Building a safe and ethical metaverse
The metaverse has yet to become mainstream but it has already raised safety, privacy, and cybersecurity concerns. Last November, a beta tester of Horizon Worlds — Meta’s social virtual reality platform — reported that she was groped in virtual space. This prompted Meta to release a “personal boundary” tool to prevent sexual harassment.
Such uncivil behaviours may become common in the metaverse if the correct behavioural norms are not set. Case in point: After analysing a group of users’ activities on virtual world platform VRChat for 12 hours, the Center for Countering Digital Hate found that the group logged an average of one infringement every seven minutes. This included instances of sexual content, racism, abuse, hate, homophobia and misogyny, often with minors present.
“Similar to how the Internet created privacy, safety and security challenges, the metaverse will add even more challenges into the mix,” says Frank van Dalen, partner at Wordproof, a blockchain company.
Flaviano Faleiro, Accenture Interactive’s president of Growth Markets, adds: “The metaverse is a place where people can meet and interact, and where digital assets can be created, bought and sold. We can therefore expect ethics, privacy, security, behavioural issues, equity and inclusion, safety and integrity and environment issues to emerge as challenges that everyone has to overcome.”
Opening new doors to cybercriminals
As with any platform that allows us to interact and trade with others, the metaverse will be an attractive target for cybercriminals.
“Organisations looking to enter the metaverse have to be mindful of how different devices and parties will interact in this unfamiliar environment as opportunistic cybercriminals will view the metaverse as another platform to execute cyberattacks,” says Sean Duca, vice president and regional chief security officer for Asia Pacific and Japan at cybersecurity firm Palo Alto
Networks.
He continues: “As the metaverse takes shape, consumers will likely require some kind of wearable hardware — such as smart glasses or headsets — to be fully immersed in the digital environment. Mainstream adoption of those connected devices will translate to an inevitable broadening of the attack surface, resulting in more vulnerabilities and opportunities for cyber attackers if not adequately secured.”
“Additionally, businesses looking to set up store fronts and advertise in the metaverse have to consider brand reputation, intellectual property theft, and how to identify fraud and abuse right from the onset,” he adds.
Since most tools supporting the metaverse run on the same protocols as today’s web apps, van Dalen foresees cybercriminals continuing to exploit common vulnerabilities and exposures (CVEs). For instance, the Log4Shell vulnerability — which allows attackers to execute code remotely and arbitrarily in the target application — is likely to remain a cyber threat. This calls for metaverse developers and administrators to take the necessary security precautions and countermeasures. He also expects current techniques of zero-day attacks like cross-site scripting, SQL injection and web shells to continue being an issue with virtual applications powering the metaverse.
Additionally, Wordproof’s van Dalen warns that attacks on the metaverse could go beyond the digital realm into physical dangers. XR Safety Initiative, a not-forprofit organisation focused on helping build safe, immersive environments, produced a proof-of-concept research displaying how an attacker could manipulate a VR platform to reset the physical boundaries of the hardware, causing the user to be pushed into the path of furniture or towards a flight of stairs.
“The dangers could increase exponentially as AR enters the picture, with users being potentially misdirected into a street or led into a dangerous physical situation like a robbery.”
Misinformation might plague the metaverse
Since the metaverse provides a platform for content creation and information sharing, moderating content in the metaverse for misinformation will be a Herculean task.
“Social media platforms have stepped up efforts to moderate misinformation through the tightening of their misinformation policies. While those measures could be replicated in the metaverse, they are insufficient to curb the spread of misinformation in the metaverse,” says van Dalen.
“The metaverse could provide forums for misinformation and manipulation. In an age where even grown, educated adults are having issues discerning misinformation from real news, it’s possible that the metaverse can exacerbate issues such as confusion and misunderstandings around important social and political issues.”
“There could also be implications for people’s health. Misinformation related to medical treatments and major decisions could lead people to make decisions detrimental to their health, something we’ve already seen play out in our current reality on social media platforms.”
To effectively prevent misinformation, safety features need to be baked into the metaverse right from the start. “The main onus for creating a more secure and safe metaverse will lie with metaverse builders. They need to ensure their users’ safety by incorporating restrictions and strengthening security so that malicious actors are unable to take advantage of vulnerable users in the virtual world,” continues van Dalen.
Guidelines for building a metaverse that leans more towards utopia can be found in the User Safety Standards by the Oasis Consortium, an organisation of thought leaders aiming to accelerate the development of an ethical Internet. The standards can be used by metaverse builders for self-assessment as well as to validate their work and secure the needed resources to place safety, privacy and inclusion at the core of their business strategy. “The standards can become a blueprint for how metaverse companies approach rules and safety moving forward,” he adds.
Preventing a dystopian metaverse
If the metaverse will truly provide democratised access and be an inclusive space for everyone, embedding ethics and taking into account the potential risks cannot be an afterthought.
To prevent the metaverse from becoming a dystopian nightmare, Accenture Interactive’s Faleiro advises companies to first consider their product in the metaverse, how it is seen and purchased, where it goes and how their metaverse customers use it. “The life cycle of their product, brand, and experiences requires a complete mindset shift. The metaverse is a place and not just another channel.”
He also encourages them to focus on the user experience. “Companies need to draw up a roadmap of the customer journey in the metaverse. It will also be essential to provide the same level of user experience across different channels, whether in the metaverse, internet or physical stores and outlets.”
“Organisations should also work with trusted partners and providers who can act as strategic advisors with experience design capabilities for experience creation; is able to assemble, build and operate tech; and have the required content moderation capability for the metaverse. From a security standpoint, it’s about having capabilities to help with risk assessment, improving safety and trust in business operations by protecting digital identity, virtual assets along with content moderation in the metaverse.”
‘Zero Trust’ strategy
In terms of strengthening their cybersecurity posture, Palo Alto Networks’s Duca urges organisations to adopt a Zero Trust strategy. “In a Zero Trust architecture, each user, application and bit of infrastructure needs to have its digital interaction validated, regardless of whether it happens within the network or outside of it, to combat the exfiltration of sensitive data. This is in contrast with earlier approaches, where all systems within a network would be protected by a single firewall, for example,” he says.
“Ultimately, businesses must be mindful of how different devices and parties interact in the metaverse. As a result, they need to establish a well-coordinated architecture and implement solutions that validate, authenticate, and apply threat prevention capabilities across their entire infrastructure. This will help them identify potential threats and double down on areas that are especially vulnerable.”
As for preventing misinformation, time stamping should be adopted as part of an automated environment that will recognise and fight fraudulent and general misinformation. “Time stamping in the metaverse will help to identify the creator(s) behind a piece of content and expose the changes made to that content in a decentralised way. This means it will not be possible to alter the content without being noted. Adding tier-levels to timestamps or building multi-signature infrastructures around timestamps will help connect the metaverse with the real world as well as add additional layers of trust generation and fraud detection,” adds van Dalen.
Just like every other tenet of society, the metaverse needs to build in a sustainable way so that generations to come can continue to be a part of this world. Building ethics around social etiquette, safety, inclusion and accessibility for all must remain front of mind.