McDannald is CEO of Environments, an interior-design-turned-software company building so-called immersive work experiences in virtual reality, and it’s testing its own product. Five employees work in the virtual office, each with their own avatar that looks (kind of) like them. The company takes care to make employee avatars resemble their human counterparts only to a point — too lifelike, and they get creepy. Too abstract, and the whole thing starts to feel unprofessional, McDannald said. Employees marking work anniversaries have tiny, celebratory icons above their avatars’ heads, like in the computer game “The Sims.” McDannald can walk over to an employee’s virtual desk and check in at any time. Despite the ramped-up opportunity for managerial oversight, she said no employees have objected.
“I think there will be a merging of our physical and online personas,” she said.
Buzz around shared, 3-D virtual spaces that companies including Meta are pitching as the “metaverse” may only get louder from here. This year’s CES was spattered with companies billing themselves as metaverse tech, with ideas ranging from virtual customer service representatives to a food-delivery robot controlled by real people watching from a perch in virtual reality. All are angling for space in an emerging industry spearheaded by tech giants including Meta and Microsoft, both of which announced their own metaverse products in the past few months. Even Microsoft co-founder Bill Gates weighed in, saying he expects the metaverse to be part of our workplaces in the next three years.
But virtual reality (VR) headsets can collect more data about us than traditional screens, which gives companies more opportunities to take and share that data for profiling and advertising. They could also give employers more ways to monitor our behavior and even our minds. There’s little stopping the government from getting its hands on body-related data from VR tech, and there’s little in place to protect us and our kids from unrestricted data gathering and psychological manipulation, say digital rights advocates and experts following the industry.
Digital rights advocacy group Electronic Frontier Foundation and the Extended Reality Safety Initiative, a nonprofit developing standards and advising lawmakers on safety in VR, have raised the alarm on the privacy threats Big Tech is posing with its vision for a metaverse — not just for employees, but for people and their children at home.
“In some respects, a 3-D headset is not really any different than a 3-D monitor,” said Jon Callas, director of technology projects at EFF. “But then there are other things being done that could be extraordinarily intrusive.”
Companies are already gorging on our data
One of the potential problems with virtual reality is that we still haven’t answered many of the privacy problems we encounter in normal reality, Callas said.
When millions of Americans learned in 2018 that political consulting company Cambridge Analytica had used personal data from Facebook to profile them, it helped secure the passage of a comprehensive consumer privacy law in California called CCPA. But except for Virginia and Colorado, most states still have no such legislation, and critics argue that Facebook and other companies have only ramped up and fine-tuned their data collection since.
Facebook spokeswoman Kristen Morea said the company has released four “responsible innovation principles” to guide its development of extended reality products “with ethics, privacy, safety, and security at the forefront.”
There are few limits on what information companies can collect, store and share about you. Investigations by The Washington Post and other publications have found companies sharing personal data such as your name, email and location with third parties without disclosing who those third parties are. Apps shoot off data about you while you cook, work and sleep — and even after you’ve asked them not to track you.
As our interactions with companies and their applications move from screens in our hands to headsets on our faces, the potential for invasive data collection grows, Callas said. VR itself isn’t a privacy concern, he noted, but it’s reasonable to feel concerned that a giant advertising company like Meta is positioning itself as a leader in the VR market.
Morea pointed to Meta’s $50 million investment in external programs and research she said will help the company build the metaverse safely, though the only listed partnership that explicitly mentions privacy is one with the National University of Singapore. Meta’s revenue totaled $86 billion in 2020.
Facebook parent company Meta is placing itself in charge
So far, Facebook hasn’t had unfettered access to your data. At least on smartphones, it has to play by the rules of the Apple App Store and Google Play Store. As privacy becomes a bigger marketing point for Apple, that’s seemingly caused problems for Facebook’s ad business: It ran campaigns against Apple’s decision to allow people to opt out of some ad tracking on their smartphones.
Facebook won’t want to make the same mistake again, says Rolf Illenberger, CEO of VRdirect, which makes software for VR and lists Nestle, Siemens and Porsche among its clients. That could be why Meta is building its own hardware and operating system for the metaverse.
