What the **** is the metaverse?
And why should financial institutions, or for that matter any other businesses, care?
Dateline: Toronto, 27th June 2022.
I've seen so many different descriptions of the new cyberspace for work, rest and play over the last few months that it's really unclear to me what most people actually mean by “metaverse”. In fact, despite Gartner's prediction that by 2026, a quarter of the population will spend at least one hour a day in the metaverse "for work, shopping, education, social and/or entertainment", I doubt that many in the financial services industry can give a cogent and concise description of what that metaverse itself will be, other than it will be a bit like "Call of Duty" with Mark Zuckerberg dressed as a skeleton in it and there will be a tiger wandering around in a JP Morgan branch in Minecraft.
The fuzziness is not confined to the professionals, of course. A March 2022 Wunderman Thompson Intelligence survey of more than 3,000 people between the ages of 16 and 65 in China, the United States and the United Kingdom found that while three-quarters of them had heard of the metaverse, only 15% said they could explain the concept of the metaverse to another person (and half of them were probably wrong).
Interestingly, those same people, when asked about their concerns about the metaverse put children's privacy first and highlighted a number of other data protection, privacy and safety issues. This indicates that there is a challenge here: explaining what the metaverse is so that business people can develop their strategies for exploitation while simultaneously working out how to deal with privacy and security (hint: digital identity). So let me rise to that challenge and try to tackle both of these complex issues head on, starting with developing a simple model.
Fortunately, I had the privilege to chair a discussion about the metaverse at the Identiverse conference in Denver in June 2022, and had great fun discussing the new landscape for identity with Heather Vescent, Jonathan Howle, Katryna Dow and Gopal Padinjaruveetil. In order to frame my thoughts and get the discussion about identity and privacy going, I needed that mental model.
Rather than complain about the imprecision of other people’s visions, I thought it might be a good approach to think from first principles what the metaverse is and therefore what corporate strategies around it will be important. To do this I went ahead and created a model of the metaverse as a framework for this discussion. Using this model did, I think help to frame a useful (and, I have to say, entertaining) discussion and lead to some actual learning (to judge from the very positive feedback on that panel, at least) so I thought I’d expand on it here.
Real But Virtual
It seems to me that the obvious starting point for any metaverse model is virtual worlds. Banks, as others, are already experimenting with more immersive experiences. Accenture say that almost half of bankers believe that customers will use augmented reality (AR) / virtual reality (VR) as an alternative channel for transactions by 2030. They point to early experiments from BNP Paribas, which has launched an app that allows customers to use VR in their banking transactions, and Citi, which has tested holographic workstations for financial trading. Furthermore, according to the 2021 edition of the Digital Banking Report, a third of bankers believed that around a fifth of their customers will use this alternative channel in that timeframe.
(Virtual worlds are already a very, very big business and there are big businesses inside them. I couldn’t help but notice the recent announcement from EVE Online, the long-running sci-fi massively multiplayer online game known for its enormous and long-running space battles, that the game will soon have Microsoft Excel support! This illustrates the point about virtual corporates rather well! The integration means that players will be able to export in-game data out to Excel so that they can “calculate everything from profit margins to battle strategy”.)
These virtual worlds and experiences have been around for many years and financial services organisations have been experimenting with them for a generation (remember those virtual bank branches in Second Life). Therefore it is reasonable to wonder what it is that will transform these virtual worlds into a metaverse? It is not simply VR headsets or AR spectacles. I could use them to play World of Warcraft and it would be a lot of fun, but it would still be nothing more than a virtual world. A metaverse is more than Second Light UHD.
The Financial Times defined the metaverse as a collection of shared virtual worlds which are interoperable in the sense that people can navigate them while taking with them their digital identity and their digital assets. Now this strikes me as a very straightforward and practical description and I like it very much. This is a world where transactions take place between what Jaron Lanier called "economic avatars" (that is, virtual identities that can own property) and reputation is the fundamental transaction enabler.
(That point about property is at the heart of the matter and the reason why the world of finance is paying attention, because property means markets.)
This gives us a good starting point for the simple model. The metaverse is virtual worlds with digital assets and digital identity. But what are digital assets?
Well, that is quite easy to answer: digital assets are tokens and the protocols for moving these tokens around is what is known as decentralised finance (or “defi”). Digital assets and decentralised finance are together loosely known as “web3”. Frances Zelazny of Anonybit set out the relationship between the two plainly when she wrote "the metaverse is dependent on [web3]", going on to say that users can expect "increased democratisation, inclusion and user control, instead of having big tech and centralized gatekeepers".
So you might say that the metaverse is made up of virtual worlds with web3 transactions in them. Now we are getting somewhere.
