Emergence of the metaverse is a revolution in technology. The beginning of our subtle yet inevitable move towards metaverse shouts attention towards hazards to data privacy and security, which cannot be ignored. Though our data protection regulation is still to see the light, to strengthen cyber security in the country, the Indian Computer Emergency Response Team (CERT-In) issued directions under sub-section (6) of section 70B of the Information Technology Act, 2000 relating to information security practices, procedure, prevention, response and reporting of cyber incidents for Safe & Trusted Internet. Nonetheless, sooner or later India will have holistic data protection and privacy regulation in place and several existing data protection and privacy norms in the world suggest that Organizations must consider certain implications before operating in the Metaverse. Implications such as:
a. Consent: Consent mechanisms should be in place with the variety of new data types flowing in including user biometrics information. It must be simple enough for the user to meaningfully engage and should be regularly refreshed without the assumption of perpetual permission and with every new data type, these mechanisms have to be upgraded.
b. Transparency: Both human and AI entities will form part of the metaverse and with time, it could become difficult to tell the two apart hence, users must be informed when they are interacting with AI bots so that users always know who they are sharing their data with.
c. Monetisation: Transparent monetisation can help counter data misuse concerns as one of the biggest reasons behind the misuse of data is the thought that most of the internet is a free service. Which is not the case as behind the free concept lies the revenues collected via targeted advertising based on user data.
d. Security: VR worlds have to be purpose-built for data security. Watertight technology is must since the metaverse will house massive volumes of user data. PETs and in-sensor data processing practices should be adopted in the metaverse.
e. Data privacy and ease-of-use could be in conflict as interoperability becomes much faster and smoother in case of a single set of terms & conditions governing both platforms. For the sake of users’ privacy and control over third party sharing, ideally, consent should be renewed at every point of data re-entry.
Security As Foundation And Security By Design
Companies must design their product/ service/ offering keeping in mind user privacy. Irrespective of the legal framework, in order to gain and ensure user trust, companies venturing into the metaverse must consider privacy an important building block. As it appears that users are more willing to share data if they trust the company for its usage and security. Though some countries require embedded privacy and data security products and services, it is otherwise also a good practice keeping security in mind as data breaches and accidental exposure could prove costly for companies in the long term. Embedded privacy and data security products and services require understanding what personal data is needed, only collecting such data (having business needs), getting rid of such data when that need no longer exists, and securing personal data in their possession.
Who is responsible for data security?
Majority of privacy lapses in recent years have revolved around the ways organizations exchange data with third parties. In the ocean of data, security is of the paramount importance. To determine who is responsible for data security, how data breach incidents may be prevented, and what happens in the event of a data breach incident, is crucial. Each metaverse can create its data processing rules and declare who is the data controller and data processor of the relevant metaverse.
Recommendations:
To protect privacy in the metaverse, companies should make sure that these devices should treat the data according to some principles. These XR devices that collect sensitive data should provide visual cue and a control button to manage the input data flows from sensors. Can also opt for the processing of private data on the users’ side. Adaptation of privacy frameworks that allow users and developers to fine-control the privacy of the input data. This collection of data can be managed by privacy enhancing technologies (PETs) that blur any sensitive data from the sensors before being shared with cloud services.
Countries, including India with no holistic data protection regulation in place have an example of the California Consumer Privacy Act (CCPA) and the General Data Regulation Protection (GDPR) which specifically deals with the protection of individuals in monitoring environments.
Way forward:
Despite all the aforementioned proposed solutions, there is still the need for device manufacturers, systems, frameworks to develop a consistent privacy protection solution across all entities that conform to the metaverse.
(Khushbu Jain is a practicing advocate in the Supreme Court and founding partner of the law firm, Ark Legal. She can be contacted on Twitter: @advocatekhushbu.)