Rohini Gupta


10 Nov, 2023

Step into the captivating world of Virtual Reality, where your wildest dreams and most fantastical adventures come to life in the blink of an eye. Recent years have seen a meteoric rise in the popularity and diverse use cases of VR devices. From heart-pounding gaming experiences to immersive virtual tours of inaccessible locations, from cutting-edge medical and space training to a glimpse of your dream getaway without leaving your living room, VR has truly expanded our horizons.


But, as we don our VR headsets and venture into these digital wonderlands, there’s a hidden side to this immersive technology that goes beyond the thrill of the virtual experience. VR devices open up a new world of exciting possibilities and experiences, but they also come with their fair share of risks. One of the most pressing concerns in the realm of VR privacy is the startling revelation that data related to head and hand movements can be as effective at identifying users as other biometric markers like fingerprints or face scans, according to two recent studies, one by the University of California in Berkeley and another by a not-for-profit media group, Common Sense Media.


So why is this VR privacy risk a big deal, and whom does it impact? Well, it impacts the user whose privacy is invaded (we’ll get to the how and the why in a minute). VR privacy concerns also have a ripple effect on businesses that harness VR for advertising and marketing. The technology is hailed as a novel way for brands to connect with audiences that are increasingly hard to engage. However, it might not deliver on its potential if it treads the same privacy-invading path as targeted advertising, which is losing its charm due to its intrusive nature (90% of people studied by Hubspot Research find targeted ads bothersome). Imagine this now – “spending 30 minutes or more immersed in VR can create over 2 million unique data points, and newer VR headsets have increasing capabilities to collect even more types of intimate data.”


So, just how bad is VR’s rap sheet regarding privacy? And is there any way to fix problems around VR privacy?


Alarming findings around privacy

Numerous studies have uncovered significant potential for privacy breaches in VR technology. The study by the University of California in Berkeley, for example, said that “Research into VR privacy has demonstrated that a plethora of sensitive personal information is observable by various would-be adversaries from just a few minutes of data.”


The VR privacy risks study stated that attackers could breach user privacy by collecting and inferring enough information to reliably identify and profile a user across VR applications over multiple usage sessions. The study explained that potential attackers can:


1. Identify an individual when they can uniquely distinguish the user from others,
2. Profile users when they unwarrantedly attach information related to the user’s characteristics, including demographics, marital status, and preferences.


The UC study analyzed data collected from 50,000 gaming accounts on Beat Saber, a rhythm-based game somewhat reminiscent of the previously famous Guitar Hero. The researchers found that they could identify individuals with 94% accuracy. Here’s what’s baffling: They achieved this with a pool of 50,000 people and had only a little over a minute-and-a-half of head and hand motion data!


Another study around VR privacy risks by Common Sense Media, a not-for-profit media company, states that “VR technology is able to capture the conscious, unconscious, and constant broadcast of incredibly sensitive information from its users, such as where we look, how long we look, what our pupils are doing, whether our skin is perspiring or not, as well as minute fluctuations in skin color. In many cases, these automatic body responses and functions can betray our innermost thoughts and feelings that we may feel are private.”


The report by Common Sense Media cites the following findings:


1. Users are tracked from the moment they put on their VR device.
2. Sensitive data collected in virtual reality is shared with third parties for profit.
3. Privacy policies were unclear, or said sensitive data is used for targeted advertising, third-party marketing, and tracking purposes.


Meanwhile, here’s one tech giant that has often made headlines for its less-than-popular stance on safeguarding user privacy – Facebook (Meta). The company’s privacy policy has raised eyebrows as it openly acknowledges the collection and processing of data related to a user’s ‘physical environment, physical movements, and dimensions’ when they step into the ‘metaverse’ using their VR headsets or other mixed reality devices.


Cybersecurity and antivirus provider Kaspersky advises vigilance as it weighs in on the hot topic of VR privacy, saying: “A user’s privacy is at risk because [VR headsets] can see what the user is [seeing]. [VR headsets] collect a lot of information about who the user is and what they are doing – to a much greater extent than, for example, social media networks or other forms of technology.”


For example, VR systems can capture and transmit user finger-tracking data when entering a PIN. In a worst-case scenario, if a malicious actor were to intercept this data, they could exploit it to replicate the user’s PIN.


