Personal data security and privacy in Metaverse

by Daria Grigorash.

Gigabytes of our personal information are flowing out every day. Every
visited website, sent message, booked ticket or delivered food order leaves traces of
personal information in Metaverse. In case of data breaches and leaks users may face
the consequences of privacy violations, financial fraud and reputation damage.

Though, Metaverse has provide arrangements to protect personal data such as data
encryption, role-based access control, secure storage and etc., still there is risk of
personal privacy erosion.

Edward Snowden (who is fame for Wikileaks case) in 2016-th said: "Privacy isn't
about something to hide. Privacy is about something to protect. That's who you are.
That's what you believe in, that's who you want to become. Privacy is the right to
the self. Privacy is what gives you the ability to share with the world who you are,
on your own terms, for them to understand what you're trying to be."

Users shouldn`t be afraid of security lack in Metaverse and refuse to exploit the
potential of digital age achievements. "Although Metaverse provides a great
opportunity for immersive experiences, it also raises concern about personal data
protection." (Lin, Y. and Wang, Y., 2021)

For now, Metaverse has several security problems which lead to data breaches and
hacking. Recent leak of Yandex company client’s personal data-base with phone
numbers, addresses and even lists of ordered food is just one of the many evidences
of the protection issues of IT-empires.1

It`s not only about weakness of the protection measurements, but also about
backward legislation which allows to neglect personal data protection law and
clients` interests. Other example of IT-companies which overused user’s personal
data is Facebook and Google.2 It is known that those companies are not just
collecting data but tracking user`s activity and selling it to advertisement companies.
Knowledge of exact sources of personal data in Metaverse may help user to protect
themselves. First source of data collecting is procedure of registration on websites.
User email is being collected to data-base. After that, user may receive a lot of outer
ad. Second source is tracking technology such as browser cookies. It «remembers»
which websites user visit and which topic interest user the most. Other sources are
virtual assistants and chatbots with access to confidential information such as name,
geolocation, interests, search query and etc.

For personal data protection in Metaverse there are some existing measures. One of
it is General Data Protection Regulation (GDPR) which has several requirements in
order to validated user`s consent.3 According to those requirements, consent must
be freely given, granulated, consent withdrawable, informed, minimum consent
information, unambiguous, demonstrated consent.

Other way to protect personal data is to use of encrypted communications. This

measure allows you to communicate without intervention from unauthorized party
because of its data render methods and encoding process. Two-factor secure
authentication is a reliable and user-friendly method of data protection on social-
networks and messengers.

In recent years, Bitcoin system, which proves to be secure currency transfer system
with decentralized regulator, demonstrated blockchain technologies as a key
solvation of personal data protection problem. Blockchain is based on asymmetric
cryptography and use public and private key system in order to prevent users from
guessing each other private key.4

"Blockchain technologies offer promising solutions for secure and decentralized

personal data protection in Metaverse." (Hou, Y., et al., 2021)

Although, personal data collecting and breaching is an ethical and law-based issue,
there are some cases in which data leaks are the only possibility to explore hidden
and public-interest information. OSINT (open source intelligence) investigators use
data leaks and hacked data-bases to inquire into political assassinations, financial
fraud, corruption and war crimes. Leaked data in combination with an open source
data helps to investigate a lot of cases in authoritarian government where is no
independent Investigative Committee. It is an ethical paradox that still waits to be
solved.

One of the greatest OSINT examples is Bellingcat team. Bellingcat investigates

political and war crimes using all data they can receive in order to ascertain and
collect evidences for a court. Their work on MH-17 catastrophe laid into ICC`s
investigation materials.5 Also, investigation of Alexey Navalny`s poisoning revealed
more political poisoning and indirectly confirm its versions. Phenomenon of OSINT
investigation is a consequence of social-media oversharing, neglecting privacy
protection rules and data leaks from governmental companies.

Personal data protection in Metaverse is an important issue and the next step of full
digitalizing of the world. New security technologies and solid legal basis are core
elements at this stage.

Sources and quotes:

1. https://yandex.ru/company/services_news/2022/01-03-2022
2. https://medium.datadriveninvestor.com/google-facebook-and-twitter-are-
collecting-your-data-they-dont-want-you-to-know-about-
4693d6185e13#:~:text=The%20data%20they%20collect%20is,not%20trans
parent%20about%20this%20fact.
3. https://blog.lukaszolejnik.com/how-to-gdpr-consent-data-processing/
4. Guy Zyskind, Oz Nathan, Alex ’Sandy’ Pentland. Decentralizing Privacy:
Using Blockchain to Protect Personal Data. IEEE CS Security and Privacy
Workshops, 2015.
5. https://www.bellingcat.com/app/uploads/2015/10/MH17-The-Open-Source-
Evidence-EN.pdf