Feds eye virtual reality as the next privacy and security battleground

At the Federal Trade Commission’s annual PrivacyCon this week, a top regulator and outside experts zeroed in on digital risks posed by the nascent virtual reality industry.

The Federal Trade Commission’s marquee PrivacyCon event Tuesday focused on the latest developments in automated decision-making systems, commercial surveillance, and other consumer privacy and security concerns.

But one cutting-edge privacy and security arena stood out at the daylong virtual event: Virtual reality (VR) and augmented reality (AR).

“VR and AR are both essentially still in beta without a clear business model,” FTC chairperson Lina Khan said. “But that hasn’t stopped some of the world’s biggest technology firms from investing billions. Enforcers and regulators shouldn’t wait until a new sector matures before thinking about the issues it could raise.”

Khan added that “the FTC is already taking steps to ensure that we’re fully abreast of the issues emerging in these emerging sectors before problematic business practices have time to solidify.”

PrivacyCon brings together an array of officials, academics and industry groups to unpack the latest trends and research into data security. This year’s event arrived days after the FTC announced a crackdown on alcohol delivery company Drizly and its CEO over a 2018 data breach that exposed the personal information of about 2.5 million customers. Greater FTC scrutiny of VR and AR technologies could spell trouble for tech giants like Meta that have already invested heavily in the technologies.

At PrivacyCon, Rahmadi Trimananda, a project scientist at the University of California, Irvine, shared findings of a study he and his co-authors published last year that warns about privacy and data security risks as users move to virtual digital worlds. The team at UC-Irvine developed OVRSEEN, a methodology and system for collecting, analyzing, and comparing network traffic and privacy policies on Oculus VR (OVR), the top platform in the VR space.

Using their system, the researchers captured and decrypted network traffic of 140 popular OVR apps and extracted data flows from the traffic. They found that the data types exposed by VR apps include personally identifiable information, device information that can be used for fingerprinting and VR-specific data types.

After analyzing the extracted data flows, the researchers found that approximately 70% of OVR data flows were not adequately disclosed in the apps’ privacy policies and that 38 apps did not have privacy policies, including apps from the official Oculus app store. They also found that 69% of the data flows were used for purposes unrelated to the core functionality of apps.

They further found that 70 of the apps were sending 21 different data points to third-party destinations, including Oculus owner Meta (which also owns Facebook), cross-platform game engine Unity, and social and analytic domains. Notably, 58 apps exposed VR sensory data, such as physical movement and play area captured by gyroscopes, curves, proximity sensors, and accelerometers, to non-app parties. The researchers did not find data exposure to advertising services because ads on OVR are still experimental, and their sample size was not large enough.
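As an added illustration (not OVRSEEN's code, which the page does not reproduce), a small Python consistency check of the kind the study describes: data flows observed in decrypted traffic are compared against each app's policy disclosures, and VR sensory data leaving the developer's own servers is flagged. App names, hosts, data types and policies below are constructed samples.

```python
from dataclasses import dataclass
from collections import defaultdict

@dataclass(frozen=True)
class Flow:
    app: str        # app package name
    data_type: str  # e.g. "device_id", "hand_tracking"
    dest: str       # destination host seen in the decrypted traffic
    party: str      # "first" (developer), "platform" (Oculus/Meta) or "third"

VR_SENSORY = {"hand_tracking", "head_pose", "play_area"}
# Constructed sample flows standing in for OVRSEEN's extracted data flows
FLOWS = [
    Flow("com.example.rhythm", "device_id", "api.rhythm.example", "first"),
    Flow("com.example.rhythm", "head_pose", "analytics.unity.example", "third"),
    Flow("com.example.rhythm", "email", "graph.oculus.example", "platform"),
    Flow("com.example.rooms", "play_area", "telemetry.social.example", "third"),
    Flow("com.example.rooms", "device_id", "telemetry.social.example", "third"),
    Flow("com.example.nopolicy", "hand_tracking", "cdn.engine.example", "third"),
]

# Constructed policy disclosures: app -> set of (data_type, party); a party of
# "any" covers all recipients; an app missing from the dict has no policy.
POLICIES = {
    "com.example.rhythm": {("device_id", "any"), ("email", "platform")},
    "com.example.rooms": {("device_id", "third")},
}

def classify(flow, policies):
    """'no_policy', 'disclosed' or 'undisclosed' for one observed flow."""
    disclosed = policies.get(flow.app)
    if disclosed is None:
        return "no_policy"
    if (flow.data_type, flow.party) in disclosed or (flow.data_type, "any") in disclosed:
        return "disclosed"
    return "undisclosed"

def undisclosed_share(flows, policies):
    """Fraction of flows whose app has a policy that omits that data type/recipient."""
    covered = [f for f in flows if f.app in policies]
    bad = sum(classify(f, policies) == "undisclosed" for f in covered)
    return bad / len(covered) if covered else 0.0

def sensory_exposure(flows):
    """Map app -> destinations receiving VR sensory data outside the developer."""
    out = defaultdict(set)
    for f in flows:
        if f.data_type in VR_SENSORY and f.party != "first":
            out[f.app].add(f.dest)
    return dict(out)
```

On the constructed sample, 40% of policy-covered flows are undisclosed and three apps send sensory data to non-developer hosts; on a real capture the same two functions give the per-app figures the study reports in aggregate.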


Although apples-to-apples comparisons are difficult to make given the technological differences between VR and non-VR apps, Incogni, a firm that deals with data brokers on behalf of users, studied the privacy and security practices of the top 1,000 paid and unpaid apps available on the Google Play Store. It found that Meta apps such as Facebook, Facebook Lite, Messenger Lite, Messenger, and Instagram claim they share only four data points with third parties but collect 36 data points. The worst offenders in Incogni’s study were shopping apps; on average, these apps share 5.72 data points per app.

Biometric data is the next big VR concern

“In the real world, the sensors on the device may collect body in motion data on top of our data collected as well as personally identifiable information,” Trimananda told PrivacyCon attendees. “The services that are coming can be immersive using sensors and biometrics information. In short, VR is the next big thing [in privacy and data security], but the implications are not well understood yet.”

Virtual reality is no doubt a booming segment of the tech sector. Given a push by housebound users during the pandemic, the worldwide market for VR and AR headsets grew 92.1% year over year in 2021, with shipments reaching 11.2 million units, according to IDC. The market intelligence firm predicts that headset shipments will grow 46.9% year over year in 2022 and experience double-digit growth through 2026.

Trimananda told README that the sharing of physical movement data is one of the study’s most important findings. “On the one hand, these are needed for them to make the game or the app function correctly. Of course, they have to track everything,” he said. “But on the other hand, they can be a privacy issue. Because then the company, which is Meta, knows everything about you, about me.”

As VR technology advances, the sheer amount of data, particularly biometric data, that companies like Meta collect from users will mushroom, making it all the more important to put privacy policies in place up front. For example, Meta just released its latest VR headset, Meta Quest Pro.

Meta Quest Pro “is putting a lot more sensors on your face so they can detect the facial expression,” Trimananda says. “The reason for this is that they want to make the avatars more realistic. They promise that they’re going to process the data locally so that it’s not going to be a privacy issue, and they’re going to send the processed data up to their cloud. That’s a problem because I don’t think there’s a clear boundary between raw and processed data and how much processing there would be before it gets sent to the cloud.”

Even though VR headset sales are growing at a booming pace, it’s unclear how quickly users will flock to the more immersive VR experiences that make up the “metaverse,” including nascent offerings from Meta and other firms. Meta, for example, predicted that its flagship metaverse offering Horizon Worlds would reach 500,000 users by the end of 2022 but, in October, was forced to revise that figure downward to 280,000. Horizon Worlds actually lost 100,000 monthly active users from February to October, slipping from 300,000 to under 200,000.

Privacy policies fall short

The UC-Irvine researchers found VR app developers don’t consistently mention the massive amount of data shared with Meta, Unity or other platforms. They contacted the developers of the 38 apps that failed to mention this data sharing in their privacy policies, and 24 developers thanked the researchers and said they would change their policies. They also disclosed their findings to Meta but said Meta did not respond. (Meta did not respond to a request for comment from README.)

“Our recommendation is that as an app developer, you should know the third-party libraries you’re using in your app,” Trimananda says. “And you have to mention everything, all of them.” The privacy policies should say, “hey, we’re using Unity as our game engine. Please check their privacy policy. We’re using Meta as our platform. So read their privacy policy.”