The hidden risk of virtual reality – and what to do about it

virtual reality 19

(Credit: Unsplash)

This article is brought to you thanks to the collaboration of The European Sting with the World Economic Forum.

Author: Jessica Outlaw, Director, Outlaw Center for Immersive Behavioral Science, Concordia University & Susan Persky, Head of Immersive Virtual Environment Testing Area, National Human Genome Research Institute


It seemed like a game when Riley first started the virtual reality (VR) maze. He used a room-scale setup, so by physically walking around his living room, he could solve puzzles and visit different parts of the virtual maze. His friends were networked into the game, so even though they were in their own living rooms, when Riley turned his head he could make eye-contact with them. He could even give them virtual high-fives – slapping avatar hands gave him the sensation of haptic feedback from his controller.

What Riley didn’t know was that the startup that created this game had decided to sell its users’ tracking data. Riley also didn’t know that a 20-minute VR game session recorded 2 million points of data about his body movement, and that an insurance company was one of the customers buying the game data. A month after playing the game, Riley was turned down for a new life-insurance policy. Given his excellent health, he couldn’t understand why. Several appeals later, the insurance company disclosed that Riley’s tracking data from the VR maze game revealed behavioral movement patterns often seen among people in the very early stages of dementia. Later, Riley’s sister, who had not played the VR maze game, was also rejected for life and long-term care insurance policies, as dementia tends to run in families.

This is a hypothetical situation, but the science of using movements tracked in VR to predict dementia, and the technology to do so, are very real. Currently, there are no standards or regulations as to how this data is collected, used or shared.

Virtual and augmented reality (VR and AR) biometric tracking data – micro-movements of head, torso, hands, and eyes – can be medical data. It can diagnose or predict anxiety, depression, schizophrenia, addiction, ADHD, autism spectrum disorder and more about a person’s cognitive and physical function. Because VR and AR applications can detect changes over time in these disease-linked states, developing successful therapeutic interventions will be possible.

The issue here, though, is the unintended consequences that arise when such medically-relevant data is fed into users’ psychometric profiles. Such profiles may start out as relatively harmless, merely predicting when someone might be getting ready to buy a new car. However, sprawling psychographic profiles with medical inputs could leave people vulnerable to the type of scenario outlined above.

Anonymizing VR and AR tracking data is nearly impossible because individuals have unique patterns of movement. No person throws a ball exactly the way that someone else does. Using gaze, head direction, hand position, height, and other behavioral and biological characteristics collected in VR headsets, researchers have personally identified users with 8 to 12 times better accuracy than chance.

In one study where researchers collected data at 95 time points in VR, they could identify an individual with 90% accuracy. Just like zip code, IP address, and voiceprint, VR and AR tracking data should be considered potential ‘personally identifiable information’ (PII) because it can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information.

This is an issue that professionals in the medical research world have been grappling with for decades. Researchers have shown that health and medical information like DNA sequences, medical records, and health research data stripped of names and other identifying information, can be traced back to individuals by combining this data with other publicly available data sources. Unlike medical data, however, data collected by VR technologies is currently unregulated, and how it is collected, used and shared is not monitored by any external entity.

In late 2018, VR and AR privacy policy professionals representing major players in hardware and software, as well as experts from academia and non-profits, were invited to attend a privacy summit at Stanford University to review the risks of this technology and to ideate potential solutions. The main areas of concern raised were loss of freedom, harm to reputation, and decrease in access and opportunity due to online identities becoming inseparable from offline ones.

 

VR and AR data misuse could cause people to lose control of their identity and how they choose to present themselves to employers, insurers and others. There was special concern for the vulnerability of children who may be tracked using this technology from a young age and who are not capable of consenting to these risks.

Summit attendees generated a range of solutions that could be employed to protect user privacy, which were subsequently voted on. Some recommendations were:

· Limiting the collection of biometric data by VR and AR devices, either by disallowing collection of raw data, or automatically deleting the data after a defined period to eliminate the possibility of longitudinal data collection

· Explicit communication of the data policy (what’s being collected and how it being used) in plain, clear language

· Not limiting access to an experience based on who opts-in to data collection, and never making opt-in the default setting

· When data policies change, all users should be asked to opt-in again; consent should not be grandfathered through multiple iterations of a company’s privacy policy

· Awareness that acquisition is a weak spot in privacy policy – if one company is acquired by another, user biometrics should not be transferred to the purchasing company without re-consenting users

One solution rose to the top at the summit: the adoption of a system similar to the institutional review boards (IRBs) that exist in universities, medical centers and companies across the world. A traditional IRB reviews researchers’ proposals to ensure that when research participants consent to become part of a research study, the study is conducted in an unbiased way that preserves their autonomy, and that the risks of their participation are minimized. Unlike more general tech advisory boards, IRBs are independent by definition, with diverse membership, and are focused on ethics, justice and respect for those who are the source of research data.

We believe that an IRB model can be successful in the context of VR and AR because potential harms are relatively well-understood, and possible solutions (for example, requiring clear, prospective user consent to data use activities) align with existing IRB approaches. The hope is that this type of review model will be adopted industry-wide for VR and AR. One way it could work is for a centralized group of experts to review the privacy policies of each company. Their role would be to assess the risks to users of each company’s data collection, storage, and usage policies. This independent board would be responsible for identifying the magnitude and probability of harm and recommend steps that can be taken to minimize potential harm to the user.

