1 / 13

Privacy-in-the-Metaverse

Learn about the privacy in Metaverse.

tsaaro
Download Presentation

Privacy-in-the-Metaverse

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Privacy in the Metaverse © 2022 Tsaaro. All rights reserved.

  2. Overview Humanity has been attempting to escape reality ever since the internet was invented. technological advancement brings a new method for disengaging from physical ties and briefly entering the virtual space. between the real world and the digital one seems to get fuzzier every day as the metaverse nears its existence. And, Metaverse is being touted around the globe as the internet of the tomorrow. Metaverse embodies the ability to offer interactive experiences. This paper helps us understand what the metaverse is capable of and why is there a the need for tougher privacy and data protection regulations. Right now, the privacy jurisprudence is bereft with gaps and the law is unable to keep up with technological changes. These laws need to be revamped to fill in all the gaps that would be enlarged once actualizes. & immersive Every new The distinction moreover, the the metaverse Target Audience This whitepaper aims to be useful for the senior and management, program managers and compliance understand what is the metaverse, how it can have negative impacts on privacy, how should better prepare themselves and what could be the ways through which these privacy risks can be mitigated. It also aims at helping a wide array of secondary audiences like learners and scholars understand how privacy is closely connected to the metaverse and why is it an object for concern. This whitepaper contains a detailed view of these aspects for all audiences. mid-senior IT who want to leaders to businesses

  3. Introduction Neal Stephenson initially used the word "Metaverse" in his science fiction book Snow Crash from 1992, in which readers could manage avatars in a virtual reality setting called the Metaverse. One could communicate connections with other electronic agents via avatars. Many people think that Metaverse will be the next significant iteration of the internet. Understanding the idea of the Metaverse is important as the world moves into the new digital era. According to development of conjunction with technologies will continue to open up a wide range of new possibilities and profoundly alter the digital economies, working environments, and our social experiences. experts, Metaverse AR the in VR and and establish Problem Statement With the Draft Digital Personal Data Protection Act 2022 in India in the pipeline and the dawn of Metaverse lurking on the horizon, it becomes crucial for all stakeholders to take into consideration the need for better privacy frameworks that keeps up with emerging technologies. The key issue that Metaverse brings is the implications on individual privacy. It is essential for the regulators to formulate a governance framework to keep the metaverse moderated. Structure This whitepaper would be covering the following aspects: Understanding the Metaverse Laws Governing Metaverse Implications on Privacy Security Concerns in the Metaverse Key Considerations for Organizations Conclusion

  4. UNDERSTANDING THE METAVERSE According to Facebook, “The metaverse will feel like a hybrid of today’s online social experiences, sometimes expanded into three dimensions or projected into the physical world. It will let you share immersive experiences with other people even when you can’t be together – and do things together you couldn’t do in the physical world.” The capacity of Metaverse is aided and improved through the use of AR and VR technologies. Virtual Reality is a 3-dimensional digital environment where people would communicate and interact using avatars. This will be enabled through features like interactivity (the virtual world is accessible remotely and simultaneously by users) and persistency (programs continues to run whether anyone is using it or not). Augmented reality is "a computer-generated mix of images, movies, or text" that combines the physical environment and the digital one through the presentation of multimedia content and storylines. It is a virtual mirror of the virtual environment that has been improved with information. Google Earth, which mimics a web-based earth, is an illustration of this technology. The Metaverse is no longer a concept and is gaining more traction with each passing day. But still there is no agreement and clarity over what this new digital capability entails or how it should develop in terms of governance. Given this seeming inevitability, it is imperative that laws surrounding privacy and data protection include provisions that deal with the need for security and privacy standards to aid protection of privacy rights in the age of metaverse.

