You know the feeling you get when someone says things like “the cat’s meow”? That is how antiquated our approach to understanding data privacy is.
The daily newsletter you read, the publication you check religiously every morning—they have been driving the metaverse data-privacy conversation, albeit in a very outdated way. Their focus? How the metaverse can track your eye movement, GPS location (hello, smartphones), record your voice—not like over 100 million people have an Alexa, or anything. This type of data collection may be an invasion of privacy, but it is an extremely well-regulated invasion of privacy governed by state, federal, and national laws.
The real problem? Like Las Vegas, whatever you do in the metaverse stays in the metaverse and can come back to haunt you. It may be the future, but the metaverse returns us to the wild west of the internet, where internet companies in the US couldn’t be held liable. In the metaverse, the sentiment of data ownership is a paradox—no one owns your data, yet everyone does. Because the metaverse is decentralised, no one has the authority to prevent individual brands, coordinated nation states, unscrupulous individuals—virtually any unknown entities—from monitoring you; storing, selling, and monetizing data; or matching the data back to you through the Facebook login ID you used to enter the metaverse.
Only when you “cash out” of the metaverse, likely through some sort of transaction, do these data points become restricted by law from being matched together. Remember those quasi data brokers that we spent 25 years eliminating? They’ve just found employment again!
Overreach, consumer protection, and intellectual-property rights
Imagine you have a stalker. Now stop imagining, because in the metaverse you have not one, but millions. With 2.89 billion monthly active Facebook users, even if only half end up using the metaverse it is a daunting number. For every one of your actions within the metaverse—visiting a virtual property, viewing an NFT, conducting a virtual transaction, having a virtual conversation—you give good or bad actors implicit authority to track you.
Beyond free-for-all tracking, people are investing real money into the metaverse, yet there is no virtual police force, no regulations, no laws. In other words, there is no consumer protection and no guarantee of what you have purchased. You know that thousand-dollar NFT that you were considering buying? Imagine if, after you purchase it and provide all of your personal information to register the art under your metaverse avatar, the NFT company goes bankrupt overnight. What are you left with? An orphan file on your computer, a lighter wallet, and the realisation that you have just been scammed—with no possibility of legal recourse. Just ask the investors who were scammed out of approximately $1.13 million on January 11 after purchasing an NFT that was part of “The Big Daddy Ape Club,” which used the classic bait-and-switch scam and never even minted the tokens.
Solutions: The good, the bad, and the ugly
Everyone and their mother has disseminated the concerns associated with the metaverse with no mention of a solution. Why? The solutions are either unpopular or fractional at best—and no one wants to be the bearer of bad news.
The likely route is that publishers and/or tech companies will self-regulate. Under this potential solution, the amount of implicit data transfer to third parties from data collected in the metaverse could be limited by type. For example, collection could be limited to login ID, with access restricted for location details, socio-demographic data, browsing behavior, history, and voiceprint data—all of which are currently available, no holds barred, to companies and third parties.
Limitations could also be placed to make data accessible only to verified third parties. Much like how Twitter verification denotes celebrity, metaverse verification would indicate credibility. The problem with this solution—and most that can be suggested—is that the metaverse is inherently decentralised and therefore inherently unpopular to regulate.
That brings us to the problematic second option for regulating the metaverse, which would be to hold the government responsible—cue the outrage. Under this approach, user capability would be regulated within the geographical walls of users’ current locations as an extension of existing data-privacy laws. Besides general community backlash, the major problem with this solution is that it would create holes in the metaverse: imagine walking into a world that is only 40% built. Want to go to the metaverse movie theater? Sorry, you can’t if you are from Canada, only a black wall for you. Want to invest in a piece of virtual real estate? Sure, walk inside and view the NFTs that came with the property, which you can only see as black squares because of differing country regulations. The value may still be there, but the excitement definitely isn’t.
It goes without saying that metaverse privacy issues are concerning. So why do we keep treating it like we’re trying to regulate Twitter? The data policies that exist today are complete relics in the metaverse: You can’t use centralised geographic data privacy laws to tame this decentralised beast, just like the SEC cannot regulate cryptocurrency.
What can the metaverse learn from the Shanghai Data Exchange?
Taking a nod from China, which has been ahead of the curve with the Shanghai Data Exchange, the metaverse can and should leverage such capability to regulate the abundance of data that will be collected in the virtual world.
First, the Shanghai Data Exchange verifies and vets the source of data and acts as a certification body. In the case of the metaverse, this could be applied to verify data quality and origins to determine whether or not it can be transacted by different brands.
Second, a data exchange could verify the transaction of virtual assets, validate their value, and subsequently form a blockchain ledger to know where the data was used, bought, and consumed. Say, you purchase a virtual plot of real estate created by a virtual person that suddenly disappears—now, there is a record of it.
The metaverse, if not properly regulated, will end up a virtual world full of black squares and characterised by a terrible user experience, or, the more likely option, as a place where tech giants will set limits to the amount of information and data transacted to evolve the principle of decentralisation.
Humphrey Ho is managing director of Hylink USA.