16 May, 2022
Privacy and Security on the Metaverse
Concepts of the once science-fiction novel-bound metaverse have crept closer to actualization since the summer of 2021, with talk of its opportunities, challenges, and implications increasing by the day. Just as quickly, this reality has become less abstract, particularly as experts forecast that by 2026, a quarter of people will spend at least an hour a day in the metaverse.
While not fully understood on a commercial level yet, the metaverse and its increasing excitement has bode well for enterprises of all kinds, in that it enables access to new business models that have largely gone untapped in our existing digital realms. This kind of platform shapes the potential for how businesses can connect with consumers; communicate their offerings, and even operate on a day-to-day basis.
This promising medium for social and capitalist connection, however, introduces a host of challenges when it comes to safeguarding the privacy and identities of those who will utilize it.
The precedent is this: while not inherently a part of Web3––a conceptual iteration of the Internet that is based upon blockchain technology––the metaverse is dependent on it. Within a Web 3 reality, users can expect increased democratization, inclusion, and user control, instead of having big tech and centralized gatekeepers. The promise is huge.
But in looking at today’s reality, we can see there is a long way to go. Despite talk of a move towards a Web 3 reality, existing digital spaces are not representative of any efforts being made: the top 2% of cryptocurrency trading accounts own 95% of the $800 billion supply of Bitcoin; the top 9% of Web3 accounts hold 80% of the $41 billion market value of NFTs; and very few Web3 dApps are available for consumers (and the ones that do exist are focused on DeFi). Moreover, the level of fraud and scams related to Web3 platforms are alarming: more than $14B in crypto were accounted as fraud losses in 2021, and more than 80% of the NFTs listed in OpenSea were plagiarized art, fraudulent collections, or spam. And on the consumer side, more than 20% of crypto holdings are either lost or unrecoverable.
Looking at this from the lens of identity, it is clear a lot of work needs to be done to address the issues of consumer protection, security, scale, and interoperability. Until then, it will be increasingly hard for Web3 to become truly mainstream.
Some of the fundamental constraints (at least from an identity management perspective) come from the use of blockchain technology which is the basis for Web3. The blockchain is essentially a distributed ledger that facilitates the recording of information or transactions, as well as the tracking of them in a distributed way––a hyper-secure storage mechanism.
From an identity standpoint, this raises many questions. First, if the blockchain is a storage mechanism, then to conduct any sort of processing (biometric matches), the information stored on the blockchain would have to be retrieved into a central location where the computation functions would run, essentially defeating the purpose of decentralization in the first place. Blockchain is also very heavily dependent on private keys that are stored on user devices. What happens in a use case that requires shared kiosks or shared devices, or when a user gets a new device? From a privacy standpoint too, if the information on the ledger is meant to be public, what does this mean in terms of tracking down a user’s identity and transaction data?
Second, within the Web3 world, there is a proliferation of verifiable credentials and self-sovereign identity schemes that are meant to allow users to dictate where and how their identity and personal data can be used. These credentials also use blockchain technology to create tamper-proof digital credentials that can be cryptographically verified by an issuer. This puts the onus on the issuer to not only generate the credentials, but to make sure they are issued to the right person. With account takeovers overall increasing 90% and new account fraud in which fraudsters open accounts using stolen consumer data increasing by 109% in just last year, it is not hard to imagine an attacker convincing an issuer to “reissue” them a credential because of a lost or new device.
On the KYC/AML side, there are increasing regulations requiring identity verification when opening accounts. But this identity data is not kept; and at best, users are left with usernames, passwords, and private keys that are standalone––any attacker can use this data to access a user’s account. At worst, since the data collected in the onboarding process is not linked to the transaction verification process, this can potentially open a huge market for money mules and suspecting or unsuspecting individuals whose data can be used just for opening accounts while money moves freely thereafter.
Lastly, since there is no central ownership or authority, what happens when something goes wrong? For governments distributing payments with cryptocurrency, if an attacker takes over a beneficiary’s account, will they reissue a payment? If the pandemic relief programs that the US set in place are any indication, fraudsters will flock at this new opportunity. (For readers not aware, it is estimated that about 10 percent of the $800 billion distributed in the Paycheck Protection Program was fraudulent. This is on top of the $90-$400 billion believed to have been stolen from an unemployment relief program––with at least half taken by international fraudsters and another $80 billion potentially pilfered from a separate Covid disaster relief program.) None of this was crypto-related, but it gives an idea of the scale of fraud that could occur if identity management within a Web3 world is not thought through. I recently came across a website that tracks Web3 scams, and reading through it is like reading through just another series of hacks and frauds that we have become used to in Web2, and perhaps worse because consumers have no protections built in.
The good news is that resolving these issues does not mean having to give up on the fundamental tenet of decentralization. Multi-party computing (MPC) provides a viable alternative that supports biometrics and other PII in a decentralized way that enables users to safely navigate the metaverse - and, importantly, that compliments blockchain implementations.
With multi-party computing, different entities participate in a computation while keeping the inputs private. For biometrics, this means sharding data, distributing it over a network, and doing its matching in a distributed way as well. The elements that are distributed are anonymized both during the storage and the computation process, and there is no single point for an attacker to exploit. More specifically, a biometric MPC network can bind true individuals to their identity and digital assets. This type of system can be used to connect siloes of the identity management stack that attackers most often exploit. They also have the capacity to store and manage private keys, which are the essential underpinnings to blockchain applications.
To be clear, the blockchain remains the underpinning of a Web3 world, but biometric MPC networks will surely become a critical enabling infrastructure. In a fully optimized Web3 world, identity management will involve credentials stored on the blockchain, along with biometrics managed via MPCs to authorize the issuance of these credentials, ensure proper authentication from any device or cloud-based application, and control private key storage and migration so that only the bonafide person will have access to them. In all, consumers will have complete command of their metaverse experience with opt-out capabilities (not possible on the blockchain), direct ownership of their assets, and full control of their digital identity without compromising on security.
There’s no doubt that, conceptually, the metaverse is still rather undefined in its actualization. In many ways, companies and conglomerates leading the charge towards its launch are still in the beginning stages of planning and development. However, as it relates to anticipated privacy and security concerns, it’s safe to say that, as a collective, we have a very clear idea of the sort of threats that can emerge in such powerful digital ecosystems and these should not be ignored. By starting these important conversations now, industry-wide efforts can be made to preemptively address concerns in the metaverse’s first iterations and not leave privacy, identity and security as afterthoughts. Web3 and the metaverse may not be mainstream yet, but it is coming, and the entities that take the identity management aspects into consideration from the beginning will be much better positioned to deal with the complicated threat landscape and deliver on the promise of democracy, inclusion, and more individual control.
To learn more about how we are enabling privacy and security in the metaverse at Anonybit, click here.