Privacy is one of the four major risks associated with the metaverse — the expanding virtual universe of network connections — an industry expert told Canadian Underwriter recently.
When developing a metaverse strategy, your commercial clients should look at operational, cybersecurity, privacy and safety risks, said Carlos Chalico, cybersecurity and privacy leader at EY Canada.
“This is a technology that is in motion,” Chalico said in an interview. “This is something that is coming and I think we need to be paying attention to it. And as it happens with any new piece of technology, we need to be aware of the risks that we will be facing in order to properly respond to them.”
Essentially, the metaverse is the conjunction or integration of four different types of technologies:
Spatial computing — The next interface being used to get connected to the internet, such as virtual or augmented reality devices
Game engines — To get to the metaverse will require game developers. “Perhaps the clearest examples we can see of these types of environments that have been already created can be represented by Fortnite, Roblox, Minecraft, which are these spaces where you create your own avatar and you go inside this digital ecosystem to have an experience in that space,” Chalico said.
Digital environments — For example, a real world environment that is enriched by augmented reality, or a completely new and virtual world
Virtual economies — Examples include blockchain or non-fungible tokens (NFTs), which allows transactions in these environments.
Of the four major metaverse risks — operational, cybersecurity, privacy and personal safety — privacy is one of the most sensitive considerations to consider, Chalico told CU. (Personal safety, for its part, can result in harm to oneself or others. “When you are immersed in one of these online virtual worlds, you completely lose perception of your physical reality.”)
Those looking to develop a metaverse strategy need to identify the personal information being used, use it only for the purpose consented to by individuals, and keep the information only as long as needed to respond to the agreed-upon purposes.
“Traditional considerations on privacy are, of course, a topic that we need to consider when it comes to the metaverse,” Chalico said. “But in addition to that, when it comes to the metaverse, we need to be very… strict on identifying all the personal information we are collecting.”
In the real-world space with augmented reality or a completely virtual world, “chances are that the devices you will be using will be collecting more personal information about you,” he said. “Maybe your body dimensions in order to represent your avatar in the space, maybe how you blink, or maybe information about your iris in order to know how you are reacting to certain considerations.
To alleviate privacy concerns, Chalico recommends involving the right specialists as early as possible. This includes technical specialists well-versed in metaverse technologies, as well as cybersecurity and privacy experts.
When it comes to data, it’s not only about where the company or clients reside, but where the data is going to reside. “Use of the cloud is always something that will be surrounding the operational environment within the organization,” he said. “You may be sending data to a different jurisdiction. If that’s the case, you also need to pay attention on how the vendor that you’re going to be working with is protecting your personal information.”
For example, Quebec has new privacy regulations that say if personal information leaves the province, the company responsible for the information needs to verify that the vendor or entity receiving the information offers reasonable protection mechanisms to the personal information transferred to them. “And reasonable means that these measures are at least similar to the ones that companies are using with the data they are processing on their own.”
Another factor to consider is how the technology is going to be used and the specific process associated with it. “Is it going to be directly associated to operations or how the company is interacting with customers, of is it going to be perhaps associated with training?” Chalico asked.
“Or maybe it’s something we are going to be using to completely interact with clients. Maybe instead of a call centre, we are going to have a virtual space where clients will go and have a face-to-face conversation using their avatar to talk to someone from my company in order to alleviate all the questions we will have.”
Feature image by iStock.com/Kinwun