What is the future of your privacy in the Metaverse?

Antonelle Freitas**

Life as we know it is changing at an almost uncontrollable rate. With the development of cyberspace and the emergence of different virtual environments, such as augmented reality applications, social networks or virtual worlds, coupled with emerging technologies, we are finally introducing activities that until recently were only part of our experience into our daily lives. Fiction movie.

We are currently taking a big step towards enabling a “hyperreal” alternative world through the Metaverse, which incorporates both physical and digital in immersive virtual experiences that allow users to fully experience different types of reality. By leveraging technologies such as virtual reality, augmented reality, and blockchain, Metaverse is able to provide elements such as 3D avatars, digital assets, and various events that enable users to interact with each other and with supported projects, applications, services, and businesses Interactive virtual economy to promote social relations.


In a short period of time, the metaverse has grown from a concept to an imminent reality. Ideas that first emerged from science fiction will take over the world and revolutionize the way businesses, organizations, and the entire internet work. For some, the metaverse will be the successor to today’s internet. We believe this transition will be very natural as we have adapted to being indoors and isolated and now we can understand and experience the world and its experiences in a very interactive way from comfort and “safety”. “From our home. Nothing is more perfect and “safe” than this! Do you agree?

Unfortunately, we cannot fully agree with this statement, because all technological progress comes at a price, and while this seems inevitable, it should not be unconditional. In this interconnected universe, we will face new challenges and risks, especially when it comes to our privacy. Metaverses will change the way we interact and socialize with each other, and the way we travel, buy and consume information, but they will collect more information about us than any other platform. In this way, the consequences will be more serious.

Considering that the reality of the metaverse is not real, people who want to experience virtual reality need to create an avatar. These avatars can reflect any digital appearance the user chooses, so they can take the form of animals or objects, as there is no rule that they can only take human form. Thus, this digital personality can make it possible to identify or not to identify real personalities.

Undoubtedly, if a digital personality makes a person identifiable in the real world, that data will be considered personal data. Also, creating the avatars needed to “live” and “coexist” in the metaverse involves sharing and exposing more data with companies that will be able to track individuals in a more intimate way as they will be able to monitor physiological responses and biometrics Data such as facial expressions, voice changes, and real-time vital signs. This in-depth information enables companies to gain a deeper understanding of user behavior, which in turn can be used to personalize advertising campaigns in uniquely targeted ways.

In this context, concerns about the protection of personal data in Metaverse are latent, especially due to the amount and type of data that can be processed. as defined in art. According to Article 5(II) of the General Data Protection Act (LGPD), Sensitive Personal Data is data concerning race or ethnicity, religious beliefs, political opinions, affiliation with trade unions or organizations of a religious, philosophical or political character, the data refer to are health or sexual life, genetic or biometric data associated with a natural person and can only be processed in the circumstances listed in the art. 11, given its discriminatory potential. However, the listed assumptions do not allow the processing of sensitive personal data for marketing purposes without the express consent of the holder.

In the data ocean of the metaverse, it becomes critical to determine who is responsible for data security, how to prevent a data breach, and what happens when a data breach occurs. In Metaverse, who is in charge depends on whether Metaverse is decentralized or centralized. There may be one primary administrator who handles personal data and determines what to do with the data, or there may be multiple entities that handle the data through the metaverse.

Therefore, in order to ensure compliance with the principle of information self-determination laid out in the art. LGPD 2, II, guarantees holders the freedom to choose the processing of their data, letting them know that their data is being processed, how and why, and the principle of transparency, according to Article Art. In LGPD 6, VI, each metaverse may create its “Privacy Statement” (possibly using a sign or symbol) to comply with the requirements of Art. 9 LGPD.

In addition to concerns about how private data is collected and used, there are also concerns about how the Metaverse handles escapism. According to Louis Rosenberg, the metaverse “has the potential to change our sense of reality, distorting the way we interpret direct, everyday experience.”

In the metaverse, we will live surrounded by countless layers of technology that can be easily manipulated by those with them (big tech companies of course), injecting their own content,

Maybe use a filter layer that only a few can see and tag individuals with denominations (e.g. “racist”, “immigrant”, atheist) so only selected people can see distorting their reality and forming their opinions and widening differences between individuals.

Regarding data security, the big question raised has to do with the fact that the level of integration of disparate systems will be unprecedented, and this integration will greatly increase the attack surface, which will require new and sophisticated approaches to access control.

Other equally noteworthy topics relate to authentication of users in virtual worlds (while protecting their privacy); lack of legal documentation to protect user identities (the use of avatars instills the idea of ​​virtual identities that hackers can easily steal); vulnerability to attacks AR/VR devices such as augmented reality glasses become a gateway for malware intrusions and data breaches, as well as social engineering attacks such as phishing, which may become more convenient and powerful, and therefore more frequent.

Still, the Metaverse raises concerns related to the privacy of user behavior. Espionage and tracking are practical examples of this type. Currently, personal information collected on social media platforms has been used for human flesh searches — the practice or threat of revealing a victim’s private information for the purpose of extortion or online exposure. Given that Metaverse will provide more personal information about its users, not only to the platform but to other users, how can we prevent doxing?

Companies will also be able to monitor employee conversations and possibly even their tone and behavior. This will allow managers to identify the most engaged employees, those with a sense of teamwork, and those whose behaviors are not aligned with organizational goals.

As such, both users and companies need to carefully consider and protect privacy in Metaverse, and should begin to implement privacy “by design” when developing the technologies we rely on so much. Because, leaving the virtual world is not an easy task because eventually we will have to shut down important aspects of our lives, like our jobs or the way we socialize.

The Metaverse is a reality that has arrived, bringing with it a host of innovations and opportunities, as well as unprecedented security and privacy risks. It’s impossible to predict which direction the metaverse will go, but no matter where it goes, there will be a need to ensure users have more control over their personal data and ensure their privacy. We want adequate regulation and measures to ensure data privacy in the real and digital world. May privacy be with us!

**Antonielle Freitas is DPO (Data Protection Officer) of Viseu Advogados. She is a graduate of the State University of Ponta Grossa (UEPG), a graduate of the Brasilia School of Law (EBD) in digital law, and a graduate of the Catholic University of São Paulo (PUC/SP) in civil procedure law. He is a member of ANPPD (National Association of Data Privacy Professionals).


Leave a Comment

Your email address will not be published.