Facebook's Metaverse: possible privacy and security issues

An interesting article by Christopher Boyd from the Malwarebytes November Newsletter concerning issues that could arise from some of Facebook's current and future projects.

Zuckerberg’s Metaverse, and the possible privacy and security concerns

Posted: November 2, 2021 by Christopher Boyd

The news is currently jam-packed with tales of Facebook’s Meta project. Of particular interest to me is Facebook’s long-stated desire to introduce adverts into the VR space, and what this may mean for Meta too. I’ve talked about the privacy and legal aspects of adverts in gaming and other tech activities many times down the years.

An advert in every home

Back in the Xbox 360 days, I explained how even in 2009 console dashboards were increasingly filled with adverts. A few years later I also highlighted how gamers resorted to using HOSTS files or OpenDNS to block advertisers from placing adverts onto the screen. Sure, they ended up with lots of black empty boxes but they felt it was preferable to the alternative.

Adverts and tracking in gaming has never gone away, and in many cases has only become worse. In 2017, I presented findings on what gamers could expect to see in many EULAs and privacy policies. I also covered, in detail, what kind of things you should expect with regards advertising in VR/AR platforms.

The Advergaming wilderness years

Things sort of fizzled out in VR/AR for advergaming for a few years. The technology has been there, but the big push has been around advertising in VR more generally. Advergaming is still pretty niche, and VR headsets always seem to be on the cusp of becoming the next big thing…but then not quite getting there.

What this realm has been crying out for, is a massive platform push. Step up to the plate, Facebook. Now with all new Meta.

A frosty Meta reception

The promotional material for Meta hasn’t had the best of receptions. There’s still a lot of things in there which simply don’t make sense, and provide no real indication of how it’s going to work. Even so, something VR/AR-centric is definitely going to be the end result, we just don’t know what specific form it’s going to take. But what we do know is that advertising will be a big part of it. Some of the basic ideas already thrown around suggest a gamification of reality, seen through the lens of Meta.

We’ve been down this privacy road before with Google Glass and other AR specs. What are some of the possible concerns and issues related to privacy and security in this new world of virtual augmented realities?

Avoiding the physical risks of VR

If you’re going to spend a lot more time in headsets, it pays to be mindful of your surroundings. There’s already been one VR death that we know of, and we don’t need any more. I’ve spent a fair amount of time with a headset on for advergaming research, and below are the rules I generally follow to keep myself safe. We don’t know what Meta will say in terms of physical security yet, but encouraging a big push into VR should probably be accompanied by suggestions similar to these:

  1. Some VR games require you to stand up, or move around. They’re quite physical. Others are fine to play sitting down, and you might use a mouse and keyboard or a controller. If you’re doing the latter, you won’t want to accidentally hit your screen. You’re not looking at it anyway, so consider turning it around so it faces away from you. If your layout doesn’t allow for this, you can often align the “front view” of the game (what you see, in other words) to be aligned in a different direction from the TV or monitor the PC is plugged into. So you’re still able to have yourself facing a different direction. Note that this will only work if you’re using a controller or wands. You can’t really sit at a right angle to your screen if you still need the mouse and keyboard.
  2. Wire safety is crucial. It’s incredibly easy to get your legs tangled up and then have a head/floor incident. Some people install overhead hooks to manage wires. Where this isn’t possible, cable ties are also handy. If all else fails, there are apps you can use which will show you if cords are tangling while in-game.
  3. Some platforms use “chaperone” modes. These map out the safe floorspace area while playing.
  4. I’ve seen many “Oh no, I bashed my toddler on the head with my wand” type posts down the years. There used to be no easy way to get the attention of someone in a headset without risking a bash from a flailing arm or leg. Thankfully there are safeguards which can be used. For example, the Steam “knock knock” feature.
  5. Orientation is another problem. I don’t remember where I got this tip from, but placing a fan next to wherever your TFT or TV is located means you’ll always know where everything in the room is related to your position. Finally, if you’re on carpet then put down a rubber mat or similar so you know where the safe zone is. If you’re on wood, then a few squares of carpet or a rug will do.

That’s the physical side of things covered, though there’s probably room for improvement. Now we move onto the digital concerns. Let’s start the ball rolling with what is probably the biggest problem for Facebook/Meta specifically:

Advertising in Facebook related VR realms just isn’t that popular

In June, we looked at what happened when Facebook announced it was going to do some advert testing in games. The title selected for this was something called Blaston. Although the adverts arguably stuck out badly from the game’s futuristic environment, the ad tracking side of things was pretty non-invasive. No movement data was used to determine ad success, no information was processed or stored locally, and conversation content was not recorded. Compared to the kind of deep-dive practices which happen on your desktop every time you open your browser, this is an incredibly light touch.

