A recent report from New York University’s Stern Center for Business and Human Rights has issued a stark warning about the metaverse, an immersive internet experience, highlighting severe privacy concerns. The report emphasizes that substantial measures are necessary to enhance and regulate how the metaverse technology collects and stores personal data.
At the core of the issue is the reliance of the metaverse on extended reality (XR) technologies, which encompass augmented reality, virtual reality, and mixed reality, all of which require copious amounts of personal and bodily data for operation, making user privacy vulnerable.
According to the report, the collection of bodily data alone has the potential to deduce intricate behavioral and psychological insights about individuals. Conventional XR hardware is equipped with sensors that continually monitor various user data, including head movements, eye movements, and spatial maps of physical surroundings.
Over time, the accumulation of this data, the report argues, could expose highly sensitive information about users, including their physical and mental well-being, which could be exploited for commercial or political purposes.
The report also points out that major players in technology, such as Meta, Microsoft, Nvidia, Epic Games, and Unity, have substantial interests in metaverse technology. To address these privacy concerns, the report recommends that companies establish “known best practices” for privacy, safety, and cybersecurity before launching their products, and they should transparently communicate how the technology may impact user privacy.
Furthermore, it advocates for the removal of “raw and derived bodily data” when it is no longer necessary for the product’s operation, and for providing users with options to control their exposure to privacy risks. Finally, the report calls for the passing of comprehensive privacy legislation, including safeguards against the use of body-based data for user profiling and enhancements to user consent models, building upon the foundation set by the American Data Privacy and Protection Act (ADPPA).
In addition, the report acknowledges the progress made in the form of the ADPPA, which aimed to restrict companies from collecting geolocation and health data but ultimately failed to reach a floor vote after passing through the House Energy and Commerce Committee in July 2022.
The report suggests that this version of ADPPA provides a solid foundation upon which to build more comprehensive privacy protections. The House Energy and Commerce Committee is currently in the process of negotiating an updated version of the ADPPA to address the risks posed by the potential uses of body-based data, improve notice and consent standards, and prohibit the use of consumers’ bodily data for psychographic profiling.