IRBs were borne out of an unfortunate history of unethical scientific research in which people were unfairly injured, particularly those from disadvantaged backgrounds. Although AR and VR are relatively new consumer technologies, we perceive that the current industry is heading toward an experiment in human behaviour with the potential to harm.

Our proposal is to create an independent voice in VR and AR that advocates for the protection of users. In turn, we believe that these protections will draw more consumers to immersive technology. A significant amount of testing, iteration and refinement would be needed to make a review board strategy viable. Given the correct level of execution, we are optimistic about the potential for this solution to make VR and AR a truly user-friendly technology.

Advertising

Advertising

Advertising

Advertising

Advertising

Advertising

the sting Milestone

Featured Stings

Can we feed everyone without unleashing disaster? Read on

These campaigners want to give a quarter of the UK back to nature

How to build a more resilient and inclusive global system

Stopping antimicrobial resistance would cost just USD 2 per person a year

Spread of polio still an international public health concern

EU-US to miss 2015 deadline and even lose Germany’s support in TTIP’s darkest week yet

EU-Turkey deal on migrants kicked off but to who’s interest?

A Sting Exclusive: “Digital and mobile technologies are helping to achieve an economic success in Spain”, the Spanish Secretary of State for Telecommunications and Information Society Víctor Calvo-Sotelo reveals to the Sting at Mobile World Congress 2015

Climate change hits the poor hardest. Mozambique’s cyclones prove it

The world is a book and those who do not travel read only one page

Guterres hails historic Convention banning violence and harassment at work

The sad plight of fledging doctors

4 ways Africa can prepare its youth for the digital economy

How to provide health education and thus create better health systems

Boris to end up in jail if he loses the next elections?

ECB offers cheaper money despite reactions from Germany

Brexit mission impossible: Theresa May was so desperate that had to appoint Boris Johnson as Foreign Secretary

North-east Nigeria displacement crisis continues amid ‘increased sophistication’ of attackers, warns UN

Most US students aren’t learning about climate change. Parents and teachers think they should

MWC 2016 LIVE: Mobile World Congress shows off planes, trams and automobiles

The IMF overstates the risks for Eurozone and downgrades the threats for the US economy

This AI outperformed 20 corporate lawyers at legal work

Three scenarios for the future of geopolitics

“BRI cooperation is entering a new stage: we need a new and more constructive approach rather than waste time on suspicion”, China’s Ambassador to EU Zhang Ming underlines live from European Business Summit 2019 in Brussels

2 trillion drinks containers are made every year – so where do they go?

It’s time to end the stigma around mental health in the workplace

MWC 2016 LIVE: Zuckerberg warns mobile industry not to ignore the unconnected

China Unlimited – The chinese tourism in Lisbon

Sudan: ‘Violence must stop’, says UNICEF chief, ‘gravely concerned’ over 19 child deaths since military backlash

Lessons from the Global Entrepreneurship Index

The European Commission and EU consumer authorities publish final assessment of dialogue with Volkswagen

GSMA Announces New Speakers for Mobile 360 Series – MENA, in association with The European Sting

COP25: Developing nation’s strike hard

More international support needed to curb deadly measles outbreak in DR Congo

MEPs back plans to promote water reuse for agricultural irrigation

EU budget: Commission proposes most ambitious Research and Innovation programme yet

European Innovation Scoreboard 2018: Europe must deepen its innovation edge

Free flow of non-personal data: Parliament approves EU’s fifth freedom

MWC 2016 LIVE: Industry looks to reduce mobile gender gap

UN chief calls for ‘far greater support’ for Cyclone Idai response

IMF asks Europe to decide on bank resolutions and the Greek Gordian knot

Break taboo around menstruation, act to end ‘disempowering’ discrimination, say UN experts

Why home is the least safe place to be a woman

Why the merchant ships can pollute the atmosphere with CO2 quite freely

The Fourth Industrial Revolution is redefining the economy as we know it

5G will change the world – but who will keep it safe?

6 things to know about the General Assembly as UN heads into high level week

UN postal agency ‘regrets’ US withdrawal

Politicization of migrant ‘crisis’ in Hungary making them scapegoats, independent UN human rights expert warns

UN chemical weapons watchdog adds new powers to assign blame, following attacks

Korea should adapt its migration programmes to ensure continued success in the face of expected challenges

Europe is now practically divided as in the Cold War

Scientists in Sweden are studying the climate-cooling effects of spruce forests

After swallowing effortlessly the right to be forgotten time for Google Ads now to behave

Yemen update: UNICEF chief condemns attack in Taiz that claims lives of seven children

Can the banking union help Eurozone counter its imminent threats?

UN chief welcomes new Government in Lebanon, after eight-month impasse

Who is culpable in the EU for Ukraine’s defection to Russia?

Three ways batteries could power change in the world

Forced pregnancy in Italy violated ‘woman’s human right to health’, UN experts rule

Fragile countries risk being ‘stuck in a cycle of conflict and climate disaster,’ Security Council told

How trade tariffs could help combat climate change

COP21 Breaking News_04 December: Building a Sustainable Future – speech by UNEP Deputy Executive Director Ibrahim Thiaw at the LPAA Thematic Event on Buildings

Uncovered liabilities of €5 billion may render EU insolvent

More Stings?

Speak your Mind Here

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s