Despite this, the test didn’t seem to go very well. The developers were told by players “We don’t want this” and they decided not to do it anymore. Like many popular VR games, it’s a paid title and not a freebie. Ads in expensive console and PC games tend to get a rough time of things by default. It seems the same is true for VR titles. The fact that players on some VR platforms would see these ads as opposed to others pretty much sealed their fate.

There’s no easy way round this, and Facebook/Meta has a big hill to climb here.

Data breaches are still a thing even in VR land

Users of a pornography-based VR app were in the news back in 2018. Researchers found it was possible to view information including email addresses and device names for app users along with download details for anyone who’d paid using PayPal. Even though you’re interacting with a virtual or augmented world via headset or mobile, your data is still ending up somewhere other than the visor on your head.

It’s never been easier to pick up cheap DIY tools and get making some VR apps. We often wonder how much security work goes into cheap IoT devices and regular mobile apps, and the same thing applies to VR and AR. At this point, we simply don’t know what the future holds in this respect. If Meta allows for third party apps somewhere down the line, we need to know what security measures are in place to protect user data, and also screen for potentially malicious or insecure apps.

Augmented reality specs are on thin ice regarding privacy concerns

Look, we’ve been here before. People were so carried away with the idea of tiny digital lenses on their face that we soon ended up with lots of privacy invading overreach. Oh no, my fancy glasses are banned from public restrooms. Ah, this eatery won’t let me sit inside with other customers. Whoops, the local cinema has accused me of recording a movie and sent me to space prison.

And so on.

Any maker of AR glasses must surely be aware of the privacy furore just waiting to explode again the moment someone does something bad with their branded specs in the accompanying news stories.

Facebook seems to be conscious of the Glass issues years prior, but some of its solutions to these privacy issues are arguably a little bit lacking in solid details so far. Tying real world product functionality to be dependent on social media accounts generally is also risky. We need to see a lot more meat on the bone where addressing safety and privacy issues arising from AR glasses is concerned. Whoever manages to crack this problem will reap the benefits, but will they be able to pull it off in the first place?

The privacy concerns issue isn’t really helped by some of the commentary from Mark Zuckerberg himself. He commented that a “killer use case” for AR glasses is being able to do something the person you’re talking to is unaware of.


The Ten Laws of the Metaverse:

  1. Make as much money as possible
  2. Find ways to make even more money
  3. Do not let the users or clients get in the way of making money
  4. Whatever you do, do it invisibly (plausible deniability)
  5. If threatened, appear to be contrite and respectful. If that doesn’t work, create something that will give the appearance of a solution, but will not have actually done anything
  6. Do not take a step back unless the money is threatened
  7. If you have to take a step back, do so in a way that lets you take another step forward quickly
  8. If any other product looks like it may develop into a threat, take it over quickly
  9. Always expand until you are in charge of everything
  10. See rule one

:stuck_out_tongue_winking_eye: :rofl:


There possibly is 11,

  11. Collect as much data from anyone that uses any service, so that even more money can be made.

It's just another way to remove people from the real world and basically control everything they see and hear. The Metaverse is evil.

Inspired, :wink:
It’s just rules 2 and 9 added together.

“Find ways to make even more money + Always expand until you are in charge of everything”

I’ve a feeling some of the other rules add up to the same number. Ten is a more than adequate number of commandments for the MetaVerse.

Not the only Start-up seeking the ultimate authority.

If I join this religion, will I be afforded the protections provided under the religious discrimination bill?



Only if you wear a circuit board on your head.


FB unsurprisingly takes different positions on different topics much like a PM might. The positions are each designed to make themselves look as good as possible without diluting profits (or losing a vote).



Facebook Inc has since attempted to have the case against it effectively thrown out, arguing it does not carry out business or collect or hold personal information in Australia, so it cannot be sued under the country’s privacy laws.

The full bench of the federal court on Monday threw out the argument, describing parts of Facebook’s case as “divorced from reality”.

It found the social media giant’s installation of cookies on the physical devices of Australian users was enough to show it was carrying out business in Australia.

The interpretation of installation of a cookie on a physical device located in Australia might have implications for many other business models.

Is it worth repeating the view of the full bench concerning Facebook’s case as “divorced from reality”!


A FB prompt this morning. Interesting for USA users only, but instructive.


Very official looking (not) but dinkum.

We ‘turnips’ can worry about ourselves since nobody else (such as our privacy laws and so-called regulators) seems to.

At an individual’s level the amount of settlement will be almost a joke but it makes a point.