back to article Surprise! The metaverse is going to suck for privacy

More thought – or at least some thought – needs to be given to privacy protection in the promised metaverse of connected 3D virtual-reality worlds, experts have concluded. In a paper distributed via ArXiv, titled "Exploring the Unprecedented Privacy Risks of the Metaverse," boffins at UC Berkeley in the US and the Technical …

  1. Pascal Monett Silver badge

    Cognitive Acuity ?

    Really ? A VR headset can measure how accurately I think ?

    Let's just say that I have trouble believing that.

    1. Korev Silver badge
      Big Brother

      Re: Cognitive Acuity ?

      They could very easily work out how you respond to a product (pupil dilation, heart changes) and it's easy to see how they could monetise that

      1. Helcat

        Re: Cognitive Acuity ?

        Nope - not without changing how VR works. There's no heart monitor or pupil monitor for feedback (yet).

        However, it is possible to assess speed of response, head movement in relation to image, and the hand sets movement and try to interpret that. After all, up pops an advert and you look away? Or you look towards it for 3 seconds... or you are hunting around for the 'close' box... That can be tracked and used to garner customer response.

        1. Graham Cobb Silver badge

          Re: Cognitive Acuity ?

          Many people wear heart monitors (fitness trackers) all the time, fully integrated into the platforms (mobile phones) used for VR. I presume VR devices already have access to that, don't they?

        2. that one in the corner Silver badge

          Re: Cognitive Acuity ?

          From the video where Meta show off their ideas for goggles, one of the goals is to accurately track the pupil.

          There are good technical reasons for this, mainly rendering in full detail only the part of the image that will hit the fovea, using lower res for the rest of eye (both in pixels rendered and in colour detail) - and maybe even not rendering at all the bit of the image that lies in your blind spot. Doing this obviously reduces the amount of computation and bandwidth needed for the video (and isn't a new idea, VR creators were trying to do the same in the 90s).

          Meta are even playing with changing the apparent depth of field of the image presented, as determined by measuring the pupils, including how dilated they are. Again, using the data to improve the results.

          Now, if they just happen to "accidentally" happen to also deduce whether you are enjoying what you're looking at by the pupil response and that "leaks" out to the advertisers...

          (PS if you've got various light sensors looking closely at the User's face and eyes, you can use them to, say, determine the heartrate as well. No need to try to tap into the User's heart monitor watch, which is just doing exactly the same trick - and having to do it on a tougher target, the wrinkled, tanned, hairy and dirty back of the wrist).

          1. Triggerfish

            Re: Cognitive Acuity ?

            I think pulse rate if the device is close enough to the eye is doable. But eh give a good marketing team five minutes and pretty sure they can come up with a way to sell why it should monitor your heart rate or be linked to a wrist device. Gaming for exmaple.

          2. myhandler

            Re: Cognitive Acuity ?

            There'll be a tiny image of Zuckerfucker in the blind spot.

          3. Toni the terrible Bronze badge

            Re: Cognitive Acuity ?

            one of the goals is to accurately track the pupil, in Year 10?

      2. Triggerfish

        Re: Cognitive Acuity ?

        There's been digital display boards with built in cameras for years doing things similar.

        Gaze tracking, pupil response, emotional response, (important to advert makers) now that's hard to crack with a camera that's at a distance.

        When they do gaze tracking with test groups they have to do some of it with headsets....

        Edit shot comment too soon someone has already mentioned in a demo they showed gaze tracking.

    2. Version 1.0 Silver badge

      Re: Cognitive Acuity ?

      Tinker Tailor Soldier Metaverse is today.

    3. General Purpose

      Re: Cognitive Acuity ?

      They could measure how quickly you respond to different stimuli and even your eye movements while taking in information. For example, if you often look at timetables or departure/arrival boards, do you generally dwell on them longer or more briefly than the general population? Do you keep looking back at the same information or move on?

      Over time, that might tell us something about how quickly you take in information and about your short-term memory. Some collection of such data will probably turn out to indicate the onset and progress of dementia. Responses while drunk or drugged will probably be different too. It might take a lot of AIs chewing through a lot of data to find the reliable signals, but this is the 21st century.

