As technology develops, the metaverse will probably mimic the real world and we will be able to do anything that we can already do in real life and much more. Anything we can imagine, we will eventually be able to experience. It will basically add a new environment for human interactions. More so, there will be activities that can only be done in the metaverse, since technology will give us the possibility of more types of interactions than in real life. This is why a comprehensive legal framework is not only necessary, but should be mandated as soon as possible by regulatory entities.
Imagine you are enjoying a glass of <insert favorite drink> after an exhausting day of work. Maybe you are getting ready to read that book you were excited to start or maybe just enjoying a nice movie or catching up with one of your friends on FaceTime. All is set for a cozy evening. You are relaxed. Suddenly, you hear a noise. A doorknob turns, you hear some steps. You come to the dreadful realization: there’s someone inside your house.
Now let’s change the scenario a bit. All of the above did not actually happen in real life, it happened while you were wearing a VR headset and relaxing in a virtual space. It still happened; someone trespassed your virtual space. Is it the same as the first scenario, though? Yes and no.
Trespassing involves being on someone else’s property without permission. Depending on the applicable law, trespassing can be treated as a civil or criminal offense. While trespassing your home, your safe place, is a serious offense, should cyber trespassing be judged by the same standards, given that it’s committed in a virtual space? There are no actual perpetrators in your real life home. But can it be considered an actual invasion of your space, irrespective of its virtual or nonvirtual nature, given that there are certainly implications for your emotional (and, if we may speculate, perhaps even implications for your physical) well-being? This is something to think about.
Cyber trespassing can be compared to cybersecurity attacks, i.e. when an individual or an organization deliberately and maliciously attempts to breach the information system of another individual or organization. Only, in this case, we are talking about an attempt to “breach” your virtual space.
In the following article, we will analyze the legal framework that needs to be created around metaverse interactions, to ensure that all users enjoy a safe virtual experience. Our focus will not solely be on criminal offenses, but instead we’ll try to paint a larger picture, reviewing some areas of the law which should also be tackled in the legal framework governing the metaverse, such as data protection law, competition law, land law and tax law.
What is the metaverse?
According to Oxford Languages dictionary, a metaverse is a virtual-reality space in which users can interact with a computer-generated environment and other users. The word was originally coined in 1992 by author Neal Stephenson in his science fiction novel Snow Crash, by joining “meta” and “universe”.
Meta (from the Greek μετά, meaning “after” or “beyond”) is a prefix meaning “more comprehensive” or “transcending”. In essence, the metaverse is a new kind of universe, transcending the real, physical universe. As technology develops, the metaverse will mimic the real world and we will be able to do anything that we can already do in real life and much more – hence ‘meta’; from going to a concert, to enjoying a night out with friends, flying across the Pacific Ocean or even traveling to Mars. Anything we can imagine, we will eventually be able to experience. It will basically add a new layer of human interactions, and each offense from real life will have a correspondent in the virtual world.
More so, there will be offenses that can only be committed in the metaverse since technology will give us the possibility of more types of interactions than in real life. This is why a comprehensive legal framework is not only necessary, but should be mandated as soon as possible by regulatory entities.
Data protection law
According to the General Data Protection Regulation (GDPR), personal data represents any information which is related to an identified or identifiable natural person. An identifiable natural person “is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
Since the definition includes “any information”, the term “personal data” should be interpreted as broadly as possible. In terms of data protection, the metaverse will process new types of data, such as facial expressions, gestures, physiological reactions to virtual objects, interactions and events.
Using blockchain technology will offer intrinsic data protection, because it enables the protection of data against manipulation. As a result, data security, data integrity and data immutability can be solved by default on a blockchain-based infrastructure.
Simply said, this security is provided by making the information kept in the blockchain transparent and immutable, which is accomplished via redundant and distributed storage of each record over numerous nodes across a huge network.
However, when we analyze the criteria of the GDPR, the essence of blockchain security is in direct conflict with the privacy required for personal data protection. As a result, it’s important to consider what kind of data is being stored on a blockchain-based infrastructure and whether that data can be defined as personal data.
