Applying Privacy and Identity Best Practices to the Metaverse

Real World Privacy Considerations in the Metaverse Context

Meta / Facebook is betting big on the Metaverse, with over $10 billion spent in 2021 and that level of investment set to continue. They’re also making really solid strides in the market. Their all-in-one virtual reality headset, the Oculus Quest, is a best seller. In fact, I recently picked one up and can confidently say that both the hardware and software have come a long way in the last few years.

When I founded Tozny, I wanted to bring the best technologies for security and privacy to everyday end users. That’s why we focus on end-to-end encryption, identity, and access management. The Internet was built without a trust foundation, and for many years those of us in the cybersecurity world have invested significant effort to shore it up.

But with new platforms comes new opportunities. Android and iOS radically changed the nature of security on end-user devices with fine-grained permissions (like when the operating system asks if you want to allow access to GPS location). And Apple of course touts the privacy benefits of end-to-end encryption as a feature of the iPhone, which extends into their web services like iCloud. Some people see virtual and augmented reality (AR/VR) as a new platform equivalent to the smartphone.


With the “metaverse”, there is an opportunity to build interoperability, privacy, and identity into the ecosystem, and there’s even some evidence that Facebook is motivated to do so. To catch on, the metaverse has to be built by a variety of vendors and interoperate – and Meta has emphasized this. One of the implications of that is that people should be able to move seamlessly between experiences without worrying about privacy. Metaverse applications should integrate in a way that’s quite different from how apps on smartphones integrate today. Moving between apps should be more like moving around in the real world in that the people, avatars, and objects should cross application boundaries.

In Meta’s article about “Building the Metaverse Responsibly”, they highlighted privacy as a key risk area and noted their need to take the right approach early on by looking at, “how we can minimize the amount of data that’s used, build technology to enable privacy-protective data uses and give people transparency and control over their data”.

Since we here at Tozny truly believe in identity and cryptography being keys to building privacy-preserving and secure systems, I thought we’d explore what these technologies can do for the metaverse.

Identity, Attributes, and Privacy in the Metaverse

The identity community has made amazing strides in building interoperable login and access control solutions. Identity management workflows and solutions are being embraced wholeheartedly by enterprise software ecosystems where companies want to give users a single login and let them use that login across a lot of third party applications. For non-enterprise users, the most visible example of this is so-called “social login” features like “Login with Facebook” and “Login with Google” that you will see offered by some websites.

An important consideration when it comes to user identity management is privacy, and privacy-preserving identity practices should be a native feature of the metaverse:

  • Users should be able to bring their identity from a variety of services into a variety of VR/AR platforms and apps. My metaverse identity on Apple should be reusable on Meta, and I should be able to communicate with people on different platforms in a variety of services. Meta recently made a small improvement here; previously you had to have a Facebook account to use an Oculus Quest, but they are now allowing a separate Oculus account. We’ll see how that plays out.
  • Users should be able to share attributes, claims, and data across services. When I log into a metaverse app, I should be able to selectively bring along information about myself, which I selectively share with the platform and other users like friends or people nearby. This could include my avatar, my age, my privacy preferences, and the communities I’m associated with.
  • Users should be able to adopt personas according to their level of interaction with a platform and other people. The way they identify themselves personally to various apps and services should not be the default way they identify themselves to the public or communities. That is, the user should have control over an anonymous or semi-anonymous public persona. Transactions, communications, and other kinds of trust-based interactions can be handled anonymously to avoid abuse.
  • User attribute sharing should be “blinded” where possible so that we can share attested attributes without revealing our identities. That’s to say I should be able to prove that I am over 18 without revealing my birthday, name, or contact information to every app. This moves the question of who to trust about user attributes from the user to the attesting party, but that’s actually better both for privacy and accuracy of attributes.
  • Safety – the platform can still know who I am and attest to the apps that I haven’t been blocked from for bad behavior for example. This can be leveraged both to protect children from inappropriate behavior, and to protect the rest of us from the trolling that’s endemic to a lot of online communities and has already made its way onto VR platforms.

Leveraging Encryption in the Metaverse

Solid end-to-end encryption is becoming the gold standard for privacy. It lets a single user trust that the data the platform stores on their behalf is secure and only visible to them. It lets multiple users text message, do conference calls, and collaborate without the cloud platforms having access to private and sensitive information.

End-to-end encryption isn’t the only approach though. Using application-layer encryption improves privacy throughout the data lifecycle, from data collection to machine learning. We recently published a paper on this topic in fact.

  • Users should have the option to manage their data in the metaverse in an encrypted way. Similar to how Apple encrypts data between your phone and their servers, platform vendors should provide encryption from your VR rig to their servers.
  • When users share private and sensitive information with other users, it should be encrypted in a way that they can trust it’s not being accessed by unauthorized parties.
  • Identity and encryption go hand-in-hand, which is why we’ve built both an IAM platform and an end-to-end encryption platform that interoperate.
  • It’s almost inevitable that objects in the real world are going to be captured as digital models and integrated into the virtual world. For instance, your living room can be scanned by your VR headset and integrated into the world for people to virtually visit you. We should be allowed to maintain some kind of control over our spaces and objects, and end-to-end encryption is an excellent technology to address that.

User Privacy

A few years ago, NIST outlined a set of privacy engineering objectives that tie together some goals we believe metaverse companies should strive toward. I’ll outline the applicability of identity, access management, and encryption technologies to each of these goals:

  • Predictability: users can understand how their data is handled. Metaverse vendors should adopt shared best practices about how user data is handled so that users can move freely across various experiences without having to worry about privacy.
  • Manageability: users can have granular control over how their data is handled. This can be strongly supported by identity and access management platforms, including use of protocols like OAuth to release information and end-to-end encryption to protect it.
  • Dissociability: users can reveal selective information about themselves without revealing their identity. This can be accomplished with identity services that can assert user login and user attributes without revealing the user’s identity. More platforms should allow login like this.
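The “blinded” attribute sharing described above (proving I am over 18 without handing over my birthday or name) and the dissociability goal both come down to the same mechanism: an attesting party signs salted digests of a user’s claims against a pseudonymous persona, and the user later reveals only the claims an app needs. The following is an added, self-contained illustration and not Tozny’s code; the attester’s signature is modelled with an HMAC under a constructed key, standing in for the public-key signature an app would check in practice.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed stand-in for the attesting party's signing key (assumption: a
# real deployment would use a public-key signature the app verifies instead).
ISSUER_KEY = b"constructed-issuer-key"


def _digest(salt: str, name: str, value) -> str:
    """Salted digest of one claim; the salt keeps digests unguessable."""
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()


def issue_credential(persona_id: str, claims: dict) -> tuple:
    """Attester signs digests of every claim bound to a pseudonymous persona.
    Returns (signed credential, private disclosures kept by the user)."""
    disclosures = {n: (secrets.token_hex(16), v) for n, v in claims.items()}
    payload = {"sub": persona_id,
               "sd": sorted(_digest(s, n, v) for n, (s, v) in disclosures.items())}
    body = json.dumps(payload, sort_keys=True).encode()
    sig = hmac.new(ISSUER_KEY, body, hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}, disclosures


def present(credential: dict, disclosures: dict, reveal: list) -> dict:
    """User builds a presentation carrying only the named claims."""
    return {"credential": credential,
            "disclosed": {n: disclosures[n] for n in reveal}}


def verify_presentation(presentation: dict) -> Optional[dict]:
    """App checks the attester's signature and that each revealed claim was
    actually attested; it learns the persona id and revealed claims only."""
    cred = presentation["credential"]
    body = json.dumps(cred["payload"], sort_keys=True).encode()
    expected = hmac.new(ISSUER_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cred["sig"]):
        return None  # forged or altered credential
    revealed = {}
    for name, (salt, value) in presentation["disclosed"].items():
        if _digest(salt, name, value) not in cred["payload"]["sd"]:
            return None  # claim was not attested, or its value was changed
        revealed[name] = value
    return {"sub": cred["payload"]["sub"], **revealed}


if __name__ == "__main__":
    cred, disc = issue_credential("persona-7f3a", {"over_18": True,
                                  "birthday": "1990-01-01", "name": "A. User"})
    print(verify_presentation(present(cred, disc, ["over_18"])))
```

The app ends up with the persona id and `over_18: True`, while the birthday and name never leave the user’s device; trust in the attribute rests on the attesting party, as the bullet above describes.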


The Metaverse is in its Infancy, but Privacy is Not

This is an opportunity to build identity management, standards, privacy, and encryption directly into the metaverse while it’s in its infancy. A number of companies are investing heavily in the metaverse, and this will allow them to interoperate, protect user privacy, and improve user experience across the board. If you’re building a VR / AR experience and want some advice about applying these concepts to your application, please reach out. We are passionate about improving the security and privacy of everyday people, and we’re excited about what the metaverse has to offer.