The metaverse is an opportunity to add an interactive layer to the internet – but will we learn from past mistakes?
It’s a familiar refrain in the user-centric digital identity community: “the internet wasn’t built with an identity layer.” That’s the reason given for why we haven’t been able to solve digital identity for the entire internet. We experience the result of this problem: receiving haveibeenpwned.com emails, locking down our credit reports, using multi-factor authentication, unlocking our phones with our fingers or face, while simultaneously sharing sensitive login details with loved ones or co-workers in order to get things done. Companies feel the pain too, having to head off insider threats, detect business email compromise attacks and increase security budgets to meet attacker demand.
Users want privacy over their digital data too, but companies are only coerced by regulation to give up even the smallest piece of control over our own data. And why? Because so many business models fail without the in-depth data collection of our every click, read or mouse pause, to create detailed customer profiles used for targeted advertising and more.
We’ve learned to mitigate these downsides as we try to solve them; however, the world is filling up with new technologies that unlock new worlds – and new collections of very personal and biometric data that can be misused to manipulate you as well as present a tempting target for attackers.
Enter the Metaverse
The metaverse is an alternate digital reality, where we can create avatar versions of ourselves to explore and work and play in these alternate worlds. The metaverse is the term used to describe the rich virtual layer of different worlds across platforms (and timeframes) that may or may not connect and interoperate.
Virtual worlds have been around for at least 3 decades. Back in the ’90s, I user-tested some of the first 3D worlds on the internet. We didn’t brand it as the metaverse then, but it was the extension of virtual worlds onto the newly emerging internet. Back then, technology costs were high for both the hardware to create the virtual worlds and the bandwidth to browse them. While we struggled with our business model, the internet explored ad-based revenue models as a way to validate the internet’s existence to the business world.
In the subsequent years, the dream of the metaverse has continued, technology has matured and operating costs declined, but mainstream consumer success is elusive. Meanwhile the advertising-based revenue model has been very successful.
The Facebook effect
There have been concerns with Facebook’s decisions about data use and digital identity from the earliest days. Facebook’s early attitude towards digital identity was “one identity based on your legal identity” and this caused a lot of concern from the user-centric digital identity community because it didn’t accurately reflect the lived experience of the majority of us on the internet.
Facebook is the latest company looking to capitalize on the metaverse and it makes sense – it’s a new channel for the same kind of advertising that they already excel in. It makes sense that they leverage their existing technology to collect data and serve personalized content. But the metaverse isn’t just a new channel for advertising, it’s a new channel to collect biometric data.
Metaverse technology has the potential to collect even more personal data, from conscious physical actions to unconscious eye flickers. But if we haven’t solved privacy and data ownership for the regular web, can we assume the emerging metaverse is solving these problems? If companies must be coerced by regulation to give rights back to the user on what to do regarding their digital data, can we assume there will be oversight over the even more sensitive biometric data?
Biometric data security
Collected biometric data must be stored somewhere. No one has airtight security, and when you’re sitting on a vast database of biometric data, it’s an attractive target. How can you make your security better than the skills of individual hackers, organized criminals and nation-state-backed attack groups? Biometric hacks are already happening.
And if you think it’s difficult to clear up identity theft incidents now, wait until your biometrics are compromised. Changing a password is a lot easier than changing your fingerprint. Once your biometric data is out there, it’s near impossible to put it back into a secure box.
Weaponizing biometric data
Then there is how biometric data can be used or misused. There are concerns with the collecting entity (e.g. Facebook) using collected biometric data. And we must assume that if data is collected and stored indefinitely, it will get hacked eventually. We don’t know all the scary use cases where someone could use your biometric data for crime.
But just as there are new hacks and attacks today, we can be certain there will be new attack vectors. Security doesn’t just need to protect against today’s vulnerabilities but also to consider the trajectories of future ones.
Conclusion
The metaverse has the same kind of digital identity and data privacy problems as we have on the web today. It is an opportunity to rethink digital privacy and data ownership, but so far, it looks like it’s a missed opportunity.
About the author
Heather Vescent is a digital identity industry thought leader and futurist with more than a decade of experience delivering strategic intelligence consulting to governments, corporations and entrepreneurs. Vescent’s research has been covered in the New York Times, CNN, American Banker, CNBC, Fox and the Atlantic. She is co-author of The Secrets of Spies, The Cyber Attack Survival Manual and The Comprehensive Guide to Self Sovereign Identity.