Without a doubt, the data processed in the metaverse will pique the interest of the advertising industry, which will want to know how a user reacts to specific products or brands. Artificial intelligence is already changing the online shopping industry by enabling online retailers to create personalized product recommendations for users based on their previous searches and purchases.
Just imagine all the new data that can be collected in the metaverse. According to a Stanford University study on protecting nonverbal data tracked in virtual reality, “with VR, in addition to recording personal data regarding people’s location, social ties, verbal communication, search queries, and product preferences, technology companies will also collect nonverbal behavior—for example, users’ posture, eye gaze, gestures, facial expressions, and interpersonal distance.”
As the authors of paper ‘Securing the Metaverse – Virtual Worlds Need REAL Governance’ so eloquently put it, “Data is the heartbeat of the Metaverse. Meaningful experiences can only be realized when we use data about an individual for that individual’s experience. This is the immersive nature of the technology. This inherently means developers need to know information about people – where you are, what you’re looking at, if you’re moving or not etc.”.
Read that again – meaningful experiences can only be realized when we use data about an individual for that individual’s experience. And virtual worlds represent just that – meaningful experiences beyond our day-to-day lives.
The Metaverse thus adds new types of personal information that must be protected, and this requires serious regulation.
How will brands choose to market their products in the metaverse, which will offer a plethora of possibilities? Some companies may opt for exclusive licensing partnerships with each other. For instance, in certain virtual rooms avatars could be allowed to wear only a certain brand of clothes.
The EU’s digital chief Margrethe Vestager declared that “The metaverse will present new markets and a range of different businesses. There will be a marketplace where someone may have a dominant position.”
Antitrust enforcement could result in hefty penalties if companies conspire to fix prices or give each other uncontested, dominating positions in specific agreed-upon sub-sectors of the metaverse. Furthermore, jurisdiction would be crucial, given that practices that are legal in one country may be challenged successfully in another.
Although the concept of owning virtual land may appear strange at first, individuals and businesses have already spent large quantities of money to hold property in the metaverse, making virtual real estate an NFT as well.
When we say large, we mean millions of dollars. For instance, the most expensive metaverse property sale was a plot of virtual real estate in The Sandbox, bought for $4.3 million by Republic Realm, one of the most active investors in and developers of the metaverse real estate ecosystem.
The value of a virtual property is proportional to its popularity and traffic. For example, someone bought a $450,000 plot of virtual land next to Snoop Dogg’s NFT house.
Do the complexities of land law apply in these cases? What laws should apply to trespassers on private property in the metaverse? Can you rent your virtual land and, if so, will tax laws apply to your income? Is it possible to get a mortgage on your virtual home? All these aspects need to be considered when elaborating regulations.
The metaverse is an environment ripe for user-on-user crimes, such as violence, sexual assault, deception, harassment or even cyber trespassing as presented in the introduction of this article. People have been committing such offenses on the internet since its launch, ranging from online bullying, hate speech, harassment on grounds of race, religion, belief, disability, sex, sexual orientation, political views or just because. So, there is no reason to believe they won’t do this and even worse in the metaverse. Given that the sensory experience is much more powerful in the metaverse than when you are behind your PC/phone screen, such an event can affect you emotionally more.
There have already been quite a few reports of sexual assaults in the metaverse, and this opened the conversation about the legal issues that need to be addressed. If your avatar is sexually assaulted, does it count as an actual assault? You could have just easily taken off the VR headset, right? Or were you so immersed in the virtual experience that, for a moment, you forgot it’s not happening in real life?
Following the highly publicized “virtual gang rape” report, Meta has added the ‘Personal Boundary’ feature to combat virtual-reality harassment. According to Meta representatives, ‘Personal Boundary’ will prevent other users’ virtual avatars from “invading your avatar’s personal space” and “if someone tries to enter your Personal Boundary, the system will halt their forward movement as they reach the boundary”. The feature will activate if other users come within about four feet of each other, according to Meta.
