In an article titled “Exploring the Unprecedented Privacy Risks of the Metaverse”, experts from the Technical University of Munich (TUM) in Germany and UC Berkeley (UCB) in the United States tested an escape room virtual reality (VR) game “to better understand the amount of data a potential attacker could have access to.” Through a 30-person study on the use of virtual reality, the researchers – Vivek Nair (UCB), Gonzalo Munilla Garrido (TUM) and Dawn Song (UCB) – created a framework for assessing and analyzing potential threats to privacy. They identified more than 25 examples of private data attributes accessible to potential attackers, some of which would be difficult or impossible to obtain from traditional mobile or web applications. The goal of their paper, they said, is to shed light on the widespread privacy risks of augmented/virtual reality and to encourage other researchers to seek solutions. According to these experts, more thought, or at least a little more, needs to be devoted to privacy in the promised metaverse of connected 3D virtual reality worlds.

The wealth of information available through augmented reality (AR) and virtual reality (VR) hardware and software has been known for years. For example, a 2012 article in New Scientist described Ingress, an augmented reality game from Niantic Labs, a Google spin-off, as “a data gold mine.” Likewise, trust and security issues associated with online social interaction have plagued online services since the days of telephone modems and bulletin boards, even before the advent of web browsers. And now that Apple, Google, Microsoft, Meta and other players see the possibility of remaking Second Life under their control, consulting firms are once again reminding their clients that privacy will be an issue.

Advanced technologies, particularly in VR headsets and smart glasses, will track behavioral and biometric information on an unprecedented scale. Currently, digital technologies can acquire data related to facial expressions, hand movements and gestures. Therefore, personal and sensitive information leaking through the metaverse in the future will include real-world information about user habits and physiological characteristics, explains The Everest Group in its recent report: “Taming Hydra: Trust and Confidence in the Metaverse.”

The problem of security also arises

Not only is privacy an unsolved issue in the metaverse, but hardware security also leaves something to be desired. A recent study on augmented and virtual reality hardware, titled “Security and Privacy Evaluation of Popular Augmented and Virtual Reality Technologies,” found that vendors’ websites had many potential security vulnerabilities, that the hardware and software lacked multi-factor authentication, and that privacy policies were obscure.

The study lists specific data points accessible to attackers of all types (hardware, clients, servers, and adversary users). It should be noted that the term “attacker”, as defined by the researchers, includes not only the external threat, but also the participants and the companies that manage them.

Potential data points identified by the researchers include: geospatial telemetry (height, arm length, interpupillary distance, and room size); device specifications (refresh rate, tracking speed, resolution, device field of view, GPU and CPU); network (bandwidth, proximity); behavioral observations (languages, maneuverability, voice, reaction time, near vision, distance vision, color vision, cognitive acuity and physical condition). From these measurements, various inferences can be drawn about a virtual reality participant’s gender, wealth, ethnicity, age, and disabilities.

The alarming accuracy and concealment of these attacks and the push of data-hungry companies towards metaverse technologies indicate that data collection and inference practices in VR environments will soon become more pervasive in our daily lives.

“We want to start by saying that these ‘attacks’ are theoretical and that we have no evidence that anyone is currently using them, although it would be quite difficult to know if that is the case. Also, we use ‘attacks’ as an artistic term, but in reality, if this data collection were to be implemented, consensus would likely be buried in an agreement somewhere and in theory it would be quite blameless,” wrote Nair and Munilla Garrido in an e-mail.

However, the two researchers say there is reason to believe that companies investing in the metaverse do so at least in part in hopes that aftermarket advertising will compensate for losses, such as the $12.5 billion spent by Meta’s Reality Labs group last year for revenues of only $2.3 billion.

Now, assuming a company of this size knows how to calculate a physical invoice, this approach to reducing losses must be a strategic decision that they believe will ultimately pay for itself. “And if we look at who these companies are and what methods of earning they have already perfected, we suspect that it will be at least somewhat tempting to use those same methods to recover material losses due to speculation,” said Nair and Munilla Garrido.

“All of our research shows that if a company wanted to collect data, it could get a lot more insight into users in VR than from mobile apps, for example,” they added.

Asked whether the existing privacy rules adequately address data collection in the metaverse, both experts said yes, unless those rules only referred to mobile apps. “But we have a unique challenge with metaverse applications, as there is a plausible reason to pass this data to central servers. Basically, metaverse apps work by tracking every movement of your body and passing all that data to a server so that a representation of yourself can be rendered to other users around the world. So, for example, while a company could hardly claim that tracking your movements is necessary for its mobile app, it is actually an integral part of the metaverse experience! And then it’s much easier to argue that logs on this need to be filed for troubleshooting and so on. So in theory, even if the same privacy laws apply, they could be interpreted in radically different ways because the platform’s core data needs are so different,” they explained.

Nair and Munilla Garrido acknowledge that some of the approximately 25 collectible attributes they identified in their research can be obtained via cell phones or other online interactions. But metaverse apps are a one-stop shop for data.

“We are in a situation where all these categories of information can be collected at the same time, in a matter of minutes. And since you have to combine multiple attributes to make inferences (for example, height and voice to infer gender), having all these data collection methods in the same place and at the same time is what makes virtual reality a unique risk in terms of being able to infer attributes from user data with high accuracy,” they explained. The sheer volume of information available in the metaverse is enough to deanonymize any VR user, they claim. They claim this isn’t the case with apps or websites.

The goal of their paper, they said, is to shed light on the far-reaching privacy risks of AR/VR and encourage other researchers to seek solutions. They already have one in mind: a plugin for the Unity game engine called MetaGuard. The name clearly indicates the source of the privacy threat. Think of it as an “incognito mode for VR”. It works by adding noise, using a statistical technique known as differential privacy, to certain VR tracking metrics so that they are no longer accurate enough to identify users, but without having any significant impact on the user experience. Like the incognito mode in browsers, it’s something users can turn on and off and adapt to their liking depending on the environment and their level of confidence, write Nair and Munilla Garrido.
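As an added illustration of the noise-adding idea described above (this is not MetaGuard's code and does not come from the paper): a Laplace mechanism applied to bounded body measurements, with the noise drawn once per session so it cannot be averaged away across frames. The attribute ranges, the epsilon values and names such as `SessionGuard` are assumptions made for this example.

```python
import random

# Assumed plausible ranges in metres (illustrative, not taken from the paper).
BOUNDS = {"height": (1.50, 2.00), "ipd": (0.055, 0.075), "arm_span": (1.50, 2.10)}

def laplace(scale, rng):
    """Laplace(0, scale) noise as the difference of two exponential draws."""
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)

def privatize(value, lo, hi, epsilon, rng):
    """Release one bounded attribute with epsilon-differential privacy."""
    clamp = lambda x: min(max(x, lo), hi)
    sensitivity = hi - lo                  # two users differ by at most this much
    noisy = clamp(value) + laplace(sensitivity / epsilon, rng)
    return clamp(noisy)                    # post-processing keeps the guarantee

class SessionGuard:
    """Draws noise once per attribute per session (hypothetical helper).

    Re-sampling on every frame would spend fresh privacy budget each time and
    let an observer average the noise away, so the released value is cached.
    """
    def __init__(self, epsilon, rng=None):
        self.epsilon = epsilon
        self.rng = rng or random.SystemRandom()
        self._released = {}

    def report(self, name, true_value):
        if name not in self._released:
            lo, hi = BOUNDS[name]
            self._released[name] = privatize(true_value, lo, hi, self.epsilon, self.rng)
        return self._released[name]

def mean_abs_error(name, true_value, epsilon, sessions=2000, seed=7):
    """Average distortion over many simulated sessions (seeded for repeatability)."""
    rng = random.Random(seed)
    errors = [abs(SessionGuard(epsilon, rng).report(name, true_value) - true_value)
              for _ in range(sessions)]
    return sum(errors) / sessions

if __name__ == "__main__":
    guard = SessionGuard(epsilon=3.0)
    seen = {guard.report("height", 1.83) for _ in range(1000)}  # constructed user
    print("distinct values the server sees over 1000 frames:", len(seen))
    for eps in (0.5, 5.0):  # smaller epsilon = more noise, stronger privacy
        print(f"epsilon={eps}: mean error {mean_abs_error('height', 1.83, eps):.3f} m")
```

Epsilon is the knob a user would adjust: lowering it hides the true measurement better at the cost of a larger distortion in the reported value.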

