Mandar Prakhar and Aryan Rawat*

Source : VinciWorks

While the rapid development of virtual reality technologies offers unprecedented opportunities forglobal interaction, it also simultaneously poses perplexed ethical and legal challenges. This article seeks to address the legislative vacuum in addressing offences committed in a virtual realm, juxtaposing the inadequacies of the current legal framework in handling the unique nature of these offences. The article delves into highlighting disruptions in Metaverse, and examining the challenges in the determination of perpetrator liability and collection of forensic evidence in the virtual realm. The article comprehensively analyses the existing laws in the framework of reported instances of virtual sexual assault to reveal the challenges of jurisdictional concerns and the lack of corporeal aspects in virtual crimes. The decentralized nature of metaverse and the use of blockchain technology, further reinforces the challenges in its regulation. The article sheds light on the efforts made to address these concerns, which ultimately became insufficient in preventing virtual harassment.
The article underscores the cardinal need for legislative intervention to create an enhanced adjudicatory process to prevent crimes in the metaverse and proposes reforms in that regard. It underlines the need to strike a proper balance between tech advancement and user security while urging the authorities to establish a comprehensive legal framework to regulate the advanced technology of metaverse and deter incidents of virtual bullying and privacy invasion.

.

Introduction

Transcending into a parallel reality has always been the subject of intense philosophical discussion within the confines of fantasy literature. However, the growth of emerging technology has made a near similar simulation, a reality with the introduction of social networks, 3-D immersive games, and metaverse. These domains are constantly redefining social interactions by providing a platform to exchange ideas, emotions, and information, collaborate for business, education, and leisure.

While these domains offer unprecedented opportunities, they simultaneously pose novel legal and ethical challenges, as evidenced by the increasing incidents of harassment, assault, and rape. Although these acts do not threaten the physical integrity of a person, they do tantamount to outrage their morality and tamper with their mental well-being leaving ghastly shadows of such traumatic experiences.  However, the crux of the problem lies in the profound disconnect between our existing legislative infrastructure and these emerging forms of violence. The traditional criminal codes are predominantly restricted to traditional forms of crimes requiring corporeal elements such as physical harm, ‘bodily injury’ or penetration’. This struggles to address offenses occurring in virtual reality (‘VR’) setup, which in essence lack these tangible elements, yet causing devastatingly real impact on the victim’s psyche.

This article examines the complex disruptions caused by the advancing nature of Metaverse and its potential ramification on user safety and regulation. The article explores three dimensions, firstly, the jurisdictional challenge of prosecution in VR offences, secondly, the inadequacy of the existing legal framework in addressing the unique challenges of virtual harassment within the metaverse and lastly,  technical challenges in determining the perpetrator’s liability in VR. The article highlights the urgency of a comprehensive regulatory net to address these emerging challenges and proposes solutions to remedy the same.      

Defining Metaverse

The metaverse is a virtual ecosystem that facilitates global participants to establish social, economic, and cultural interactions. Originating from Neal Stephenson’s sci-fi novel ‘Snow Crash’ as a dystopian society, it has now evolved to embody a more utopian realm, blending virtual reality with physical reality. It enables users to interact by creating three-dimensional animated avatars.

These avatars may closely resemble or diverge significantly from the user’s real-world appearance. This blurs the boundaries between reality and virtual existence as it entrusts users with the freedom to reshape their identities beyond physical world constraints. These avatars offer users escapism and a support mechanism for their physical selves by carving out new identities for themselves. This expands the range of emotions and experiences that the user can accrue through them. As a result, it can be reasonably assumed that the actual experience is done by the individual, not the avatar. The experiences gained through the Metaverse are often considered almost real, partially because these avatars are created to act as agents for the users alongside them. This has contributed to the burgeoning landscape of the metaverse, in attracting a significant userbase of 600 million users by 2024. In India, particularly, is experiencing a massive growth in this sector.

