Different fact patterns for incidents
Global privacy laws generally do not contain exclusions for incidents occurring within the metaverse, but how they apply and who they apply to is a difficult question, and the timelines are tight.
While the metaverse may see a number of security challenges similar to those already seen across existing online platforms (e.g., hacking, phishing and malware), the metaverse also exposes new security issues which organizations will need to familiarize themselves with (e.g., digital twins, fake avatars, protection of specialized hardware).
Different factual breach scenarios
Reliance on avatars may expose users to the risk of impersonation (i.e., avatar duplication), identity theft and social engineering attacks. Additional thought will need to be put into identity verification methods within the metaverse.
Equally, given that many users may have an expectation of anonymity when accessing the metaverse with an avatar, exposing a user’s true identity without their permission could itself be a breach.
Where areas of the metaverse build in the opportunity for “private” rooms/areas or conversations, there will be risks of bad actors infiltrating those rooms and confidential conversations becoming public. Organizations should consider in particular where an incident may arise in a situation in which users would have a reasonable expectation of privacy, for example a private chat room, a virtual bank, or a virtual medical office.
Given the intention for the metaverse to become a central hub for e-commerce, there could be significant financial consequences to a user if their account/profile is accidentally deleted (unauthorized deletion/unavailability is also a data breach in many jurisdictions).
As the metaverse relies on virtual/mixed reality hardware which processes a user’s physical surroundings and their physical biometric data (such as hand/eye movement), there are additional risks should bad actors be able to gain access to this raw data and either directly cause harm with that information or gain an ability to draw inferences about the user. If a user’s physical behaviors can be tracked and anticipated, this may lead to more complex social engineering attacks.
Considering whether “personal data” is impacted
When engaging with the metaverse services, users may share extensive amounts of data, including private communications and data which can identify the user or infer additional information about the user. Data shared by the user is critical in creating immersive experiences, but also presents unique security risks.
Whilst in some jurisdictions the categories of information to which breach reporting relates are broader than personal data (capturing, for example, all data implicated by a cybersecurity incident, or focusing on leakage of communications data protected by secrecy rules), in recent years we have seen the global proliferation of incident reporting laws focused on personal data breaches.
Traditionally, personal data (or personal information) includes (i) direct identifiers such as names, identification numbers, location data, online identifiers and (ii) indirect identifiers such as factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity or characteristics of an individual.
Within the metaverse, we suggest it is helpful to first make a distinction between:
- any information which can be related back to a natural user, such as names, identification numbers, location data, online identifiers (e.g., an avatar or account profile), and certain communications which clearly identify the participants (“digital identifiers”); and
- information about a digital identity that cannot be associated back to a natural user (e.g., an avatar’s date of birth or physical characteristics).
Digital identifiers are likely to be covered under personal data breach notification laws, whereas, for the moment at least, information about a digital identity may not be.
When assessing if information about a digital identity is “personal data”, you should consider if the information about the digital identity:
1. relates back to a natural user, e.g., an avatar, a user’s unique profile name or identification number;
2. can be used to access a user’s account (on or off platform, including interoperable worlds), e.g., if an avatar’s physical characteristics or hand gestures are used as a private key to authorize access to a private room or third-party platform;
3. can be used to infer a digital identifier, e.g., where a user’s activity log (or lack of one) suggests that the user is away from their primary real-world residence, i.e., location data;
4. is an indirect identifier specific to the physical, physiological, genetic, mental, economic, cultural or social identity or characteristics of an individual. Examples include:
- where an avatar’s wardrobe consists of designer brands and indicates that the user is wealthy;
- where data collected to improve product functionality, such as ‘play area’ dimensions, can be used to infer information about a user’s wealth based on room area;
- where a user’s purchase history or collection of NFTs indicates wealth;
- where an avatar’s social identity represents the alter ego of an individual and allows sexual preference or cultural interests to be inferred;
- where biometric data is inferred from anthropometric data, e.g., the telemetry positioning of a user’s controllers denotes the user’s wingspan, which can be used to infer the user’s gender;
- where the characteristics or behavior of an avatar can identify the user due to his/her special circumstances (e.g., the user reacts to certain experiences differently due to disability or age).
Recommendations
Be mindful of different factual breach scenarios and ‘inferred’ categories of personal data when investigating the consequences/producing risk assessments in relation to any incident arising in the metaverse.
Conduct cyber wargames which incorporate new metaverse specific incidents to raise internal awareness.
Train employees on the different scenarios in which information on avatars and behavior in the metaverse can relate back to users, and on strategies aimed at protecting personal data in the metaverse (e.g., by avoiding unnecessary user identification).
Take into account different circumstances of users and relevant user groups (e.g. children) as well as possible interactions and information which can identify them.
Key legal risks / issues
- the metaverse exposes new security issues and factual scenarios which organizations will need to familiarize themselves with
- the degree to which identifiers associated with an avatar relate to a “person” or “data subject” is a crucial area of ambiguity as the metaverse evolves
- the more that data, in any form, can be related back to a physical person, can contribute to identity theft or can otherwise cause tangible harm to a physical person (e.g., theft of intellectual property), the more likely it is that this data will be subject to breach notification requirements
- be prepared for different factual breach scenarios and ‘inferred’ categories of personal data when investigating the consequences of, or producing risk assessments for, any incident
- put more focus on training employees on different fact patterns and on incident/breach management
- take into account the characteristics, special needs and expectations of certain user groups (e.g., children or disabled users)
Questions to consider
- have you considered all of the scenarios where a data breach may arise?
- were an incident to arise, are you clear on all information which can be related back to a natural user (including information that can be inferred)?
- what can you do to enhance awareness across your organization/employees? Are metaverse-specific cyber wargames appropriate? Has a training program for employees been introduced, and is it updated regularly?
- have you taken into account the different characteristics and needs of certain user groups in your data security and incident/breach management policies and procedures?
Contact
Paula Barrett
Co-Lead of Global Cybersecurity and Data Privacy, paulabarrett@eversheds-sutherland.com
Michael Bahar
Co-Lead of Global Cybersecurity and Data Privacy, michaelbahar@eversheds-sutherland.com
Jonathan Palmer