Are The ‘Virtual Burning Man’ Apps Private And Secure? An Analysis

The online Burning Man is now underway, after the event decided way back in April that they would not hold an in-person gathering at the Black Rock Desert in Nevada. But it’s not really an online Burning Man — it’s actually eight different online Burning Mans, all built by different groups of people outside the Burning Man Project. Some of these apps and ‘experiences’ require smartphone access, others require a VR headset, and some just a simple web browser. But many of these apps were put together in just a few months, and they vary in their privacy policies, potential security risks, and whether they require third-party tech tools like Zoom, Second Life, Twilio, or others.

We read all eight virtual Burning Man app and website privacy policies, from beginning to end, so you don’t have to. We were impressed to find that most of these were thorough, detailed, and showed great ethics toward the handling of personal data. But we did see some issues.

MULTIVERSE

The app called Multiverse is developed by a commercial company named Clipo Labs. It only works on a smartphone or VR headset, with no desktop browser access. So there’s no way to avoid surrendering your phone’s camera, microphone, and location access, among who-knows-what-else. It also accesses all your contacts, as the Multiverse privacy policy says “When you let us access your device phonebook, we may share information about you with other users who have your phone number in their device phonebook,” though it adds, “we will not display your phone number to these users.”

It also says “We may share information about you with business partners.” But a Multiverse representative responded to us that they only shared “registration data with the Burning Man Project,” and that people could opt out of the data-sharing with an email request.

The Burning Man communications team did not respond to a request for confirmation of this.

Build-A-Burn

You’ll notice immediately upon visiting Build-A-Burn that it requires camera and microphone access, even on a web browser. The creators did this on purpose. “In order to connect people together, we allow you to video chat. This allows for more ‘playa-dipity,’ if you will,” Build-A-Burn co-creator Dylan Jones told us. “We didn’t focus on graphics, we didn’t focus on crazy 3D worlds, what we focused on was the people.”

The platform’s privacy policy is one of the most robust and ethical we have ever read. “We’re using distributed technology called WebRTC that makes all of the video chats completely encrypted, and end-to-end,” Jones said. “We can’t actually look at or hear your video or audio. Unlike Zoom, which has your video data being scanned by machine learning to detect nudity, and then passed through servers in China and then stored, your video on Build-A-Burn is completely browser-to-browser. It’s peer-to-peer. So that means your browser is just connecting to another person’s browser, we’re not really even in the middle of your video.”

“It doesn’t require you to know how to play a video game, it’s not 3D and complicated and requires WASD keyboard movement, or a fancy expensive VR headset,” he added. “It works for everyone.”

THE BRIDGE EXPERIENCE

There’s a similar video chat structure at The Bridge Experience, a “mixed virtual reality experience” that only works in the Chrome browser on your desktop, but works on any smartphone. It will not operate without camera and microphone access. 

But it does not use a homegrown tool; it uses a third-party voice and video platform called Twilio. The Bridge Experience privacy policy notes that they do “not monitor, record or store the audio,” though “if your microphone and camera are on, [the creator] Ozone Universe receives and relays those streams to other users in the scene via our partner Twilio.”

There are circumstances where you could be recorded, but the creators insist that “there will be a ‘recording’ icon indicating that the scene owner (presenter, host, instructor etc…) is recording.”

BRCvr

BRCvr is a virtual reality platform that we explored last week. It does require a VR headset installed with something called AltSpaceVR. To their great credit, when contacted by BrokeAssStuart.com, the creators quickly changed language in their very thorough privacy policy to remove references to any possible sale of personal information.

“Our attorney wanted to make it as broad as possible because we were a brand new company,” BRCvr chief culture and community officer Athena Demos told us. “It is in compliance with both the California Consumer Privacy Act as well as the EU General Data Protection Regulation, and so she took those two and put them together and created our privacy policy.”

“But I want to be very clear that at this time we do not sell anybody’s personal information, nothing that they give us whatsoever. And we have no intention to,” she said. “We are not going to commodify peoples’ personal data.”

BURN2

This is only available on the Second Life platform, and BURN2 has been around for years. So if there were ever any security issues, they’ve probably been worked out by now. BURN2 itself does not have a privacy policy, but Second Life creator Linden Lab (which is not affiliated with BURN2) did elaborate to us on their privacy policies.

“There are a number of security standards which apply to Second Life and our sister service Tilia,” said Linden Lab senior director of marketing Brett Atwood. “We have undergone audits and high scrutiny from the regulatory processes in all 50 states, and each state has a website that details more specifics on their security requirements and other clearances which we passed in order to gain those licenses. For example, New York is among the most stringent, and Texas largely relies on California’s criteria. We are the only operating virtual world platform to have successfully gone through this full regulatory review process – which also requires ongoing audits and scrutiny to maintain these licenses.”

SPARKLEVERSE

You do have to buy a ticket on Eventbrite ($1 minimum) to get into the Sparkleverse. But if you have any kind of Bay Area social life, Eventbrite certainly has your email and credit card number already.

Sparkleverse has a polished and easy-to-understand privacy policy, and a representative explained their security practices to us in great detail. “We have done our best to ensure the platform is solid through careful technology selection, judicious use of permissioning, thorough testing before release, and code review. Every line of code in the platform has been seen by me on its way in, and I’ve made sure no secrets leaked to the code,” the representative told us.

“We rely on Firebase Authentication to provide us a well-designed, secure platform on which to build our authentication UX. Our data is homed in the US. Our backend also makes use of the best parts of AWS, Twilio Video, and Zoom – all equally well-funded companies with their own significant investments in infosec, bug bounty programs, etc.” They add that “We have access logs which allow us to audit in the event of a breach.”

INFINITE PLAYA

There is no privacy policy articulated on the Infinite Playa website, which appears to still be a work in progress as of Tuesday afternoon. We were not able to pull any streams up on the free streaming section, and their “Interactive Paid Experience” section is not yet live.  

MYSTICVERSE

Mysticverse is also not yet live (the website says “Hang tight as we continue to construct our playground” as of Tuesday afternoon). There is no privacy policy on their website, and it is unclear what technologies the experience will use.

No judgement, it is perfectly normal for a Burning Man project to be nowhere-near-complete on Tuesday afternoon of Burn week. And even those that are already up at full speed may have been thrown together on the fly, in four months or less, with a ton of threat vectors to take into account. They may not be perfect, and the third-party plug-ins could falter through no fault of the creators. (This year’s online Lightning in a Bottle was reportedly Zoom-bombed pretty hard.) But some very ethical people have put enormous amounts of work into a first-time experiment that could yield amazing results for the future.

“What new opportunities does this allow?” Build-A-Burn’s Dylan Jones said. “Does this allow somebody that couldn’t afford a plane ticket, or somebody who isn’t able-bodied or couldn’t make it out to the playa, to maybe just get a little taste of what Burning Man might be like?”

Joe Kukura- Millionaire in Training

Joe Kukura is a two-bit marketing writer who excels at the homoerotic double-entendre. He is training to run a full marathon completely drunk and high, and his work has appeared in the New York Times and Wall Street Journal on days when their editors made particularly curious decisions.