The metaverse is quickly becoming the next must-have concept enterprises are looking at to improve engagement and UX for employees, customers and partners. And, while the metaverse isn't here just yet, that doesn't mean companies can't consider the security challenges it will bring.
Key concepts and justifications for the metaverse are known; the various cybersecurity risks and privacy issues this new virtual universe might contain, however, have gotten less attention.
This article explores some of the privacy and security issues companies can expect to deal with when adopting the metaverse and what to do now to prepare for them.
First things first: What is the metaverse?
The metaverse can be defined as a virtual environment in which people connect, interact and shop. This convergence of the physical and digital world is denoted by the Greek word meta, meaning beyond or after, and verse, short for universe.
There are two main forms of the metaverse:
- Virtual reality (VR) provides an artificial reality via a VR headset, which takes over the user's field of vision to provide an immersive experience. Other forms of immersive experiences include audio and positional tracking of the body to enable a person's hands or other body parts to interact with the virtual environment.
- Augmented reality (AR) is less immersive than VR. It adds virtual overlays on top of the real world via a lens of some type. Users still have a normal view of their surroundings. AR examples include a smartphone using the Waze app or a wearable, such as Microsoft's HoloLens. The host can see a user's location and can guess their intentions.
It is important to note that, in VR experiences generally, there currently should be no expectation of privacy rights; in AR environments, where there is a foothold in the physical world, privacy rights are on firmer ground.
Implementing cybersecurity in the metaverse: 3 components
There are three components to cybersecurity in the metaverse: the cybersecurity of the hosting platform, the cybersecurity of the property (renters on the platform) and the cybersecurity of the users of the property (consumers interacting inside the property).
Let's lay out the main risks associated with each component and how to address them.
1. Platform owners
Lack of regulations. The largest technology giants are investing in building out the metaverse's platforms. However, because of a lack of regulation, the security and privacy practices are inconsistent. This leads to fractured and inconsistent UX and expectations.
How to address the risk: Platform owners should seize the opportunity to collaborate on a set of mandates and agree to adhere to a strict code of conduct. This shows leadership and awareness of the cybersecurity challenges in the metaverse. Ultimately, it also helps drive platform adoption.
The oversight of metaverse platforms requires proactive and reactive intervention. Create a comprehensive administrative oversight team supported by a security strategy enabled by artificial intelligence (AI). Use AI insights to proactively identify any abuse, misconduct or misrepresentation, and promptly take action. There should also be mechanisms for property owners and their customers to raise security and privacy issues.
2. Property owners/renters
Lack of knowledge about metaverse cybersecurity best practices. Users of virtual real estate include customers, partners and guests, all or some of whom are newbies to the metaverse. In many cases, property owners/renters are also newcomers, creating an atmosphere where cybersecurity and privacy best practices are either missing or misinterpreted, misrepresented or just ignored.
How to address the risk: Property owners should take the time to understand the security and privacy of the platform they are hosted on, examine the services they are building and/or using on the platform, and take steps to ensure the security and privacy of those services. The next crucial step is translating the policy to users of their property in an understandable form.
User data in the metaverse includes sensor, location, physiological and social data. It is important that property owners understand what user data is being collected by the platform provider and then layer on top of that the user data they are collecting as well. They must then provide -- in user-understandable form -- what this data is, why it is being collected and what data rights their customers have.
Lack of consumer protections. Headsets use sensors and trackers to provide an immersive experience, and consumers may not realize or pay attention to how their personal data is being collected or how much of it is collected. Consumers are at risk because, unlike in the real world, which has consumer-empowering data privacy acts, like GDPR and CCPA, there is no such equivalent in the metaverse.
The lack of credential verification processes, especially for avatar manifestation, puts consumers at risk. Deepfakes are becoming more prevalent in videos, as are impersonations in conference calls. The metaverse presents an even bigger challenge.
Also, communication rights differ depending on the metaverse platform. In AR worlds, communication rights cover physical-to-virtual interactions, as well as virtual-to-virtual interactions. In a VR universe, all interactions are virtual.
How to address the risk: Consumers need to make the effort to understand the security and privacy safeguards being employed by the platform provider and by the property owner. It is incumbent upon the consumer to ask questions of the platform provider and the property owner. What data is being collected? How long is it going to be stored? What data rights exist to purge this data?
Consumers also need to be vigilant and careful in sharing any information. They must proactively reach out to the property owners for verification in case of any doubt.
Importance of cybersecurity in the metaverse
The foundation of the metaverse needs to be underpinned by security for the following reasons:
- Reputation. The success of the metaverse depends upon platform owners engendering trust in the platform and its users -- the owners/renters. One of the key pillars of trust building is cybersecurity. Customers are more aware of cybersecurity due to the data breaches and cyber attacks they've seen in the real world. It is critical for the reputations of the platform owners to demonstrate they can protect the sensitive information of customers.
