What makes VR/AR privacy concerns different from existing privacy concerns?
“What makes VR/AR privacy concerns different from existing web/mobile/IoT privacy concerns?”
After all, today data brokers collect and sell information on our locations, and more. Browsers and smartphones passively collect data. Employer surveillance software (aka bossware) and smart home devices like Ring doorbells have the capacity to track us during the day. The sensors, cameras, and microphones around us today can feel creepy.
However, there’s also the potential for Virtual Reality and Augmented Reality (hereafter XR) devices to be more invasive. Privacy concerns will be amplified by additional datastreams, including biometric data.
To begin with, there’s only minimal data protections in place in the U.S. to regulate the collection, storage, or sharing of data that is collected on people through consumer products. While certain states have specific privacy laws, the U.S. Congress has only a draft of privacy legislation.
It’s unclear when that privacy legislation will pass, and exactly how it may change data collection and usage practices. Also, it’s worth considering how the government has been benefiting from buying data from data brokers for its own objectives:
- The CDC bought data from SafeGraph, a data broker, during the pandemic to determine if people were following lockdown orders (Cox, 2022).
- The IRS and Homeland Security have bought data from Digital Envoy, another data broker, for identification and tracking purposes (Fang, 2022).
In the absence of laws that regulate data, it continues to be collected and used in ways that surprise and unnerve people:
- Companies installing bossware on computers to spy on work from home employees (Corbyn, 2022),
- A crisis hotline using sensitive and personal data in their for-profit spin-off (Levine, 2022),
- A religious publication using location data to out a gay priest (Cox, 2021).
In this richly monitored data environment, The Extended Mind’s 2021 consumer privacy survey found that 18% of people reported feeling like their privacy had been violated by how their data was being used and 28% (n=283) of people said there were products or services they refused to use due to privacy concerns (Outlaw, 2021). With data being sold to data brokers, and almost anyone being able to buy that data if they wish, it makes sense that feelings of violation and distrust are on the rise. It’s even driving people to take privacy into their own hands. Eighty-seven percent (n=879) of people reported using online privacy or security services such as VPNS, ad blockers, or do not call lists and 50% (n=505) reported paying for the service they were using (Outlaw, 2021).
What data will XR devices use?
XR devices will collect a lot of the data we are used to having collected on us, such as location data, browser histories, etc. But it will also collect new kinds of data such as eye movement, pupil dilation, and facial muscle tracking.
The sensors unique to XR devices are continuous, passive, and ego-centric, which means that they will perpetually monitor and track the user as they wear the device. And these sensors will no longer focus solely on the results of activities (browsing, locations, etc.), they will examine the user as they perform the activity and monitor their physiological responses. And as Brittan Heller has discussed in her paper Watching Androids Dream of Electric Sheep: Immersive Technology, Biometric Psychography, and the Law, these types of data could be used to make inferences about what users like based on their responses to various stimuli (imagine algorithms analyzing your sexual orientation). Lastly, anonymizing and de-identifying this data in meaningful ways poses an extraordinary challenge. (Lomas, 2019).
XR might also use sensors that collect galvanic skin response, electroencephalograms (EEGs), electromyography (EMGs), or electrocardiograms (ECGs). Data from these sensors could also play into determining user’s interests, but could also be profitable when sold to health insurance companies, who in a worst case scenario could raise premiums based on whether or not they had detected warning signs for underlying health conditions in your data.
The sensors on XR devices will capture increasingly personal data and call into question the right to mental privacy or neuro-rights. If XR data is used to analyze your mood or mental health, makes assumptions about your sexuality, or tracks your attentiveness at work, is that a fundamental violation of your privacy?
Or, what if your AR glasses are constantly scanning new environments that you visit? And identifying people, shapes, and more and then storing that information on the cloud? How will public and private locations you visit be impacted by having 3D maps created and stored somewhere they cannot access? How will they be made aware that those maps exist and what they are being used for?
These are the questions the industry needs to reckon with before these devices become widespread. In the interest of promoting discussion of sensitive data issues, The Extended Mind drafted 7 Metaverse Privacy Principles about what privacy will look like in an immersive future.
Resources
Cox, J. (2022, May 3). CDC Tracked Millions of Phones to See If Americans Followed COVID Lockdown Orders. Vice. https://www.vice.com/en/article/m7vymn/cdc-tracked-phones-location-data-curfews
Cox, J. (2021, July 21). The Inevitable Weaponization of App Data Is Here. Vice. https://www.vice.com/en/article/pkbxp8/grindr-location-data-priest-weaponization-app
Corbyn, Z. (2022, April 27). ‘Bossware is coming for almost every worker’: the software you might not realize is watching you. The Guardian. https://www.theguardian.com/technology/2022/apr/27/remote-work-software-home-surveillance-computer-monitoring-pandemic
Fang, L. (2022, February 18). IRS, Department of Homeland Security Contracted Firm That Sells Location Data Harvested From Dating Apps. The Intercept. https://theintercept.com/2022/02/18/location-data-tracking-irs-dhs-digital-envoy/
Klosowski, T. (2021, September 6). The State of Consumer Data Privacy Laws in the US (And Why It Matters). Wirecutter: Reviews for the Real World. https://www.nytimes.com/wirecutter/blog/state-of-privacy-laws-in-us/
Lapowsky, Issie. (2022, June 6). This federal privacy bill is a huge deal. https://www.protocol.com/newsletters/policy/federal-privacy-law-introduced?rebelltitem=10#rebelltitem10
Levine, A. S. (2022, January 28). Suicide hotline shares data with for-profit spinoff, raising ethical questions. POLITICO. https://www.politico.com/news/2022/01/28/suicide-hotline-silicon-valley-privacy-debates-00002617
Lomas, N. (2019, July 24). Researchers spotlight the lie of ‘anonymous’ data. TechCrunch. https://techcrunch.com/2019/07/24/researchers-spotlight-the-lie-of-anonymous-data/
Outlaw, J., Carbonneau, S., et al. The Extended Mind. (2021). “Don’t Track My Life:” Virtual and Augmented Reality Consumer Data & Privacy Survey.
