While there’s much buzz around the metaverse, few conversations focus on its security, privacy and safety. But these challenges may be even bigger in this emerging space than in the rest of the digital world.
I spoke with several experts who agree organizations wanting to embrace this new medium must think about the challenges now – not when the metaverse gains full steam.
What is the metaverse?
The metaverse is an immersive three-dimensional world where people engage in social and commercial activities through digital avatars. Users can access it on many kinds of connected devices, but it’s most immersive when used with a virtual reality (VR) headset. There are many metaverses, including Horizon Worlds, which is being developed by Meta (formerly Facebook).
Some call it the future of the internet. In this metaverse future, our physical and virtual spaces and lives may converge seamlessly. It could create a common place to work, shop and socialize.
Some put this future closer than we might think. Global analysts Gartner predict 25 percent of people will spend at least one hour in the metaverse by 2026. Market Research Future says the metaverse market will grow by 45 percent annually until 2030. By contrast, they expect the Internet of Things (IoT) to grow by just 26 percent each year.
Little focus on metaverse security and safety
“The metaverse’s attack surface [possible entry points for malicious actors] is bigger, and it’s also a new technology space,” says Nick Donarski, co-founder and chief technology officer at blockchain company ORE System. “Developers don’t have the experience, technical resources and exposure for long-term understanding of its security and how it applies to organizations.”
Al Pascual, senior vice president of enterprise risk solutions at identity security provider Sontiq, thinks we can easily get ‘ahead of our skis’ when it comes to security. “We invent new ways to give people experiences and products using old security paradigms and have to clean up the mess later,” he says. “We must think about security before we start deploying the metaverse to everyone.”
Securing the ‘Wild West’
“The metaverse is like the Wild West right now. There aren’t even any standards yet,” says Aarti Dhapte, senior research analyst at Market Research Future and an author of its metaverse market forecast reports. “You can’t even regulate it well because everybody doesn’t define the metaverse the same way.”
Gartner defines the metaverse as “a collective virtual space created by the convergence of virtually enhanced physical and digital reality” that’s “device-independent and not owned by a single vendor” with “an independent virtual currency.” Other definitions include fully immersive experiences, a three-dimensional overlay on the physical world and a persistent collection of universes we can traverse with digital identities and assets.
Despite its early stage, many security experts expect the metaverse will see familiar security threats: social engineering, phishing, identity theft and more.
“Cybercriminals’ methods are rarely new. More often, they use the same methods in a new channel,” says Pascual, whose fraud prevention career includes working for global banks.
As the metaverse combines broader technologies and mediums, from VR to blockchain to IoT, we may see threats we know today on a bigger scale.
Adding blockchain to the mix
Many think blockchain will play a central role in the metaverse because of the need to decentralize the space and enable the various worlds within it to interoperate. Cryptocurrency, which uses blockchain, is the natural candidate for metaverse ecommerce. The metaverse could use smart contracts – digital transactions stored on blockchain that self-execute under certain conditions – to implement rules.
Also a new technology, blockchain adds complexity and security challenges to the metaverse. And while many think its immutability makes it more secure, recent attacks on blockchain highlight its security shortcomings.
Virtual currencies, whether cryptocurrency or non-fungible tokens (NFTs), are also hard to navigate, especially for a big metaverse user group – children. “It’s risky for kids and teens to understand handling virtual money in all forms and can lead to big losses,” Dhapte says.
People still the weakest link
Malicious actors most often attack by manipulating people. For example, Verizon’s 2022 Data Breach Investigations Report says 82 percent of data breaches involve a human element. The metaverse’s human element is similarly exploitable.
Educating your people and community about good security practices is the key to security for any space.
Nick Donarski, co-founder and chief technology officer, ORE System
The metaverse will also magnify data privacy concerns. Artur Kane, vice president at secure remote access company GoodAccess, says that since the metaverse is a “world attacking even more of our senses,” tech giants can use it to make more money with better-targeted advertising. That means tracking even more of our behavior online.
“We give away much more information in the metaverse,” says Kane, a frequent privacy speaker at industry events. “Companies can learn much about us – like race, sexual interest, potential health issues.”
He mentions recent research showing how attackers could exploit hardware and application weaknesses to violate privacy. They set up a benign-looking VR escape room game and inferred many participants’ attributes, from height to age to location, with high accuracy using just minutes of gameplay.
Regulation far behind
Lagging data privacy and security regulation adds to the metaverse’s Wild West feel. “We’re giving away so much more data than we realize,” says Kane. “There’s huge potential for data breaches and leaks in a new environment where legislation doesn’t restrict much.”
Blockchain regulation is also lacking, which Dhapte thinks could mean greater chance of fraud. “Since various countries don’t have fixed regulations for blockchain, tracking fraudulent activities would be a real challenge for governments.”
User risks in immersive environments
The metaverse is a rich playground for abuse – from sexual harassment to virtual assaults. “Any vulnerable group, especially children, faces higher risk as non-consensual contact and communication might be more intrusive and targeted, given how immersive the experience is,” Kane says.
A survey by global think tank Wunderman Thompson Intelligence found 66 percent of parents familiar with the metaverse have child safety concerns. Fears are not unfounded – one media investigation found behaviors like racist comments and sexually explicit content directed at children.
Pascual of Sontiq says metaverse participants exchange little of monetary value today, “But in ten to 20 years, the potential for financial transactions is huge, especially as digital properties gain value. Thefts will become more meaningful.”
In the meantime, users still risk fraud. Pascual says scams draw kids looking for cryptocurrency and virtual swag. “We’ve seen evidence of predators targeting children in open worlds like Roblox. Parental oversight, education and control on who children can engage with and what they can see will be key.”
An investigation as part of Tomorrow Unlocked’s hacker:HUNTER video series found hacking is rife in children’s games like Roblox, for example, the theft of hard-won digital items. These hacks had considerable impact on the child gamers.
It’s harder for parents to monitor children consuming content using VR headsets because they can’t look over kids’ shoulders as with a computer or phone. That gives brands launching metaverse experiences a greater responsibility to protect users.
Protecting business in the metaverse
For teams responsible for metaverse experiences, security experts like Pascual emphasize the need for moderation. He sees danger for brands on ineffectively moderated platforms. “Brand trust will be critical, so there’s a need for moderation, including monitoring to ensure brands aren’t easily imitated,” he says.
Moderation may not be easy. Tech giant Meta’s chief technical officer said moderating user behavior “at any meaningful scale is practically impossible.” Still, some experts think self-scrutiny by brands, alongside industry collaboration, will be a business imperative in the metaverse.
The good news is security concepts are roughly the same in the metaverse, according to Donarski of ORE System. “The fundamental security practices carry over because the architecture is the same. It still runs on a server, you have databases on the backend, user and password management, and so on.”
It may take a while, but the metaverse will likely become a reality. Companies must consider security and privacy before that reality takes shape – whichever version of the metaverse unfolds.