      1. Triggerfish

        Re: Cognitive Acuity ?

        People are individuals, but if you have a large enough group of people over time you can discern patterns that show grouping by type also.

        It's just sample size really, there are lots of big data companies in smart environment tech and a lot of retail stores count as smart environments nowadays.

        I saw a demo oh three four years back, That would track a person by what they were buying and looking at then send a message to a sale person voice message keying them with their likely interests. All done in the cloud with ML, including the mesaaging.

        1. Toni the terrible Bronze badge

          Re: Cognitive Acuity ?

          Currently I am not impressed by the current assessment of what you are/may be interested in buying - never has been that accurate (so far); you buy an item for your girl/boy friend, or a relative, or the old dear down the street and it is added to your profile, also, I buy an item and I didnt like it much or it failed to 'satisfy' (given contacting the seller is often a problem - I could waste my time responding but why bother).

        2. Anonymous Coward
          Anonymous Coward

          Re: Cognitive Acuity ?

          AI ML is just amazing.

          Or the sales droid could just notice I'm browsing the toaster aisle, and try to sell me a toaster

    4. DS999 Silver badge

      Re: Cognitive Acuity ?

      I could totally believe that. How long you look at certain things before you understand them, how quickly you figure out novel problems a game presents you with are all indicators of your cognitive acuity. Some problems an adult might figure out more easily than a child due to more education and more life experience. Some a senior might have more trouble with if their cognitive abilities are on the decline.

      It doesn't have to spit out your IQ accurate to within 2 points to be an issue - just being able to peg you as someone older whose cognition is on the decline (which it should definitely be able to do after a few years of use where it notices that decline from your original baseline) is something many companies would pay a FORTUNE to have access to!

      Most places aren't like the US where drugmakers can advertise directly to consumers, so you have to consider this in that context if you live elsewhere. "Your thinking has become slower over the last few years but don't worry, we can help. Ask your doctor about our new pill, and don't worry that we charge $5,000 per month (because we can) since your insurance company will be stuck paying for it and we'll include a coupon to reimburse your copay!"

      Now granted some of the things they list like arm length I have a real problem coming up with a reason why I should care if they collect about me. What are they going to do, sell that information to a company that makes dress shirts? I would have to tell them my arm length anyway to order a properly fit shirt, so them having them information in advance couldn't possibly matter.

  2. An_Old_Dog Silver badge

    other obscuring techniques

    In addition to noise, hiding techniques analogous to the "mouse smoothing" options in some FPS games might be applied to various data streams coming off the device. Since you don't -- well, shouldn't -- trust the hardware maker, you'd have to do this via a box external to the unit. But successfully doing that presumes you can enumerate and decode the data streams. If they've encrypted the data streams, that will defeat your attempts to maintain your privacy via data-alteration methods.

  3. Totally not a Cylon

    Depends on the hardware....

    Need to distinguish between a VR display which plugs into a computer and is merely a display device with an input device for motion


    an actual self contained VR headset which houses real computing power and is made by a company notorious for advertising...

    1. that one in the corner Silver badge

      Re: Depends on the hardware....

      Uh, why?

      If the FB Goggles don't have the computing power they'll just make you run their software on your PC (until someone cracks the proprietary comms to the goggles, I guess).

      In both cases, it is the software that is going to do the dirty on your data.

  4. Big_Boomer Silver badge


    Good luck securing VR systems. The more sensors you attach to your body, the more info they can get/infer from it, and the bigger dataset they have on you. They can quite easily calculate your approximate weight, height, fitness level, and probably age, amongst a whole load of other info just based on how you move and react to stimuli. By attaching those sensors you are giving up more data than you thought possible. No, it probably can't measure how accurately you think, but coupled with the right scenario in the game you are playing it can probably be used to discover your morality, and other personal traits. Look at the data that they are mining based on what clickbait articles you "like" in anti-social media, and on your comments on all other items. We are in the age of Big Brother and anti-social media & VR systems are just the thin end of the wedge.