To put it in perspective, the targeted market for Metaverse Gaming in India is identified as worth US$ 615.5 million by 2024 with an impressive anticipated annual growth rate of 42.49% (CAGR 2024-2030). The market is projected to reach US$ 5.2 billion by 2030. The market volume according to the current analysis of the market is expected to be US$7.5bn in 2024 with the United States leading in value generation. In all possibility, the user base in India is expected to expand drastically, with projections indicating an increase in the number of interacting users from 3.7% in 2024 to 11.3% by 2030, effectively amassing  171.6 million users. The value per Metaverse gaming user (ARPU) at $ 11.4 highlights India’s massive market comprising an exponentially increasing number of players that engage with virtual experiences.

However, advancements in these emerging technologies have led to concerns about abusive conduct, mental wellbeing, and violations of dignity and privacy.

Rise in Virtual Offenses

Recent studies and instances of violent and abusive conduct on such platforms at an alarming frequency reflect the severity of misconduct within the VR realm. Abusive behaviors are very frequent on such platforms, with such instances occurring approximately every seven minutes. Women and children, in particular, are increasingly subjected to sexual harassment in virtual environments. Many egregious instances of virtual sexual assault have been witnessed, ranging from groping a female user during the beta testing of Meta Horizon Worlds to the reported virtual rape of a metaverse researcher’s avatar by her male counterparts. Even children as young as seven have been threatened with sexual assault.

Pursuant to rising concerns about safety and ethical standards, Meta Horizons attempted to prevent unwanted interactions and harassment by introducing the personal boundary measure, building upon the hand harassment measure. This feature will block the forward movement of an avatar if they maliciously encroach the boundary of any avatar. However, despite such practices, an incident of virtual rape of a minor was reported in January 2024. This raises concerns about the potential of these platforms to be prone to misuse and exploitation by predators and underscores the safety of vulnerable individuals, including minors. This is particularly concerning, given that many metaverse enthusiasts include children around the age of 13.

While no incidents of such nature have been reported in India, the growing appetite of the Indian market for VR gaming is worrying. This can be attributed to the lack of adequate technological literacy required by the majority of the population to navigate this digital landscape despite the  skyrocketing internet accessibility since Jio was launched in 2016. With such increased Internet penetration, a rise in cyber-crimes becomes a natural corollary in the coming years.

While these incidents do not cause any physical harm, they inflict significant psychological trauma on the victims. Moreover, the unbridled advancements of VR realms, by introducing haptic technologies and integrating wearables, would significantly enhance the user experience. These devices have the potential to blur the lines between virtual and physical interactions, as they can simulate physical sensations. This can result in a user experiencing a stimulated touch as impactful as a real-world sensation. This potentially intensifies the impact of such a virtual violation of dignity and privacy. 

The exponential increase in VR offenses poses three critical challenges to be duly deliberated in order to address them. Firstly, since the offenses transcend national boundaries in VR, the determination of jurisdictional authority becomes extremely complex. Secondly, even if jurisdiction is established, the criminal codes are inherently inadequate due to their archaic conception of crime involving both corporeal and mental. Lastly, technical challenges like collection of digital footprints further complicate the culpability determination of the accused.

Conflict of Jurisdiction in the emerging metaverse

With emerging technology, governments have introduced regulatory frameworks for virtual spaces, however, presently, metaverse is an exception. In India, Digital Personal Data Protection Act, 2023 (“DPDPA”) is awaiting enforcement, and currently, transactions and wrongdoings in the VR realm are governed under the Information Technology Act, 2002 (“IT Act”). However, the IT Act is archaic and tends to leave many technologies out of applicability, further leading to a non-comprehensive legal framework. The proposed Digital India Act will replace IT Act and is intended to regulate virtual and augmented reality (“AR”) realms, including the metaverse. Given the limited information available on the specifics of the bill, due consideration needs to be placed on the Digital India Goals, the only document available to shed light on the proposed legislation. The metaverse is not limited by national borders and involves multiple jurisdictions, posing significant challenges in determining jurisdiction. Amidst the lack of metaverse-specific laws in countries, the question regarding the ‘legitimate authority’ governing metaverse remains unanswered.