“Mark Zuckerberg wants to make sure that in the new technology era, there’s no one between him and the customers,” he said.
Companies and employers could have unprecedented access to our brains and our homes
Current and previous generation Oculus devices don’t come with eye-tracking technology, but the forthcoming model, nicknamed Project Cambria, will be able to mirror your face and eye movements in VR, Meta’s Morea said.
Features like eye-tracking have plenty of benign applications, Callas said, like helping game developers determine which objects in the game need to be rendered in high definition and which can remain blurry in your peripheral vision.
Callas said it’s not hard to imagine a world in which Meta gives advertisers information on where our eyes are focused to help them better measure our attention, target us with ads and compel us to buy stuff.
Meta doesn’t currently collect eye-tracking data, Morea said, but the company won’t commit to not collecting and sharing it in the future.
With almost no limits on what data employers can gather about employees on the job, companies could also use eye-tracking and facial movements to determine whether we’re “paying enough attention” during virtual presentations at work, or even to try to measure our cognitive load during job interviews, Kavya Pearlman, CEO of Extended Reality Safety Initiative, said.
Microsoft, which is making its own virtual reality software, would not say whether it currently uses the tech to collect or share data from our bodies and whether it plans to do so in the future.
“At Microsoft, we believe data-driven insights are crucial to empowering people and organizations to achieve more,” Vasu Jakkal, corporate vice president of security, compliance and identity, said. “We’re deeply committed to the privacy of every person who uses our products.”
Additionally, it’s hard to know how easy it would be for law enforcement and government organizations to get their hands on this data. Right now, there are legal limitations on what data the government can collect, Callas explained, but few on what data it can buy.
Anand Agarawala, co-founder and CEO of Spatial, which makes an app where brands and artists can build virtual spaces, said eye-tracking in VR is similar to mouse movements on a desktop, which many companies already collect and use for advertising purposes. And some retailers track our movements as we move through physical stores. There’s certainly potential for companies to use data from VR to target us with ads, he noted, and no laws stopping them in most U.S. states — but the data generated by video of our homes and logs of our movements is so complex companies may not find it useful, he said.
Meta’s Morea said the company currently doesn’t use hand positions to serve ads or sponsored content, though it won’t commit to not doing so in the future. “We collect some movement data and certain physical features, such as your estimated hand size when you opt-in to hand tracking.”
Theoretical or not, VR headsets could provide a frightening pathway to biometric information previously inaccessible to companies, employers, law enforcement and the government, Pearlman and Callas said. And that includes any inferences drawn from that information, they noted. VR companies and their advertising partners could use the way we move our eyes, heads and arms to infer things about our personalities, health and habits, and use that information to market to us.
There are still ways to make this better
Governments could step in and regulate how much control Meta and other companies have over VR spaces and how they must treat our data, Pearlman said. Meta could also impose stricter limits on what data it can collect in its “metaverse,” what that data can be used for and who it can be shared with — and allow outside organizations to contribute to and audit that plan, she said.
The Extended Reality Safety Initiative has formed its own oversight panel and is planning to issue guidance to lawmakers on the privacy risks of VR, as well as guidance to companies on how to handle various privacy and cybersecurity concerns.
XRSI asked Andrew Bosworth, head of Meta’s Reality Labs VR development segment, to share details of its plans for data collection in the metaverse, Pearlman said. His team talked through its data plan, but refused to release the schema for her team to review.
“We believe it’s important that the metaverse is built safely. Data classification is a key element of that but it’s early days for understanding new types of data that may be generated by AR/VR across the industry,” Meta’s Morea said. She declined to comment further on the exchange between Bosworth and Pearlman.
Until the federal government steps in to regulate Meta more strictly, people should be wary of the company’s plans for Meta-controlled virtual reality, Callas said.
For McDannald, the CEO bringing workforces including her own into virtual copies of their physical offices, the privacy implications are noteworthy, but not novel.
The key, McDannald said, is that we can still opt out, at least for now.
“You can’t get locked in the metaverse. You can get out of the metaverse any time you like.”