    1. Anonymous Coward
      Anonymous Coward

      Re: Scenarios

      It won't just be games. I can see Meta pushing this technology for things like job interviews ("give a presentation"), medical consultations ("bend your leg as far as you can so we can assess mobility"), therapy sessions ("the AI therapist is completely non-judgemental") etc etc. Cross correlate that lot with your Meta "leisure activities" and you've got Big Brother's wet dream.

  5. Valeyard

    I think this gives too much credit to metaverse

    the only thing it's going to be leaking is meta's money until it's DOA

    it's a nice theoretical case study but hopefully as relevant as "what happens if triffids invade"

    1. Wellyboot Silver badge

      Re: I think this gives too much credit to metaverse

      I can't see how they get around the fact that anyone walking around with an active video camera strapped to their face will require permission1 (that won't be given) to use it in so many places they'd want to go, basically that's any non public space in the UK.

      Medical facilities have serious confidentiality rules, Banks will have security & confidentiality issues, Bars, Restaurants, Hotels and most shops will want to keep customer information away from competitors at the lowest level and to provide some level of semi-private space from a PR viewpoint. There's also the red zones where public opinion just won't be moved into allowing these, Rest rooms, Changing rooms, Swimming pools and almost anywhere that children congregate.

      Even if I didn’t consider the wholesale harvesting of personal data as abhorrent, for simple self protection I’d not wear one just to avoid the real danger of falling foul of UK law simply by being in the wrong place as someone has an 'oops' moment. In the UK mere possession of indecent images2 is a crime, the law is deliberately framed in that way because there is deemed no good reason for these pictures to exist beyond usage as evidence in criminal trials and the vast majority of the population agree.

      1In some countries that will include stepping through their own front door.

      2There’s a growing list of subjects.

      1. MachDiamond Silver badge

        Re: I think this gives too much credit to metaverse

        >Medical facilities have serious confidentiality rules, Banks will have security & confidentiality issues, Bars, Restaurants, Hotels and most shops will want to keep customer information away from competitors at the lowest level and to provide some level of semi-private space from a PR viewpoint.<

        In the medical realm, it would depend a lot on how medicine is dispensed and paid for where you are. A single payer government program might be the problem to start with even if the data is never released to a third party (which it almost always is "for analysis").

        Banks, bars, hotels, shops and holiday companies are more than happy to share all sorts of data for a price or to receive payment "in kind". Banks share credit data with all sorts of other financial institutions. A hotel would certainly trade the information they hold about you to receive even more back so they can further refine how they market themselves to you since you are already a customer.

      2. Triggerfish

        Re: I think this gives too much credit to metaverse

        One thing to think of regarding hotels and shops IMO, is that seemingly rival brands may be ultimately owned or part owned by one company. I can think of a few who own a good dozen rights in some way with various hotel brands and whole bunch of retail together.

        Now if your EULA at the end says I am giving my data to company x which is the parent company...

      3. Falmari Silver badge

        Re: I think this gives too much credit to metaverse

        @Wellyboot "I can't see how they get around the fact that anyone walking around with an active video camera strapped to their face will require permission"

        It won't be a camara it will be a monitor strapped to the face of the metaverseian it's VR. So no walking around without a lot of falling down/over/under/out of/into.

      4. JasonT
        Big Brother

        Re: I think this gives too much credit to metaverse

        There was a point early in personal computing when it seemed that the use case was limited to boxes with keyboards. Fast forward to today where, even if you don't own a smartphone or tablet, you will probably run into a doctor's office where instead of paper forms, you'll be given a tablet to fill out. Self-service kiosks at retail and airports run on the same tech. You don't have to run around with a tablet to be using one all the time, and this metaverse stuff isn't any different. And I am lumping in augmented reality in there, because I feel that is where the vast majority of people will interact with this brave new world of data mining. Most people are not going to be running around with avatars in fake universes getting fake laid.