The modus operandi of metaverse is not only limited to flow of data from the physical world to the virtual world but also transfer back from the VR to real life by creating a virtual 3D-stimulated world. While the blockchain technology has created financial incentives for the developers and users of metaverse, from the regulatory perspective, it is still a res integra with a legislative vacuum regulating development, operations and functionality of such technologies. The status quo further exacerbates the plight of assault victims on these platforms. With the use of blockchain in metaverse, it has become decentralized by extending more control to users and not a single entity. Sandbox, one of the most actively used metaverse uses Ethereum (a kind of cryptocurrency) for buying and selling of digital assets. These economies are operated through blockchain technologies and easily transferable cryptocurrency. Additionally, the parties are not required to necessarily provide their geographical location for transactions. As the metaverse expands, it will become more decentralized, with no single entity exercising absolute control over it. The adjudication of such harassment cases will be delayed due to ambiguity over applicable laws and lack of governance in the unregulated world of metaverse. The existing laws struggle to construe liability in the metaverse, whether of metaverse as a legal entity or of metaverse operators (like Meta or Sandbox) or individual wrongdoers.      

At the outset of adjudication, it has to be decided where the incident of harassment in the digital world originated and where the impact is felt. Since its inception, Silicon Valley has been the pioneer in the field of developing the metaverse and one such case arose in the US regarding the jurisdictional issue in transactions taking place in virtual space. While ascertaining the jurisdiction of courts in Bragg v. Linden Research, the court opined that for deciding upon the jurisdiction of district court, “the court must determine whether there are minimum contacts with the forum and whether jurisdiction will comport with the traditional conceptions of fair play and substantial justice”. It was ruled that the Court had jurisdiction since the actions of the parties were active and instrumental in encouraging people to transact in a virtual world, meeting the criterion of ‘personal jurisdiction’ and the objectives of fair play and justice. In the US, the ‘effects principle’ has been applied in many precedents. The ‘effects doctrine” empowers US courts to exercise jurisdiction over foreign nationals whose actions, even if committed outside the US, have a detrimental impact within the US borders.

An overview of status quo in India shows that as per Section 1(4) and (5) of BNS and Section 1(2) of the IT Act, 2000, both the laws recognise the extra territoriality principle where the provisions are applicable to any acts or offences committed outside India. However, the offences taking place in VR have neither been covered by the ambit of both these legislations nor dealt by judiciary till now. The Proposed Digital India Bill, 2023 offers an opportunity to India to be in congruence with the global best practices to resolve the jurisdictional hurdle while dealing with offences taking place in virtual reality. The adoption of the ‘effects principle’ is not a novel practice in India as witnessed by the protection regime prevailing in the area of Intellectual Property Rights (IPR) termed as the ‘long-arms principle’. In IPR, courts are conferred with jurisdiction to decide on matters where a non-resident has a sufficient connection with the forum when an act is committed outside India. With adoption of ‘longs-arms principle’ the intended bill would be comprehensive to deal with the offences that have the potential to cause jurisdictional questions. The approach taken by USA Courts, if adopted, would provide a way forward to deal with the mirage of virtual and augmented reality possible through metaverse.

     Most importantly, the metaverse is a novel iteration of technology, these existing laws are jurisdictional and would have limited to no impact on regulating harassment in the metaverse. Even though the jurisdictional concerns can be overcome in determining the applicable law, a new set of challenges follows suit.

Challenges in Addressing These Incidents

     Criminal codes around the world are predicated in cases of assault to be perpetrated by natural persons and inherently envisage corporeal aspects of a crime. Precisely, such offenses require the elements of bodily harm and penetration.  The crux of the issue is that such offenses occurring in the metaverse lack these tangible concepts, and avatars are not recognised as natural persons. Nokia released a whitepaper titled “GenZ and the Metaverse” wherein they observed that the legislative vacuum eventually results in a lack of consequences in the physical world, facilitating an exponential increase in manipulative and deceitful behavior on such platforms.

