08 Feb The data challenge for extended reality
Extended reality is rapidly gaining ground yet security and privacy are proving to be barriers to adoption. Dr Ryad Soobhany, Associate Professor in the School of Mathematical and Computer Sciences, Heriot-Watt University Dubai, looks at concerns around data collection in this new environment.
The extended reality (XR) market is expanding rapidly every year, with adoption in the gaming, education, manufacturing, and healthcare sectors among others. But, concerns around privacy and how data is collected and used could be holding XR back from reaching its full potential.
XR is what users experience when interacting with immersive technologies such as VR (Virtual Reality), AR (Augmented Reality) and MR (Mixed Reality). VR operates in fully digital environments with the use of VR headsets, AR provides a view of the physical environment with an overlay of digital elements, and MR is the blending of the physical world with virtual elements with interaction between the two environments. But to make this all happen, data needs to be collected – and alongside that there are issues of transparency and how that data is used.
A growing industry
According to Fortune Business Insights, the global virtual reality market is predicted to grow from $6 billion in 2021 to over $80 billion by 2028. In the UAE, the XR industry amounted to an overall revenue of $81.61 million in 2021 and is estimated to more than double to $175.34 million by 2027 – according to a recent report by Statista.
This year, tech giants including Sony, Panasonic and HTC rolled out an unprecedented number of immersive technology-based products during CES (Consumer Electronics Show) – one of the most influential tech events worldwide. The products presented were more user-friendly in terms of software resolution and size of hardware, which would enable better adoption by end-users in everyday life. The GITEX (Gulf Information Technology Exhibition) 2022 event held in Dubai in October presented similar extended reality applications from exhibitors. The advent of the ‘metaverse’, a virtual network of 3D digital environments where users can interact (play, work, socialise) like in the physical world, further extends the possibilities of XR.
Breaking down barriers
However, despite the rapid rise of XR and as with any unproven technology, security and privacy are proving to be a barrier to adoption from some consumer sections. Extended reality applications can collect private information about the user and their activities – to a greater extent than social media for example – to emulate their presence in the virtual world. For a metaverse to operate, tech companies might require the biometric information and location of users to track their interaction in the metaverse. All the data collection and sharing are creating legitimate unease among users.
Privacy issues
Most XR applications require personal data from the users to provide the optimum experience. To enable user profiling activities, pervasive data collection derived from XR sensing such as hand/eye movements, biometric features, auditory sensing and EEG for brain activity can be used for biometric identification. Furthermore, some VR headsets contain sensors and cameras that can track head movements and can monitor user positions and environment in real-time, for tracking users. These can raise privacy concerns since users are unable to control how much information they can reveal about themselves. The use of XR in virtual offices can lead to snooping on employees by managers and in the case of a security breach, confidential user data can be leaked which can lead to social engineering and impostor attacks.
Apart from data directly collected from users, there is associated data, where information collected does not directly identify a user or provide personal details such as IP addresses or personal IDs, but when combined with other related data could expose users to the risks of phishing and hacking. This includes addresses and data included in in-app purchases and micro transactions such as payment information.
Another issue is bystander privacy, where world-facing XR sensors, such as microphones and cameras, can capture details of bystanders who have no opportunity to provide informed consent for the capturing of their data. Most of the time bystanders are not even aware their data is being captured and shared.
Counteracting privacy issues
Most immersive technology platforms are being more transparent about how they collect and distribute data and allow users to control what they share and how they share. Many companies provide stronger access control such as combining a fingerprint with login and two-factor authentication. Research is being conducted into video sanitisation by removing people from video feeds and replacing them by avatars, where the privacy of bystanders can be protected.
Data protection of users, like data sharing and storage, are being improved by using encryption-based techniques and secure multi-party computation, which allows computation of data from two or more users without everybody being aware of each user’s data. This will enable the protection of user interactions, e.g. collaborations and private and public interactions. Blocking third parties from stealing information is equally important in making users feel safe in using the technology.
Knowledge is power
It is vital that users are educated so that they are aware of the type of data that can be combined to avoid exposing their private data and themselves. AR/VR companies are also working on notifying users when this data is being combined so they can choose whether to provide consent. However, disclosure and clear guidelines about how data is used might prove helpful to users. In addition, researchers from Duke University describe a system called EyeSyn that makes analysing a person’s eye movements easier than ever before. Instead of collecting huge amounts of data directly from human eyes, the researchers trained a set of ‘virtual eyes’ that mimic real eye movements.
Pace of change
According to the Information Technology and Innovation Foundation (ITIF), the trouble with privacy policies is that innovation happens much faster than policymaking. There is always a conflict between mitigating privacy concerns and risking overregulation and hindering innovation. However, the answer is hardly simple. Operating in a 3D world gives access to a user’s behaviour, looks, age, location, and other sensitive information. With the increased reliance on the virtual world in general – not only extended reality – privacy has also become a greater concern. Since big companies were themselves victims of misuse of information and cyberattacks, it is more important than ever that individuals are aware of how to protect their data. In addition, laws introduced on a national and global level providing guidelines on data protection practices will be essential in this process.
For example, the UAE has announced the Personal Data Protection Law, which came into effect in January 2022. It is the first federal law to be drafted in partnership with major technology companies in the private sector. Globally, there are some legislations in place addressing the use of extended reality, however much of the challenge lies in implementation. With increased attention to the issue and as the use of this technology becomes more regular, regulation is expected to become more effective.