        Today, yeah, you have to be running around with goggles or such. Tomorrow, those cameras, metabolic sensors, etc. will be installed near everywhere you go. The monitors won't be on your face, they'll be plastered onto the walls, shelves and racks. Projectors and holograms coming soon. There will be terms of service that you will implicitly agree by entering the establishment, but it's okay because you can review them, if the manager can find them, and you might even understand them if you have your lawyer/barrister with you.

        At the gym? Our sensors will make sure that none of our customers are dangerously over-exerting themselves. We can guide you around your circuit. Out shopping? It gets even more obnoxious. Convenience, custom experience and, of course, the promise to anonymize all that data before it goes to third parties; who will have to spend at least some money to reassemble that anonymized data into *your* profile.

    2. Evil Scot Bronze badge

      Re: I think this gives too much credit to metaverse

      I agree. VR / AR is soo niche.

      Ironically I am more likely to trust a distributor of PC root kits rather than any Ad agency, if and when I go down the VR / AR rabbit hole.

      1. MachDiamond Silver badge

        Re: I think this gives too much credit to metaverse

        >I agree. VR / AR is soo niche.<

        It is NOW, but wait until M$ incorporates it into their Office suite and companies require you to interface with colleagues using that gear. All of that interaction being across the internet and mediated through Microsoft servers that host the apps will be a huge treasure trove of PII for M$ to sell for even more money.

    3. Charlie van Becelaere

      Re: I think this gives too much credit to metaverse

      "t's a nice theoretical case study but hopefully as relevant as 'what happens if triffids invade'"

      So what you're saying is I need to drop my headset in a bucket of sea water?

      Probably good advice.

    4. hoola Silver badge

      Re: I think this gives too much credit to metaverse

      I suspect not, Facebook have made billions, off data harvesting and aggregation, it is their business model.

      That most of that data has been collected through deception and completely without consent is one of the massive problems. This simply adds yet another collection point.

      Anything to do with this and the companies involved are just total and utter shites.

      Yet again nothing will even be suggested that what they are doing is wrong until it is far too late.

  6. b0llchit Silver badge
    Big Brother

    You know what will happen

    Westworld: We didn't know what we needed. Therefore, we just recorded everything to sort it out afterwards.

    You can be damned sure that they will record as much as they can without you knowing about any of it. If it might be monetise-able (or could be used against you), now or in any possible future, it is reason enough to store and use it. Therefore, everything will be stored and used.

    1. chivo243 Silver badge
      Big Brother

      Re: You know what will happen

      Film = minority report... Song = Dream Police by Cheap Trick.

      Think happy thoughts, think happy thoughts...

  7. Howard Sway Silver badge

    The researchers think they "might" want to do data harvesting?

    And there we all were thinking it was just going to be about skipping through a world of fluffy clouds and rainbow happiness with our bestest friends.... and not at all some ad-drenched surveillance dystopia full of goons being bombarded with psychological damage every second that they're there. Imagine the lengths Zuckerberg will be prepared to go to when the revenue streams initially fall well short. He'll know so much about people that there will be pizzas arriving at people's doors 2 milliseconds after they've decided they want one.

    1. chivo243 Silver badge

      Re: The researchers think they "might" want to do data harvesting?

      While all of what you said is true, I would love to have that pizza in even 2 seconds instead of it coming cold an hour later!

      Stop shoving, there's plenty of pizza for all of us!

    2. Anonymous Coward
      Anonymous Coward

      Re: The researchers think they "might" want to do data harvesting?

      there will be pizzas arriving at people's doors 2 milliseconds after they've decided they want one.

      More like: You go into the spare room and take down the flat box you keep your unsorted central american stamp collection in, and Meta ML infers you want 3 pizzas, and you are puzzled when an Amazon driver arrives two weeks later with cold chinese takeout from a shop in Guatemala.

  8. Jimmy2Cows Silver badge


    Couldn't help but notice the "Lowest Privacy, Highest Accuracy" crap at the left end of the privacy slider.

    There's exactly zero valid technical reasons to link privacy and accuracy. Just don't monetise everything that comes down the pipe. Assuming the AR/VR device is linked to a phone, the phone can do local data processing for accurate positioning and orientation, then just pass position and orientation data to the Meta server. No need to send everything to the server for processing.

