blog.malwarebytes.com Open in urlscan Pro
130.211.198.3  Public Scan

Form analysis
3 forms found in the DOM

<form><span class="fieldset">
    <p><input type="checkbox" value="check" id="chkMain" checked="checked" class="legacy-group-status optanon-status-checkbox"><label for="chkMain">Active</label></p>
  </span></form>

GET

<form id="search-form" onsubmit="submitSearchrightrail(event)" method="get">
  <div class="searchbar-wrap-rightrail">
    <label for="cta-labs-rightrail-search-submit-en" aria-label="cta-labs-rightrail-search-submit-en" aria-labelledby="cta-labs-rightrail-search-submit-en">
      <input type="text" id="st-search-input-rightrail" class="st-search-input-rightrail" placeholder="Search Labs">
    </label>
    <button type="submit" id="cta-labs-rightrail-search-submit-en" aria-label="Submit your search query"><span class=""><img src="https://blog.malwarebytes.com/wp-content/themes/mb-labs-theme/images/search.svg" alt="Magnifying glass"></span>
    </button>
  </div>
</form>

//www.malwarebytes.com/newsletter/

<form class="newsletter-form form-inline" action="//www.malwarebytes.com/newsletter/" _lpchecked="1">
  <div class="email-input">
    <label for="cta-footer-newsletter-input-email-en" aria-label="cta-footer-newsletter-input-email-en" aria-labelledby="cta-footer-newsletter-input-email-en">
      <input type="text" class="email-input-field" id="cta-footer-newsletter-input-email-en" name="email" placeholder="Email address">
    </label>
    <input name="source" type="hidden" value="">
    <input type="submit" class="submit-bttn" id="cta-footer-newsletter-subscribe-email-en" value="">
  </div>
</form>

Text Content

Who doesn't like cookies?

We use cookies to help us enhance your online experience. If that sounds good,
click “Accept All Cookies” or review our Privacy and Cookie Policy.


Close
Accept All Cookies


 * Your Privacy

 * Strictly Necessary Cookies

 * Performance Cookies

 * Functional Cookies

 * Targeting Cookies

 * More Information

Privacy Preference Center

Active

Always Active



Save Settings

Allow All

The official Malwarebytes logo The official Malwarebytes logo in a blue font B

We research. You level up.

       
Personal
Personal
 * Security & Antivirus
 * Malwarebytes for Windows
 * Malwarebytes for Mac
 * Malwarebytes for Chromebook
 * Malwarebytes Browser Guard
 * Overview

 * Security & Antivirus for Mobile
 * Malwarebytes for Android
 * Malwarebytes for iOS
 * Online Privacy
 * Malwarebytes Privacy VPN

 * Get Started
 * Explore all Personal Products
 * Explore Pricing

 * FREE TRIAL OF MALWAREBYTES PREMIUM
   
   Protect your devices, your data, and your privacy—at home or on the go.
   
   Get free trial

Business
Business
   Solutions
 * BY COMPANY SIZE
 * Small Business
    1-99 Employees 
 * Mid-size Businesses
    100-999 Employees
 * Large Enterprise
    1000+ Empoyees
 * BY INDUSTRY
 * Education
 * Finance
 * Healthcare

   Products
 * NEXT-GEN ANTIVIRUS FOR SMALL BUSINESSES
 * For Teams
 * ENTERPRISE-CLASS PROTECTION, DETECTION, AND REMEDIATION
 * Endpoint Protection
 * Endpoint Detection & Response
 * Incident Response
 * Remediation for CrowdStrike®
 * ADVANCED SERVER PROTECTION
 * Endpoint Protection for Servers
 * Endpoint Detection & Response for Servers
 * CLOUD-BASED SECURITY MANAGEMENT AND SERVICES PLATFORM
 * Nebula

 * Get Started
 *  * Find the right solution for your business
    * See business pricing
   
   --------------------------------------------------------------------------------
   
    * Don't know where to start?
    * Help me choose a product
   
   --------------------------------------------------------------------------------
   
    * See what Malwarebytes can do for you
    * Get a free trial
   
   --------------------------------------------------------------------------------
   
    * Our team is ready to help. Call us now
    * +1-800-520-2796

Pricing
Partners
Partners
 * Explore Partnerships

 * Partner Solutions
 * Resellers
 * Managed Service Providers
 * Computer Repair
 * Technology Partners

 * Partner Success Story
 * Marek Drummond
   Managing Director at Optimus Systems
   
   "Thanks to the Malwarebytes MSP program, we have this high-quality product in
   our stack. It’s a great addition, and I have confidence that customers’
   systems are protected."