India, with its large population and growing technological consumption, faces particular vulnerability to virtual crimes, necessitating proactive measures. While the concept of VR offence is still res integra, the Indian judiciary has previously acknowledged the concept of virtual rape in the case of State of West Bengal v. Animesh Boxi, where the accused uploaded intimate images of the victim on a porn site. The Court rejected the defense claimed by the accused that his action did not result in any physical injury by liberally interpreting Section 44 of the IPC to construe injury. The rationale was universal accessibility of the the video hosted on a website which subjected the victim to virtual rape every time someone saw the video. Additionally, the atrocious incidents outraging modesty of women seen during the incident of Sully Deal (2021) and Bulli Bai (2022), wherein FIRs were filed for putting up  derogatory auction posts of muslim women, serves as a reminder about the potential of severe psychological harms to the victim.

However, the legal framework still struggles to effectively address such offences within the ambit of the criminal legal framework. The Bharatiya Nyay Samhita defines crimes like outraging a woman’s modesty under Section 74 in terms of physical acts committed by a man. Furthermore, the Code envisages assault as a physical act, or an act done in a physical reality. The Code heavily fixates upon the traditional construction of an offence involving physical aspects of crime such as ‘bodily injury’ or ‘penetration’ as constituting elements of crime. This fails to account for the psychological trauma endured by the victim in virtual space. However, the Code tries to address emerging tech related offenses by including the definitions of obscene material under Section 294 to include content shared electronically, such as revenge porn or violent videos, but it is still not enough. 

In this context, recourse may be sought to the IT Act, which provides for safeguards against online harassment. However, the Act’s purview does not explicitly encompass such offenses. It is only limited to penalising the publication and dissemination of sexually explicit materials and does not provide any framework with respect to virtual assault. To be specific, Section 66E of the IT Act penalises sharing private images without consent with up to 3 years of imprisonment and a fine. Sections 67, 67A, & 67B penalize the distribution of obscene material, including child sexual abuse content. Nonetheless, the Act may become inadequate in addressing such novel challenges, the reason being the outdated nature of the legislation. The IT Act was enacted when the internet was still in its nascent stage in India to counter traditional forms of cybercrime; however, now India’s is the world’s largest digital democracy, vulnerable to new and complex forms of legal and ethical challenges. The Act’s purview only extends to penalizing the publication and dissemination of sexually explicit materials and fails to address virtual assault in any manner.

The outdated legislation is soon to be replaced by the Digital India Bill, 2023, which may provide clarity over addressing these VR offences. The proposed Bill envisages mechanisms for adjudicating user harm, addressing various forms of online misconduct such as cyber bullying, revenge porn, defamation, gender-based violence, etc. It also emphasizes the urgent need for a specialized adjudicatory mechanism for online criminal offences. Moreover, the effectiveness of the Act in addressing such challenges will largely depend on the precise language used in the final draft and the practical enforcement mechanisms put in place. As the legislation continues to evolve, it will be crucial to monitor how these proposed regulations adapt to emerging technologies and their potential impact.

Attempts were made to include built-in safeguards within Metaverse design; however, their efficiency and functioning did not show the intended results. These measures were often regulated by private developers, which shifted the responsibility to users. This underscored user protection rather than balancing safety with an interactive user experience. Therefore, in addressing these challenges, there is a cardinal need to revisit the regulatory framework and modify it to make it more resilient to changing dimensions of crime and society.

Addressing the labyrinth: Need for a regulatory mechanism

Justice Stephen Breyer very aptly observed the need for judicial systems to embrace and incorporate technological advancements, which will guide all of us towards a legal revolution. Since the Digital India Bill is still in its initial stages, best practices globally can potentially guide a robust regulatory framework in India. In this regard, the UK Communication Act, 2003 offers a potential model for addressing virtual offenses, as under Section 127, it penalizes the improper use of public communication networks. A broad interpretation of such provisions could potentially attribute liability to a natural person for the actions of their avatar. Additionally, European Courts recognize the principle of ‘alternative causation’ to trace liability, provided there exists an ambiguity over the causes that triggered the disturbance, all the parties involved in creating the disturbance are held jointly liable for the offense. Furthermore, the Online Safety Act 2023 which mandates regular risk assessments to tackle illicit material for promoting online safety on platforms is under discussions to expand its focus beyond content to include contact harms such as online harassment in the metaverse. 