A checkpoint back to that Financial Times definition though. The metaverse is virtual worlds plus digital assets (i.e., web3) plus digital identity. That’s what’s missing and that's where we need some new thinking. In essence there are two ways forward: we can take things that already exist in web3 (i.e., tokens) and repurpose them to handle identity — and, indeed, this is what Vitalik Buterin and others set out in their proposal for “soulbound tokens” — or we take things that exist outside of web3 and bring them into the metaverse: this is the approach that I favour.
My view is that tokens and defi are not a good way to implement general-purpose digital identity and without identity we cannot complete the metaverse. We need identity to make our metaverse work and to do this we need to bring in something from outside web3 to fix the problem.
Professor Bill Buchanan OBE from the School of Computing at Edinburgh Napier University is a leading expert on cryptography and cyber security (and also an excellent speaker, by the way). I always take what he has to say about things very seriously and I couldn't agree more with him on his comments about the nature of the infrastructure that we need for the online economy. As Bill writes, we joined together a set of interweb tubes with very little trust built in to them and then we patched them up with what he calls "simple methods" but what I might call string and sealing wax. He says that "our digital future must be towards an infrastructure that properly integrates trust" and that when it comes down to it, web3 means the digital signing of transactions to support the true integration of the digital identity of the citizen into the digital world.
That is, web3 plus digital identity gives us the trust infrastructure that we need. We already have the tools and techniques needed to do implement digital identities that work in this context. We have private keys and digital signatures and computers and all of the other components. We already have smartphones that contain Trusted Execution Environments (TEEs) capable of handling advanced cryptography yet we send them completely insecure text messages and call them "security". What we need is a way of using them and this where credentials come into play.
Why do I focus on credentials? Well, in that paper on the topic of soulbound tokens, Vitalik Buterin and his co-authors write “the economic value finance trades on is generated by humans and their relationships. Because web3 lacks primitives to represent such social identity, it has become fundamentally dependent on the very centralised web2 structures it aims to transcend, replicating their limitations”.
That is the missing piece of our jigsaw. Relationships that enable transactions, or what I might paraphrase as "the reputation economy". This is an economy where the fundamental enabler of economic activity is not identity but credentials, not who you are but what you are. Credentials, and more specifically verifiable credentials (that is, if you present your driving licence to me, I can cryptographically verify that it is not a fake and that it really does belong to you) are the way forward.
Verifiable credentials (VCs) have a crucial role in resolving the "clash of the titans" between the emerging metaverse and the growing demands for data privacy. The metaverse wants to harvest new, uncharted personal information, even to the point of noting and analysing where your eyes go on a screen and how long you gaze at certain products. Data privacy, on the other hand, wants to protect consumers from this incessant cherry-picking.
As David Blonder (legal counsel, and data protection officer at BlackBerry) notes, since people will always trade security for convenience and since the metaverse means far more user interaction than, for example, a mobile phone we (i.e., the industry) must assemble an infrastructure that is robust without negatively impacting user convenience. My view is that this will be achieved through the use of smart wallets, but that’s a topic for another day.
There you have it then. The metaverse is virtual worlds plus web3 plus digital identity. Web3 is tokens and defi. Digital identity is DIDs plus VCs. That seems to move us forward.
What I think about the evolution of virtual worlds into metaverses is one thing, but what people who actually know about virtual worlds think about it should have priority. The CEO of Epic Games, Tim Sweeney, is one such person and his views on the topic are fascinating. He, for example, points toward the field of zero-knowledge proofs (the idea that you can verify that something happened without receiving any private details about it), a powerful mechanism for delivering both privacy and security in a decentralised system and he is absolutely right. There is groundbreaking work going on right now to bring zero-knowledge proofs and verifiable credentials together, so when Tim says “I think that's going to be the backbone of a large part of the next century in technology” he's almost certainly correct.
Another visionary in the field is Philip Rosedale, the chap who founded Linden Lab (the home of Second Life) a generation back and has therefore spent more time in the metaverse, or at least the proto-metaverse, than pretty much anyone else on the planet. Hence his views on the topic are of signal importance. After Linden Lab he went on to launch a VR startup that later pivoted to spatial audio (so perhaps Scott Galloway's insistence that the metaverse will come in via AirPods rather than headsets is more considered than I thought).
In an interesting twist, that startup is now investing in Linden Lab and Mr. Rosedale is returning as a strategic advisor. There was a very interesting piece on his perspectives on the metaverse in "The Information". What particularly caught my eye, given my obsession with digital identity as a fundamental platform for the new economy, was his view on "true" names. He says that persistent pseudonyms are at the heart of the metaverse and that “true names, for so many reasons, are not what we want to go toward, because not everybody wants to use their true name or true face”.
(This is in stark contrasts to Meta's metaverse. They are going for photorealistic avatars with Facebook's real names policy as a backdrop.)
When you put all this together — virtual worlds where people want to do business, decentralised finance moving tokens around and persistent pseudonymous identifiers with verifiable credentials — I think you can see a clear and consistent definition of the metaverse as well as the strategic outline for the financial services sector’s response: managing the customer’s digital assets and digital identity.