New research has uncovered some worrying findings regarding user privacy in Meta’s Virtual Reality (VR) ecosystem, the Metaverse; more specifically, that you don’t really have any.
Graduate researcher Vivek Nair led a team at the University of California, Berkley, in the largest VR study (opens in new tab) of it kind at the Center for Responsible Decentralized Intelligence (RDI (opens in new tab)), analyzing user interactions with VR to determine the levels of privacy.
Most alarming of all, it appears that minimal information is required to pinpoint the individual identities of users, making the preservation of anonymity a real challenge – if Meta and other VR firms are even interested in providing this.
Kinetic fingerprints
When it comes to VR and privacy, previous studies (opens in new tab) have focused on the myriad of cameras and microphones within them, that can recognize faces, voices and the surroundings of the user. Looking forward, privacy advocates are also worried about the emergence of advanced brain scanning technologies that can be incorporated within headsets.
But, as the UC Berkeley research shows, none of that is even needed to reveal someone’s identity – all that’s needed is simply the movement data of the user’s head and hands.
Over 50,000 subjects were studied, with over 2.5 million VR data recordings associated with them when playing the VR game Beat Saber, which requires near-constant movement from the hands and sometimes the head.
With only 100 seconds taken from this motion data, individuals could be uniquely identified with a staggering 94% accuracy, by using advanced AI analysis. What’s more, over half could be identified with only two seconds worth of data.
This means that people’s movements can be used as a unique identifier, much like a fingerprint. However, as some have pointed out, this movement data may actually be more accurate than a fingerprint, with most common devices (opens in new tab) able to correctly identify an individual out of less than 1500 others.
Moreover, such VR data can also be used (opens in new tab) to determine the dominant hand, height and even gender of the user with a high degree of accuracy. Combined with yet more data that VR systems generally collect (opens in new tab), and you have a real problem with being able to maintain any sort of privacy whatsoever.
If the Metaverse does expand to the point that Meta hopes it will, then the issue of preserving privacy will be greatly magnified. For instance, if online shopping is conducted in VR, then the store will be able to tell how you are just by how you move around its virtual shop floor.
VentureBeat (opens in new tab) spoke to Nair about the issue, and said that the problem is “the streaming of motion data is a fundamental part of how the metaverse currently works.”
Some solutions have been put forward to prevent the abandonment of user privacy in VR. One is to obfuscate the motion data as it travels to external servers. However, this would mean the introduction of noise, which could hamper the precision of VR headsets and controllers in detecting user movement, which would be a problem for games like the aforementioned Beat Saber which require these to the utmost.
Another is to enforce regulation that prevents Meta and other companies from collecting this data, but getting this through would not be easy, given how entrenched big tech companies are in harvesting all sorts of user data.
The Berkeley researchers are also looking into techniques that could be used to maintain user privacy by masking uniquely identifiable movement data without compromising the precision and effective operation of VR devices.