On the front of broadening the scope of criminal codes, two solutions can be proposed to address these challenges. The first solution involves extending legal personality to the avatars, in order to qualify their act of touch to satisfy the requirements of the Codes. However, this reform opens floodgates to multiple other tangents such as the rights extended to these virtual bodies.

The second solution on the other hand proposes prosecuting these offenses under the existing offense of attempt. Section 62 of the BNS penalizes the attempt to commit an offense if an overt act is done in furtherance of committing the offense. While virtual rape or sexual harrasment lack the corporeal elements, the intent to commit rape and an overt act in furtherance of that intent can be established by the perpetrator’s actions in VR. Since the users consciously control the virtual actions of their avatars, the intent of the user is reflected in the avatar’s action. Consequently, subjecting the victim to virtual assault would constitute an overt act. It can inferred that while subjecting the victims to virtual rape, the perpetrator is aware of the nature and consequence of their overt act. This approach would facilitate regulation of such harmful behaviour in virtual spaces by bypassing the corporeal requirement of an offence.       

Consent Concerns and amplified online harassment

The DPDPA, has clarified the importance of ‘free, specific, informed, unconditional, unambiguous and clear’ consent. In consonance with the concept elucidated by the General Data Protection Regulation (GDPR) of the European Union, wherein the principle of fairness is practiced to meet the reasonable expectations of the users giving consent. The consent regime for data collection becomes a significant factor in the metaverse since an operational metaverse accumulates a large amount of  data, which can lead to multiple incidents of harassment through exploitation of shared data. There is a possibility of intellectual property theft, digital asset theft, data brokering (the use of data for unrelated reasons), sexual harassment for instance, exploitation of personal information through deep fake images, and other malicious acts against minors. The element of anonymity that persists among users of the metaverse amplifies the challenge of establishing liability in cases of harassment.

Vulnerability by digital footprints

The intrusion of metaverse into the personal surroundings of a user is extensively greater as compared to widely used digital platforms like social media apps. It poses a high privacy risk and can lead to unsolicited and non-consensual observation of habits, personal details and information about the user. Essentially, metaverse offers a third-person perspective and it can induce unauthorised indulgence and surveillance over an individual’s personal space based on the shared data. This information collected by illegally observing avatars can trigger illegal stalking, voyeurism and extortion. With progressing times, metaverse has been incorporated into several sectors including online dating. Tinder and Bumble have expressed interest in launching dating metaverse apps highlighting the paramountcy of user consent to limit the VR dangers.

Metaverse is a conglomerate of numerous intertwining technologies that can be called sub-metaverses. The data is collected by all these subsets and the transfer of data among such subsets causes difficulty in attaining interoperability (the ability to exchange information from one system to another). Primarily, such transfers, from one subset to another, cause concerns regarding data leaks. Moreover, the evidence of any online harassment is spread across different platforms. The dynamic nature of metaverse and the anonymity feature of avatars make it difficult for the concerned authorities to investigate digital forensics. Also, in future, deep fakes can be deployed to illegally frame an innocent user due to blurring lines between real-life and augmented VR.

Way forward

The rapid evolution of virtual worlds offers unprecedented avenues for global interaction; however, it also poses novel ethical and legal challenges. Instances of virtual harassment underscore the urgent need for a legislative framework capable of addressing these offenses effectively. Presently, the IT Act and Bhartiya Nyaya Sanhita (BNS) fail to address these challenges due to their traditional construction in determining an offense. It is equally strenuous to trace the origin of a malicious event that occurs in the metaverse. The current legal inadequacy reflects a critical gap that must be addressed to safeguard individuals’ mental well-being and uphold dignity in virtual spaces. Bridging this legislative vacuum will be crucial in fostering global collaboration and technological innovation without compromising safety and ethical standards.

*Mandar Prakhar and Aryan Rawat are 4th year law students at National Law University Odisha.