    Of course this is Meta so they will try every trick in the book to harvest everything under the guise of trading privacy for accuracy.

    1. Anonymous Coward
      Anonymous Coward

      Re: MetaGuard

      "There's exactly zero valid technical reasons to link privacy and accuracy."

      I believe the slider relates to how aggressively the privacy app works to anonymotize you. The proposed privacy app works by adding noise to the VR data. Added noise means better privacy, but worse accuracy.

      To oversimplify, if you're exactly 2m tall the app could make you appear to be 2.02m tall. Your view of the VR world will be offset by 1% from the "correct" view. If it made you 1.8m tall, your view would be offset by 10%.

  9. Anonymous Coward
    Anonymous Coward

    Slurp, slurp, slurpy slurpy, slurp, slurp

    It’s ALL about the data, the product is you and the coloured flashy lights are just to keep you captivated.

    1. Marty McFly Silver badge

      Re: Slurp, slurp, slurpy slurpy, slurp, slurp

      WTH does my Samsung 'Smart' TV need me to agree to a EULA for? Every damn time I power it on, and I refuse to give it an answer or network access. Just connect HDMI1 and I'll tell you what to display. I bought a different brand the next time just to avoid that garbage.

      Sheesh, I am ready for an analog VGA connection that won't report back to the mothership. Slurp that!

  10. Mike 137 Silver badge

    going to suck for privacy

    What does one have to suck (or to whom does one have to suck up) to be granted privacy these days?

  11. John Smith 19 Gold badge

    "Data leakage" is not an accident

    It's a goal.

    Remember Googles streetview mapping cars that "Accidently" harvested all those WiFi details?

    Danger. Data feitishists at work.

    And after all if your personal data has no value (IE you can't sell it to someone for actual money) why should it (be allowed to ) have any value to them?

  12. Anonymous Coward
    Anonymous Coward

    VR and metadata....or META data....

    No mention here about how the snoops will map a VR device to a real human being.'s easy when the end user signs up for a VR account with a credit card........

    But then again, savvy users may be signing up in other ways:

    - using a burner phone for authentication (but not while they are at home)

    - connecting using a VPN location in <who-knows-where>

    ...given those, and similar steps,....the Meta-folk collect tons of "metadata" about an unknown person in an unknown location.....

    All that said, it seems that since NO ONE cares about privacy, so no one will take care to protect their own privacy. Sad! Sad! Sad!

  13. This post has been deleted by its author

  14. Anonymous Coward
    Anonymous Coward

    I wanna be a cute anime girl, dammit!

    Doesn't some of this assume that we'll be using physically representative avatars?

    It wouldn't eliminate many of the tracking parameters mentioned, but could one's motion parameters not be tracked locally, mapped onto a standard skeleton that is the same for everyone, and only then transmitted to the data harvester? Most games use one or a small set of standard skeletons to animate avatars, so I imagine this already needs to be done at some stage.

    1. Jason Bloomberg Silver badge
      Big Brother

      Re: I wanna be a cute anime girl, dammit!

      This week I'll be playing with training weights strapped to my wrists and wearing Pogo Shoes. Let's see them figure that out.

  15. chivo243 Silver badge

    Calling Dr. Malcolm

    see title... that is all.

  16. richardw42


    Oh noz, more boring data stored about me somewhere for a purpose I don't care about.

    I am so concerned. I am traumatized. I must make my placard, travel to the HQ of Meta and smack the head employee over the head with it.

    Chance I'll not enjoy my VR headset due to this when I eventually buy one? 0%

  17. Snowy Silver badge

    Surprise! The metaverse is going to suck for privacy

    Said no one who cares about their privacy.

    If your already on Facebook/Meta how many of these potential data point do they already have if they wanted them.

    Does them knowing how long your Height, Arm Length, Interpupillary Distance is affect you in anyway?

    1. spold Silver badge

      Re: Surprise! The metaverse is going to suck for privacy

      >>> your Height, Arm Length, Interpupillary Distance is affect you in anyway? <<<

      If you are shopping at the Wingsuit Gliding store it may be relevant to your success in flying, and missing trees. I'm going to sell you medical insurance as well.

