Over thirty years ago, science fiction author Neal Stephenson coined the term Metaverse. Nowadays, this idea, an extension of science fiction, is set to revolutionize the way businesses, organizations, and the Internet operate. The Metaverse is described as “a virtual shared space that incorporates virtual reality, augmented reality, and the internet” (Stephenson, 1992). While the idea of a metaverse has gained much traction, cyber threats, fraud, and identity theft have gradually disrupted the existing digital reality. So in the Web 2.0 era, the Metaverse needs to be governed by governments, technology companies, and users by better managing online identity, setting trust and safety policies for virtual worlds, and establishing a shared code of conduct.
Potential Security Risks to Metaverse
Technological innovations pose a considerable challenge to privacy and cybersecurity, and the Metaverse may pose many fraud risks, especially in terms of user data protection and Identity theft and fraud. According to the Aite Group, an Internet consultancy, losses from identity theft are expected to reach $721.3 billion by 2021 (Aite Group, 2021). The Metaverse is designed to work by using the digital body that each user creates for themselves, so it is likely to collect a large amount of personal identifying information, including brainwave, biometric data, health information, preferences, and other sensitive data. Unlike traditional social media platforms, users cannot guarantee that the data they share will only be shared with the people they choose to share it within the Metaverse. Users cannot turn off people who “can follow us” in the virtual world as they can in traditional social media (Pesce, 2021). As the Metaverse evolves, identity theft is also gradually penetrating the physical and digital world today. Passwords can be compromised, passports can be forged, and biometrics can be hacked. When a user’s identity is stolen, their digital assets, avatars, social connections, and digital lives can be compromised in more devastating ways than what we see in traditional identity theft. Therefore, if a hacker steals this information, they can deepfake another person in the Metaverse to commit fraud based on the tracking data. For example, on March 2, the Ukrainian government’s Center for Strategic Communications warned that a fake video had appeared on Facebook. The video shows Volodymyr Zelensky with deepfake asking the Ukrainian military to lay down their weapons and announcing their surrender to the Russian invasion.
“Deepfake video of Zelenskyy could be ‘tip of the iceberg’ in info war, experts warn” by the Ukrainian Presidential Press Office
Other than that, today’s form of the Metaverse is still driven by capital and power, and for the moment, virtual identities reflect social capital. The idea of “digital identity” has attracted the attention of many technology giants, including Epic Games, Microsoft, and Apple Inc, most notably Facebook, which has changed its name to Meta. Facebook’s business model is to provide users with personalized advertising, which involves behavioral targeting and extensive monitoring and collection of personal information. However, the advent of the virtual reality world could give Facebook another online monopoly and allow them to steal even more personal information and surveillance from users.
In February 2022, Facebook was sued for allegedly illegally harvesting facial recognition data, accusing Meta’s social media platform of collecting millions of biometric identifiers from photos and videos on its platform without users’ knowledge and consent and using them for commercial and marketing purposes.
“Texas Sues Facebook’s Parent Meta Over Facial Recognition Data – The New York Times” by Justin Sullivan
Furthermore, Facebook has also been accused by its product manager Frances Haugen, who claims that it has repeatedly put its interests first rather than public goods and safety. It continues to collect information from users through virtual identities that collect personal data, making profits at the expense of their safety and well-being, and even fueling false conspiracies about election fraud.
“Whistle-Blower Says Facebook ‘Chooses Profits Over Safety’ – The New York Times” by CBS News/60MINUTES
How the Metaverse should be governed?
