Globally, our increasing online presence – and the rising interest in the metaverse – renders cybersecurity as important as ever. More people are using the Internet than ever before: the number of Internet users has grown from 413 million in 2000 to more than 3.4 billion in 2016. Yet, as the Internet becomes normalized, more new ideas continue to emerge. One popular concept is that of the “metaverse.”
The Wall Street Journal describes the metaverse as “an online world where individuals can participate in immersive experiences like virtual concerts, purchase digital goods and hang out with each other as avatars.” In short, the metaverse is an online version of the real world. While the idea of the metaverse has been around for a while, the term has recently entered the common lexicon as a result of Facebook’s rebranding to “Meta.”
Yet, unlike the real world, which has national borders, governments, and concepts of sovereignty and jurisdiction, the metaverse is a private enterprise. While in theory, no single company will control this virtual reality, questions remain about who is responsible for this all-encompassing platform. Importantly, who collects all of the data that users will upload – consciously or subconsciously – about themselves? In the real world, we have governments to establish and publicize regulations about data protection. In the metaverse, we have private companies that follow no formal social contract.
Moreover, governments are already far behind on establishing regulations for the digital arena. Even in the real world, companies are failing to protect user data adequately. The recent hearings by Facebook whistleblower Frances Haugen come to mind, as do the hundreds of other security breaches we hear about on a daily basis. Cybersecurity is particularly troubling when it comes to defrauding the government – the entity that owns so much of our data.
Government agencies are doing what they can to respond. The DoJ recently launched the Civil Cyber-Fraud Initiative, meant to enforce the False Claims Act against government contractors who do not adhere to cybersecurity standards. In addition, the S.E.C. has already launched a number of investigations against companies that lie to their investors about the level of data protection they offer to consumers. Even so, cybersecurity fraud remains a growing area of concern.
Part of the challenge in regulating privacy and cybersecurity arises from questions of jurisdiction. The mandate of the S.E.C. revolves around the “protection of the investing public.” This financial focus makes it difficult for the agency to address an issue like privacy violations. While the company under scrutiny may be public – and thus subject to S.E.C. regulations – there is no clear path of intervention if the company is not also engaging in investor fraud. Howard Fischer, a former trial lawyer for the S.E.C., mentioned this challenge in the context of Facebook’s recent conduct regarding user privacy. “The argument that Facebook prioritized profits isn’t convincing, because that’s what companies do,” Fischer told the New York Times. He added that it would be “hard to see a clear case.” Another former S.E.C. official – David Rosenfeld – has also commented on the agency’s capability to regulate Facebook’s privacy issues. “Traditionally, this is not the kind of thing the SEC would be looking at,” Rosenfeld said to the Wall Street Journal.
In spite of this, as we have seen in the tobacco and finance industries, a company’s goodwill is limited, and serious reputational harm has always had the ability to derail a company’s long-term financial health. In the past, society has drawn lines at youth smoking or vaping and fake bank accounts. As the metaverse grows, privacy will likely act as the same type of catalyst. When faced with the choice of a more tailored, or “targeted,” experience and privacy, internet users are already showing that they overwhelmingly prefer privacy. Since Apple’s release of iOS 14.5 and its AppTrackingTransparency (ATT) policy, Verizon Media’s Flurry Analytics has found that only about 15% of users choose to allow tracking. This has already caused companies like Snap tangible financial harm. This conflict between users who expect greater privacy and companies whose finances depend on accessible user data will only grow with time, as the metaverse promises cybersecurity and privacy risks above and beyond today’s challenges. We could see one company owning data about the virtual workouts you like, the virtual concerts you attend, the virtual meetings you take part in, and the virtual friends you meet. As society evolves and adapts to the metaverse, standards for corporate behavior will also emerge. Once that happens, government enforcement often lurks right around the corner for those who fail to meet what is certain to be a more restrictive corporate advertising standard.
In that context, it is increasingly critical for employees at these companies to speak up when they see data breaches. Sanford Heisler Sharp is experienced in representing whistleblowers in a range of matters, and will continue to advocate for whistleblowers even as the nature and scale of fraud evolves.