The above article titled “New Research suggests that Privacy in the metaverse might be impossible” is an interesting information that suggests how “Motion data” can be analyzed with AI to identify the avatars on a Meta Verse site.
The study suggests that after analyzing more than 2.5 million VR data recordings from more than 50000 players of “Beat Saber app” it was found that individual users could be uniquely identified with more than 94% accuracy using only 100 seconds of motion data. Nearly 50% of the users were identified within 2 secs of motion data using innovative AI techniques using only three spatial points for each user tracked over a time.
While the findings of the study may be accepted as correct, it still requires the acquisition of motion data over a period of time which only the platform owner may be able to do or some body who is stalking the Meta Verse avatar with a sophisticated software.
However, I donot think this is some thing to be surprised about. Every pseudonymisation or Anonymisation is like encryption. It is done with some degree of efficiency which can always be beaten by use of the right kind of effort and technology.
While the study itself suggests some technology measures, perhaps some measures can be used to pseudonymize the motion data itself by introducing a modification of the real motion data.
What we can however recognize is that “attempting” identification of pseudonymization data whether successful or otherwise is an offence under ITA 2000 (Section 66) and is also a contravention of Section 43. Presently the victim can claim compensation through an adjudication system and also initiate prosecution by the Police for a 3 year imprisonment. The offence is cognizable.
Under Section 66, “Diminishing the Value of Information residing inside a computer resource” is an offence. A Pseudonymized avatar is an electronic information whose value will be diminished on identification. Hence such an activity becomes an offence under Section 66 and Section 43….Naavi
Every Metaverse platform is an “Intermediary” under ITA 200 and even if they are established outside the country, they are bound by the laws of India.
While I cannot comment on the effectiveness of any law enforcement measure to bring foreign websites under Indian law compliance other than blocking them from India, law has the necessary provision.
Hopefully Privacy Protection can only go thus far and no further. But if it is possible to use “VR pseudonymization” at the control of the user, then it is possible to provide better Privacy protection.
It may surprise many to know that Indian law in the form of ITA 2000 has a solution even for this. Under the current provisions of the law, the MeitY can notify a “Due Diligence” requirement that can force the Meta Verse platform to introduce an effective “Avatar Creation” which includes pseudonymization of the motion data.
If MeitY can recognize this, perhaps it can issue a notification similar to what has already been issued for Cyber Cafes and Matrimonial Websites.