaverse."

The first working groups are looking at a Metaverse Standards Register, 3D Asset Interoperability, Real/Virtual World Integration, and Asset Management...

The sexy stuff. Privacy has yet to be mentioned. But it's a start.

Current Privacy Options For The Future Metaverse

Things such as E-mail addresses will likely continue to exist in a post-Metaverse world. But will they be used as a means of ‘identification’ as they are today?

If so, all of the same options that apply to E-mail addresses on the current Internet will apply to the Metaverse. Throwaway addresses will be a thing, and there never needs to be any relationship with real names unless that information is provided voluntarily.

But if present in the Metaverse starts to constitute legal presence in other ways, like trespassing on someone’s ‘property’ and issues like stalking, then a more strict ID system might be required. If Metaverse presence is linked to real identities as a security feature, privacy will go out the window. Anonymity simply won’t exist without getting a fake ID made in real life.

Similarly, fingerprinting someone’s network stream will be utterly trivial if external sites have full access to everything from hardware profiles to biometrics. While tools may come into being that will scramble such data, it will likely interfere with the proper functioning of the Metaverse for that user.

That’s a common theme in the areas of VR and AR. Safety thresholds are maintained by looking at heart rate, and potentially brain activity. Aspects such as height and weight matter to the kind of gear being used. Optical statistics such as eye distance and inset matter as well. These are all additional pieces of information that can be used to narrow down someone’s identity.

These, at least, are concrete examples of things to worry about in regards to privacy in the Metaverse. Sharing this information with an insurance carrier, for example, might result in premiums going up if they think you fall into a high-risk category.

There’s also the risk of prejudice, either individual or systematic. Software designed to scan or monitor your face has been known to have certain racial biases. Racial discrimination in facial recognition tech is a known issue. And even if the skin itself isn’t being scanned, expression tracking might pick up certain bone structures, nose topology, and cheek features that could be used to racially profile someone. These, too, are known issues with current tech.

So full participation in the Metaverse must be designed with anonymity in mind. Certain data points, even if required locally to calibrate and set up hardware and software, should never be shared with the outside world unless there is expressed permission.

In short: Until we know more about the structure of the Metaverse, all we can do is learn from our current mistakes and limitations.

If you need a reminder as to why anonymity is worth protecting as we venture into new realms of the digital era, read: Online Anonymity is Important. Here's How to Protect it.