 * See full story

Resources
Resources
 * Learn About Cybersecurity
 * Antivirus
 * Malware
 * Ransomware
 * See all
 * Malwarebytes Labs
 * Explore

 * Business Resources
 * Reviews
 * Analyst Reports
 * Case Studies
 * See all
 * Press & News
 * Learn more

 * Events
 * 
   
   
   
   Featured Event: RSA 2021

 * See Event

Support
Support
 * Technical Support
 * Support
 * Premium Services
 * Forums
 * Vulnerability Disclosure

 * Training for Personal Products
 * Training for Business Products

 * Featured Content
 * 
   
   
   
   Activate Malwarebytes Privacy on Windows device.

 * See Content

FREE TRIAL
CONTACT US
COMPANY
Company
 * About Malwarebytes
 * Careers
 * News & Press

SIGN IN
Sign In
 * My Account
 * Cloud Console
 * Partner Portal

SUBSCRIBE


Save 25% today on your first year of EP or EDR - See offer

Privacy


ZUCKERBERG’S METAVERSE, AND THE POSSIBLE PRIVACY AND SECURITY CONCERNS

Posted: November 2, 2021 by Christopher Boyd

We deep-dive into the possible privacy and security issues which may arise from
the future launch of Facebook's Meta project.

The news is currently jam-packed with tales of Facebook’s Meta project. Of
particular interest to me is Facebook’s long-stated desire to introduce adverts
into the VR space, and what this may mean for Meta too. I’ve talked about the
privacy and legal aspects of adverts in gaming and other tech activities many
times down the years.


AN ADVERT IN EVERY HOME

Back in the Xbox 360 days, I explained how even in 2009 console dashboards were
increasingly filled with adverts. A few years later I also highlighted how
gamers resorted to using HOSTS files or OpenDNS to block advertisers from
placing adverts onto the screen. Sure, they ended up with lots of black empty
boxes but they felt it was preferable to the alternative.

Adverts and tracking in gaming has never gone away, and in many cases has only
become worse. In 2017, I presented findings on what gamers could expect to see
in many EULAs and privacy policies. I also covered, in detail, what kind of
things you should expect with regards advertising in VR/AR platforms.


THE ADVERGAMING WILDERNESS YEARS

Things sort of fizzled out in VR/AR for advergaming for a few years. The
technology has been there, but the big push has been around advertising in VR
more generally. Advergaming is still pretty niche, and VR headsets always seem
to be on the cusp of becoming the next big thing…but then not quite getting
there.

What this realm has been crying out for, is a massive platform push. Step up to
the plate, Facebook. Now with all new Meta.


A FROSTY META RECEPTION

The promotional material for Meta hasn’t had the best of receptions. There’s
still a lot of things in there which simply don’t make sense, and provide no
real indication of how it’s going to work. Even so, something VR/AR-centric is
definitely going to be the end result, we just don’t know what specific form
it’s going to take. But what we do know is that advertising will be a big part
of it. Some of the basic ideas already thrown around suggest a gamification of
reality, seen through the lens of Meta.

We’ve been down this privacy road before with Google Glass and other AR specs.
What are some of the possible concerns and issues related to privacy and
security in this new world of virtual augmented realities?


AVOIDING THE PHYSICAL RISKS OF VR

If you’re going to spend a lot more time in headsets, it pays to be mindful of
your surroundings. There’s already been one VR death that we know of, and we
don’t need any more. I’ve spent a fair amount of time with a headset on for
advergaming research, and below are the rules I generally follow to keep myself
safe. We don’t know what Meta will say in terms of physical security yet, but
encouraging a big push into VR should probably be accompanied by suggestions
similar to these:

 1. Some VR games require you to stand up, or move around. They’re quite
    physical. Others are fine to play sitting down, and you might use a mouse
    and keyboard or a controller. If you’re doing the latter, you won’t want to
    accidentally hit your screen. You’re not looking at it anyway, so consider
    turning it around so it faces away from you. If your layout doesn’t allow
    for this, you can often align the “front view” of the game (what you see, in
    other words) to be aligned in a different direction from the TV or monitor
    the PC is plugged into. So you’re still able to have yourself facing a
    different direction. Note that this will only work if you’re using a
    controller or wands. You can’t really sit at a right angle to your screen if
    you still need the mouse and keyboard.
 2. Wire safety is crucial. It’s incredibly easy to get your legs tangled up and
    then have a head/floor incident. Some people install overhead hooks to
    manage wires. Where this isn’t possible, cable ties are also handy. If all
    else fails, there are apps you can use which will show you if cords are
    tangling while in-game.
 3. Some platforms use “chaperone” modes. These map out the safe floorspace area
    while playing.
 4. I’ve seen many “Oh no, I bashed my toddler on the head with my wand” type
    posts down the years. There used to be no easy way to get the attention of
    someone in a headset without risking a bash from a flailing arm or leg.
    Thankfully there are safeguards which can be used. For example, the Steam
    “knock knock” feature.
 5. Orientation is another problem. I don’t remember where I got this tip from,
    but placing a fan next to wherever your TFT or TV is located means you’ll
    always know where everything in the room is related to your position.
    Finally, if you’re on carpet then put down a rubber mat or similar so you
    know where the safe zone is. If you’re on wood, then a few squares of carpet
    or a rug will do.

