Privacy and the metaverse


On October 28, 2021, Facebook announced the rebranding of its parent company from Facebook to Meta. Since then, the term “metaverse” has been a hot topic of discussion. 

From facial expressions to biometric data, the metaverse has the potential to collect new and vast amounts of personal information, allowing Meta to target participants with even more personalized ads. With the metaverse, Meta’s ad-based business model poses an even greater threat to online privacy. 

What is the metaverse? 

While Meta may have repopularized the term, the concept of a metaverse has long existed in the pages of sci-fi novels. Author Neal Stephenson first coined the term in 1992 in his book Snow Crash, where he sketched out a virtual world his characters could escape to as a means of avoiding their dystopian reality.

According to Stephenson, the metaverse refers to a “convergence of physical, augmented, and virtual reality in a shared online space”, allowing people to interact with others through 3D avatars. 

Will there be only one metaverse?

Since Snow Crash’s publication, various developments have been made toward a real metaverse. Games like Fortnite and Roblox already provide an immersive environment where you can socialize with other people beyond a simple computer screen. 

However, by using technologies such as virtual reality (VR) and augmented reality (AR), Meta wants to go a step further and make the metaverse a reality. VR refers to technologies that replace a real-life environment with a virtual one, whereas AR augments your surroundings by adding digital elements to a live view.

Meta’s vision of the metaverse consists of social hubs where you can connect, work, play, and shop using a digital avatar, but it isn’t the only one trying to build a 3D virtual reality space. 

In fact, Microsoft, Nvidia, and Epic Games are all developing their own versions of the metaverse. At the end of 2021, Microsoft announced Mesh, a collaborative platform that uses mixed reality technologies to make online meetings more personal and engaging. Nvidia markets its Omniverse as a “development platform for 3D simulation and design collaboration”.

As VR and AR technologies advance, more and more tech giants will focus on building metaverse platforms. 

The privacy risks of the metaverse 

Compared to traditional social media platforms, the metaverse could create even more avenues for data collection. The technologies underpinning the metaverse — VR headsets and augmented reality glasses — can track eye movement and determine what the participant is focusing on. 

They can pick up physiological responses and biometric information such as heart rate, pupil dilation, and vocal inflections, revealing subconscious interests and preferences. Heart monitors can also pick up neural or heart problems even before the participant feels symptoms. The US Patent and Trademark Office has already approved some eye- and face-tracking technology patents for use in the metaverse.

This depth of information would allow Meta to build eerily intimate profiles of participants, alerting them to inclinations or health problems that people themselves aren’t aware of. This could present new avenues for Meta to manipulate the participants in the metaverse without their consent.

According to Facebook whistleblower Frances Haugen, as the metaverse expands, participants will have to install cameras and microphones throughout their homes to generate fully interactive experiences. These cameras would capture everything from the appearance and layout of a participant’s home to the minute details of their daily routines.

With such a setup, Meta would have real-time insight into people’s everyday lives, giving it unprecedented amounts of data it can collect and use for nefarious purposes. As Meta’s losses in the metaverse continue to grow, the company has a greater incentive to extend its existing privacy-invasive business model to the metaverse to make a profit for its shareholders.

Can Meta be trusted to build the metaverse?

Given that the metaverse enables unprecedented levels of data collection, a critical question remains: Who should be trusted to build it?

Meta is no stranger to controversy when it comes to data privacy. The company has been involved in several major data breaches in the past: 

Meta has had a long history of failing to protect people and their privacy on its platform. But it has proven to be an even worse moderator of its own social media platform. While Facebook claims to remove more than 90% of hate speech published on its site, the actual figure is only 3 to 5%.

In March 2022, London-based watchdog Global Witness tested Facebook’s hate speech safeguards by submitting eight paid ads to the social media network, each incorporating different versions of real-world hate speech copied from a United Nations report. All eight ads were approved, proving Facebook’s poor ability to detect hateful speech in the Burmese language. As a result, Facebook has been investigated over its role in the genocide of Rohingya Muslims.

It has also repeatedly allowed world leaders and politicians across 25 countries to use its platform to deceive the public or harass opponents.

In fact, Meta itself can’t even keep track of the data it already has. According to a leaked internal document, Facebook’s own engineers have no idea where all of its user data goes, or what it’s doing with it.

Given its record of data breaches and privacy violations, we should not trust Meta to build the metaverse.

What would a metaverse that respected privacy look like? 

The real promise of the metaverse lies in its new data-rich experiences and services that can enhance our lives. However, for it to be successful, the metaverse should embody some core principles to ensure your safety and privacy. 


For one, the metaverse should be open and interoperable to prevent the creation of walled gardens. This interoperability is crucial in connecting people and providing them with a unified and seamless experience. An open metaverse would also mean people are not locked in on a single platform and can easily transfer their digital assets from one service to another.


What makes the metaverse potentially harmful is that a handful of powerful corporations will have the ability to mediate every aspect of our lives, selling access to our personal data to the highest bidder. However, decentralizing the metaverse would mean that no single entity “owns” or has the power to sell our information. A decentralized metaverse would enable us to enjoy a new world of possibilities where we are fully in control of our virtual experiences.

Switching from an ad-based model to a subscription model

The metaverse should offer an unparalleled user experience by breaking away from Big Tech’s traditional ad-based business model. Rather than operating as a service designed to extract data and monetize people’s lives, the metaverse should utilize a subscription model to avoid ads and maintain user privacy. 

Consent to data collection and marketing

If an ad-supported metaverse must exist, then all data collection should require the consent of participants. With the impending deprecation of cookies and cookie-based marketing, companies and brands can start from a clean slate and support more privacy-first tracking alternatives in the metaverse.

We need to be ready

The metaverse is likely the next stage of the internet’s evolution as 3D experiences continue to blur the line between fiction and reality. However, similar to the rise of social media, lawmakers can take a long time to react to new technologies like the metaverse.

Privacy concerns are not the only risks — bigger questions of content moderation, codes of conduct, sustainability, and accessibility have to be addressed before the metaverse can be a safe and welcoming space for all.

Despite its potential pitfalls, the metaverse promises to offer us new and interactive experiences where we can work, play, and socialize with each other. Its advent offers us another chance to redefine data protection and put privacy and consent at the forefront of our new virtual societies.


Lydia Pang

Lydia is a lifelong book-lover and her professional experience spans several industries, including higher education and editorial writing. She's excited to write for Proton and champion privacy as a fundamental right for everyone.
