Entering the Metaverse: You are the Real Commodity

In case you’ve been locked in a cave for the past few months, I’m writing to warn you that the metaverse is nearly here. And by “nearly here,” I mean that it has been here for years in one form or another. The difference now is that Facebook changed its (corporate) name and the media has decreed that the metaverse shall be its new shiny object for a while.

Reality 2.0?

As to whether the metaverse is a cause for concern or celebration, the answer is both. It will certainly bring exciting new opportunities, especially on the social front. People have a need to interact with each other, as evidenced by the success of social media, and this technology promises to make it more convenient and fun. Imagine being able to feel like you’re sitting next to a family member who is, in reality, 2,000 miles away.

There are other benefits as well. For example, doctors might perform complicated surgeries for patients on the other side of the world. We could all climb Mt. Everest, dive the Great Barrier Reef, or trek to Machu Picchu without exposing ourselves to the existential dangers or creating more environmental impact. Our imaginations are really the only limits in a virtual world.

As an ethical hacker and penetration tester, however, I can’t help but see the downside risks as well.

Yes, it will be hacked.

Starting with the obvious, all the same threats that exist in the current tech world will exist in the metaverse, and there’s a chance others may be created. For example, a phishing attack could provide an attacker with permissions to control your bank account or even become you by controlling your avatar. It will become extremely important to validate the people we interact with, since someone “becoming” another person’s avatar could be very convincing even in a real-time conversation.

Blockchain technology seems like the odds-on favorite to protect against identity theft and fraud in the virtual world, but that will bring its own set of issues. So, the cat-and-mouse games between good and evil will carry on, but the stakes could get higher as we entrust more of our lives and ourselves to the metaverse.

“Beyond the overtly malicious threats, it’s important to remember that the new virtual world is not being created as a social experiment or an act of altruism. It is big business, plain and simple.”

Mark Puckett

Like any responsible corporate leaders, Zuckerberg and company are only willing to invest incredible amounts of money because they intend to make a profit that justifies the risk. It pays to think about the ways they might go about that.

Business in, business out.

There have already been at least two $1M+ “real estate” transactions in the metaverse. For now, these investments are mostly speculative. However, as innovations in augmented reality (AR) bring it into the mainstream, they could pay enormous dividends.

One reason is that reams of data will be captured in real time about the users and their environment. Your location, the people you talk to, the items you browse at stores, the billboards you look at, the writing you read, and the words you speak can all potentially be stored. Images of bystanders who have not agreed to be recorded could be facially recognized and stored.

Certainly, controls will be in place to protect privacy, but a cyberattack could put this data at risk. There’s also the very real possibility that the people who own the virtual real estate will use the information they gather to control the way we experience it. 


As just one practical example, imagine that you, in the form of your avatar, look at tents and camping gear in a store window. Without entering any information or clicking on any links, you’ve given a strong signal of interest. You might then start to notice mountains on the horizon and virtual trails along your path, and receive invitations to join clubs with similar interests.

Sooner or later, you’ll find coupons for real-world excursions in your mail. You may even realize that some of your virtual friends are just skilled marketers or even bots.

Hearts and minds in the mix.

Now consider that it might not be a product, but a political candidate or point of view you’re being sold. Such an immersive experience puts a lot of power into the hands of the people who control that world.

The most important point to remember about the metaverse is that you and I are its most important commodities. That’s why it’s helpful to know up front how much of ourselves and our privacy we’re expected and willing to give up as payment for the experience. 

The good news is that, despite the media hype, we won’t all awaken one day as avatars. Just as social media consumed us bit by bit, so too will this new virtual world. My hope is that we truly learn the lessons from the former to improve our experience with the latter.
