Key challenges in the privacy and security of the metaverse
Kicking off the 2023 conference is USGIF’s GEOINT Foreword, the unclassified science and technology day preceding the Symposium intended to celebrate geospatial achievements and programs in non-traditional GEOINT areas such as health, disaster relief, data analysis, unmanned systems, and more.
A selection of panelists gathered to discuss the privacy and security of the metaverse, along with the unique safety considerations the national security enterprise must take into account as it matures.
Moderator Dan Opstal, the Executive Secretary of the Civil Applications Committee, began the conversation by highlighting some of the reasons why the geospatial intelligence community should be monitoring—and hopefully driving—the growth and progression of the metaverse.
“A 2022 statistic showed that 20 minutes of VR can generate more than 2 million unique data elements, and immersive experiences in the metaverse are only going to enhance that,” Opstal stated. “Sixty-nine percent of consumers are pretty concerned about privacy in the metaverse… and that’s of importance because 25% of the global population, according to Gartner, is likely to log onto the metaverse for at least an hour a day in 2026.”
He followed by asking panelists what key challenges are at play in the balance of privacy and security, and how GEOINT professionals might overcome them.
Auren Hoffman, Chief Executive Officer of Safegraph, responded by emphasizing the important distinction between data dealing with a specific person versus data that encompasses an aggregate population. It is standard tradecraft—and often codified by law—that special protections are granted to information that may identify an individual person. However, Hoffman affirmed that such data can be incredibly useful once personally identifiable information is stripped. He mentioned the demographic, economic, and population data collected by the United States Census Bureau as an example.
“It is a real public good that we need to encourage,” Hoffman shared. “The Census does an incredible job of aggregating data from a lot of people and then presenting it to our community…while still protecting everyone’s individual privacy.”
Kevin Compher, Vice President of Technology at In-Q-Tel, paralleled Hoffman’s comments on balance.
“You are able to correlate geolocation with a user’s actions, and as we see more and more human-controlled interfaces—brain-computer interfaces, other biometric signals, personally identifiable information—[there are] additional risks when aggregated with geolocation,” Compher noted. The future of the metaverse is bright and boundless but requires structure and planning; when necessary, it may also involve oversight and intervention.
“It’s one thing to design something that’s on a sphere like Landsat data on a globe…it’s another thing to live in that 3-D immersive environment,” Opstal said.
He asked Lisa Maione, Assistant Professor in Graphic Design at the Kansas City Art Institute, to elaborate further on how to design for the metaverse and make intricate concerns about privacy and security more understandable to the average user.
Maione stressed the importance of preparation for metaverse projects. “It’s essential to know that the spaces that we’re in are designed…and they’re constructed for a particular kind of set of experiences and possibilities,” she explained.
Depending on the scope and complexity of the application, the development process should be shaped by the priorities, preferences, and expectations of the people that will use that product or service.
Hoffman added to Maione’s comments about the end user, stating that metaverse applications can actually be a source of consumer empowerment. He referenced using generative AI tools like ChatGPT to summarize long terms of service agreements into simple, digestible bullet points.
He “metas” the metaverse: “These things could potentially be great tools…to make better choices about our own privacy.”
As questions flooded in from the audience, Opstal pivoted the conversation to consider more formal regulations. An attendee asked, “How will domestic data privacy concerns impact our ability to compete globally when adversaries don’t maintain similar concerns?”
Compher spoke of his time working with technology-based companies that prioritize the need for speed over basic cybersecurity standards like encryption and went on to describe how that materializes into different forms of governance across the world.
“Privacy regulations for geolocation in particular are weak in the U.S., better in the EU, and don’t exist in authoritarian nations,” he revealed. “We’ve seen the rise of ubiquitous technical surveillance systems being commodified across the globe, and there’s no international baseline that really controls that data.”
He cited metaverse platforms’ opportunity for storytelling, providing content, and dispensing information, but warned that bad actors may take equal advantage to rewrite history.
“You suddenly have a vector that’s quite powerful for delivering influence and misinformation,” he said. “That’s what keeps me up at night.”
Participants then elaborated further on European Union regulations, citing the General Data Protection Regulation (GDPR); specifically, they referred to what is known as the “right to be forgotten.” Article 17 of the GDPR states that “the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data” under certain circumstances (such as when the collector no longer needs to retain the data, or when the people whose data was collected decide to withdraw their consent).
“What if they want to be forgotten?” Opstal asked. “That’s part of the challenge.”