
The privacy perils of the Metaverse

A recently released report from New York University claims that the Metaverse, an all-in-one virtual online space, poses a potentially major risk to user privacy. This is because headsets and other similar devices can collect an incredible amount of personal, physical and biometric information. The user isn’t always aware of the collection, or how it could be used in ways they don’t expect.

It’s worth asking at this point: what is the Metaverse?

Most folks would think of Mark Zuckerberg and Meta, with a virtual reality headset thrown in for good measure. Others may associate it with “game hub” style online places for meeting other people, experienced only on their computer screens. For some, mobile devices making use of augmented or mixed reality will be their first association.

The truth is that “Metaverse” can incorporate any or all of these different aspects. While some people hope for a world of entirely connected systems, the reality is that this is not going to happen for a very long time and may not happen at all. In fact, the Metaverse overall is not in the most robust of health, with proclamations of its demise across the web.

While it continues to struggle on, it’s still worth considering some of the potential privacy pitfalls waiting for any curious users. A good chunk of these come from the gaming space, and in particular advergaming (the art of displaying targeted adverts inside of virtual realms).

When playing a virtual reality game, the headset is an important part of gameplay. It typically contains several cameras (pointing both in and out), along with various sensors and microphones. These tools all help to track eye movements, interact with the digitally realised space around the user, and assist the game to keep track of what the player is doing.

While this is generally fine for an offline game with no data being sent elsewhere, once additional first or third-party systems are introduced this can become a risk. Is an ad network layered across the game? How does the network serve targeted ads? What is it tracking? Is player data sent to the advertisers, or does the game provider start building up a profile for non-gaming purposes? Is any of this disclosed?

This is just one basic example. Now consider that all of those eye movements, those motions, those biometrics are also up for grabs in terms of being able to build up pictures of users.

The research notes that Meta’s approach is more about harvesting user data (via profiles) for targeted ads. Apple, meanwhile, shifts its cost toward expensive high-end devices instead of purely advertising. Additionally, Apple does not collect eye-movement data whereas Meta “disclaims responsibility for the data practices of third-party developers with whom the company shares user data”.

Even so, Apple has not yet revealed what it intends to do with face-tracking and body-motion data. The researchers note that the company’s upcoming Vision Pro device does not yet have a detailed privacy policy.

This is just one small consideration of the upcoming data collection landscape where Metaverse is concerned. However, with the downsizing in expectation for these virtual worlds as a whole, these issues may not be as far reaching as they potentially could have been.

The report comes with numerous recommendations for safety features and privacy functionality, some of which have existed in video game/VR circles for some time now, though not always with success.

For example, Meta ran into several problems with regard to sexual harassment in virtual spaces. One of many issues involved the “bubble” around users in VR realms, which can prevent others from harassing them or getting too close. Bafflingly, this wasn’t enabled in Meta as a default setting until the damage was already done.

Child safety is another concern, given that headset use isolates the user and makes it harder for parents to see at a glance what their child may be doing.

Gaming platforms and consoles often come with a wide range of granular privacy and security controls. In VR, these controls aren’t always obvious and users may not know how to reach them. Examples include hiding names, blurring faces, preventing the sending of data to unwanted third parties, and so on. These options should always be clear and evident to whoever happens to be using the device.

The full report is available to read here. Metaverse may not be the hot property it once was, but it’s still worth learning about the possible dangers and privacy risks inherent in the headset.



ABOUT THE AUTHOR

Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.