Metaverse and virtual reality: what about privacy?

The metaverse is all the rage, as are social networks and decentralized virtual worlds. These concepts are still vague and often very “marketing”, but the National Commission for Informatics and Freedoms (CNIL) has taken them at their word. Its Laboratory of Digital Innovations (LINC) has engaged in a foresight exercise, imagining various scenarios on its website (“Metavers: this game of which who will be the hero?”). Each time, the question is the same: what about privacy and personal data? Régis Chatellier, who is responsible for prospective studies at the CNIL, explains what is at stake in these futuristic visions.

Science and the Future: Has the CNIL already decided on the subject of virtual reality?

Régis Chatellier: Not directly. But it has addressed it in some publications, in particular in 2015 in one of its Innovation and foresight notebooks on the use of data in the creative industries, where video games were discussed. But there are no general recommendations, except that virtual realities are new digital interfaces raising the same issues, asking the same questions, as those that already exist on a computer or phone screen, with a chatbot or a voice assistant.

What exactly are these questions?

From the CNIL’s point of view, the question will be whether we are dealing with actors collecting and processing personal data, and for what purposes. And if so, how to ensure that the user is properly informed about their rights and can assert them if necessary, and to verify that the data controllers comply with the GDPR [the European data protection regulation, editor’s note]. With virtual worlds, instead of looking at their screen, the user enters it, for 3D interactions. It will be necessary to ask whether a single actor is responsible for the universe that has been set up, as in a video game, or whether there are several, and whether they collect data to push content, advertisements or other things to you.

Does virtual reality not require redefining what personal data is?

Personal data is anything that relates to a natural person and makes it possible, directly or indirectly, to identify them, by cross-referencing or by inference. This status does not change with the context. In virtual reality, this is everything that is related to your account, to your avatar, as long as you are connected to this avatar yourself: identification data, usage history, eye-tracking, capture of emotions, etc.

A lot of things are collected on the Internet. Is it gaining momentum with virtual reality?

The specific feature is the headset, which increases the collection capacity. This can be seen in patents that have been filed by Meta [as revealed by the Financial Times in January 2022]. There are well-known techniques, such as voice and emotion capture, but also eye-tracking, which consists of following the movement of the eyes via the headset to better understand what the person is looking at in the simulated space. There is also a desire to offer the creation of avatars close to the real person, up to reproducing their skin texture, which amounts to having some kind of digital clone.

All this can open up new forms of emotional marketing that can go much further in personalizing content. It will no longer be only the history of your browsing but your real-time behaviors that will potentially be exploited.

You mention, in your scenarios, the capture of the person’s movements.

This is prospective, but it turns out, having tested it, that even without going so far as to place sensors on the entire body, with just a headset and controllers, it is possible to recognize a person by their way of moving in virtual reality. If we then imagine that avatars resemble us, the very notion of an avatar almost disappears, because the point of an avatar is to protect our privacy behind a different identity in order to move around the digital world without having to suffer discrimination of any kind.

Does the particular notion of the metaverse add new question marks?

Today, from what we perceive, the virtual reality analysis grid applies to metaverses. But if we are talking about metaverses that allow people to create elements and means of data collection, we will need to know how to recognize them. We can take up the principle of the “Turing flag”, which consists in making an artificial intelligence signal itself as such to avoid ambiguities during an interaction [a concept due to a computer science researcher at the University of New South Wales, Toby Walsh, editor’s note]. In the same way, one can imagine that members of a metaverse identify themselves as what they are: an ordinary person, a company, an organization…

Then there is the question of the “gatekeepers”, those actors who manage and control access. With Meta’s Horizon Workrooms, Microsoft’s Mesh or spaces like Decentraland or The Sandbox, we can clearly see that the context is nothing new: it is the beginning of a new competition between players to take the market. This is the logic that has been going on for thirty years in the digital world. The question of who will gain the upper hand will arise quite quickly for the metaverse.

You mention precisely platforms like Decentraland or The Sandbox, so-called “decentralized”. Can the user really have control of virtual spaces or elements?

When we start selling virtual spaces associated with property rights, there is a form of decentralization. But it always remains in the hands of an actor: if the platform as a whole closes overnight, this content has no value; it no longer exists.

It’s all about the way things are presented because, deep down, there’s always an infrastructure. There are certainly social networks where it is possible to host your own instance, Mastodon for example. But these are quite light infrastructures compared to the resources that will have to be mobilized in a metaverse. We can still imagine local instances that communicate and are interoperable with each other, but we are still far from it.