- Spillover impact. While the metaverse is still in its relative infancy, the fact that large tech companies are building platforms and property owners are filling them up demonstrates the demand and the likelihood of long-term success for this area of virtual existence.
Meanwhile, every company in the metaverse will also continue to have a presence in the physical world for a long time -- maybe forever. This means organizations have a dual existence -- inside the metaverse and outside of it. Any security breach, identity theft or denial of service in the metaverse world can have a spillover effect on the real world, tarnishing reputations and diminishing business. Conversely, a positive metaverse experience could enhance the real-world business of the organization.
- Business growth. As the regulatory environment for the metaverse is nonexistent, platform owners who take it upon themselves to lead with a secure environment and put a secure customer-first experience as their motto can use that as powerful marketing to drive business growth early on. Owners can also help shape the regulations so there is no need to catch up later, giving them a first-mover advantage.
Common metaverse cybersecurity challenges
Here is a checklist of some of the common security challenges that exist in the metaverse:
- Moderation challenges. No help or support access exists in most of the metaverses. Nonfungible token theft, for example, can leave a user without support.
- Identity. Metaverse users' identities can be spoofed, their accounts can get hacked and their avatars can be taken over. A common challenge is that the identity of the person metaverse users are dealing with is always questionable.
- Client vulnerabilities. VR and AR headsets are heavy-duty machines with a lot of software and memory. They are also ripe targets for malicious and inadvertent hacks. Additionally, location spoofing and device manipulation enable perpetrators to take over users' identities and cause havoc after entering the metaverse.
- User-to-user communications. The metaverse experience is all about facilitating user-to-user communications. These relationships are typically built through commerce and depend on trust. One bad actor can cause tremendous damage. The need for moderation at scale is critical and must be addressed.
- Data accuracy. Location, merchandise quality, reviews, user information and third-party trusted data are anchored upon accuracy, but ensuring accuracy in the metaverse can be difficult.
- Privacy. As noted, no metaverse regulations exist, and the need for data collection for a truly personalized immersive experience requires privacy invasion. Users typically have no knowledge of the level of data they are providing, however. And, unlike GDPR and other regulations, which have regional sovereignty requirements, virtual experiences have no borders, and therefore, ensuring privacy is at the mercy of the platform owner and the property owners.
Unique VR and AR security challenges
VR and AR environments raise many security and privacy questions. Challenges include the following.
VR security challenges
- Reliance. The lack of standards and shared services in the fledgling metaverse means that users of a product or platform are reliant on the owner of the platform for the safety of the experience. For instance, early adopter enterprises that chose to use Second Life -- one of the earliest metaverse platforms -- had to rely on that platform completely for security, identity protection, privacy and even financial transactions.
- Responsibility. The property a user buys or rents in a VR environment creates many security and privacy challenges that need resolution. Who is allowed into or blocked from the property? Does the property owner have the right to decide who can and cannot enter? What happens inside these properties? Could financial or illegal transactions occur inside?
- Authentication. Knowing entities are who they say they are is challenging. How do you prove the people you are engaging with are who they claim to be? Take telemedicine, for example. How do patients know the person they interact with is a medical professional? How can a property owner qualify the credentials of doctors before allowing them to practice?
- Accountability. If fraud, harassment or other forms of abuse occur, is the owner of the VR environment accountable?
- Privacy. No regulations exist for VR environments -- yet. Given the invasive data collection and analysis performed by VR platform owners, and the fact that a lot of data is constantly being shared by users without their knowledge, regulations will come, but only down the line. For now, however, the protection or sharing of this data is completely at the discretion of the platform owner.
- Ad feeds. The metaverse owner has complete control of these. Much like the real world, where an ad banner could be put up in front of your physical store, virtual ads can show up in front of your virtual storefront. These ads may or may not be appreciated by your customers, but you have no control over them.
- Privileged accounts and hacking. The takeover of customer support or admin accounts could result in major compromise of a VR environment, which, if undetected, could harm many users.
- Access point compromise. Because the entry into the VR metaverse is typically through a headset, the compromise of the headset endpoint could result in complete takeover of that user's avatar.
- Spying. Avatars can change appearance, meaning that meetings, personal chats and other interactions are subject to spying and intrusion without the affected parties' knowledge.
AR security challenges
- Data integrity. AR involves overlaying third-party data, so any compromise in the integrity of data could present a major challenge. If a location app that has been overlaid onto a headset uses flawed location data, for example, it could result in incorrect directions given to the user.
- Physical security. Users typically move around in the real world with an AR overlay, making physical security a concern. If users get too immersed in the virtual spaces, they could bring harm to themselves or those around them.