When your data controller is Snoop Dogg

May 3, 2022 | By Caroline Louveaux and Derek Ho

What is the metaverse? By some accounts, it is a parallel, immersive and pervasive virtual life where you can exist among other avatars, purchase and trade virtual goods and participate in digital concerts and cocktail hours. For others, the ultimate vision is that the metaverse isn’t one place, but a multiverse of digital worlds offered by different platforms, some blending with the real world.

And for good measure, Hollywood offers up some dystopian examples: “The Matrix,” with its ersatz version of reality that serves as a prison for humanity, and the massive, chaotic gaming and social platform in “Ready Player One.”

Whatever you think of it, metaverse-related ideas, technology and platforms are being backed by billions of dollars in investments, and the addressable market is expected to be in the trillions of dollars. It will be a fast-evolving and complex area with a great many potential use cases. From gaming to shopping, fitness to education, all of it could be enabled by the convergence of foundational and interlinked technologies — blockchain, 5G/6G, artificial intelligence, spatial computing, cloud and edge computing.

Such an all-encompassing and powerful platform will create massive amounts of personal data — and raise significant ethical, privacy and security questions, both novel and familiar.

If the world’s collective experience with data (mis)use to date is instructive, we need to better understand the implications of our choices in these virtual worlds, especially given the complexity and emergence of many of the metaverse’s enabling technologies. If we don’t create clear data controls and guardrails, it could expose people using the metaverse to excessive data collection and abuse of their data and privacy.

More data creation and collection — lots more

The technologies used in the metaverse will expand the current widespread collection and use of data. These platforms and devices could create a more intimate profile of individuals, including physiological information — such as the size of your hand, how your eyes move when you scroll a page, what your brain waves are doing in response — and behavioral data. Information collected from these systems could not only point toward preferences but could even, for example, make predictions, identifying the early onset of medical conditions. The metaverse will be data collection on steroids.

This expanded level of data collection also is expected to be “always on.” For example, prescription glasses with augmented reality functionality would not only provide real-time heads-up displays and overlays of information but also contain a selfie-type camera that tracks what your eye is looking at: Look toward an Italian restaurant and you'll be presented an offer for takeout from that business. On the other side of an augmented reality lens, people around the wearer will be concerned (as will be regulators) about whether individuals are being recorded and subject to facial recognition without their knowledge. Some organizations — companies, hospitals, governments — may also want to bar such devices from sensitive areas so as to limit data leakage or confidentiality concerns.

Data will also continue to bleed between the virtual and physical worlds. Real-world information or preferences that are unintentionally disclosed or displayed by your avatar in the virtual world or by transactions reflected on a public blockchain can be used to identify you in the real world, and vice versa. As with the digital exhaust you currently produce when surfing the web, you could end up sharing far more personal information than you intended when interacting in the metaverse.

Defining the data controller

Some privacy laws place much of the responsibility for compliance on the data controller — the person or entity who determines the purpose and the means of the collection of the data. A data controller needs to be distinguished from a data processor, who acts on the instructions of the data controller.

Identifying who is the data controller is important, as data controllers need to ensure transparency (such as providing privacy notices) and get users’ permission for collecting and using their data. These controllers must also allow individuals to access, correct and delete their data, and notify individuals in the event of a data breach.

Determining who is a data controller or processor in today’s Web 2.0 world is difficult enough, and you will get as many disagreements on the roles and responsibilities of a data controller or processor as there are lawyers in the room. This complexity will only grow when dealing with a metaverse built on public blockchains, given the web of parties and interactions that could occur.

Let’s say that Snoop Dogg has a virtual concert in the Sandbox (a digital real estate and gaming metaverse that allows users to create, buy and sell land and digital assets using a public blockchain), and you purchase a ticket (in the form of an NFT) using your crypto wallet. Who is the data controller here — and hence responsible for compliance with privacy laws? The Sandbox, the crypto wallet provider, the NFT marketplace or Snoop himself?

The answer could be all of them. The wallet provider could be the data controller for the data used to create your account, conduct "know your customer" checks and manage your cryptocurrencies. The NFT marketplace could be the data controller for the data on its platform. The owner of the gaming metaverse could be the data controller for data collected from content creators, users and landowners. The brand owners in the metaverse — for example, Snoop Dogg — could be the data controllers for data collected in relation to his events or experiences that take place in the metaverse much in the same way that brands are data controllers for the personal data collected on their business page on, say, Facebook.

Given the significant responsibilities a data controller holds — including responding to individual requests for the deletion of personal data — more guidance from regulators will be needed.

Navigating the metaverse with our eyes open

There will be other novel — and familiar — questions to deal with. For example, we have yet to fully appreciate the impact of extended reality devices on our perception of reality. How readily will we take information presented in a virtual reality world at face value, and how plausible will it seem to us (that is, will we “respond as if it is real”)? Spotting scams and fraudulent emails in today’s world is difficult enough, so perhaps we should start preparing for how to deal with scammers using deep-fake avatars in a metaverse.

Security will continue to be only as strong as the weakest link. Basic phishing attacks will still be a blight, as seen in a recent phishing email campaign targeting NFT owners.

There are several approaches we can take to navigate potential pitfalls. These could include adopting a Privacy by Design and Security by Design approach, being guided by a strong sense of data responsibility and giving individuals transparency and granular controls over use of their data. Manufacturers could also consider establishing common standards for extended reality devices to recognize no-filming zones.

Beyond that, and critically, the potential complexity of the metaverse means that addressing the ethical, privacy and security issues will require discussions that involve a diversity of views and disciplines — from law, security, technology, psychology, ethicists, economists, regulators and the wider community.

We sleepwalked into the internet age. Investing in the necessary discussions, analysis and governance will help to ensure that we do not sleepwalk into the metaverse, whatever version, or versions, we ultimately create.

Caroline Louveaux is Mastercard's Chief Privacy Officer. Derek Ho is assistant general counsel for Privacy and Data Protection at Mastercard.