Improving security together
PRIVACY THOUGHTS WITH KARA KELLY
The metaverse presents many unique challenges to individuals’ privacy. Data minimisation—the need to collect only data necessary to conduct processing activities—is a principle of data protection regulations. A challenge posed by the metaverse is that the data processing required to create immersive environments is expected to result in massive collections of data about individuals, from health data to financial data. Companies in the metaverse such as JP Morgan, Walmart, Nike and Samsung may soon have access to surveillance data from business engagement and sales, exposing us to highly commercialised digital spaces where overcollection of data may become unavoidable.
The 2022 Deloitte Australia Privacy Index stressed the link between consumer behaviour and privacy, with 51 percent of individuals surveyed saying they were uncomfortable with their behaviour being subject to online surveillance. So, how do companies create these environments while managing consumer expectations of data minimisation?
Meta is one company that has attempted to overcome this challenge. As of August 2022, users of Meta’s virtual reality (VR) devices will no longer need their Facebook account details to log in. However, Meta will still require name, email address, phone number, payment information and date of birth for age verification to create this new type of account. This practice raises the question of whether or not Meta is adhering to the principle of data minimisation.
How do we address the risk of overcollection of personal information in the metaverse?
Most data protection laws are drafted to be agnostic in their treatment of new technologies, and are applicable to the metaverse. The EU’s General Data Protection Regulation (GDPR) and China’s Personal Information Protection Law (PIPL) specifically mention monitoring the behaviours of natural persons living within their territories regardless of where the data gathered is processed. They also require a high level of transparency from entities processing the personal information of individuals. Such entities must be able to identify exactly what they are collecting and processing in the metaverse and explain this to their users in a manner that allows for informed decisions. Companies looking to benefit long term in the metaverse by engaging with individuals must examine their data collection needs and build trust through transparency.
SECURITY THOUGHTS WITH SARAH IANNANTUONO
The metaverse represents a convergence of multiple technologies. This makes security a top priority for metaverse development if the opportunities it creates are to be exploited. With countries like South Korea investing $US177.1 million into the metaverse ecosystem and companies such as Meta, Microsoft and NVIDIA focusing on the metaverse as a core offering, it is important to foster discussion on security concerns and collective ways to mitigate them. Here is a small snapshot of some of the key security considerations to be aware of, and some example mitigations.
Data portability and fragmentation.
The (slightly utopian) objective to have one seamless digital experience across companies and providers creates trust challenges for individuals who are currently unable, in most cases, to take identity and assets between platforms. In addition, the current fragmentation between the players in the metaverse divides applications and products.
What to think about. A new approach to governance and standards in the metaverse needs to be established. Some companies currently exploring the metaverse, such as Meta and Microsoft, have committed to portability of data across platforms. If your company is looking into metaverse opportunities, consider staying flexible and remaining open about applications and products used to ensure you are not locked in.
Broader attack surface and fraud opportunities.
Mixed reality devices provide malicious actors with new attack surfaces. New metaverse-specific crimes such as ‘pump and dump’ NFTs and fraudulent metaverse investments have already emerged. The history of IoT devices offers numerous examples in which new weak points in the enterprise were targeted and exploited.
What to think about. Ensure devices such as mixed reality headsets are secured with mobile device management. Provide training to staff members on scams exploiting metaverse opportunities and, lastly, ensure your company secures the rights to its URL address to stop impersonation.
Call for discussion
The metaverse is here to stay (and will develop exponentially), but there will be teething pains for privacy and security as it does so. Building trust through transparency and security will be key for companies seeking to use this new channel of communication with users. While current laws and regulations will apply, our understanding of this technology will be critical to how we, as users, adopt it and behave in this new hyper-spatiotemporal and self-sustaining virtual environment.
www.linkedin.com/in/kara-kelly-9515b9b3
www.linkedin.com/in/sarahiannantuono