The Metaverse is an emerging concept that builds a virtual environment for users with Virtual Reality (VR) and blockchain technology, but it introduces privacy risks. A series of challenges now arises in Metaverse security, including massive data traffic breaches, large-scale user tracking, analysis activities, unreliable Artificial Intelligence (AI) analysis results, and social engineering security for people. In this work, we concentrate on Decentraland and Sandbox, two well-known Metaverse applications in Web 3.0. Our experiments analyze, for the first time, the personal privacy data exposed by Metaverse applications and services from a combined perspective of network traffic and privacy policy. We develop a lightweight traffic processing approach suitable for the Web 3.0 environment, which does not rely on complex decryption or reverse engineering techniques. We propose a smart contract interaction traffic analysis method capable of retrieving user interactions with Metaverse applications and blockchain smart contracts. This method provides a new approach to de-anonymizing users' identities through Metaverse applications. Our system, METAseen, analyzes and compares network traffic with the privacy policies of Metaverse applications to identify controversial data collection practices. The consistency check experiment reveals that the data types exposed by Metaverse applications include Personally Identifiable Information (PII), device information, and Metaverse-related data. By comparing the data flows observed in the network traffic with assertions made in the privacy regulations of the Metaverse service provider, we discovered that far more than 49% of the Metaverse data flows needed to be disclosed appropriately.
Keywords
Metaverse, Privacy policy, Traffic analysis, Blockchain, Data ontology
Institute(s)
Beihang University, State Key Laboratory of Cryptology
Year
2023
Author(s)
Beiyuan Yu, Yizhong Liu, Shanyao Ren, Ziyu Zhou, Jianwei Liu