Privacy and the metaverse

On October 28, 2021, Facebook announced the rebranding of its parent company from Facebook to Meta. Since then, the term “metaverse” has been a hot topic of discussion. 

From facial expressions to biometric data, the metaverse has the potential to collect new and vast amounts of personal information, allowing Meta to target participants with even more personalized ads. With the metaverse, Meta’s ad-based business model poses an even greater threat to online privacy. 

What is the metaverse? 

While Meta may have repopularized the term, the concept of a metaverse has long existed in the pages of sci-fi novels. Author Neal Stephenson first coined the term in 1992 in his book Snow Crash, where he sketched out a virtual world his characters could escape to as means of avoiding their dystopian reality. 

According to Stephenson, the metaverse refers to a “convergence of physical, augmented, and virtual reality in a shared online space”, allowing people to interact with others through 3D avatars. 

Will there be only one metaverse?

Since Snow Crash’s publication, various developments have been made toward a real metaverse. Games like Fortnite and Roblox already provide an immersive environment where you can socialize with other people beyond a simple computer screen. 

However, by using technologies such as virtual reality (VR) and augmented reality (AR), Meta wants to go a step further and make the metaverse a reality. VR refers to technologies that replace a real-life environment with a virtual one, whereas AR augments your surroundings by adding digital elements to a live view.

Meta’s vision of the metaverse consists of social hubs where you can connect, work, play, and shop using a digital avatar, but it isn’t the only one trying to build a 3D virtual reality space. 

In fact, Microsoft, Nvidia, and Epic Games are all developing their own versions of the metaverse. At the end of 2021, Microsoft announced Mesh(new window), a collaborative platform that uses mixed reality technologies to make online meetings more personal and engaging. Nvidia markets its Omniverse(new window) as a “development platform for 3D simulation and design collaboration”.

As VR and AR technologies advance, more and more tech giants will focus on building metaverse platforms. 

The privacy risks of the metaverse 

Compared to traditional social media platforms, the metaverse could create even more avenues for data collection. The technologies underpinning the metaverse — VR headsets and augmented reality glasses — can track eye movement and determine what the participant is focusing on. 

It can pick up physiological responses and biometric information such as heart rate, pupil dilation, and vocal inflections, revealing subconscious interests and preferences. Heart monitors can also pick up neural or heart problems even before the participant feels symptoms. The US Patent and Trademark Office has already approved some eye- and face-tracking technology patents(new window) for use in the metaverse. 

This depth of information would allow Meta to build eerily intimate profiles of participants, alerting them to inclinations or health problems that people themselves aren’t aware of. This could present new avenues for Meta to manipulate the participants in the metaverse without their consent.

According to Facebook whistleblower Frances Haugen(new window), as the metaverse expands, participants will have to install cameras and microphones throughout their homes to generate fully interactive experiences. These cameras would capture everything from the appearance and layout of a participant’s home to the minute details of their daily routines.

With such a setup, Meta would have real-time insight into people’s everyday lives, giving them unprecedented amounts of data they can collect and use for nefarious purposes. As Meta’s losses in the metaverse continue to grow(new window), the company has a greater incentive to extend their existing privacy-invasive business model to the metaverse to make a profit for its shareholders. 

Can Meta be trusted to build the metaverse?

Given that the metaverse enables unprecedented levels of data collection, a critical question remains: Who should be trusted to build it?

Meta is no stranger to controversy when it comes to data privacy. The company has been involved in several major data breaches in the past: 

Meta has had a long history of failing to protect people and their privacy on its platform. But it has proven to be an even worse moderator of its own social media platform. While Facebook claims to remove more than 90% of hate speech published on its site, the actual figure is only 3 to 5%(new window)

In March 2022, London-based watchdog Global Witness tested Facebook’s hate speech safeguards(new window) by submitting eight paid ads to the social media network, each incorporating different versions of real-world hate speech copied from a United Nations report. All eight ads were approved, proving Facebook’s poor ability to detect hateful speech in the Burmese language. As a result, Facebook has been investigated over its role in the genocide of Rohingya Muslims(new window)

It has also repeatedly allowed world leaders and politicians across 25 countries to use its platform to deceive the public or harass opponents(new window)

In fact, Meta itself can’t even keep track of the data it already has. According to a leaked internal document, Facebook’s own engineers have no idea where all of its user data goes(new window), or what it’s doing with it. 

Given its record of data breaches and privacy violations, we should not trust Meta to build the metaverse.

What would a metaverse that respected privacy look like? 

The real promise of the metaverse lies in its new data-rich experiences and services that can enhance our lives. However, for it to be successful, the metaverse should embody some core principles to ensure your safety and privacy. 


For one, the metaverse should be open and interoperable to prevent the creation of walled gardens. This interoperability is crucial in connecting people and providing them with a unified and seamless experience. An open metaverse would also mean people are not locked in on a single platform and can easily transfer their digital assets from one service to another.


What makes the metaverse potentially harmful is that a handful of powerful corporations will have the ability to mediate every aspect of our lives, selling access to our personal data to the highest bidder. However, decentralizing the metaverse would mean that no single entity “owns” or has the power to sell our information. A decentralized metaverse would enable us to enjoy a new world of possibilities where we are fully in control of our virtual experiences.

Switching from an ad-based model to a subscription model

The metaverse should offer an unparalleled user experience by breaking away from Big Tech’s traditional ad-based business model. Rather than operating as a service designed to extract data and monetize people’s lives, the metaverse should utilize a subscription model to avoid ads and maintain user privacy. 

Consent to data collection and marketing

If an ad-supported metaverse must exist, then all data collection should require the consent of participants. With the impending deprecation of cookies(new window) and cookie-based marketing, companies and brands can start from a clean slate and support more privacy-first tracking alternatives in the metaverse.

We need to be ready

The metaverse is likely the next stage of the internet’s evolution as 3D experiences continue to blur the line between fiction and reality. However, similar to the rise of social media, lawmakers can take a long time to react to new technologies like the metaverse.

Privacy concerns are not the only risks — bigger questions of content moderation(new window), codes of conduct(new window), sustainability(new window), and accessibility(new window) have to be addressed before the metaverse can be a safe and welcoming space for all.

Despite its potential pitfalls, the metaverse promises to offers us new and interactive experiences where we can work, play, and socialize with each other. Its advent offers us another chance to redefine data protection and put privacy and consent at the forefront of our new virtual societies.

Protect your privacy with Proton
Create a free account

Related articles

If you’re comparing different password managers or researching password security, you’ll quickly run into terms like hashing and salting. While these terms might sound like steps you take to make breakfast potatoes, they’re actually processes that ar
People often choose to remove their personal information from the internet due to privacy and security concerns. For example, oversharing on social media can expose you to phishing attacks, identity theft, and cyberstalking. Plus, your data is highl
It’s been roughly three months since the European Union’s Digital Markets Act (DMA), which aims to restore competition and fairness to the internet, came into effect for Big Tech monopolies. Since then, Google has done precisely nothing to comply wit
Today we’re announcing enhancements to our business plans, further enriching our commitment to delivering the best privacy experience for businesses. These upgrades will help us continue expanding our feature suite for organizations, while giving mor
Proton Pass brings secure and private password management to all devices
Today, we’re excited to announce the launch of the Proton Pass macOS app and the Proton Pass Linux app. One of the most popular requests from the Proton community was a standalone desktop app, which is now available on every major platform — Windows,
When you use the internet at home, connected to everything from fitness equipment to game consoles, smartphones, and laptops, marketing companies could be watching you with a tiny piece of surveillance tech you might not even know about. We’re talki