To address the identity-related security flaws of the Metaverse, technology companies, governments, and individuals need to work together with technologies guaranteeing meta-security. First, technology companies must improve authentication in the Metaverse and better manage online identity. The metaverse will encounter unique challenges in identifying and identity verification, meaning, identity-proofing technology must evolve. For example, Liquid Avatar Technologies, a blockchain-based platform that hyperlinks the real and digital worlds, can help users process and manage their digital identities and information. “We imagine that people have a right to personal and handle their id and private information, and they need to manage and handle it offline and online,” David Lucatchs said. And at the same time, the social network operators in the Metaverse or the companies should not wholly control biometric identification information and user data. For example, the chosen authentication system could be used with blockchain technology to help people control their data and how it is used. Blockchain would put personal data under the user’s control, as it cannot be changed once it is in the public ledger. The service will only check if the data user is genuinely based on the block chain and transmit the information via a QR code. This so-called self-sovereign identity tries to solve the problem of providing personal information to service providers without the risk of data misuse.
Furthermore, governments must set trust and safety policies for the virtual world, and tech companies must establish a shared code of conduct. From the government’s point of view, the government must formulate relevant legal policies on behalf of users’ rights to address the current security and privacy issues facing the Metaverse and strengthen the regulation of the Metaverse. For example, the EU’s amended to the artificial intelligence, law explicitly includes the metaverse environment in the law’s scope of application. It proposes three standards that the metaverse environment must contain. The first is the individual user. There must be a connection between a specific natural person and a virtual identity or avatar. The second is a high degree of interactive consistency, meaning that socio-economic interactions are highly consistent with the behavior in the virtual framework, the virtual world, the metaverse, and the real world. Finally, there are real-world effects, and the behavior of the Metaverse and virtual world must allow for the corresponding effects to occur in the real world. Moreover, Metaverse cannot be limited to one or a few data privacy regimes because it has a global reach and can provide the functionality to users regardless of their location. For example, suppose a company offers goods or services in the EU or monitors the behavior of EU citizens. In that case, it needs to comply with its terms even if no EU entity is located anywhere in the world. EU General Data Protection Regulation – Office of the Victorian Information Commissioner (Article 3 Sec. 2 GDPR). Second, a standard code of conduct needs to be developed from the perspective of technology enterprises to manage data transmission and information security standards. This code should serve the entire social population and the development of the entire meta-universe era. There should be a consensus among enterprises to form a unified industry standard, even to the extent of national standards, to serve the overall development of the entire country and society.
In conclusion, although the emergence of the Metaverse is a technological revolution, it may also be a new threat to data privacy and security. Thinking about the Metaverse can not only stop at the technical surface and individual experience, but ensuring a secure environment will be an essential requirement for all virtual worlds. To better regulate the Metaverse under web 2.0era, government and tech companies have to manage online identity better, setting trust and safety policies in the virtual world and establishing a shared code of conduct.
Reference List
Allyn, B. (2022, March 17). Deepfake video of Zelenskyy could be “tip of the
iceberg” in info war, experts warn. NPR.org. Retrieved October 9, 2022, from https://www.npr.org/2022/03/16/1087062648/deepfake-video-zelenskyy-experts-war-manipulation-ukraine-russia
Office of Victorian Information Commissioner. (2022, October 6). EU General Data
Protection Regulation. Office of the Victorian Information Commissioner. Retrieved October 9, 2022, from https://ovic.vic.gov.au/privacy/resources-for-organisations/eu-general-data-protection-regulation/
Introduction: A riot in Rhodes. (2021). In Pesce, Augmented reality : unboxing tech’s next big thing (pp. 1–15). Polity Press.
Pesce. (2021). Augmented reality : unboxing tech’s next big thing . Polity Press.
Kang, C. (2021, October 27). Whistle-Blower Says Facebook ‘Chooses Profits Over
Safety.’ The New York Times. Retrieved October 9, 2022, from https://www.nytimes.com/2021/10/03/technology/whistle-blower-facebook-frances-haugen.html
Kang, C. (2022, February 14). Texas Sues Facebook’s Parent Meta Over Facial
Recognition Data. The New York Times. Retrieved October 9, 2022, from https://www.nytimes.com/2022/02/14/technology/texas-facebook-facial-recognition-lawsuit.html