The metaverse describes a virtual space in which physical and digital elements increasingly merge with one another[6]. While the term has gained popularity due to Facebook’s renaming to “Meta” in 2021, practitioners and researchers still disagree on how to ultimately define the phenomenon[3]. What is clear, however, is that these are increasingly immersive, virtual spaces in which new and improved technologies such as extended reality, blockchain and artificial intelligence play a key role[2]. In addition, the metaverse is social – it enables encounters between individuals and thus spans a space parallel to reality[5]. Since 2021, companies have been exploring the use cases of the metaverse; the solutions are diverse, such as virtual concerts (e.g. Ariana Grande in Fortnite), the creation of a brand presence (e.g. “Nikeland” in Roblox) or entire fashion weeks (e.g. Adidas in Decentraland). Companies from a wide range of industries participate in the metaverse and bring their products and services into the virtual space[3].
While the promises are great, there are also downsides to the development of the metaverse. One key aspect that will be decisive for its adoption is data protection. By using state-of-the-art hardware such as virtual reality (VR), augmented reality (AR) and mixed reality (MR), a range of new data can be collected[4]. This includes, for example, biometric data such as body height, the recording of hand and head movements, eye tracking and the scanning of the physical environment to delimit the virtual space. The more sensors are built into the devices, the more immersive the experience can be and the more the user can move around the metaverse in a natural way[10].
The accurate mapping of physical attributes in the metaverse also allows an individual to be observed even better – by other users or providers. For example, it is possible to track exactly what a user looks at and for how long, how they move their head and which virtual spaces they visit. Studies show that the way a user moves can be used to identify whether he or she has illnesses that he or she is not yet aware of[9]. This is reinforced by the fact that learning algorithms are also getting better and better, making it possible to generate unprecedented knowledge with the new data in the metaverse[6]. This leads to a variety of new monetisation opportunities for providers. However, new risks also emanate from other users. For example, the improved immersion means that boundary violations in virtual space are perceived much more realistically, which can have more serious psychological consequences[11].
The metaverse therefore brings with it a range of new data protection risks. Existing data protection solutions must be checked for their applicability to the metaverse and adapted if necessary. This starts with the new user interface. For example, data protection declarations are a classic element of websites. So how do you make data protection information accessible in immersive environments? In the next step, how do you ensure that sensitive data remains with the user and is not used for commercial purposes? In the past, there have been repeated data scandals that have made it clear that data protection must be actively demanded. Furthermore, the persuasive (or influencing) potential of immersive technologies must be assessed. Studies show that a high level of immersion can lead to changes in behaviour, such as a greater willingness to buy. Finally, the metaverse also includes technologies whose regulation in the area of data protection has not yet been finalised. These include blockchain and artificial intelligence, which are key pillars of the metaverse. For example, how can scams be prevented in blockchain-based metaverse environments? These are questions that need to be clarified in the development of the metaverse.
Comparability with analogue phenomena
While data protection in the past was primarily related to informational self-determination, the metaverse is once again focussing on physical boundary violations[7]. This is primarily driven by the fact that individuals can map their physical characteristics in the metaverse, which makes encounters feel realistic[12]. Numerous users report harassment, stalking and persecution. The anonymity in virtual space means that there is a lower threshold for showing inappropriate behaviour and there is still no sanctioning[8]. The question of whether the true identity must be disclosed is controversial. On the one hand, informational self-determination and the ability to withhold personal information is a top priority. On the other hand, users must be adequately protected, which makes the sanctioning of behaviour and the banning of users indispensable. However, this requires users to be traceable. This phenomenon already existed in previous virtual worlds (e.g. Second Life), but the consequences have changed due to the realistic experience of encounters in the metaverse[5]. There is no doubt that the emergence of new types of data is a digital phenomenon. The rapid development and improvement of technology enables a fusion of physical and digital worlds, whereby physical aspects can be increasingly digitised (e.g. mapping of body size) – a series of sensors make this possible[10]. Overall, the development of the metaverse is progressing, even if we are still a long way from the vision of the metaverse – a virtual space that feels like the real thing. Large technology companies are investing billions to get one step closer to this vision[3].
Social relevance
The issue of data protection in the metaverse is highly relevant to society. Not only because informational self-determination is a maxim of the EU’s General Data Protection Regulation, but also because the consequences of inaction in the metaverse are even more serious than in previous environments. For example, real-world deep fakes can lead to identity theft or individuals being influenced to their disadvantage[1]. The data collected by providers can be used for monitoring or to create user profiles[4]. This in turn can lead to discrimination and stigmatisation based on the data profiles created. In order for the metaverse to be implemented in line with EU values, a number of issues still need to be resolved. The implementation of an appropriate level of data protection that respects the concerns of users is crucial for the acceptance of the metaverse.
Sources
- BSI. Deepfakes – Gefahren und Gegenmaßnahmen. https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Kuenstliche-Intelligenz/Deepfakes/deepfakes_node.html. [20.07.2024]
- Dincelli, E./Yayla, A. (2022). Immersive virtual reality in the age of the metaverse: A hybrid-narrative review based on the technology affordance perspective. In: Journal of Strategic Information Systems 31 (2), 1–22.
- Dolata, M./Schwabe, G. (2023). What is the metaverse and who seeks to define it? Mapping the site of social construction. In: Journal of Information Technology 38 (3), 239–266.
- Dwivedi, Y. et al. (2023). A multi-perspective analysis of the negative societal impacts of the metaverse. Information Systems Frontiers.
- Falchuk, B./Loeb, S./Neff, R. (2018). The social metaverse: Battle for privacy. In: IEEE Technology and Society Magazine 37 (2), 52–61.
- Lee, L.-H. et al. (2021). All one needs to know about metaverse: A complete survey on technological singularity, virtual ecosystem, and research agenda. arXiv preprint, 2302.08927.
- Marabelli, M./Newell, S. (2022). Everything you always wanted to know about the metaverse*(* but were afraid to ask). Academy of Management Annual Meeting, Seattle, WA.
- Marr, B. (2024). The metaverse and its dark side: Confronting the reality of virtual rape. Retrieved April 27, 2024. https://www.forbes.com/sites/bernardmarr/2024/01/16/the-metaverse-and-its-dark-side-confronting-the-reality-of-virtual-rape/?sh=795d2f372b66. [20.07.2024]
- McKinsey (2022). Value creation in the metaverse – the real business of the virtual world.
- Nair, V./Garrido, G. M./Song, D. (2022). Exploring the unprecedented privacy risks of the metaverse. arXiv preprint 2302.08927.
- Schulmeyer, J. (2023). Guardians of the metaverse: Expert assessment of emerging privacy challenges and mitigation strategies. Proceedings of the 27th Pacific Asia Conference on Information Systems (PACIS), Nanchang, China.
- Wohlgenannt, I./Simons, A./Stieglitz, S. (2020). Virtual reality. In: Business & Information Systems Engineering 62 (5), 455–461.