Nascent metaverse raises complex cybersecurity questions

The metaverse anticipates that users will have creative and social controls, in games or on platforms, that are designed for people to share beyond that core game or platform. This will require cross-platform interoperability at a scale that existing cybersecurity legislation does not necessarily contemplate. Beyond the practical difficulties of building platforms with that technical capability, the metaverse also raises complex cybersecurity issues.

A fundamental legal issue for all entities involved in the metaverse will be the allocation of responsibility. Interoperable code is subject to vulnerabilities in the same manner as any other code or platform. The allocation of responsibility for any such vulnerabilities, where they arise, is likely to raise legal and commercial complexities for all parties involved. We highlight three key risk considerations below.

Risk of exploitation

Newzoo notes that mass concurrency and interoperability in platforms are immature. New protocols are being developed and more are yet to come, but building those protocols in a way that mitigates the risk of malicious code being transferred from platform to platform will be an extremely difficult technical challenge.

The current experience of video game companies (themselves a key component of the metaverse) offers a glimpse of what companies participating in the metaverse may encounter. Video game companies have long been a target for cyberattacks – including espionage, data theft and financially motivated ransomware attacks – given the volume of valuable personal data and intellectual property that they hold. Where data and intellectual property exist within (and will be shared across) the metaverse, the attack surface is increased and the metaverse may well become a prime target for cyber attackers.

Entities within a metaverse ecosystem will need to focus beyond their own security measures as they will be ever more dependent on the cybersecurity of the other entities involved in that ecosystem. Entities participating in the metaverse will need to be confident in, and take steps to satisfy themselves of, the security measures being adopted by the other entities within it. Supply chain due diligence will be of critical importance.

Personal data breaches

By its nature, the interoperability of the metaverse will require the storage and transfer of even greater quantities of personal data. For example, a core component of the metaverse is the creation of users' persistent avatars which have the capacity to remain consistent across platforms. As they are connected to a person, those avatars and the data associated with them will necessarily require a large volume of personal data to be stored and processed in relation to that user. Attackers will be aware that these data sets are at the heart of the services offered by an entity operating in the metaverse, and, for example, that the company therefore may pay significant sums to prevent that data being released following an attack.

Existing legislation centres around the concept of the "data controller" as the entity responsible for ensuring that appropriate technical and organisational measures are in place to protect personal data. Where multiple entities will be running interoperable platforms, questions as to who is the data controller and who carries the associated responsibility are likely to be complex. Will entities be joint controllers of personal data? How will entities manage the blurred lines between processing and controlling that data? And how will entities coordinate a response to an incident that affects multiple entities?

Account verification

The risk that an avatar is duplicated to impersonate others, including for the purpose of disinformation, harassment and identity theft, is an important issue to address in order to build customer confidence in using avatars across multiple platforms.

One proposed route to provide that confidence is user verification: the use of a decentralised identification network that is built on an international standard and is used to validate an account being used across platforms in order to ensure that users can only access their own personal data. However, the risk associated with a unified approach is that, if it is capable of being exploited, it enables an attacker to exploit it across multiple platforms.

As with other facets of the metaverse ecosystem, achieving a unified approach will present various challenges not only from a technical perspective, but also in relation to the legal and commercial arrangements regarding responsibility and liability for that account verification process.

Blurred lines

The increasingly blurred lines between entities operating in the metaverse are likely to raise further novel issues in the management of responsibility and liability between entities. As these platforms develop and mature, they are likely to bring ever greater complexity to the security, legal and commercial considerations behind them.

Philip Kemp, Senior Associate, UK, +44 207 105 7076