Here are some important considerations around VR privacy:

  • If VR headsets offer access to such data, what if a hacker were to gain access to the device itself?
  • What do companies who own this data use it for?
  • How are they securing it? Does it fall under GDPR (General Data Protection Regulation), legislation that updated and unified data privacy laws across the European Union (EU), or any of the other privacy frameworks, like India’s Personal Data Protection Bill (PDPB), China’s Personal Information Protection Law (PIPL), or Canada’s Digital Charter Implementation Act?
  • Is the data sold or shared with third parties?


Taking the concerns a notch higher is the possibility that aside from gaining tremendous amounts of sensitive data, these loopholes in how VR headsets operate also open users up to plausible attacks.


Kaspersky highlights the unintended consequences of VR privacy risks. They caution against potential social engineering attacks, illustrating the point with a vivid example: Hackers could distort users’ perception of reality through fake signs or displays to lead them into performing actions that benefit the hackers. Look at it this way – Machine learning and VR tech can mimic voices and videos to make them look like genuine footage. These imitations can seamlessly integrate into a user’s VR experience, leading them to make security errors or divulge sensitive information unknowingly.


Meanwhile, Common Sense Media highlights some possible side effects of high-volume usage: “Researchers have demonstrated that media-rich VR environments can create unique opportunities to influence users’ behavior, encourage riskier choices, increase prolonged use, and implant false memories.” (Everyone knows what happened on 2 October. #DrishyamMovie)


VR headset companies are taking notice and making changes, but the onus of caution is on users.


So, are researchers and cybersecurity experts like Kaspersky the only ones sounding the alarm on VR privacy risks? Or will it take a legal battle initiated by a disgruntled consumer or business to drive home the need to plug the gaps in VR privacy threats? Fortunately, VR privacy gaps are starting to be tackled by industry and regulators alike, at least to some extent.


For example, Apple’s upcoming Vision Pro headset, which includes 12 cameras, five sensors, and six microphones, will, according to the company, “keep vital user data such as eye-tracking and iris scans fully encrypted and on-device, to assuage the concerns of users.” In other words, Apple has specifically named VR privacy as a product benefit, which could prompt other brands to ensure they match up.


In addition, GDPR does cover some aspects of VR privacy around user data. However, these are far from airtight – they need clarification and extension to be considered adequate.


Nevertheless, market leader Apple’s move, coupled with existing references to VR privacy in compliance frameworks such as GDPR, marks a promising beginning. The impact of recent privacy fines tied to GDPR levies might (hopefully) serve as a compelling incentive for other players to follow suit.


Users can do their bit, too, by educating themselves, being skeptical of free versions, and consciously choosing options that value user privacy. Why should users be skeptical of free versions? Well, every business operates on some sort of profit model. As highlighted in the movie Social Dilemma – If you aren’t paying to use the product that they have invested in developing, they’re getting a return on their investment from other avenues – in other words, you are the product – they benefit by selling your data.


As the popularity of VR technology continues to soar, teenagers emerge as a substantial target audience, particularly in the realm of immersive gaming. However, while VR privacy regulations remain in flux, parents may proactively monitor how their children engage with VR headsets. Just as importantly, parents also may educate children about the potential risks that accompany this mesmerizing technology.


Conversely, businesses harboring a treasure trove of sensitive data bear the weight of their reputations and financial stability in the face of any potential breach. For them, prudence becomes paramount. Until the framework of VR privacy laws solidifies, businesses can opt for reasonable VR usage in their operations. Kaspersky suggests considering a virtual private network (VPN) as an additional layer of defense for safeguarding critical information.


The future outlook for VR headsets looks positive, but caution is the best bet in the current context.


In a world where the lines between the virtual and the real continue to blur, the revelations surrounding VR privacy concerns are both a wake-up call and a testament to the evolving landscape of technology. The capacity of VR headsets to identify users with astonishing accuracy, coupled with the lurking specter of social engineering attacks, may read like science fiction, but they are undeniably today’s reality.


Although there is a glimmer of hope with industry leaders like Apple vocalizing VR privacy as a user benefit, the onus of safeguarding our digital selves now rests on both business and non-business users alike. This translates to being conscious of what data is accessed and utilizing VR technology from reliable brands. Embracing safety precautions around VR privacy, even if it entails higher upfront costs, could be an investment rather than a spend in the digital future. The harmony between the wonders of the virtual world and the assurance of our privacy is a journey that, though challenging, is one we must embark upon together, forging a future where technology and security coexist seamlessly.