Virtual realism and avatar attachment
We would even dare to say that people are more likely to exhibit reprehensible behavior in a virtual environment, given that the offender may justify their actions by saying “it’s not real life”. For most people, however, and especially for the victims, virtual experiences may feel almost like real life.
Virtual realism represents the view that virtual reality is genuine reality and that the victim’s experience can be as meaningful as if it happened in the physical world. It all depends on the importance each person attaches to their avatar or virtual body. The less importance is given to their avatar than to their physical body, the less damage is caused.
If, however, our connection with our virtual bodies develops and the metaverse becomes an extension of our lives, it will become harder to make a clear distinction between real and virtual experiences.
Imagine using the same virtual body for several years, experiencing daily activities and interactions with this online persona – you attend meetings, play games, meet friends, practice sports. In a way, it becomes who you are in the virtual world and you start identifying with it. This concept is called “avatar attachment” and has been analyzed in detail by Jessica Wolfendale in her paper “My avatar, my self: Virtual harm and attachment”. The author argues that ‘this dismissal of virtual harm is based on a set of false assumptions about the nature of avatar attachment and its relation to genuine moral harm’ and that ‘we cannot dismiss avatar attachment as morally insignificant without being forced to also dismiss other, more acceptable, forms of attachment such as attachment to possessions, people and cultural objects and communities’.
Arguments against according moral significance to virtual harm fail because they do not reflect participants’ and programmers’ experiences and expectations of virtual communities and they have the unintended consequence of failing to grant significance to attachments that we take for granted, morally speaking. Avatar attachment is expressive of identity and self-conception and should therefore be accorded the moral significance we give to real-life attachments that play a similar role.
Categories of punishments
How should offenses committed in virtual worlds be punished? One option would be the banishment from the virtual world for a certain period, which would be determined according to the gravity of the offense. However, the banished user will eventually return to the virtual environment and could relapse and commit one or more offenses again.
We can also imagine pecuniary penalties, i.e. (crypto)monetary fines, but there needs to be established who imposes and collects these fines and the factors taken into account to determine the appropriate fine. What if the collected fines would be sent to a fund meant for rewarding the users who have exceptionally good behavior in the metaverse? This is eerily similar to the People’s Republic of China’s social credit system ranking ‘good’ and ‘bad’ citizens. It’s not hard to imagine that we could eventually go there.
Real-life punishment, ranging from fines to imprisonment to death, may be a possibility in theory, but it may be difficult to implement if the offending user is difficult to identify. Although at the moment user anonymity should not be an issue. According to David Lucatch, CEO at Liquid Avatar Technologies, a blockchain-based platform that helps individuals manage and control their digital identity and data, “Anonymity isn’t necessarily the issue — it’s uncertainty. If folks want to have their real identity remain anonymous, these users still have to be verified as real persons before entering the metaverse”.
However, we do not exclude that in the future people will find a way to keep their anonymity. Humans are, after all, extremely inventive. This will make it difficult to identify and hold offenders accountable for their crimes.
As virtual worlds become more important in our lives and virtual crimes become more serious, we may find it difficult to create punishments that are appropriate for the offense. How should one treat a virtual crime that has repercussions in the physical world? Imagine you get so scared by a virtual assault (which should not actually harm your physical body), that you trip and fall in real life and suffer real injuries. This kind of case is possible.
Virtual worlds are frequently viewed as escapist game environments in which our activities don’t truly matter. But, as technology develops, virtual reality could be an integral part of our daily lives. What you do in the virtual world can be as meaningful as your real-world actions.
In conclusion, at the moment it’s debatable whether it should be considered an offense or not if someone trespasses your virtual space without your permission.
What’s not up for debate, however, is that the metaverse could use some law and order.
 Art. 4 GDPR – Definitions – General Data Protection Regulation (GDPR) (gdpr-info.eu)
 Protecting Nonverbal Data Tracked in Virtual Reality (stanfordvr.com)
 Securing the Metaverse – Virtual Worlds Need REAL Governance -Final Version (sisostds.org)
 Quoted by Paul Sawers in his article “Identity and authentication in the metaverse”, available here