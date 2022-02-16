Kate O'Flaherty considers the security challenges in the metaverse and investigates how they can be resolved It’s official – whether people like it or not, the metaverse is coming, and if recent reports are to be believed, it’s going to be led by firms including Facebook owner Meta. The metaverse, however, is also a security and privacy minefield, partly due to the sheer scale of the soon-to-be-realized virtual worlds. As the technology continues to develop, some companies are already taking their first (cautious) steps into the metaverse. Sportswear brand Nike is one: the firm has partnered with online gaming platform Roblox to create a virtual world called Nikeland. Others, including Microsoft, Facebook and Google, will provide the overarching experience across the metaverse as virtual worlds emerge over the coming months and years. Online gaming ecosystems such as Second Life, Roblox and Decentraland also have a central part to play. When it arrives, the metaverse will be an open-ended collection of digital experiences, environments and assets leveraging virtual technologies, says Roberto Schiavulli, head of games and immersive experiences at Dark Slope, a metaverse and virtual production company. He explains that this will include virtual and augmented reality and a complimentary digital economy. “It’s helpful to think of the metaverse in the same way we think of the internet: less a single tool or platform than the combined sum of these experiences.” The metaverse is rapidly expanding, creating urgent security issues to address. Among the concerns, verification is key to ensuring people can’t spoof their identity. Another challenge is the vast amounts of sensitive data such as biometrics which, alongside cryptocurrencies used to make purchases, will make the virtual worlds hugely attractive to cyber-criminals. Nation-states, hacktivists and criminals all stand to benefit from poor data security and privacy practices in the metaverse. So how can the security challenge of the century be resolved? Verification in the Metaverse Verification in the metaverse is one of the biggest challenges to overcome. A system where people can attend appointments with a doctor or lawyer will depend heavily on authentication of their real-world identity, Will Richmond-Coggan, a data protection expert at Freeths LLP points out.

"Unless more people realize the possible threats from handing over their sensitive data to the technology giants, we are potentially sleepwalking into a privacy minefield which will affect us all"

Without proper verification, he says, the risk of impersonation will be “impossible to control.” A lack of robust verification will lead to fraud and fake news, allowing malicious actors to cause havoc, agrees Alexey Khitrov, CEO at ID R&D. “There are many security risks posed by the metaverse, and any environment where people hide behind avatars.” Among the issues, poor verification practices could lead to misinformation, people signing up with fake identities and adversaries hacking user accounts, he says. To weed out the fakes from the real people, metaverse providers will need strong identity verification, “both in the sign-up process and continuously as the platform is used,” says Khitrov. Facial recognition technology will likely provide verification in the metaverse – and this sensitive user data must be kept secure and private. A metaverse requires interaction between multiple devices, which means “a great deal of data being shared,” says Schiavulli. Because metaverses use optical and biofeedback-reading devices to make their virtual worlds more interactive, it will mean collecting personal data such as facial expressions, pulse rate and breathing metrics. At the start, the metaverse will probably use the same confidentiality and security measures currently applied to smart internet of things devices, says Schiavulli. However, as metaverses become more popular, he thinks more tailored third-party security solutions will emerge. Given what you can do in the metaverse, criminals have a large scope to take advantage of, says Sean Wright, SME security lead at Immersive Labs. “You could literally get married in the metaverse. If a criminal were able to carry out this ceremony by pretending they were a legitimate person, they could potentially gain access to a lot of personal data. People will be putting their personal lives into this platform; that’s going to provide a very juicy target for criminals.” There are also less obvious considerations that must not be forgotten as the metaverse expands. For example, if firms including Meta allow third-party apps at some point in the future, it will be essential to assess security measures from the outset to protect user data, says Jake Moore, global cybersecurity advisor at ESET. “It will also be imperative to monitor for potentially malicious or insecure apps that will no doubt be developed to exploit any unknown weaknesses.” Data Privacy in the Metaverse The privacy of metaverse data is another issue that must be resolved. One of the biggest concerns is that Mark Zuckerberg’s Meta, which has a poor reputation in data privacy, will largely handle data privacy in the metaverse. Google is another company with a big part to play in the metaverse, and both tech firms’ business models are funded by advertising that depends on vast amounts of user data.

"There are many security risks posed by the metaverse, and any environment where people hide behind avatars"