The Metaverse is a term for a virtual universe shared by millions of users where one can interact with other people, objects, and environments in an immersive and realistic way. The Metaverse is a vision of the future attracting the interest of large companies such as Meta, Microsoft, and Google, who want to create platforms and services to make this experience possible. In this scenario, the future Internet also risks the security and privacy of users’ digital identities. Digital identities are the information that represents us online, such as our name, our email, our personal data, our preferences, our interests, our relationships, and our activities.

Third parties often collect and manage this information, such as online service providers, social platforms, apps, and websites. In the Metaverse, whose digital identities are managed and secured? This information may be exposed to threats such as theft, misuse, manipulation, and forgery. A malicious person could steal a user’s login credentials or personal data and use them to impersonate them in the Metaverse, accessing their content, contacts, and services. This could cause economic, reputational, and psychological damage to the victim user.

A hacker could use a user’s digital identity to perform illegal or harmful actions in the Metaverse, such as spreading false information, harassing other users, or violating platform rules. This could expose the user to legal or disciplinary sanctions. Then there is identity manipulation: an attacker could alter or modify a user’s digital identity in the Metaverse, changing their appearance, characteristics, or preferences. This could influence the behaviour or choices of the user or their contacts in the Metaverse. There would also be the possibility of creating a false digital identity in the Metaverse, imitating the appearance or characteristics of a real or invented person. This could deceive or confuse other users.

Possible solutions

To prevent or counter these risks, measures must be taken to protect digital identities in the Metaverse. For instance, strong authentication: involves using robust and reliable mechanisms to verify users’ identities, such as biometrics, facial recognition, or digital signatures. This could prevent identity theft or abuse. Encryption for data encryption systems that are secure and resistant to cyber-attacks, such as the HTTPS protocol or blockchain. This could protect the privacy and integrity of digital identities. Decentralization involves distributing the control and management of digital identities among several independent and transparent entities, such as peer-to-peer networks or decentralized autonomous organizations. This could reduce the power and influence of third parties over digital identities. And digital education to raise awareness and inform users about the opportunities and risks of the Metaverse, best practices and existing regulations on the security and privacy of digital identities.

The European Digital Market Act (DMA) will play a key role in regulating big platforms to ensure a secure approach to digital identity in the Metaverse. The DMA aims to counter harmful business practices and distortions of competition by Big Tech to prevent them from abusing their position, ensuring both a level playing field in the digital market and the right of consumers to access secure services.

The Artificial Intelligence Act and the Data Governance Act (DGA) are also considered essential regulations for regulating intermediaries and using artificial intelligence systems in the Metaverse, especially regarding biometric data. Europe and China, with the Beijing Action Plan for Promoting the Innovation and Development of the Digital Human Industry, are working on a plan to regulate the use of digital identity in the Metaverse. At the same time, the US Congress has identified four areas for legislative development: content moderation, privacy, competition, and the digital divide.