As I was thinking about the webinar we have coming up on February 3, I started to think about what the “Metaverse” really means and its overlap with privacy and security.
I started to envision a future where our current situation, of working from home, is the norm, but even more than that. Instead of logging into a computer, we put on a virtual reality headset, gloves and a vest, all provided by our employer.
With all this gear on, we “walk” to the office. The office is secured with eye-scanning technology, so the headset scans your iris before you can gain entry.
You enter the virtual space and “sit” down at your desk. Having been alerted to your presence, your boss comes over to you and asks to have a conversation. You both “walk” to a conference room where there is a table and two chairs. Your boss shuts the door and you sit across from each other.
You’re nervous. Your heart rate is a little fast and your blood pressure goes up. Your palms are sweaty.
Your boss is alerted to this change in your physical condition through their headset.
Why?
Because the company uses an emotional intelligence app to track your heart rate, sweaty palms and blood pressure through your gloves and vest. Supposedly this app is for mental health and wellness. At least, that is what you use it for. What you don’t know is that management gets additional benefits from the app.
The app goes on to tell your boss that this type of physical response is due to one of many reasons and lists them for your boss to see, all in their headset. So you can’t see it, but your boss can.
Your boss may see analytics like: you may be nervous because you have done something wrong, or you are about to lie, or you are about to quit, or you have to say something that might make your boss angry, or maybe it is anxiety.
Since that emotional intelligence app was developed by people who are not licensed therapists, a lot of these potential causes are based on unverified data they pulled from another app. Probably from Facebook.
Now your boss’s blood pressure also increases with their own anxiety.
But guess what? None of those reasons are accurate. It’s just a normal meeting. Your heart rate and blood pressure go up because you have a secret crush on your boss. A fact that you would never disclose, not in a million years.
This is the future of the Metaverse.
At least, I can see it being one version. In law school, this sort of fact pattern would require me to do a legal analysis and spot the areas for potential liability. In this post, I am going to analyze it for privacy and security threats.
You have probably already spotted them.
First, by putting on all that gear, you are inviting more surveillance into your home. Much like a Roomba scans your floor when it vacuums, so will all of this gear with the explicit purpose of preventing you from hurting yourself while wearing it (like bumping into a chair). Basically, for “safety” the gear will be simultaneously recording your space. Now it will know what type of home you live in. It will know if you traveled and are actually in a hotel room. These are security risks, in addition to the obvious privacy violations. Burglary is going to take on a whole new meaning in the Metaverse.
Second, there is a security issue for your employer. Remember when the pandemic started and everyone had to learn how to use their employer’s VPN? How is IT going to secure all that physical equipment?
Third up, the iris scan to gain entry. Authorized entry is not new. It is a physical security protocol that happens today mostly through badges and old-fashioned keys. However, now they have your iris scan. By “they,” I mean whatever third party is doing the screening because clearly your employer is not the one who has control. Iris recognition has been flagged by privacy professionals as a risk for some time. Here is a good article on it by EFF.
Fourth, your boss and everyone else knows exactly when you arrived at the office, but also every time you take off the headset. Those days of “clocking in and clocking out” that most employees hate become ubiquitous. Employee surveillance, which was originally invented to pay salaries accurately, has really deviated from that purpose when my bathroom habits are recorded.
Fifth, and the final one I will analyze, is the privacy invasion of that app tracking an employee’s heart rate, blood pressure, etc. I don’t need to state the obvious on that one, but I will comment that it horrifies me. The idea that my physical state is being analyzed for my emotional state.
To add insult to the injury, that app is then analyzing it for my employer’s benefit. I mean, I can’t even. My boss thinks I am lying! When nothing could be further from the truth.
A few years ago, the phrase “data is the new oil” was a common saying. To me, the Metaverse opens up even more data mining opportunities.
And we haven’t yet figured out privacy and security in Web2, so how are we going to do it for the Metaverse?
We are only one pandemic away from putting all of this gear on our bodies. An excuse to keep our physical bodies “safe” but full of potential unintended consequences.
With the Metaverse come real risks to our privacy and security. It is already in process. But that doesn’t mean we can’t figure it out in time and build the infrastructure the right way.
So, I am making it easy for you to get involved in your own future, and those of your children. Our first webinar is for the completely uninitiated but interested. In other words, we will discuss what the Metaverse is and how it relates to Web3. In this series, we will be talking to privacy and security experts, some of whom are building the Metaverse or parts of it.
We all want the world to change for the better. I intend to roll up my sleeves and get to work. How about you?
About the author: Caroline McCaffery is a co-founder at ClearOPS, an A.I. privacy tech company managing privacy and security operations data to make mundane tasks simple. She is a frequent blogger and speaker with over 20 years of experience as a lawyer working with tech startups. You can connect with her on LinkedIn as long as you are not a deep fake with ill intent.
The Security Expert Marketplace is a community of vCISOs. We produce thought leadership opportunities for vCISOs with the express purpose of helping small businesses identify and fix security gaps. We also sponsor community events exclusively for our vCISO network, identifying ways for them to help their businesses grow. Privacy and Security in the Metaverse is sponsored by ClearOPS, knowledge management for privacy and security operations powered by AI that helps small businesses respond to security questionnaires and privacy impact assessments quickly and easily.