Regulating the Metaverse: What should we do to protect data sovereignty?

As we enter the metaverse, what happens to our data? How are we going to protect data sovereignty? These are the questions on everyone’s mind ever since Facebook renamed itself “Meta”.

According to the data privacy startup ‘Mine’, an average consumer’s personal data is held by 350 different brands, and 32% of the data in people’s digital footprints didn’t even require users to open an account. You will be shocked to see the size of your digital footprint!

Now, the question is, do we want the same thing to happen in the Metaverse?

As defined by Facebook, the metaverse is:

“a “virtual environment” you can go inside of — instead of just looking at on a screen. Essentially, it’s a world of endless, interconnected virtual communities where people can meet, work and play, using virtual reality headsets, augmented reality glasses, smartphone apps or other devices”

It is a new virtual reality that promises to be far more immersive and realistic than anything we’ve seen before. But with great new possibilities comes great new risks.

Here in this blog post, we’ll look into why data sovereignty is a bigger concern in the metaverse, why you should be worried, and how web3’s decentralized structure could play a vital role here.


Data sovereignty is an emerging issue in VR:

Web3 promises to restore the data sovereignty of users. At least, that is the premise of this new internet.

Until now, Facebook, Instagram, and Twitter have been limited to keeping our search history, cookie data, location, and buying interests. In the metaverse, the horizon for data collection will be far wider.

Future metaverses will be filled with massive, exponentially growing troves of biometric data. VR headsets and augmented reality glasses with built-in artificial intelligence can track our eye movements, map our surroundings, and record our real voices. They can measure your heart rate, pupil dilation, vocal inflections, and even your galvanic skin response (GSR).

It’s a bit scary, isn’t it?

High-tech companies have already filed patents for such uses in the metaverse.

This means they will know not only how you act but also how you react. Imagine the depth of information Facebook’s metaverse can collect with such rich data streams. They can build eerily intimate profiles of every user.

Will you be comfortable giving them that kind of power over your unique biometric voice or facial data? What if it gets exploited?

There have already been millions of data breaches involving the theft of personal information from people. In the end, not everyone can be a trustworthy custodian of your data. The largest corporate data breaches are shared in the Chainalysis State Of Web3 report for 2022.


The report also highlights that consumers who have experienced a data breach have a higher risk of cybercriminals gaining their personal information and exploiting it to target them for scams, including the infamous blackmail scam.

That’s not all…

Marketing and real-time advertising will reach another level in the metaverse. It will not be like the overt pop-up ads of today.

Today, you search for an item on Amazon or Google and they retarget you with banner ads or display ads everywhere. In the metaverse, you will be targeted by AI-controlled agents that appear as avatars, just like you and me. These simulated spokespeople will be programmed to adapt to your emotions in real time, and their algorithms will be tuned to convince you to buy.

Sounds like science fiction? That’s gonna be real anon!

Young adults and children in particular will be more susceptible to this, as they are likely to be early adopters.

In the real world, impersonating someone is tough. Social media made that easy. Think of the thousands of bots and fake accounts running on Twitter. The metaverse can make it even worse. It will be hard to know whether the person or business you are interacting with is really who they say they are.

It’s not the technology I fear, but the fact that it’s often misused by some bad actors.

Hence, we need some kind of identity in the metaverse too. We need ways to control data sharing. The importance of data sovereignty can’t be overstated. Security considerations must be built into the metaverse from day one.


What if you could take your online data with you?

Hold on for a second and think: what if you could carry your Instagram data wherever you go? Your login credentials, cookies, browsing history, everything. And when you are back the next day, you simply authenticate using a wallet, prove it’s you, and your newsfeed shows exactly what you like, fully customized.

Quite interesting, huh?

This can be done using Self-Sovereign Identities (SSI). It is a concept where users host data on their own storage (IPFS, Filecoin, etc.) without relying on a third party. These Self-Sovereign Identities are verified by public identifiers of decentralized networks and don’t rely on a central repository.

It’s “sovereign” because you can choose to share certain elements of that data only up to a point required, and no further, to reach the desired end. This means that your data can only be used with your consent and no unintentional sharing of personal data can happen.

But how do you prove that the person using the digital identity is actually who they claim to be? How is the user identified?

Decentralized Identifiers (DIDs) and verifiable credentials (VCs) are the two fundamental standards the World Wide Web Consortium (W3C) has defined for the development of a Decentralized Identity structure.

A DID is a globally unique identifier (a kind of decentralized URL) that doesn’t require a centralized authority for its generation or registration, as DIDs are registered through Distributed Ledger Technologies (DLT).

Each DID is associated with a series of verifiable credentials (VCs) attached to it from other DIDs (say, your college or organization). They attest to specific characteristics of the DID you own, like age, qualification, payslips, address, etc.

Since the issuer has cryptographically signed these credentials, DID owners can store them in a wallet linked to IPFS without depending on any intermediary. You don’t need to re-identify yourself for every action. You can simply pull out your wallet and access your identity.
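The selective sharing and issuer-signed credentials described above, as an added example that is not part of the original post. It uses salted hash commitments and Ed25519 from Node's built-in crypto module, which is an assumption since the post names no mechanism; the DIDs, claim names and function names are hypothetical.

```javascript
// Added example: simplified selective disclosure, not the W3C VC wire format.
const crypto = require("node:crypto");
const sha256 = (s) => crypto.createHash("sha256").update(s).digest("hex");
// Commitment to one claim; the random salt stops guessing of hidden values.
const commit = (salt, name, value) => sha256(JSON.stringify([salt, name, value]));

// Issuer: salt and hash every claim, then sign only the sorted digests.
function issueCredential(issuerDid, issuerKey, subjectDid, claims) {
  const disclosures = {};
  const digests = [];
  for (const [name, value] of Object.entries(claims)) {
    const salt = crypto.randomBytes(16).toString("hex");
    disclosures[name] = { salt, value };
    digests.push(commit(salt, name, value));
  }
  const payload = JSON.stringify({ issuer: issuerDid, subject: subjectDid, digests: digests.sort() });
  const signature = crypto.sign(null, Buffer.from(payload), issuerKey).toString("base64");
  return { credential: { payload, signature }, disclosures }; // both go to the holder's wallet
}

// Holder: reveal salt and value for the chosen claims only.
function present(credential, disclosures, names) {
  return { credential, revealed: names.map((name) => ({ name, ...disclosures[name] })) };
}

// Verifier: check the issuer's signature, then match each revealed claim to a signed digest.
function verifyPresentation(presentation, trustedIssuers) {
  const { payload, signature } = presentation.credential;
  const body = JSON.parse(payload);
  const issuerPub = trustedIssuers.get(body.issuer);
  if (!issuerPub) return { ok: false, reason: "unknown issuer" };
  if (!crypto.verify(null, Buffer.from(payload), issuerPub, Buffer.from(signature, "base64")))
    return { ok: false, reason: "bad signature" };
  const claims = {};
  for (const { name, salt, value } of presentation.revealed) {
    if (!body.digests.includes(commit(salt, name, value)))
      return { ok: false, reason: `claim "${name}" is not covered by the signature` };
    claims[name] = value;
  }
  return { ok: true, subject: body.subject, claims };
}

// Constructed sample data: hypothetical DIDs and a throwaway Ed25519 issuer key.
const issuer = crypto.generateKeyPairSync("ed25519");
const trusted = new Map([["did:example:university", issuer.publicKey]]);
const issued = issueCredential("did:example:university", issuer.privateKey, "did:example:alice",
  { degree: "BSc", birthYear: 1990, address: "1 Sample Street" });
const shown = present(issued.credential, issued.disclosures, ["degree"]);
console.log(verifyPresentation(shown, trusted)); // address and birthYear are never sent
```

The sketch leaves out holder binding (proof that the presenter controls the subject DID) and revocation, so a captured presentation could be replayed; a deployment needs both.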

To get a visual idea of how the entire process works, check out the video below:

Building A Trusted Identity: Blockchain ID Demo

For a unified experience, we need to traverse between different metaverses seamlessly. For that to happen, users will need identity authentication to retain the same avatar and individuality across different platforms.

Metaverse identity authentication will be a key part of the VR experience. SSI, blockchain and web3 can really help us protect our hyper-real identity in the metaverse. They are not only the key to building the metaverse, but they will also help protect your data as you go. Here’s how:


Digital Identity: The Key to User Sovereignty In The Metaverse

Metaverse will usher in a new way of interacting and building communities in digital spaces. But one must understand its foundations and core values in order to appreciate its potential fully. It’s about privacy, control, openness, and interoperability.

Here are some examples of how SSI, Blockchain, and NFTs may be used in conjunction to unleash the true power of the Metaverse while preserving its foundational principles.


I. Building Cross-chain Identity Solutions:

A company’s approach to identity will decide a lot about its relationship with users. If the sign-up process is lengthy and tedious, or if it collects too much personally identifiable data, it can drive many potential customers away.

A one-click verification process using decentralized identifiers can deliver the highest level of trust without asking for too much information. It can even break the present barrier of closed and siloed systems. In the metaverse, we need interoperable identities, and SSI can be a great solution for all types of identity and access management.

We can even tailor our public personas. We can choose how we are represented on different platforms. For instance, you might present yourself as professional on LinkedIn, less so on Twitter, and as an anonymous degen who lives like a gamer on Discord. This is going to be the layout for an interconnected world.


II. Setting up secure data channels with real-world brands:

Imagine you want to plan a vacation and visit a virtual travel agency in the metaverse. There you are attended by an AI-powered bot that can suggest a few locations based on your tastes and past travel experiences. Would this be possible without access to your personal data? For better user experiences and customized services, we need to share our data with brands. But it becomes a headache when they sell your data to a third party or start sending too many promotional emails.

Self-sovereign identities can help here. You can decide what to share, for how long, and what they can do with your data. You can revoke access at any time using your SSI-powered wallets. This makes it easy to rely on real-world brands.


III. NFTs for ownership-based access:

While SSI is for proving who you are, NFTs are for proving what you own. For ownership-based access management, they work best.

For example, a few years from now, if you visit an internet platform to open an account, it will request your biometric information. This might involve voice and facial recognition, iris or fingerprint scanning, etc. If the data is compromised in some way, criminals may simply use your photorealistic digital avatar to communicate with others in the metaverse, and those others won’t be able to tell if it’s you or not. As a result, it will be much harder to fight fraud and create a network of trust.

NFTs are a perfect answer in this case. I can create an NFT that represents my biometric data and give it to the platform. While I can use it for multiple purposes, I have full control over it.

Sebastien Badault, VP Metaverse of Ledger, rightly said:

“If the metaverse is the next tech frontier, blockchain technologies will be its main operating system, enabling you to own your data…in the metaverse, blockchain will be a gateway to self-sovereignty”

But technology alone is not sufficient. Standards are necessary for fairness.


Metaverse needs aggressive Regulation:

We have the strictest data collection and storage regulations in almost every country, such as:

– General Data Protection Regulation (GDPR) – European Union
– Lei Geral de Proteção de Dados (LGPD) – Brazil
– Personal Data Protection Law (PDPL) – China
– Privacy Protection Authority (PPA) – Israel

Still, people’s data is misused. Guess what happens in the metaverse if there is no one to watch out for criminals!

The chart below shows the total percentage of illicit crypto transactions from 2017-2021.

[Chart: Chainalysis report, illicit crypto transactions from 2017-2021]

Source: Chainalysis Report 2022

The good news, though, is that such transactions make up a smaller and smaller share of total usage over time.

Theft, money laundering, and scams will be a big concern in the metaverse, mostly due to its decentralized nature.

Governments and platform owners should implement robust KYC verification and AML screening to stand strong against money laundering and theft.

If we wait for the government to create thorough regulations, though, this won’t happen tomorrow: regulating technological advances takes time, and doing so globally is challenging. Those who are building the metaverse, however, can take the initiative and develop their own meta code of conduct.

There should be rigorous restrictions on what companies can track and for what purposes. The toughest regulations should apply to advertising algorithms. Unless it is officially restricted, extreme levels of interactive manipulation will occur.

If a third party pays for virtual product placement in your augmented environment, the platform should be compelled to disclose that it is a targeted placement and not a chance encounter.

And we must act quickly before the issues become intractable due to their deep integration into the infrastructure and business models.

The genie is out of the bottle, so we had better start preparing. Want it or not, the metaverse is coming soon.


We have just scratched the surface, and going ahead, possibilities are endless:

This is just the start. Things could evolve faster than we anticipate.

In ‘Metaverse In 2040’, Louis Rosenberg, CEO of Unanimous AI predicted:

 “By 2035 people will laugh at images of the 2020s that show people walking down the street staring down at a phone, neck bent, thinking it looks awkward and primitive”.

The Metaverse is expected to be a huge industry, but we need to figure out how to protect our data. If we don’t, we’ll be repeating the same mistake. Once more, there will be business models where the user will be at the center of the strategy—but not to deliver value. We’ll be there to sate the big giants’ insatiable appetite for data.

Let’s be honest: who does not like the idea of a digital avatar of themselves? We get to recreate ourselves with superpowers, enhance personality traits, redefine looks, and even the way we earn money. Simply put, we don’t want it in exchange for our valuable data.

Hopefully, with the advancement of Zero Knowledge technology, and perhaps a few other technologies we don’t even know about now, complex identity verification and ownership management will become easier without compromising on privacy and security.

But the question is whether we can get there in time!



  1. Thank you Ravi for your Articles, they are transformative, and enlightening. I am absolutely interested in working with you as we move through this process of change from old traditional networks into new self-governing digital systems