That’s the physical side of things covered, though there’s probably room for
improvement. Now we move onto the digital concerns. Let’s start the ball rolling
with what is probably the biggest problem for Facebook/Meta specifically:


ADVERTISING IN FACEBOOK RELATED VR REALMS JUST ISN’T THAT POPULAR

In June, we looked at what happened when Facebook announced it was going to do
some advert testing in games. The title selected for this was something called
Blaston. Although the adverts arguably stuck out badly from the game’s
futuristic environment, the ad tracking side of things was pretty non-invasive.
No movement data was used to determine ad success, no information was processed
or stored locally, and conversation content was not recorded. Compared to the
kind of deep-dive practices which happen on your desktop every time you open
your browser, this is an incredibly light touch.

Despite this, the test didn’t seem to go very well. The developers were told by
players “We don’t want this” and they decided not to do it anymore. Like many
popular VR games, it’s a paid title and not a freebie. Ads in expensive console
and PC games tend to get a rough time of things by default. It seems the same is
true for VR titles. The fact that players on some VR platforms would see these
ads as opposed to others pretty much sealed their fate.

There’s no easy way round this, and Facebook/Meta has a big hill to climb here.


DATA BREACHES ARE STILL A THING EVEN IN VR LAND

Users of a pornography-based VR app were in the news back in 2018. Researchers
found it was possible to view information including email addresses and device
names for app users along with download details for anyone who’d paid using
PayPal. Even though you’re interacting with a virtual or augmented world via
headset or mobile, your data is still ending up somewhere other than the visor
on your head.

It’s never been easier to pick up cheap DIY tools and get making some VR apps.
We often wonder how much security work goes into cheap IoT devices and regular
mobile apps, and the same thing applies to VR and AR. At this point, we simply
don’t know what the future holds in this respect. If Meta allows for third party
apps somewhere down the line, we need to know what security measures are in
place to protect user data, and also screen for potentially malicious or
insecure apps.


AUGMENTED REALITY SPECS ARE ON THIN ICE REGARDING PRIVACY CONCERNS

Look, we’ve been here before. People were so carried away with the idea of tiny
digital lenses on their face that we soon ended up with lots of privacy invading
overreach. Oh no, my fancy glasses are banned from public restrooms. Ah, this
eatery won’t let me sit inside with other customers. Whoops, the local cinema
has accused me of recording a movie and sent me to space prison.

And so on.

Any maker of AR glasses must surely be aware of the privacy furore just waiting
to explode again the moment someone does something bad with their branded specs
in the accompanying news stories.

Facebook seems to be conscious of the Glass issues years prior, but some of its
solutions to these privacy issues are arguably a little bit lacking in solid
details so far. Tying real world product functionality to be dependent on social
media accounts generally is also risky. We need to see a lot more meat on the
bone where addressing safety and privacy issues arising from AR glasses is
concerned. Whoever manages to crack this problem will reap the benefits, but
will they be able to pull it off in the first place?

The privacy concerns issue isn’t really helped by some of the commentary from
Mark Zuckerberg himself. He commented that a “killer use case” for AR glasses is
being able to do something the person you’re talking to is unaware of.



We’re in a time where privacy focused people have seen years of awful tech
practices. At this current moment, we’re all waiting for the next privacy
fallout from a data breach. With the myriad ways bad people can abuse people
through technology placed in their homes, the stakes for real/digital crossovers
have never been higher.

And then, in all of this, we have the man at the forefront of a new, unreleased
real/virtual crossover normalising a (mildly) deceptive use of technology
towards people unaware that it’s happening.

This seems like a bad idea.


DON’T MAKE IT EASY FOR CRIMINALS

Another selling point of Meta is being able to reproduce your home inside the VR
space. This sounds cool, but there’s already plenty of VR apps and desktop-based
programs you can do this in already. Yes, I made my home in Fallout 4. Yes, I
blew it up shortly afterwards.

