Study identifies privacy risks in the metaverse • The Register

Experts concluded that more thought – or at least some thought – should be given to protecting privacy in the promised metaverse of connected 3D virtual reality worlds.

In a paper distributed via ArXiv, titled “Exploring Unprecedented Privacy Risks in the Metaverse,” boffins at the University of California at Berkeley in the US and the Technical University of Munich in Germany tested an “escape room” virtual reality (VR) game to better understand how much data a potential attacker can access.

Through a study of 30 people using virtual reality, the researchers – Vivek Nair (UCB), Gonzalo Munilla Garrido (TUM) and Dawn Song (UCB) – created a framework for assessing and analyzing potential privacy threats. They identified more than 25 examples of private data attributes available to potential attackers, which would be difficult or impossible to obtain from traditional mobile or web applications.

The wealth of information available through augmented reality (AR) and virtual reality hardware and software has been known for years. For example, a 2012 article in new world described Ingress, an AR game from Google subsidiary Niantic Labs, as a “data goldmine.” This is why monetization companies like Meta are ready to invest billions to make the market for people-hugging devices and AR/VR apps more than just plain sad for tech enthusiasts with no use of the trunk.

Likewise, issues of trust and security in online social interaction have plagued online services since the days of modems and bulletin boards, before web browsers became a thing. Now that Apple, Google, Microsoft, Meta and other players have found an opportunity to recreate Second Life guarded by their own gates, corporate advisory firms are once again reminding clients that privacy will be an issue.

“Advanced technologies, particularly in virtual reality goggles and smart glasses, will track behavioral and biometric information at a standard scale,” explains Everest Group in its latest report, Taming the Hydra: Trust and Safety in the Metaverse.

“Currently, digital technologies can capture data related to facial expressions, hand movements and gestures. Hence, personal and sensitive information that will leak through the metaverse in the future will include factual information about the user’s habits and physiological characteristics.”

Not only is privacy an unresolved metaverse issue, hardware security also leaves something to be desired. A related recent study of AR/VR devices, “The Security and Privacy Assessment of Popular Augmented and Virtual Reality Technologies,” found vendor sites full of potential vulnerabilities, their hardware and software lacking multi-factor authentication, and their privacy policies unclear.

The escape room study enumerates the specific data points available to attackers of various types – hardware, client, server, and user adversaries. It is noteworthy that the “attacker”, as defined by the researchers, includes not only third parties that pose a threat, but also the participants and the companies running the show.

Possible data points identified by the researchers include: geospatial measurements (height, arm length, interpupillary distance, and room dimensions); device specifications (refresh rate, tracking rate, resolution, field of view of the device, GPU, and CPU); network (bandwidth, proximity); and behavioral observations (languages, handedness, voice, reaction time, near vision, distance vision, color vision, cognitive acuity, and physical fitness).

From these metrics, various inferences can be made about a VR participant’s gender, wealth, ethnicity, age, and disabilities.

The paper concludes that “the alarming accuracy and secrecy of these attacks and the push of data-hungry companies into metaverse technologies suggest that data collection and inference practices in virtual reality environments will soon become more pervasive in our daily lives.”

“We want to start by saying that these ‘attacks’ are theoretical and we have no evidence that anyone is actually using them currently, although it would be very difficult to tell if they are,” Nair and Munilla Garrido wrote in an email to The Register. “Also, we use the term ‘attacks’ as a technical term, but in reality, if this data-collection process were to be published, the consent would likely be buried in an agreement somewhere and theoretically be above all.”

However, the researchers say there is reason to believe that companies investing in the metaverse do so at least in part because of the expectation that aftermarket advertising will offset losses such as the $12.5 billion spent by Meta Reality Labs last year to earn just $2.3 billion in revenue.

“Now, assuming a company of this size knows how to calculate a bill of materials, this loss-leading approach should be a strategic decision that they think will ultimately pay for it,” Nair and Munilla Garrido argued. “And if we look at who these companies are, and what revenue methods they have already mastered, we suppose it would be at least somewhat tempting to use these same methods to offset hardware losses. But again, that is guesswork.

“All of our research shows that if a company wanted to do data collection, they could get a lot more information about users in VR than they could get from, say, mobile apps, and that pivoting toward VR would make perfect sense in this context.”

When asked if current privacy rules adequately address metaverse data collection, the two replied that they thought so, unless those rules only pertain to mobile apps.

“But we face a unique challenge in terms of metaverse applications, where there is a plausible reason to broadcast this data to central servers,” they explained. “Essentially, the metaverse apps work by tracking all your body movements and streaming all of that data to a server so that you can make a representation of yourself to other users around the world.

“For example, while a company might struggle to argue that tracking your movements is required for their mobile application, it is actually an integral part of the metaverse experience! At this point, it is much easier to argue that records about it need to be stored for exploration bugs, bug fixes, etc. So in theory, even if the same privacy laws apply, they can be interpreted in very different ways because the underlying data needs of the platform are different.”

Nair and Munilla Garrido acknowledge that some of the 25 or so collectible traits they identified in their research can be acquired through cell phones or other online interactions. But metaverse apps are a one-stop shop for data.

“We have a situation where all of these categories of information can be collected simultaneously, within a few minutes,” they explained.

“And because you need to combine multiple attributes to make inferences (e.g., length and sound to infer gender), having all of these data collection methods in the same place and at the same time is what makes VR uniquely able to infer user data attributes with high accuracy.”

They claimed that the sheer volume of information available through the metaverse is enough to de-anonymize any VR user. They argue that this is not the case for apps or websites.

They told The Register that the purpose of their paper is to highlight the broad privacy risks of augmented/virtual reality and encourage other researchers to seek solutions.

A screenshot of MetaGuard in a virtual reality world

They already have one in mind: a plugin for the Unity game engine called MetaGuard. The name indicates the source of the privacy threat.

“Think of it like a virtual reality stealth mode,” Nair and Munilla Garrido wrote. “It works by adding noise, using a statistical technique known as differential privacy, to some VR tracking measurements, so that they are no longer accurate enough to identify users, but without significantly affecting the user experience. Like incognito mode in browsers, it is something that users can switch on and off and adjust as they like depending on the environment and their level of confidence.”
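As an added illustration of the idea described above (not MetaGuard's code and not part of the article), this sketch applies Laplace noise, the standard differential-privacy mechanism, to a streamed height measurement. The class and function names, the epsilon value and the 1.4 to 2.1 m bounds are assumptions; the noise is drawn once per session because fresh noise on every frame can be averaged away by whoever receives the stream.

```python
import random

def laplace(scale, rng):
    # The difference of two i.i.d. exponentials is Laplace(0, scale).
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)

def clamp(x, lo, hi):
    return min(max(x, lo), hi)

class SessionNoise:
    """Hypothetical per-session privacy filter for streamed body measurements."""

    def __init__(self, epsilon, bounds, rng=None):
        self.epsilon = epsilon      # privacy budget per attribute (assumed value)
        self.bounds = bounds        # attribute -> (lo, hi) in metres (assumed)
        self.rng = rng or random.SystemRandom()
        self._reported = {}

    def reported(self, attribute, true_value):
        """Noisy value, drawn once and then reused for the whole session."""
        if attribute not in self._reported:
            lo, hi = self.bounds[attribute]
            scale = (hi - lo) / self.epsilon          # sensitivity / epsilon
            noisy = clamp(true_value, lo, hi) + laplace(scale, self.rng)
            # Clamping the output is post-processing and keeps the guarantee.
            self._reported[attribute] = clamp(noisy, lo, hi)
        return self._reported[attribute]

    def head_y(self, true_head_y, true_height):
        """Rescale one frame's headset height so the stream implies the noisy height."""
        return true_head_y * self.reported("height", true_height) / true_height

def per_frame_noise(true_value, scale, frames, rng):
    """Weak variant: fresh noise on each frame, which an observer can average out."""
    return [true_value + laplace(scale, rng) for _ in range(frames)]

def mean(xs):
    return sum(xs) / len(xs)

if __name__ == "__main__":
    rng = random.Random(7)          # seeded only so the demo is repeatable
    true_height = 1.83              # constructed sample value, in metres
    weak = per_frame_noise(true_height, 0.7, 20000, rng)
    print("per-frame noise, averaged:", round(mean(weak), 3))
    f = SessionNoise(epsilon=1.0, bounds={"height": (1.4, 2.1)}, rng=rng)
    frames = [f.head_y(true_height, true_height) for _ in range(20000)]
    print("session noise, averaged:  ", round(mean(frames), 3))
```

The per-frame variant averages back to roughly the true height, while the session-consistent stream averages to the noisy value and never reveals the real one.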

Here's hoping metaverse privacy is that simple. ®