Concerns with Privacy in Virtual Reality
by Simran Bhatia | February 26, 2021
Jamie was only 13 when she started playing her first game in Virtual Reality (VR). She loved it because she was able to create her own avatar, do virtual fist bumps with people from across the world, all while just wearing a headset and some haptic clothes. However, Jamie didn’t know that her “just 20 minute” VR game session was recording 2 million data points about her. She also didn’t know that the owners of the game that she was playing were selling her data to health insurance companies. Years later, when Jamie went to apply for health insurance, she was turned down because her body movement in VR data classified her as having high likelihood for chronic pain regional syndrome. While this is a made up situation, this is the power of data collected through VR. As of 2021, there are no regularizations or standards for data collected through VR which is scary because the VR market will hit $108 billion this year.
With the VR field expanding into a range of different fields, from healthcare to entertainment, there is high concern of the privacy of data being collected in this field. More different applications for VR means a diverse portfolio and volume of data being collected on each user, and currently with no regulation.
What is VR?
Virtual Reality (VR) is a technology that creates simulations of environments, and enables users to interact in these environments, through different devices. In the past, industries such as aerospace and defense have used VR for training and flight simulation purposes, but more recently, it has become an avid gaming tool, especially in the post-pandemic world. It has been pitched as the next great communications platform and user interface.
What does privacy in AR/VR mean?
As said, with great power comes great responsibility, the fascinating technology of VR brings with it an unprecedented ability to track body motions and consequently collect data on it’s users. Research has shown that the identifiability of users under VR, with specific tasks, the system was able to identify 95% users correctly when trained on less than 5 minutes of tracking data per person. Another research shows that with combined data of eye-gaze, hand position, height, head direction, biological and behavioral characteristics, there is 8 to 12 times better accuracy of identifying users, as compared to chance.
With each individual’s unique patterns of movement, anonymizing VR tracking data is nearly impossible, at least so far. This is because no person has the same hand movement as another. Similar to IP address, zip code and voice print, VR tracking data should be considered as “personally identifiable information” because it can be used to trace an individual’s identity. This type of data is similar to data in health and medical research, such as DNA sequence, which even when stripped of names and other identifying information, can be traced back to individuals through simple compilation with other public data sources. The reason of concern is that unlike medical data, VR tracking data is currently unregulated on how it is collected, used and shared, as it is not monitored by any external entity.
With Oculus dominating the hardware space in the VR industry currently, another area of concern was Oculus’ announcement that it will require a Facebook account for all users. This means that users are forced to accept Facebook’s Community Standards, which means that users can no longer remain completely anonymous on their device and that Facebook will own all VR tracking data along with their social media data, through Facebook, Instagram and Whatsapp. This puts Facebook, as a company, on having monopoly on most parts of a users’ data.
Another privacy threat is posed by the setup of VR devices, with densely packed cameras, microphones and sensors that collect data about a users’ environment. This environment can be a users’ home, office, or community space which is getting exposed, as well.
What can be done in the future?
Privacy in VR will depend on concrete action now, not just through one person or organization, but instead as a community driven action. VR enthusiasts and technology reviewers need to prioritize privacy-conscious practice, and encourage the community to take actions towards regularization of the VR tracking data. VR developers need to take steps to ensure that they make their work transparent, yet secure. Most importantly, industry leaders need to introduce unique principles for monitoring and creating transparency on each part of the VR data process – collection, aggregation, processing, analysis and storage with utmost importance and security. As an industry practice, only data necessary for core functionality of the VR device or it’s software should be collected; moreover, each data point collected should be purposeful and companies should be transparent about the sensitive functionality of the data they collect.
The next step’s responsibility lies on the shoulders of VR users. Users need to be more aware about what they are giving consent to, when they sign up for VR games or other applications. Novice users, like Jamie, need to read the current Terms and Conditions for each part of the VR process and raise their voices to the industry if they are not comfortable with the data that they collect. Users need to be aware of their rights with the VR tracking data now, or else it might be too late.
Bailenson, J. (2018). Protecting Nonverbal Data Tracked in Virtual Reality. JAMA Pediatrics, 172(10), 905. https://doi.org/10.1001/jamapediatrics.2018.1909
Erlich, Y., Shor, T., Pe’er, I., & Carmi, S. (2018). Identity inference of genomic data using long-range familial searches. Science, 362(6415), 690–694. https://doi.org/10.1126/science.aau4832
Oculus. (2020, August 27). Facebook Horizon Invite-Only Beta Is Ready For Virtual Explorers | Oculus. Oculus Blog. https://www.oculus.com/blog/facebook-horizon-invite-only-beta-is-ready-for-virtual-explorers/
Pfeuffer, K., Geiger, M. J., Prange, S., Mecke, L., Buschek, D., & Alt, F. (2019). Behavioural Biometrics in VR. Proceedings of the 2019 CHI Conference on Human Factors in Computing Systems, 1–12. https://doi.org/10.1145/3290605.3300340
The Yale Tribune. (2019, April 12). VR/AR Privacy Concerns Emerging with the Field’s Development. https://campuspress.yale.edu/tribune/vrar-privacy-concerns-emerging-with-the-fields-development/
Miller, M.R., Herrera, F., Jun, H. et al. Personal identifiability of user tracking data during observation of 360-degree VR video. Sci Rep 10, 17404 (2020). https://doi.org/10.1038/s41598-020-74486-y
Diez, M. (2021, January 29). Virtual Reality Will Be A Part Of The Post-Pandemic Built World. Forbes. https://www.forbes.com/sites/forbesrealestatecouncil/2021/02/01/virtual-reality-will-be-a-part-of-the-post-pandemic-built-world/?sh=a08553348ded