Privacy and the metaverse

On October 28, 2021, Facebook announced the rebranding of its parent company from Facebook to Meta. Since then, the term “metaverse” has been a hot topic of discussion. 

From facial expressions to biometric data, the metaverse has the potential to collect new and vast amounts of personal information, allowing Meta to target participants with even more personalized ads. With the metaverse, Meta’s ad-based business model poses an even greater threat to online privacy. 

What is the metaverse? 

While Meta may have repopularized the term, the concept of a metaverse has long existed in the pages of sci-fi novels. Author Neal Stephenson first coined the term in 1992 in his book Snow Crash, where he sketched out a virtual world his characters could escape to as a means of avoiding their dystopian reality.

According to Stephenson, the metaverse refers to a “convergence of physical, augmented, and virtual reality in a shared online space”, allowing people to interact with others through 3D avatars. 

Will there be only one metaverse?

Since Snow Crash’s publication, various developments have been made toward a real metaverse. Games like Fortnite and Roblox already provide an immersive environment where you can socialize with other people beyond a simple computer screen. 

However, by using technologies such as virtual reality (VR) and augmented reality (AR), Meta wants to go a step further and make the metaverse a reality. VR refers to technologies that replace a real-life environment with a virtual one, whereas AR augments your surroundings by adding digital elements to a live view.

Meta’s vision of the metaverse consists of social hubs where you can connect, work, play, and shop using a digital avatar, but it isn’t the only one trying to build a 3D virtual reality space. 

In fact, Microsoft, Nvidia, and Epic Games are all developing their own versions of the metaverse. At the end of 2021, Microsoft announced Mesh, a collaborative platform that uses mixed reality technologies to make online meetings more personal and engaging. Nvidia markets its Omniverse as a “development platform for 3D simulation and design collaboration”.

As VR and AR technologies advance, more and more tech giants will focus on building metaverse platforms. 

The privacy risks of the metaverse 

Compared to traditional social media platforms, the metaverse could create even more avenues for data collection. The technologies underpinning the metaverse — VR headsets and augmented reality glasses — can track eye movement and determine what the participant is focusing on. 

These devices can also pick up physiological responses and biometric information such as heart rate, pupil dilation, and vocal inflections, revealing subconscious interests and preferences. Heart monitors can also pick up neural or heart problems even before the participant feels symptoms. The US Patent and Trademark Office has already approved some eye- and face-tracking technology patents for use in the metaverse.

This depth of information would allow Meta to build eerily intimate profiles of participants, alerting the company to inclinations or health problems that people themselves aren’t aware of. This could present new avenues for Meta to manipulate the participants in the metaverse without their consent.

According to Facebook whistleblower Frances Haugen, as the metaverse expands, participants will have to install cameras and microphones throughout their homes to generate fully interactive experiences. These cameras would capture everything from the appearance and layout of a participant’s home to the minute details of their daily routines.

With such a setup, Meta would have real-time insight into people’s everyday lives, giving it unprecedented amounts of data it can collect and use for nefarious purposes. As Meta’s losses in the metaverse continue to grow, the company has a greater incentive to extend its existing privacy-invasive business model to the metaverse to make a profit for its shareholders.

Can Meta be trusted to build the metaverse?

Given that the metaverse enables unprecedented levels of data collection, a critical question remains: Who should be trusted to build it?

Meta is no stranger to controversy when it comes to data privacy. The company has been involved in several major data breaches in the past: 

Meta has had a long history of failing to protect people and their privacy on its platform. But it has proven to be an even worse moderator of its own social media platform. While Facebook claims to remove more than 90% of hate speech published on its site, the actual figure is only 3 to 5%.

In March 2022, London-based watchdog Global Witness tested Facebook’s hate speech safeguards by submitting eight paid ads to the social media network, each incorporating different versions of real-world hate speech copied from a United Nations report. All eight ads were approved, proving Facebook’s poor ability to detect hateful speech in the Burmese language. As a result, Facebook has been investigated over its role in the genocide of Rohingya Muslims.

It has also repeatedly allowed world leaders and politicians across 25 countries to use its platform to deceive the public or harass opponents.

In fact, Meta itself can’t even keep track of the data it already has. According to a leaked internal document, Facebook’s own engineers have no idea where all of its user data goes, or what it’s doing with it. 

Given its record of data breaches and privacy violations, we should not trust Meta to build the metaverse.

What would a metaverse that respected privacy look like? 

The real promise of the metaverse lies in its new data-rich experiences and services that can enhance our lives. However, for it to be successful, the metaverse should embody some core principles to ensure your safety and privacy. 


For one, the metaverse should be open and interoperable to prevent the creation of walled gardens. This interoperability is crucial in connecting people and providing them with a unified and seamless experience. An open metaverse would also mean people are not locked in on a single platform and can easily transfer their digital assets from one service to another.


What makes the metaverse potentially harmful is that a handful of powerful corporations will have the ability to mediate every aspect of our lives, selling access to our personal data to the highest bidder. However, decentralizing the metaverse would mean that no single entity “owns” or has the power to sell our information. A decentralized metaverse would enable us to enjoy a new world of possibilities where we are fully in control of our virtual experiences.

Switching from an ad-based model to a subscription model

The metaverse should offer an unparalleled user experience by breaking away from Big Tech’s traditional ad-based business model. Rather than operating as a service designed to extract data and monetize people’s lives, the metaverse should utilize a subscription model to avoid ads and maintain user privacy. 

Consent to data collection and marketing

If an ad-supported metaverse must exist, then all data collection should require the consent of participants. With the impending deprecation of cookies and cookie-based marketing, companies and brands can start from a clean slate and support more privacy-first tracking alternatives in the metaverse.

We need to be ready

The metaverse is likely the next stage of the internet’s evolution as 3D experiences continue to blur the line between fiction and reality. However, similar to the rise of social media, lawmakers can take a long time to react to new technologies like the metaverse.

Privacy concerns are not the only risks — bigger questions of content moderation, codes of conduct, sustainability, and accessibility have to be addressed before the metaverse can be a safe and welcoming space for all.

Despite its potential pitfalls, the metaverse promises to offer us new and interactive experiences where we can work, play, and socialize with each other. Its advent offers us another chance to redefine data protection and put privacy and consent at the forefront of our new virtual societies.