  18. Anonymous Coward
    Anonymous Coward


    They can have all that data, I don't really care.

    If someone finds value in me having a habit of scratching my balls mid-game, more power to them.

  19. MachDiamond Silver badge

    It's that one missing bit of data

    With all sorts of PII being hoovered up, aggregated and sold on subscription, the last thing you want is to add more to your file. I have a friend that got taken in by a scammer that had enough of her information and was a good enough talker to get her to fill in that last thing they needed to hijack her Phone/TV/Internet account. Fortunately, she figured out she'd been scammed right away and was able to fix the damage. When she told me about it, I could see that they had been able to buy enough information to do a really convincing job they were legit. She's not stupid or particularly gullible, but they were able to get her to lower her guard enough to push in a wedge.

    If a system is measuring your acuity durning your leisure time, I expect the data will be time stamped, they will be able to detect things like whether you've had a tipple or two or were partaking in the devil's lettuce. Maybe even being able to make a fairly accurate guess about which non-prescribed medication you have recently ingested. You'd expect that your insurance company or the State's health board would like to know all about that. Perhaps the patrol would be interested if your VR system has determined you've had a few and are now in your car based on the car being registered to you and modern enough that it broadcasts its usage whenever it's switched on. It's the information about you in the aggregate that becomes the problem even if you would have no problem dashing out for some take away just up the road and back.

    1. martinusher Silver badge

      Re: It's that one missing bit of data

      I've got to that point in life where I won't do business with anyone on line or on the phone unless there's an established, personal, relationship. Scammers have to rely on something needed to be done Right Now, their goal is to catch you wrong footed and keep you in that state until they've got what they want. If you insist on only doing business with them using snail mail it really cramps their style.

      I've been telling people for years that its not that I don't understand all this 'technology', its because I understand it only too well. (I have spent my entire working life in the field after all.) I like all this modern technology, its just that we develop it because its cool but its then handed over to a bunch of sociopaths to exploit.

  20. Anonymous Coward
    Anonymous Coward

    well, at least the metaverse is consistently sucky.

  21. martinusher Silver badge

    Privacy is passe

    Alas, thinking that 'strong data protection' will somehow keep you safe from the Internet predators is wishful thinking. You can see just how much robust legislation is worth with the recent revelations about how Uber works -- its reasonable to think of this as the norm, not the exception. There's no point in ignoring it as well -- you might not be interested in them but they are certainly interested in you. The only thing you can do is to understand the technology, its capabilities and limitations, recognize that it will be misused, sometimes with the best of intentions, and do your bit to poison whatever databases are out there.

    Ultimately the aggregators will want to reduce you to a minimal set of parameters since the people using this data are nothing like as smart as the people developing ways to collect it. This is the system's weak point. These scores will impact you because decisions, often ones you're unaware of, will be taken about you based on these scores so you have to be prepared to accept random consequences not of your making (people in the UK are learning all about this sort of thing with their 'credit score', an arcane index that describes your fitness as a citizen -- your life should be dedicated to getting and maintaining the best score you can because only that way can you be a productive and happy citizen.... et cetera...)

    I always tell people to forget "1984", its "Brazil" you've got to watch out for.

  22. robertodip

    Metaverse security and privacy issues.

    The metaverse promises a host of bright opportunities, but it also sports a few critical aspects, such as security and privacy, plus a number of far-reaching implications...

    For a preliminary analysis:

  23. aerogems Silver badge

    What's the surprise?

    A company known for raping people's privacy to make a buck is going to continue raping people's privacy to make a buck. Where does the surprise part come in?

  24. navarac Silver badge


    Don't use a smart (Apple) watch, or a VR headset. One of these days, AR (Actual Reality) is going to smack Meta-people in fairy land, round the back of the head :-( !

  25. Toni the terrible Bronze badge

    Buy in?

    So you dont have to indulge in VR/AR like you do not have to use twitter/facebook/meta, unlike smartyphones where you are almost forced to use it

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like