  5. LAWS GOVERNING METAVERSE 1 GENERAL DATA PROTECTION REGULATION 2018 The GDPR creates a system of protection by design and by default which must be applied to all data processing and, by extension, to all technologies that handle personal data. The current EU law should serve as the foundation to solve the majority of the privacy protection issues that the metaverse will uncover while making adjustments as the technology involved and the metaverses themselves advance. GDPR needs to be modified in order to successfully govern the metaverse. For example, if a data breach results in the loss of cryptocurrency, there must be more accountability for metaverse owners and third-party service providers like crypto platforms, so users can transact securely. EU'S DIGITAL SERVICES ACT 2022 2 This law aims to increase user openness and safety in online settings while simultaneously enabling the expansion of innovative digital enterprises and was proposed by the European Commission. DSA's key component of introducing responsibility and security obligations for digital platforms raises questions about how to strike a balance between assuring content moderation, data exchange, and use. In order to verify that the collecting and processing of biometric data on the Metaverse complies with EU requirements, DSA would be used in conjunction with the GDPR. Due to the great opportunities for targeted advertising created by the aforementioned gathering of biometric data, DSA will play a critical role. 3 EU’S PROPOSED AI REGULATIONS 2021 The European Commission has released a proposal for an AI Regulation. Many human interactions in the Metaverse may be made possible by artificial intelligence. Some AI- related technologies would be outlawed, and both AI providers and consumers would have to abide by new regulations relating to high-risk AI systems as well as transparency requirements. Stakeholders can anticipate having to abide by these kinds of regulatory standards in the future if much of the human/system interaction within the Metaverse is automated and powered by AI.

  6. MITIGATING THE IMPACT IMPLICATIONS ON PRIVACY The legal issues surrounding cybersecurity and privacy in the comparable to those raised by the internet, which in turn reflects societal issues. Experts predict metaverse's distinctive infrastructure will lead to the emergence of completely new types of cybercrime. Everyone wants to be a part of the metaverse, which is no longer just an idea. Before consumers and platform owners can be confident that they won't be held accountable for breaches or housing cyber criminals, these are some of the questions that need to be addressed. metaverse are that the facilitating security The metaverse offers up a vast new scale of data tracking via cameras and sensors that continuously record user motions and can track body movements 90 times per second. After 20 minutes in a VR simulation, there are slightly about 2 million distinct body language recordings left. Data gathered from pupil dilation and eye tracking may point to more delicate categories of information including personality traits, cultural affinity, abilities, preferences, and dislikes. Platforms will market these consumer profiles to businesses and since there are currently no statutory limitations on that; the metaverse will be filled with privacy violations. Large Amounts of Personal Data Getting fair, informed consent from users over their data will be challenging. Businesses may manage extremely sensitive data improperly even with consent, particularly when they work to incorporate third parties, services, and developers into their metaverse platforms. Users will have to expressly consent to the gathering and usage of their data while interacting with the metaverse. However, some of the collection and processing would be required for the metaverse to function. Here, consent would not be strictly required and could open the door to the collection and processing of a significant amount of personal data without the user's actual knowledge or consent. Changing Idea of Consent

  7. IMPLICATIONS ON PRIVACY The technologies for accessing the Metaverse may be able to collect new types of biometric data that are not taken into account by the GDPR, such as information related to users' neuronal information which so far existing technologies have not been able to collect and has therefore been excluded from data protection regulations. It can be useful to deduce users' routines, pursuits, and decisions by observing relationships and social interactions in the metaverse. Collection of Biometric Data Online anonymity has frequently been blamed for wrong doings and incivility. It is often construed by general public that by eliminating online anonymity, inclusive and safe online public places can be created. This is because identity theft, phishing scams, and other crimes have been known to target virtual identities and avatars. Instead than concentrating on providing complete anonymity, programmers and consortiums building their Metaverses should instead focus on mitigating privacy hazards. Risk of Anonymity Issues like reasonableness and minimalism of processing will be difficult to handle given the enormous amount of personal data that will be available for processing via the metaverse. Additionally, cybercrime issues like unauthorized data mining and identity theft could and probably will appear in the metaverse. The issue then becomes whether national regulators and governments are prepared for and able to handle the problems mentioned above. Processing

