Practising in the metaverse: Business opportunities; cyber and privacy risks

7 minute read
22 June 2022


This article was originally published by JUST and has been republished with permission.

Many lawyers were surprised, confused and/or amused by recent news that a New Jersey firm had opened the first personal injury firm in the metaverse (the virtual world existing alongside our physical reality, in which people explore, play, and engage in commercial activity as digital avatars). This reaction was probably to be expected; law firms are notoriously slow to adapt to new business models or even to adopt productivity-improving technology. But some lawyers have been thinking about what this world means for the profession for some time. Now that some are setting up shop in Decentraland and other similar platforms, it will be possible for clients to meet with lawyers, avatar-to-avatar, in 3D simulations of law offices, probably with expensive NFT artwork hanging on virtual walls.

The metaverse not only provides new virtual "places" to practice, but also raises legal issues that should keep litigators and courts busy for some time. You can buy virtual property (real and personal) in the metaverse that exists only in the metaverse, so can you sue if your property is damaged or vandalized? What are your rights if you buy a product in real life based in false representations about the product in the metaverse (e.g., it looked better in the 3D virtual "store" where you browsed for it)? YouTube is full of clips of people having accidents while wearing VR headsets; is the headset manufacturer liable if you trip and are injured because you were seeing the virtual world instead of the real staircase in front of you? What if someone in the virtual world is using your real-world trademark to sell their virtual products in the metaverse? What court has jurisdiction over these disputes, and what's the governing law?

Hanging over the prospect of practicing in the metaverse are the cyber security and privacy issues that attend any computer-mediated interaction. How secure is my conversation with a client in my metaverse office from interception and leaking? All clients provide personal information to lawyers, if only in the course of setting up a retainer; some clients provide valuable but not-yet-patented intellectual property. It is not difficult to imagine that my metaverse office may attract hackers looking to extract ransoms, or to carry out industrial espionage against my clients.

As a mere user of the platform (even if I bought the digital real estate where my virtual office stands), the only control I have over the safety of my client's data in the metaverse is to make sure I don't discuss or receive it in the metaverse. That is why lawyers already operating on these platforms aren't practicing there as such. Their virtual offices provide a place to advertise their services and make contact with potential clients, but from there, client intake and the giving of actual advice are quickly redirected to physical offices or to encrypted, private communications tools (e.g., the chat or videoconference platforms lawyers have grown used to using during pandemic remote deployment).

Downstream, it seems likely that as more businesses move the metaverse and seek to do more with it than just advertise, the technology will evolve to address security and privacy concerns. Recall how quickly videoconference platforms moved to end-to-end encryption as they became more crucial in the early months of the pandemic. Even the data sovereignty issue should be surmountable, either through the harmonization of international privacy laws, or the offering of local hosting options.

For now, though, what can a lawyer actually, safely do in a metaverse office? Until security and privacy features are in place to protect privilege, its safest use is to allow lawyers to establish a marketing presence in a space where clients already are (or will be). Imagine a Facebook ad that your target audience can walk around in, where they see your branding, read about and even ask questions about the firm. Your metaverse office can also double as your virtual event space, where clients come to meet your lawyers socially, or attend more immersive versions of the content firms currently deliver in webinar form. There is no reason that courts could not evolve from hearing cases by videoconference to conducting public hearings in 3D recreations of courts, with all the symbols, costumes and pageantry we've lost in the move from physical courts to the web. As these proceedings are public anyway, security issues (except perhaps the avatar equivalent of Zoom bombing) are less of a concern than in the giving of privileged advice in a public virtual space.

Virtual legal practice aside, the mere act of showing up in the metaverse raises concerns that go to the heart of current and evolving privacy laws. Today, to visit a virtual law office in Decentraland, I need only make up a username, create an avatar (that can look like me, or look nothing like me, if I prefer), and provide an email address. I could be anyone, and all the platform really knows about me is the email address I gave (which I may have made up, as there's no identity authentication barrier to my starting to walk around in this virtual world).

At this level of engagement, I am like a lurker on Twitter with no bio and no photo. But: if I want to customize my experience, engage in commerce, or otherwise have a richer and more immersive experience, then just as with social media, I'll be providing a lot more personal data (e.g., about my preferences, my reactions and interactions inside the virtual world, possibly biometric data as the interface technology becomes more sophisticated, and certainly my crypto wallet information if I want to buy goods and services). What if I want to access my personal data, or wish my data to be forgotten? Will the platform be able to move my stored data across jurisdictions without my consent, and if it does, what guarantee will I have that it's protected?

As with seemingly every technological advancement, the metaverse has arrived before the legal framework for managing it has been worked out. It will be fascinating to see how lawmakers, regulators and courts grapple with the legal issues the metaverse is already raising.

Should you have any specific questions about this article or would like to discuss it further, you can contact the author or a member of our Cyber Security & Data Protection Group.

NOT LEGAL ADVICE. Information made available on this website in any form is for information purposes only. It is not, and should not be taken as, legal advice. You should not rely on, or take or fail to take any action based upon this information. Never disregard professional legal advice or delay in seeking legal advice because of something you have read on this website. Gowling WLG professionals will be pleased to discuss resolutions to specific legal concerns you may have.