Saturday, May 4, 2024

Vogon Today

Selected News from the Galaxy

StartMag

Metaverse dossier for the Privacy Guarantor

4 months ago babelfish

Metaverse dossier for the Privacy Guarantor

The metaverse confronts us with phenomena with a very high level of technical complexity, with notable repercussions on user privacy. Maurizio Stefanini's interview with Ginevra Cerrina Feroni, professor of Constitutional Law at the University of Florence, taken from the quarterly magazine of Startmag

The theme of the defense of privacy and the processing of personal data takes on a completely different dimension if placed in the dimension of the metaverse. Ginevra Cerrina Feroni is the most qualified person to guide us through the labyrinth of a new and very rapidly evolving phenomenon. Professor of Italian and comparative constitutional law and vice president of the personal data guarantor, Cerrina Feroni periodically deals with these aspects also through dissemination work in the national media. Particular focus in this interview is the triangle between businesses, privacy (and data collection) and the metaverse.

What are the main risks to user privacy related to the use of the metaverse by companies?

Let's start with one fact. The metaverse promises an epochal change, something that humanity has never known before, namely the overlap between physical and digital experiences and the pervasiveness that this experience exerts on some parts of our brain. From this perspective, it seems to me that the risk for privacy is that of massive profiling of the user's most intimate sphere. Unlike digital profiling, where the will is externalized, in the "lived" metaverse it is more difficult to choose whether or not to share one's data. The information flows could, in fact, be collected and processed through simple biometric methods, observing posture, heartbeat or simply the movement of the iris.

And what new responsibilities will companies have to take on when it comes to privacy in the metaverse?

First of all, it is more correct to speak of metaverses in the plural. There is an infrastructure metaverse in which apps with various metaverses are located. Regarding the organization of the interface, i.e. the framework that guarantees interoperability between the various metaverses, an issue that appears essential is that of the storage and transfer of the data used to make the applications work. Regarding apps, the problems that may arise have to do with responsibility for data management: conservation, safeguarding, as well as all measures to guarantee its integrity. Of course, there is also the issue of theft or misuse of data. No less important issue is that relating to the development of simple to use systems (so-called user friendly ) to ensure effective and immediate exercise of the rights of interested parties.

What are the key privacy laws and regulations already in place that may apply to the metaverse?

The European Union is moving to formulate a regulation capable of regulating its use, but to date there are still no hard law acts that regulate the matter. Certainly the draft of the Artificial Intelligence Act , in addressing the problems of transparency, responsibility and respect for fundamental rights in the use of artificial intelligence, is the one that most touches, albeit indirectly, the topic. Therefore the pivot around which regulation currently revolves is and remains the GDPR, the General Regulation on data protection. The question of whether or not the GDPR is "sufficient" to regulate the new dimension of the metaverse is debated. The question is: must the GDPR be integrated to meet the needs that the new ecosystem will entail or is an interpretation by extension to the new reality sufficient? I believe that the legislation will need to integrate some aspects.

And what do you think are the future prospects for privacy protection in the metaverse?

Talking about privacy in the metaverse almost seems like an oxymoron. In the metaverse there will, perhaps, be protection of personal data, but not privacy understood in the original sense of the term, such as the right to be let alone . The problem that arises is no longer how to have access to the personal data of the inhabitants of this reality, but only how to manage their processing. I said it before: we are faced with completely new phenomena, with a very high level of technical complexity, and in very rapid evolution. What in my opinion we can realistically build is not so much a detailed legal corpus, which risks being overtaken in a short time by technological evolution, but rather establishing strong basic principles around which to conceive concrete responses, both legislatively and in practice. I've been kicking around the idea of ​​a privacy authority for the metaverse for some time now. Obviously this is a provocation, but it has the aim of underlining how the answers to future problems in the metaverse will have to deal with the nature, with the needs and with the timing of this parallel reality in many respects.

How can businesses protect user privacy in the metaverse?

Certainly the first point is to find a balance between the massive tracking of users' personal data and the principle of data minimization. A first step that the metaverse will require is to limit, as precisely as possible, the quantity and quality of data that can be collected within the limits of the declared purposes. But without this process burdening exclusively the interested party. In fact, I don't think that the formal rules on the legitimacy of consent in force today would be enough. Let's think about the management of sensitive data such as that following telemedicine visits: only the information essential to the treatment should be saved, while that which is not relevant should be deleted. Furthermore, for the system, users should be anonymized or, at least, encrypted. However, all of this must be put in black and white and compliance must also be ensured through reliable operating models.

How might the metaverse change the way businesses collect and use personal data?

An interconnected metaverse linked to the person's daily activities (and therefore no longer just to his divertissement , as is largely the case today), involves the collection of massive quantities of data, including the monitoring of consumption habits, opinions and tastes and even emotions through the analysis of behavioral and biometric data. This pervasiveness manifests itself above all from the point of view of communication and data portability: will interoperability lead to automatic sharing of data between metaverses even if they belong to different companies? It's possible. It is obvious that recomposing the picture through pieces of information provided here and there both increases the efficiency in collecting personal data and significantly reduces the ability of users to avoid precise and massive profiling. So the fundamental issue is to understand how to develop this data transfer while safeguarding user privacy . Not to mention that, in addition to guarding against predatory commercial interests, users must protect themselves from state interference, I am thinking in particular of countries like China.

What about the protection of minors? What are the implications of the metaverse?

At the moment for the access of minors to the metaverse in Europe, as there are no ad hoc rules, the rules established by the GDPR apply and therefore, the metaverse is prohibited to those under fourteen years of age. The problem arises where minors, once they access the metaverse, are not recognizable as such, nor do their avatars enjoy particular protections. This allows other users to take advantage of their natural fragility in many ways. Not even parental supervision tools are particularly useful for this purpose since they essentially involve managing access to apps. And it could not be otherwise considering that even the minor enjoys his own privacy . Therefore the danger arises in terms of recognition or not of the user's minor age. And this can be all the more dangerous as the minor is much less equipped and aware of his rights.

What are the challenges and opportunities for privacy research in the metaverse?

When we talk about privacy we are not limited to the protection of information. That's just the first layer. In fact, there is the problem linked to the fact that we do not know who our interlocutor is – I spoke before about minors – which is connected to the risk of the digital identity of users and that of the theft of avatars. An important step forward will concern the possibility – which will increasingly be a necessity – of making profiles unique. What can certainly help is developing the so-called responsible metaverse .

This is a machine translation from Italian language of a post published on Start Magazine at the URL https://www.startmag.it/innovazione/metaverso-privacy-intervista-ginevra-feroni/ on Sat, 06 Jan 2024 06:19:09 +0000.