  8. SECURITY CONCERNS IN THE METAVERSE Under every data protection law, privacy has always been closely associated with security. In GDPR, Article 32 lays down importance of security of processing personal data and introduces the concept of "technical and organizational measures" that must be taken by Data Controllers in order to ensure that during processing, data of the users is safeguarding during its entire lifecycle. Similarly, the newly introduced Indian Digital Personal Data Protection Bill 2022 lays down the importance of reasonable security safeguards that must be followed by the Data Controllers and Data Processors. Hence, it is pivotal to look at the challenges in the domain of cybersecurity that would arise due to the presence and growth of Metaverse. Vulnerabilities of AR/VR Devices A lot of processing of personal data and sensitive personal data would happen at the user endpoints, i.e., the VR/AR headsets used by the users to communicate in the Metaverse. Such headsets will act as a one-stop data collection point for sensitive data of the users like location, financial information, avatar details, biometrics, user identification data, login credentials, etc. Therefore, such AR.VR devices can be prone to higher vulnerabilities and be a threat to unauthorized access and loss of sensitive personal data of the users. VR malware and ransomware that enables hackers to record any communication done via the device and collect such data or disrupt the operation can be another vulnerability that would lead to a risk to loss of personal data. that lets hackers record your headset screen, collect data, corrupt work instructions or disrupt operation. AR devices have an option to track iris patterns of users which can also be stolen by a hacker. With the wider ambit of user data that is collected through such devices, vulnerabilities of the devices can make them a lucrative hacking target.

  9. Platform Vulnerabilities Metaverse platforms like gaming applications and NFT platforms have to be built with sufficient security deliberation during their design, testing and development phases to ensure that it is free from any malicious codes or any design flaws that could have a deteriorating impact on the rights of the users. during the design and development phrases Privacy by Design has to be embedded within the Software Development Lifecycle of the platform with security measures like multi-factor authentication or two-factor authentication that secures the platform and protects the digital assets from getting stolen or facing unauthorized and malicious access which can compromise user accounts. Security of User Interaction User interaction will be one of the cornerstones of metaverse, with users communicating virtually via their AR/VR headsets. This happens today with metaverse-like applications and gaming platforms. This type of interaction can open doors to new threats that can exploit the cyberspace and forge fake identities, or malicious activities that poses a threat to the users. Security standards have to be ensured within the platforms so that user interaction is secure and users are not faced with bullying, harassment, cyber- crimes, etc., This can be done by establishing moderation of speech that protects the safety of users. Lack of Global Regulation Laws and regulations would need to evolve to govern metaverse. To begin with, the current laws like the EU GDPR and national laws on privacy and security should append minimalistic provisions to guarantee that the metaverse ecosystem develops within a sphere governed by security and privacy mandates. With an evolving digitized world, cyber-crimes and nefarious activities will also increase exponentially and securing the metaverse ecosystem will become pivotal. Specific standards will also be needed to developed to govern the use of AI and emerging technologies.

  10. KEY CONSIDERATIONS FOR ORGANIZATIONS Data Security Companies must abide by strong security & privacy guidelines. Organizations must adopt privacy by design when creating new technology & evaluate procedures in place to safeguard users' privacy. Since Metaverse is being built upon NFTs, scams and fraudulent activity is more likely to emerge in the future surrounding NFTs and blockchain. Data breaches will be pervasive with the use of biometrics, & such data will be at risk without security infrastructure. Customer Trust Consumers are more eager to disclose more data, according to research, if they believe that a corporation would use it for their benefit. Hence, businesses should incorporate privacy and data security into their initial products and services. This entails being aware of the personal data they require, only gathering it when they have a legitimate business need, discarding it when that need is met, and protecting the personal data they already have. Ensuring Safety In quest of better opportunities, criminal activity has historically tended to gravitate toward newer technologies. Already, there are reports of scams in NFT transactions, fraud in Ethereum addresses, sexual harassment in the VR and several other types of abuse. While it’s always exciting to be in at the start of things, the disruptive potential of the metaverse is huge and cannot be overlooked. In this light, it is important for organizations to establish stringent policies & rules.

