Are The ‘Virtual Burning Man’ Apps Private And Secure? An Analysis
The online Burning Man is now underway, after the event decided way back in April that they would not hold an in-person gathering at the Black Rock Desert in Nevada. But it’s not really an online Burning Man — it’s actually eight different online Burning Mans, all built by different groups of people outside the Burning Man Project. Some of these apps and ‘experiences’ require smartphone access, others require a VR headset, and some just a simple web browser. But many of these apps were put together in just a few months, and they vary in their privacy policies, their potential security risks, and whether they require third-party tech tools like Zoom, Second Life, Twilio, or others.
We read all eight virtual Burning Man app and website privacy policies, from beginning to end, so you don’t have to. We were impressed to find that most of these were thorough, detailed, and showed great ethics toward the handling of personal data. But we did see some issues.
It also says “We may share information about you with business partners.” But a Multiverse representative responded to us that they only shared “registration data with the Burning Man Project,” and that people could opt out of the data-sharing with an email request.
The Burning Man communications team did not respond to a request for confirmation of this.
You’ll notice immediately upon visiting Build-A-Burn that it requires camera and microphone access, even on a web browser. The creators did this on purpose. “In order to connect people together, we allow you to video chat. This allows for more ‘playa-dipity,’ if you will,” Build-A-Burn co-creator Dylan Jones told us. “We didn’t focus on graphics, we didn’t focus on crazy 3D worlds, what we focused on was the people.”
“It doesn’t require you to know how to play a video game, it’s not 3D and complicated and requires WASD keyboard movement, or a fancy expensive VR headset,” he added. “It works for everyone.”
THE BRIDGE EXPERIENCE
There’s a similar video chat structure at The Bridge Experience, a “mixed virtual reality experience” that only works in the Chrome browser on your desktop, but works on any smartphone. It will not operate without camera and microphone access.
“But I want to be very clear that at this time we do not sell anybody’s personal information, nothing that they give us whatsoever. And we have no intention to,” she said. “We are not going to commodify people’s personal data.”
“There are a number of security standards which apply to Second Life and our sister service Tilia,” said Linden Lab senior director of marketing Brett Atwood. “We have undergone audits and high scrutiny from the regulatory processes in all 50 states, and each state has a website that details more specifics on their security requirements and other clearances which we passed in order to gain those licenses. For example, New York is among the most stringent, and Texas largely relies on California’s criteria. We are the only operating virtual world platform to have successfully gone through this full regulatory review process – which also requires ongoing audits and scrutiny to maintain these licenses.”
You do have to buy a ticket on Eventbrite ($1 minimum) to get into the Sparkleverse. But if you have any kind of Bay Area social life, Eventbrite certainly has your email and credit card number already.
“We rely on Firebase Authentication to provide us a well-designed, secure platform on which to build our authentication UX. Our data is homed in the US. Our backend also makes use of the best parts of AWS, Twilio Video, and Zoom – all equally well-funded companies with their own significant investments in infosec, bug bounty programs, etc.” They add that “We have access logs which allow us to audit in the event of a breach.”
No judgement: it is perfectly normal for a Burning Man project to be nowhere near complete on Tuesday afternoon of Burn week. And even those that are already up at full speed may have been thrown together on the fly, in four months or less, with a ton of threat vectors to take into account. They may not be perfect, and the third-party plug-ins could falter through no fault of the creators. (This year’s online Lightning in a Bottle was reportedly Zoom-bombed pretty hard.) But some very ethical people have put enormous amounts of work into a first-time experiment that could yield amazing results for the future.
“What new opportunities does this allow?” Build-A-Burn’s Dylan Jones said. “Does this allow somebody that couldn’t afford a plane ticket, or somebody who isn’t able-bodied or couldn’t make it out to the playa, to maybe just get a little taste of what Burning Man might be like?”