Zuckerberg's Metaverse, and the possible privacy and security concerns

The news is currently jam-packed with tales of Facebook’s Meta project. Of particular interest to me is Facebook’s long-stated desire to introduce adverts into the VR space, and what this may mean for Meta too. I’ve talked about the privacy and legal aspects of adverts in gaming and other tech activities many times down the years.

An advert in every home

Back in the Xbox 360 days, I explained how even in 2009 console dashboards were increasingly filled with adverts. A few years later I also highlighted how gamers resorted to using HOSTS files or OpenDNS to block advertisers from placing adverts onto the screen. Sure, they ended up with lots of black empty boxes but they felt it was preferable to the alternative.

Adverts and tracking in gaming have never gone away, and in many cases have only become worse. In 2017, I presented findings on what gamers could expect to see in many EULAs and privacy policies. I also covered, in detail, what kind of things you should expect with regard to advertising in VR/AR platforms.

The Advergaming wilderness years

Things sort of fizzled out in VR/AR for advergaming for a few years. The technology has been there, but the big push has been around advertising in VR more generally. Advergaming is still pretty niche, and VR headsets always seem to be on the cusp of becoming the next big thing…but then not quite getting there.

What this realm has been crying out for is a massive platform push. Step up to the plate, Facebook. Now with all new Meta.

A frosty Meta reception

The promotional material for Meta hasn’t had the best of receptions. There are still a lot of things in there which simply don’t make sense, and provide no real indication of how it’s going to work. Even so, something VR/AR-centric is definitely going to be the end result; we just don’t know what specific form it’s going to take. But what we do know is that advertising will be a big part of it. Some of the basic ideas already thrown around suggest a gamification of reality, seen through the lens of Meta.

We’ve been down this privacy road before with Google Glass and other AR specs. What are some of the possible concerns and issues related to privacy and security in this new world of virtual augmented realities?

Avoiding the physical risks of VR

If you’re going to spend a lot more time in headsets, it pays to be mindful of your surroundings. There’s already been one VR death that we know of, and we don’t need any more. I’ve spent a fair amount of time with a headset on for advergaming research, and below are the rules I generally follow to keep myself safe. We don’t know what Meta will say in terms of physical security yet, but encouraging a big push into VR should probably be accompanied by suggestions similar to these:

  1. Some VR games require you to stand up, or move around. They’re quite physical. Others are fine to play sitting down, and you might use a mouse and keyboard or a controller. If you’re doing the latter, you won’t want to accidentally hit your screen. You’re not looking at it anyway, so consider turning it around so it faces away from you. If your layout doesn’t allow for this, you can often align the “front view” of the game (what you see, in other words) in a different direction from the TV or monitor the PC is plugged into, so you’re still able to face a different direction. Note that this will only work if you’re using a controller or wands. You can’t really sit at a right angle to your screen if you still need the mouse and keyboard.
  2. Wire safety is crucial. It’s incredibly easy to get your legs tangled up and then have a head/floor incident. Some people install overhead hooks to manage wires. Where this isn’t possible, cable ties are also handy. If all else fails, there are apps you can use which will show you if cords are tangling while in-game.
  3. Some platforms use “chaperone” modes. These map out the safe floorspace area while playing.
  4. I’ve seen many “Oh no, I bashed my toddler on the head with my wand” type posts down the years. There used to be no easy way to get the attention of someone in a headset without risking a bash from a flailing arm or leg. Thankfully there are safeguards which can be used. For example, the Steam “knock knock” feature.
  5. Orientation is another problem. I don’t remember where I got this tip from, but placing a fan next to wherever your TFT or TV is located means you’ll always know where everything in the room is in relation to your position. Finally, if you’re on carpet then put down a rubber mat or similar so you know where the safe zone is. If you’re on wood, then a few squares of carpet or a rug will do.

That’s the physical side of things covered, though there’s probably room for improvement. Now we move onto the digital concerns. Let’s start the ball rolling with what is probably the biggest problem for Facebook/Meta specifically:

In June, we looked at what happened when Facebook announced it was going to do some advert testing in games. The title selected for this was something called Blaston. Although the adverts arguably stuck out badly from the game’s futuristic environment, the ad tracking side of things was pretty non-invasive. No movement data was used to determine ad success, no information was processed or stored locally, and conversation content was not recorded. Compared to the kind of deep-dive practices which happen on your desktop every time you open your browser, this is an incredibly light touch.

Despite this, the test didn’t seem to go very well. The developers were told by players “We don’t want this” and they decided not to do it anymore. Like many popular VR games, it’s a paid title and not a freebie. Ads in expensive console and PC games tend to get a rough time of things by default. It seems the same is true for VR titles. The fact that players on some VR platforms would see these ads as opposed to others pretty much sealed their fate.