  11. KEY CONSIDERATIONS FOR ORGANIZATIONS Improving Consent Mechanisms This is a crucial step to make sure industry standards are clearly defined to everyone who indulge/experience in metaverse, and to ensure applicability and consistency in this new context because consent is the pillar of the privacy. This could be based on the amount of data collected, how it is shared with third parties, and how to ensure that adequate consent has been obtained. Incorporating Transparency Notify the users when they engage with AI. AI bots must be clearly identified in order for users to know with whom they are sharing their data. By being open about how data is utilized and even by paying users for providing their data, the metaverse might avoid the pitfalls made by Web 2.0 enterprises. Self-Regulation Organizations incorporating the metaverse should have strict data privacy and security policies regulating the use of personal information. Users should beware of the amount of personal information they are willing to share when signing compliance policies. Practices like adopting VPNs, antivirus software, phishing protection become significant. Self- regulation becomes pivotal without global laws governing metaverse.

  12. CONCLUSION Data privacy and security have always been a concern for users and organisations worldwide. Amidst the emergence of the metaverse, which is proving to be a revolution in technology, several hazards to data privacy are on the prey. Metaverse opens up Pandora box of privacy and security violations because of the enormous possibility of collecting various types of data such as social interactions, eye moments, physical movements that might be able to get a better picture of a user. The current laws does not recognise digital avtars and this leads to challenges like attribution of identity and jurisdiction to litigate. Also the anonymity of users provide challenges for governance as well. Although GDPR has set a foundation stone around privacy regarding metaverse however certain definitions need to be updated in pace with their technological innovations and also you has proposed AI regulation which will pose challenges to many bots and services which are powered by AI. A global consistent enforceable privacy standard is the need of the hour. Not just policy but the government needs to invest in the capability of investigation and enforcement of these standards in a timely manner. REFERENCES https://www.commonsensemedia.org/sites/default/files/featured- content/files/metaverse-white-paper-1.pdf https://www.sciencespo.fr/public/sites/sciencespo.fr.public/files/Metaverse-Group- report-final-draft-June-12-1.pdf 'Metaverse: Security and Privacy (https://arxiv.org/pdf/2205.07590.pdf) https://www.mondaq.com/unitedstates/privacy-protection/1150088/heavy-meta- privacy-and-cybersecurity-in-the-metaverse https://www.martechalliance.com/stories/what-privacy-issues-will-haunt-the- metaverse https://iapp.org/news/a/metaverse-and-privacy-2/ https://gdpr-info.eu/ Issues', Roberto Di Pietro

  13. WHY TSAARO? Tsaaro provides Privacy & Cybersecurity services to help organizations meet regulatory requirements while maintaining a robust security infrastructure. Our industry-standard privacy services include DPO-as-a-service, DPIA, Privacy Program Development, Privacy Risk Management, Cookie Compliance Program, Consent Management, to name a few, delivered by our expert privacy professionals recognized by IAPP. CONTACT US Akarsh Singh (CEO & Founder, Tsaaro) Akarsh is a CIPP/E, CIPM, CIPT, Fellow in Information Privacy by IAPP, and an IAPP Advisory Board Member. His expertise lies in Data Privacy and Information Security Compliance. Tsaaro Bangalore Office Manyata Embassy Business Park, Ground Floor, E1 Block, Beech Building, Outer RingRoad, Bangalore- 560045 India P: +91-0522–3581 Poojan Bulani Data Privacy Consultant, Tsaaro Tsaaro Gurugram Office Level 1, Building 10A, Cyber Hub, DLF Cyber City, Gurugram, Haryana 122002 Krithi Shetty Data Privacy Consultant, Tsaaro India +91522–3581306 Tsaaro Amsterdam Office Regus Schiphol Rijk Beech Avenue 54-62, Het Poortgebouw, Amsterdam, 1119 PW, Netherlands P: +31-686053719 Email us info@tsaaro.com

More Related