As VR headset adoption grows, privacy issues could emerge
Head and hand motion data gathered from virtual reality (VR) headsets could be as effective at identifying individuals as fingerprints or face scans, research studies have shown, potentially compromising user privacy when interacting in immersive virtual environments.
Two recent studies by researchers at the University of California, Berkeley, showed how data gathered by VR headsets could be used to identify individuals with a high level of accuracy, and potentially reveal a host of personal attributes, including height, weight, age, and even marital status, according to a Bloomberg report Thursday.
Demand for VR headsets has grown significantly in recent years, as increasingly powerful devices become available at lower prices. Sales of VR and augmented reality (AR) headsets are forecast to hit 10 million this year, according to IDC analysts, and reach 25 million in 2026.
Despite backlash against the concept of a so-called metaverse, large tech companies such as Meta, Apple, and HTC continue to invest tens of billions of dollars into the development of VR and AR devices annually in a bid to push mainstream adoption.
Devices contain a range of cameras and sensors that can track body, eye, and facial movements. These serve as inputs for VR software applications, enabling users to interact with virtual environments. Data is processed on a device, but may also be shared to external servers, software applications such as games, and virtual meeting platforms — leading to the risk of personal data being leaked.
One study, published by the UC Berkeley authors in February, examined how motion data generated in VR devices can be used to “uniquely identify” an otherwise anonymous user.
The study involved data collated from more than 55,000 user accounts on Beat Saber, a popular rhythm-based VR game that has sold millions of copies since launch. Researchers analyzed public data from 2.5 million game recordings using machine-learning algorithms and were able to identify individuals from a pool of 50,000 with a 94% accuracy rate using just 100 seconds of head and hand motion data.
It's been known for decades that motion data can be used to identify individuals, but the UC Berkeley researchers claim this is the first study to show the scale of the threat to privacy. The wider adoption of VR headsets and games such as Beat Saber now offer access to a much larger dataset than earlier studies, which relied on much smaller groups of participant — the largest being 511 users, researchers said, referencing a 2020 study.
“This work is the first to truly demonstrate the extent to which biomechanics may serve as a unique identifier in VR, on par with widely used biometrics such as facial or fingerprint recognition,” the research paper states.
The difference is that facial and fingerprint recognition are not required to access existing internet services, the researchers note in a PDF document related to the studies, whereas motion data is a “fundamental part” of how AR and VR devices work and must be shared with “a variety of parties to enable metaverse experiences.”
Another study, published in June, involved a survey of more than 1,000 participants who answered a range of questions about 50 attributes involving personal background, demographics, behavioral patterns, and health information. The results showed that more than 40 could be “consistently and reliably” inferred when machine learning and deep learning algorithms were applied to motion data generated by Beat Saber players.
The purpose of the study was to demonstrate that “a wide variety of personal and privacy-sensitive variables can be inferred from head and hand motion,” the researchers said. The findings should serve to highlight the “urgent need for privacy-preserving mechanisms in multi-user VR applications.”
Although many people are accustomed to data harvesting on existing internet platforms, there’s little awareness of privacy concerns in immersive virtual environments, the researchers contend — and a lack of available tools to preserve anonymity.
Privacy challenges are hardly new, but AR/VR devices and virtual environments present a new frontier.
“As we’ve seen, increased digitization introduces new risks in exposing private information,” said Tuong Nguyen, director analyst at Gartner. As well as creating customized experiences for users, VR headset data can also be “reconstructed into a behavioral profile – another, highly detailed vector of private information,” Nguyen said.
“As they are worn on users’ faces, VR headsets are inherently intimate,” said Leo Gebbie, an analyst at CCS Insight. Increasingly sophisticated devices “see what a user sees thanks to external cameras and can track users’ movements and behaviors, thanks to their array of sensors,” he said. “This clearly generates questions around user data and privacy, as this is arguably a more invasive form of wearable technology than anything we have seen before.”
As adoption grows, VR headsets vendors are already working to address privacy concerns. That includes“limiting how much biometric data is available to third-party applications, processing and keeping additional tracking data on device, anonymizing and aggregating any shared data, etc,” said Nguyen.
The issue of user privacy will become “hugely important” to the VR industry, said Gebbie. “We’re already seeing companies gear up their efforts to get ahead of concerns here.”
Gebbie cited Apple’s upcoming Vision Pro headset, which includes 12 cameras, five sensors and six microphones, but “will keep vital user data such as eye-tracking and iris scans fully encrypted and on-device, to assuage the concerns of users.
“I expect to see this become a more significant area of focus for rivals like Meta, which will also be keen to show it respects user privacy,” he said.
In a recent interview, Meta’s product lead for Horizon Workrooms platform discussed the company’s commitment to user privacy on its premium Quest Pro device.
In recent years, various VR headset vendors have shifted attention to enterprise use cases, where adoption rates remain low. To date, business uses have largely involved employee training and remote assistance, though vendors hope VR will eventually be used for workplace collaboration and productivity, too.
Data privacy concerns could lead to resistance from employees, said Gebbie. “Employees may feel as though VR headsets are an invasion of their privacy, especially as many people now work flexibly and may resist the idea of bringing a device with multiple cameras and sensors into their home,” he said.
The ability to identify individuals via motion tracking data could present a variety of problems. For instance, it could prevent the separation of work and personal profiles, the UC Berkeley researchers said.
“Consider a public figure who regularly uses a VR system with their corporate credentials to hold meetings and do professional work. In the evening, they log on with a different account to play multiplayer VR games (where they might not behave in the most professional way), and later in the evening, they use a third account for adult VR experiences,” the researchers said.
“Most people in this situation would reasonably prefer that the service providers not be able to tie these accounts together. As it stands, the user’s unique motion patterns would allow any observer (or group of colluding observers) to quickly link all of these accounts to together.”
Users of smartphones and cloud services have shown a remarkable willingness to swap privacy for convenience in the past. The same may hold true for VR.
“Once upon a time, employees may not have wanted a smartphone from work, as this device also has cameras, microphones and makes people more contactable outside of working hours; but this has been gradually normalized as a behavior,” said Gebbie. “VR may follow a similar path, where there could be some initial resistance, which relaxes over time.”
From a business perspective, data privacy risks are so far limited, given the muted enterprise adoption of VR to date. “Enterprise VR usage is still nascent,” said Nguyen. “There are both privacy and security concerns, but at the moment the small scale somewhat mitigates the potential risk.”
As an example, he said, rolling out six smartphones compared to a company-wide roll-out means differing levels of risk.
“There’s risk in both, but the magnitude of the latter changes increases the risk substantially in a non-linear way,” he said.