Metaverse security: How to learn the lessons from Internet 2.0 mistakes and build safe virtual worlds

As the building blocks of virtual worlds take shape, tech, business and government leaders need to take on trust, security and safety issues at the same time. Web 3.0 is a chance to shape these worlds based on lessons learned from mistakes from the past.

Meta’s Mark Zuckerberg talks about “the metaverse,” as if there will be only one virtual world to visit. The reality is that there are already several metaverse worlds open for business, and it’s not at all certain that one company will rule them all.

It’s crystal clear for James Arlen, CISO at database-as-a-service company Aiven, that building safe metaverse worlds is not a zero-sum game with only one winner and many losers. It’s much more a Nash’s equilibrium situation, which means each player has to consider the decisions of other players when setting his or her own strategy.

“If everybody loses a little bit, everybody wins,” he said. “It can be a model where everybody wins if we do things for each other.”

Tech and policy experts see several concerns to address as virtual worlds become more common:

• Fixing existing infrastructure problems
• Getting better at managing online identity
• Establishing a shared code of conduct
• Setting trust and safety policies for virtual worlds
• Determining who has the authority to enforce those policies

Tiffany Xingyu Wang, chief strategy and marketing officer at the content moderation company Spectrum Labs, said ensuring a safe environment will be a basic requirement for all virtual worlds.

“Trust and safety are critical to the survival and success of any metaverse,” she said. “4chan will happen in the metaverse if there are no guard rails.”

A persistent and continuous environment such as a metaverse could amplify the frequency and intensity for harassment, according to Wang.

“With Facebook, you close your laptop or the app to leave, and it’s not like you’re constantly there,” she said. “The metaverse is immersive and multisensory, which makes the impact much bigger. The lead time to toxicity is much shorter.”

In addition to setting basic rules of conduct, virtual worlds will need laws to govern financial transactions and legal issues such as intellectual property rights. Navrina Singh, the CEO and co-founder of Credo AI, said that governance issues must be solved in the real world now to keep consumers safe in the metaverse.

“By diving into the metaverse head first with a lack of AI oversight, enterprises put their customers at risk for challenges like identity theft and fraud,” Singh said.

Ahmer Inam, chief AI officer at PacTera Edge, also thinks that the metaverse needs a governing and regulatory framework.

“You would hope that enterprises can self-govern but that has not really proven out, so these rules would have to be enforced and mandated by the public sector,” he said. “The entities that monetize on engagement so far have not truly shown a sense of social responsibility about the impact of this technology.”

These are only a few of the issues tech leaders and government officials need to address to start building the metaverse with more security and stronger codes of conduct than what we’ve got with Web 2.0. Here’s a look at what it would take to solve persistent technology problems, address new ones and establish rules of the virtual road now before the accidents start.

Building on shaky foundations

Arlen sees the recent talk about the metaverse as an “everything old is new again” situation. Layering a new UI over existing infrastructure brings with it all the strengths and weaknesses of those familiar building blocks. Aiven is a database-as-a-service platform that provides access to established and emerging database technologies for new and established companies.

“When you venture into this new user interface, the stuff underneath is still servers and data centers,” he said. “And when you think about the implications of reskinning stuff that is already known to be crappy… .”

Virtual worlds add another layer of abstraction to the experience of technology, which means losing some of the context for the lower layers, Arlen said.

He also sees trouble with the idea of authenticity for individuals and how authenticity and authentication glue together in virtual worlds.

“We know today we are bad at federated identity, and we’re really bad at good, high-quality authentication,” he said. “Look at how we currently lack a meaningful way to cryptographically prove that my ID on LinkedIn and Twitter and Facebook are the same human.”

The flip side of that coin is the issue of anonymity and safety, for people who may be targeted if they have to use their real identity online, such as dissidents and social justice activists.

“Now we are down to the real name policy,” he said. “All of these things tangle with each other in weird ways.”

Just layering a different UI over existing technology is not the problem, he said, instead it’s the implications that matter.

“Super salient point is that we can’t predict what this is going to do to us until after we’ve done it,” he said.

Identifying the risks

Any metaverse faces two basic sets of security problems:

1. Familiar challenges technologists have been dealing with for decades
2. Brand new ones built specifically for a metaverse setting

Some of the security risks in the metaverse and cryptocurrency are familiar ones involving fake identities and false promises. Bad actors sell NFTs and then disappear with the profits before minting anything or they inflate the value of a coin and then cash out their shares. These rug-pull scams accounted for a large share of the $361 million lost to decentralized finance hacks in the first half of 2021.

Then there are problems unique to virtual worlds:

Cisco Talos researchers Nick Biasini, global lead of Cisco Talos Outreach, and Jaeson Schultz, a technical leader at Cisco Systems, said that the biggest problem in both cases is that there is no recourse if a person gets swindled in a virtual world.

“There are only a few places where you can lose $1 million and not be able to do anything about it,” Biasini said.

Schultz said another problem is defending intellectual property.

“People are minting NFT images of characters that are not their intellectual property,” he said.

“Irrational gold rush fever” is also driving a lot of the scams particularly with NFTs, Schultz said. “You have a huge amount of people who have FOMO with cryptocurrency, and they’re jumping in with everything they’ve got.”

Establishing a shared set of rules

Both Cisco Talos security experts agreed that securing virtual worlds will require collaboration between corporations and governments. At the moment, there is no single metaverse. There are many virtual worlds in all shapes and sizes and access mechanisms. Interoperability will be an issue across these virtual worlds, which will work best with a shared code of conduct as well.

“We’re going to need these companies to work together to create some sort of standard across these worlds,” Biasini said.

“The struggle today is: Are we going to have Facebook operating in god mode and running the show, or are we going to have a truly democratic shared metaverse where everybody has equal opportunity?” Schultz said.

Biasini said there will be ongoing concerns around acquisitions as well.

“It’s entirely possible to have someone like Facebook build one metaverse and then buy some of the smaller ones and bring them in,” he said.

Schultz said metaverse managers could use some of the techniques from the early days of email.

“You could keep track of the people who are bad actors and build block lists to exclude them from our networks,” he said.

The public nature of blockchain transactions offers another way to identify bad actors and put pressure on legitimate actors to ban criminals.

“Ultimately the criminals have to cash out somewhere, and law enforcement can follow the money from these wallets and track people who commit crimes,” Schultz said.

The idea of building domain authority also applies to cryptowallets. Wallets that are 10 minutes old as opposed to five years old will be treated very skeptically, similar to suspicions about newly created domains.

“You will want a provenance for the wallets you accept into your world,” Biasini said. “Newness will not help you in any way.

Biasini also expects more traditional controls to expand to metaverse transactions as well.

“If you’re going to move 10,000 in crypto, people are already talking about taking down names and other information, just like we do with fiat money,” he said.