There’s no easy way round this, and Facebook/Meta has a big hill to climb here.

Data breaches are still a thing even in VR land

Users of a pornography-based VR app were in the news back in 2018. Researchers found it was possible to view information including email addresses and device names for app users along with download details for anyone who’d paid using PayPal. Even though you’re interacting with a virtual or augmented world via headset or mobile, your data is still ending up somewhere other than the visor on your head.

It’s never been easier to pick up cheap DIY tools and get making some VR apps. We often wonder how much security work goes into cheap IoT devices and regular mobile apps, and the same thing applies to VR and AR. At this point, we simply don’t know what the future holds in this respect. If Meta allows for third party apps somewhere down the line, we need to know what security measures are in place to protect user data, and also screen for potentially malicious or insecure apps.

Augmented reality specs are on thin ice regarding privacy concerns

Look, we’ve been here before. People were so carried away with the idea of tiny digital lenses on their face that we soon ended up with lots of privacy invading overreach. Oh no, my fancy glasses are banned from public restrooms. Ah, this eatery won’t let me sit inside with other customers. Whoops, the local cinema has accused me of recording a movie and sent me to space prison.

And so on.

Any maker of AR glasses must surely be aware of the privacy furore just waiting to explode again the moment someone does something bad with their branded specs in the accompanying news stories.

Facebook seems to be conscious of the Glass issues from years prior, but some of its solutions to these privacy issues are arguably a little bit lacking in solid details so far. Tying real world product functionality to social media accounts generally is also risky. We need to see a lot more meat on the bone where addressing safety and privacy issues arising from AR glasses is concerned. Whoever manages to crack this problem will reap the benefits, but will they be able to pull it off in the first place?

The privacy concerns issue isn’t really helped by some of the commentary from Mark Zuckerberg himself. He commented that a “killer use case” for AR glasses is being able to do something the person you’re talking to is unaware of.

We’re in a time where privacy focused people have seen years of awful tech practices. At this current moment, we’re all waiting for the next privacy fallout from a data breach. With the myriad ways bad people can abuse people through technology placed in their homes, the stakes for real/digital crossovers have never been higher.

And then, in all of this, we have the man at the forefront of a new, unreleased real/virtual crossover normalising a (mildly) deceptive use of technology towards people unaware that it’s happening.

This seems like a bad idea.

Don’t make it easy for criminals

Another selling point of Meta is being able to reproduce your home inside the VR space. This sounds cool, but there are already plenty of VR apps and desktop-based programs you can do this in. Yes, I made my home in Fallout 4. Yes, I blew it up shortly afterwards.

The difference is, the only person able to see it before it went kaboom was me.

There’s almost certainly going to be a social dimension to Meta’s home building. Friends will want to come and hang out at your (digital) place, right?

Where this could be a cause for concern is privacy settings. We need to make sure people are able to make their homes private, or inaccessible to strangers. I’ve seen similar situations in games where your home can be opened to the public. Sometimes you can port accessibility restrictions from house to house. Other times, homes or apartments are listed in public databases in-game and you’re free to visit wherever you want.

VR and AR allow for a lot more realistic homebuilding in digital spaces. There are furniture store apps which allow you to use AR and place items in your home to see if they fit the space intended for them. Could we see people scanning portions of their home and inserting it into Meta spaces? How about accurate replicas of rooms and their furniture?

The danger is we’ll be making scale models which could be used for any dubious purpose you care to mention. What if you’re able to make the outside of your home resemble the real thing too? Why stop at your home, when you can port in the whole street via public map databases?

Now you have a proper digital replica of your everyday life which strangers can visit. They can use this data and OSINT (open source intelligence) to figure out where you live. A dubious character might keep an eye on your social media feeds till you say you’re on holiday for 2 weeks. At that point, you might have your first burglary using VR as a launchpad…and an incredibly accurate floorplan of your home for reference while doing it.

Making Meta mountains out of molehills?

This is all wild speculation, but it’s very easy to see a way several unrelated aspects of VR/AR could unintentionally help people up to no good. If the right privacy tools don’t exist, if users aren’t given warnings as to why doing x or y in VR isn’t safe, it could be bad. A senior lecturer in digital cultures recently said “Facebook’s VR push is about data, not gaming”. I’d have to respectfully disagree.

All of the proposed coolest looking features seen so far are indeed all about gaming. If it isn’t Force ghost chessplayers, it’s Force ghost fencing battles. Wanting to make your own home digital and show it off is gamifying the experience. You can’t get any more gamey than oft-frustrated attempts to jam adverts into popular video game titles.

The games are absolutely the hook, and the way in, to vast quantities of data. Regardless of which direction Meta goes in with this, it’s up to the people wearing the headsets and glasses to be comfortable with their choices and be aware of the privacy perils of VR and AR.

It’s a whole new digital world out there.


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.