Imagine for a moment that you wanted to spend time in what Meta solipsistically calls the metaverse, a keiretsu of interactive cartoon panoramas powered by commercial surveillance and payment persuasion.
That’s no small ask, particularly for those who recoil at the cynical rent-seeking foundation supporting virtual reality or if you’re old enough to recall the unfulfilled hype of 3D worlds and avatars two decades ago when Second Life sold Snowcrash’s dystopia as a social and commercial revolution.
But perhaps you want to see for yourself what possessed Meta to invest $10 billion last year and billions more this year to create a walled garden that’s been described as “eye-gougingly ugly” and “a computer game developed in 1997.” (Spoiler: It was Apple’s kneecapping of its ad business and privacy regulation, but don’t let that deter your VR tour.)
The metaverse is, generally speaking, supposed to be a collection of customized interconnected and immersive virtual-reality worlds in which people shop, work, and play. This is what Meta CEO Mark Zuckerberg has spent the GDP of a minor nation on so far for his internet empire’s implementation:
Looks great! pic.twitter.com/aFFcvLv4ES
— james hennessy (@jrhennessy) August 16, 2022
Vivek Nair (UC Berkeley), Gonzalo Munilla Garrido (Technical University of Munich), and Dawn Song (UC Berkeley) allow that virtual reality, telepresence applications, and whatever is meant by the metaverse aspire to become the next major mode of interaction on the internet. And they have warned about the privacy implications of goggled collective conferencing.
Not only that but the researchers have proposed a defense against the dork arts, MetaGuard.
In a paper distributed via ArXiv, the trio describe MetaGuard as “incognito mode” for VR.
That undersells MetaGuard significantly. Incognito mode is widely misunderstood because its name makes a promise the technology doesn’t keep, just like Tesla’s Autopilot or Full Self-Driving technology that at best are assistive tools and aren’t capable of sustained automated driving.
Incognito mode is a browser privacy option that prevents browsing activity from being stored locally, within the browsing client. It does not prevent browsing activity from being stored on the web server being visited, though it does somewhat segregate browsing sessions so they’re not directly associated via cookies over time. Incognito mode does not hide identifying information from the websites you visit; it’s not an anonymity tool like Tor.
Our ‘incognito mode’ defenses aim to prevent adversaries from tracking VR users across sessions in the metaverse
MetaGuard aspires to be something more like AdNauseum, a web data obfuscation extension, for the metaverse. That name is not as much of a political statement, though.
In their previous paper, “Exploring the Unprecedented Privacy Risks of the Metaverse,” Nair, Munilla Garrido, and Song explored the expansive set of personal data available to metaverse companies. This includes anthropometric (eg reaction time), environmental (eg geolocation), technical (eg device model), demographic, and identity data, all flowing into metaverse providers and those wired into the VR worlds. It’s a broader set of stats than would be available to a web-based adversary.
The researchers’ latest publication, “Going Incognito in the Metaverse,” offers a possible defense against metaverse surveillance. MetaGuard in its initial form is an open source C# plug-in for the Unity game engine, which is widely used for authoring VR content.
“Our ‘incognito mode’ defenses aim to prevent adversaries from tracking VR users across sessions in the metaverse,” their paper explains. “In practice, this means limiting the number of data attributes adversaries can reliably harvest from users and use to infer their identity .”
In an email to The RegisterNair said the “incognito mode” framing was used because it’s familiar to internet users.
“The ultimate goal of MetaGuard is the same as incognito mode on the web: to prevent users from being tracked from one session to another,” he explained. “Even on the web, private browsing does change the network requests between the client and server; in particular, it changes which cookies are attached to outgoing requests as HTTP headers.”
“But … MetaGuard goes a step beyond incognito mode to modify the contents of data sent to the server, rather than just the headers. So MetaGuard is ‘incognito mode for VR’ in that it serves the same fundamental purpose and is just as easy to use, but the mechanism of action is indeed quite different in order to account for the very different threats faced in VR.”
Under the hood
MetaGuard relies on a technique called Differential Privacy, which was designed to allow people to share their data for statistical analysis in a way that prevents those people from being re-identified using that data. For MetaGuard, that means injecting just enough noise into collected metrics to prevent the information from being linked to the person who generated it.
A metaverse participant’s voice pitch, for example, might be recorded as being as much as 85 Hz lower or 255 Hz higher than the actual measured frequency. And the extent of the variation would be set by the desired privacy level: low, medium, or high. Or this person’s geo-coordinates might be altered by as much as 400-500 kilometers.
“It has the potential to significantly improve the privacy of VR users, with our experiments showing an over 90 percent reduction in attack accuracy for several private data attributes, and a 95 percent reduction in deanonymization of users,” said Nair.
The MetaGuard paper observes that its use of adversarial terminology to describe metaverse data gathering may not align with the popular perception of immersive entertainment as a jolly, carefree place.
“Despite using the terms ‘attacker,’ and ‘adversary’ throughout our writing, it’s likely that such actions would in practice be entirely above board, with users agreeing (knowingly or otherwise) to have their data collected,” the researchers explain. ” It is thus more important than ever to give users the ability to protect their data through purely technological means, independent of any warranted data privacy regulations, and to do so in a way that is as easy to use as the privacy tools they have become accustomed to using on the web.”
While it may be more important than ever to provide VR visitors with privacy protection, that possibility now looks less likely than it did when the MetaGuard project began.
Some companies have already begun moving to block this from being a possibility
“Unfortunately, some companies have already begun moving to block this from being a possibility,” explained Nair.
In mid-July, the researchers disclosed their findings about VR privacy and their work on MetaGuard to the VRChat community.
“VRChat is one of the largest metaverse applications and we wanted to give them time to respond to our privacy concerns before going public,” said Nair. “We shared our source code for our prototype MetaGuard plugin for VRChat with them at that time.
“Just a few days later, VRChat announced its decision to ban all client mods from the platform and use DRM tools to make modding impossible,” said Nair. “Therefore, VRChat is now one of the few major applications where MetaGuard cannot be used. “
Nair expressed concern that if more platforms follow VRChat’s lead, it could make it more difficult for those who simply must partake to assert their preference for privacy.
“Cincidentally, VRChat has its own premium subscription that includes trust and safety features,” he added. “I’m worried that there could be a pay-for-privacy precedent being set, and think that banning the use of tools like MetaGuard is a step in the wrong direction.” ®