How do we regulate metaverse to protect consumer interest?

By Kazim Rizvi

Technology is advancing at an exponential pace in geometric progression. Within a short period, we have seen a transformation of two-dimensional Web 2.0 to Web 3.0, bringing virtual reality to life through the metaverse. Metaverse is next on the internet, which utilises the open-source technical layer for building proprietary augmented spaces for individuals to experience virtual reality. 

As technology advances, we need to analyse the regulatory landscape to protect consumer interest and make it safe.

Online behaviour and conduct violation

While we are still grappling with concerns about internet safety, the emergence of the metaverse might exacerbate digital safety and conduct concerns. Some of the critical security and safety concerns on metaverse are sexual harassment, discrimination, hate crimes, identity theft etc. While we have some legal frameworks to tackle concerns like sexual harassment, identity theft, etc., it is unclear how they will apply to conduct and behaviour over metaverse. 

Without a clear definition of personal, private, and public space within the metaverse, measures to tackle online harassment would remain more symbolic than substantive. 

Moreover, understanding how individuals’ improper actions like cyberbullying, sexual harassment etc., in the metaverse would be scrutinised in the physical world remains vague. For instance, in the case of a groping incident, it is neither physical harm nor virtual harm; instead, it is a virtualized physical harm with real-world implications. While the Sexual Harassment of Women at Workplace (Prevention, Prohibition and Redressal) Act, 2013 defines sexual harassment beyond physical contact, it is still unclear how it will apply to virtual spaces like a metaverse.

Secondly, the identity theft concerns might increase over metaverse. Though identity theft is a punishable offence under the IT Act, it only covers passwords and other unique identification features which might cause digital avatars to fall through the cracks. Moreover, verifying the digital version of the natural person could also become murky due to the existence of bots, deep fakes, manipulation, and hacked avatars due to identity theft. This may also cause problems in differentiating children from adults.

Finally, the metaverse is not immune to the historic disposition that leads to discrimination, racism, religious-based discrimination, hate crimes and hate speech. As platforms are evolving their understanding to crack the content moderation on social media platforms; real-time content moderation on metaverse under different scenarios would be a new challenge to deal with.

Data protection and privacy concerns 

India still doesn’t have a data protection regulation to protect our right to privacy. While the draft Personal Data Protection Bill would bring metaverse under its purview, the bill would need to pay attention to some of the nitty-gritty of regulating metaverse to avoid falling through the cracks. 

The data generated on metaverse is of anonymous avatar (digital identity), but it may become personal data when it is traced back to the natural person. There can also be scenarios where data generated on metaverse is only of the avatar, unrelated to the natural person. However, this could also cause a fall through the cracks like situation as we do not have a concrete understanding of digital-only data privacy concerns, where the demarcation between real identity and digital identity becomes blurred. A recent NordVPN study suggests that 41% of the sample believe it is hard to safeguard their real identity from their metaverse identity. The bill must clarify whether an anonymous avatar can be considered data principal when this is the case. 

Moving towards harms, while  the bill in its current form would recognise tangible harms of a metaverse like a spillover effect of the internet in real life, it is crucial to recognise intangible virtual harms which might not necessarily have physical repressions and vest individuals with a set of digital rights to secure their privacy. Besides, the division of responsibilities in terms of data collection, processing and sharing within the Metaverse must be sketched out clearly. A key question would be whether Metaverse will be a centralised or decentralised platform. While in the case of the former, Metaverse would be the administrator of data collection, processing and sharing within virtual reality. In the latter case, will Metaverse be considered an artificial juridical person (like “society” in the physical world) and multiple entities operating in the space as data fiduciaries?

Also, the emergence of Metaverse would also bring innovative hardware into existence like eyepieces, and other Internet of Things appliances in the form of AR and VR devices. It will be important to study the interaction of such devices with metaverse to protect individual privacy. One of the critical concerns with hardware is the extent to which the entities may monitor and extract biometric data like eye-tracking, gait-tracking, brain wave monitoring etc. When these data points are married with existing datasets, the levels of profiling might bring real-life implications in the form of greater online safety threats and even physical repercussions.

On the other hand, proposing a restrictive cross-border data transfer regime with strict data localisation for critical data and data mirroring for sensitive data, the bill must unpack how this applies to the metaverse where individuals are avatars and not legal citizens of any jurisdiction. 

While metaverse will provide a host of opportunities in the future, we need to ensure that we minimise the risks and harms to make it a success. 

(The author is founding Director of The Dialogue, an emerging research and public-policy think-tank. The views expressed above are those of the author and not necessarily of financialexpress.com)