The difference is, the only person able to see it before it went kaboom was me.

There’s almost certainly going to be a social dimension to Meta’s home building.
Friends will want to come and hang out at your (digital) place, right?

Where this could be a cause for concern is privacy settings. We need to make
sure people are able to make their homes private, or inaccessible to strangers.
I’ve seen similar situations in games where your home can be opened to the
public. Sometimes you can port accessibility restrictions from house to house.
Other times, homes or apartments are listed in public databases in-game and
you’re free to visit wherever you want.

VR and AR allows for a lot more realistic homebuilding in digital spaces. There
are furniture store apps which allow you to use AR and place items in your home
to see if it fits the space intended for it. Could we see people scanning
portions of their home and inserting it into Meta spaces? How about accurate
replicas of rooms and their furniture?

The danger is we’ll be making scale models which could be used for any dubious
purpose you care to mention. What if you’re able to make the outside of your
home resemble the real thing too? Why stop at your home, when you can port in
the whole street via public map databases?

Now you have a proper digital replica of your everyday life which strangers can
visit. They can use this data and OSINT (open source intelligence) to figure out
where you live. A dubious character might keep an eye on your social media feeds
till you say you’re on holiday for 2 weeks. At that point, you might have your
first burglary using VR as a launchpad…and an incredibly accurate floorplan of
your home for reference while doing it.


MAKING META MOUNTAINS OUT OF MOLEHILLS?

This is all wild speculation, but it’s very easy to see a way several unrelated
aspects of VR/AR could unintentionally help people up to no good. If the right
privacy tools don’t exist, if users aren’t given warnings as to why doing x or y
in VR isn’t safe, it could be bad. A senior lecturer in digital cultures
recently said “Facebook’s VR push is about data, not gaming”. I’d have to
respectfully disagree.

All of the proposed coolest looking features seen so far are indeed all about
gaming. If it isn’t Force ghost chessplayers, it’s Force ghost fencing battles.
Wanting to make your own home digital and show it off is gamifying the
experience. You can’t get any more gamey than oft-frustrated attempts to jam
adverts into popular video game titles.

The games are absolutely the hook, and the way in, to vast quantities of data.
Regardless of which direction Meta goes in with this, it’s up to the people
wearing the headsets and glasses to be comfortable with their choices and be
aware of the privacy perils of VR and AR.

It’s a whole new digital world out there.


RELATED

SHARE THIS ARTICLE

--------------------------------------------------------------------------------

COMMENTS



--------------------------------------------------------------------------------

RELATED ARTICLES

Privacy


IS IT GAME OVER FOR VR ADVERGAMING?

June 28, 2021 - An ad trial in paid-for VR game Blaston has... not go well. Is
it a temporary setback, or has Advergaming met its end-of-level boss?

CONTINUE READING0 Comments

Conferences | Security world


EXPLORING THE VIRTUAL WORLDS OF ADVERGAMING

May 17, 2018 - With a spot of tracking-related controversy ruffling feathers in
gaming circles, now is a good time to become familiar with some of the
advertising methods used for, and in, video games. Ladies and gents, welcome to
advergaming.

CONTINUE READING0 Comments

--------------------------------------------------------------------------------

ABOUT THE AUTHOR

Christopher Boyd
Lead Malware Intelligence Analyst

Former Director of Research at FaceTime Security Labs. He has a very particular
set of skills. Skills that make him a nightmare for threats like you.


Contributors


Threat Center


Podcast


Glossary


Scams


Write for Labs

CYBERSECURITY INFO YOU CAN'T DO WITHOUT

Want to stay informed on the latest news in cybersecurity? Sign up for our
newsletter and learn how to protect your computer from threats.



Imagine a world without malware. We do.

FOR PERSONAL

FOR BUSINESS

COMPANY

ABOUT US

CAREERS

NEWS AND PRESS

MY ACCOUNT

SIGN IN

CONTACT US

GET SUPPORT

CONTACT SALES

3979 Freedom Circle, 12th Floor
Santa Clara, CA 95054
One Albert Quay, 2nd Floor
Cork T12 X8N6
Ireland

   English
Legal
Privacy
Accessibility
Terms of Service


© 2021 All Rights Reserved

Select your language

 * English
 * Deutsch
 * Español
 * Français
 * Italiano
 * Português (Portugal)
 * Português (Brasil)
 * Nederlands
 * Polski
 * Pусский
 * 日本語
 * Svenska

Cybersecurity basics

Your intro to everything relating to cyberthreats, and how to stop them.