‘Reality Dawns’ - New Frontiers in Data Privacy


Virtual reality (VR) and augmented reality (AR) are new immersive technologies that create distinct experiences by merging the physical world with digital or simulated reality. The terms are often used interchangeably, but there are differences between them. The key difference is “Augment” versus “Virtual”!

Immersive Technology and Data Collection 

Immersive technology is in a nascent stage but adoption of virtual reality across the globe has been widespread and its potential growth is very clear.

 

However, this immersive technology cannot function unless it collects vast amounts of data from users, data that can be classified as personal and sensitive.

 

Data Collected by AR/VR Technologies: 

Pupil dilation, Eye tracking, gaze, gait analysis, body movements, voice, fingerprints and IRIS rate. According to research, twenty minutes of VR use can generate approximately two million data points and unique recordings of body language. 

A detailed understanding of how AR/VR functions throws light on how this immersive technology captures data from the human body that goes beyond the existing definition of Personally Identifiable Information (PII) or Sensitive Personal Data (SPD).

According to this article published in the ACM Digital Library, AR/VR technology can identify users with a very high degree of accuracy. Needless to add, if AR/VR systems are compromised, they pose serious dangers to users through invasion of privacy.

 

New Technology, New Challenges 

What if? 

  • A doctor monitors patients’ vital signs through an AR watch during telerobotic surgery. 
    A compromised AR system can manipulate patient information, creating a life-threatening condition for the patient.

  • Data collected or leaked from an AR/VR environment can potentially be used to blackmail users for a ransom. 

  • A user is coaxed to walk into a high-security zone with the help of AR games like Pokemon Go, thereby revealing damaging details about a secure facility.

 

According to the statistic below, the number of users adopting AR/VR technology in their day-to-day life is growing with time. Just like the present-day dangers of sharing personal information on social media, the sharing of AR/VR data will pose a threat far beyond our current understanding.

Let us review some hypothetical but potentially dangerous scenarios when AR/VR systems are compromised.


What about security?

As with any fast-growing consumer technology, security is typically an afterthought. With growing adoption of AR/VR technologies, we will soon see challenges similar to those that arose when mobile phones became ubiquitous. Bring Your Own Device (BYOD) became the buzzword, and enterprises scampered to protect their environments from such devices by introducing mobile security technology.

The use of Immersive Technology is growing day by day. It will be an integral part of life in the coming years.

  • End-users: End-users may not be completely aware of the type of data they are sharing while enjoying an immersive technology experience, or of its subsequent misuse. User education and awareness around the potential dangers of such technology and its misuse will be required.

  • Enterprises: Enterprises that wish to use this technology will face challenges in protecting the vast amount of personal data collected from these technologies. Enterprises will be required to implement privacy by design and stringent security measures.

  • Regulators: AR/VR systems were not contemplated by lawmakers while designing many privacy laws. They do not fit directly within existing legal definitions of biometric data. Regulators have to broaden the definition of personally identifiable information and its protection measures.

 

We at SecureGrid firmly believe that the widespread use and adoption of such technology in enterprises will pose serious challenges to regulators, law enforcement and data privacy advocates in defining clear laws and regulations around the operational use of such technology.

Organizations will need to maintain their security posture while staying ahead of the curve in adopting new technology.

We also firmly believe that organizations' use of this technology and of the data it generates will have to be audited according to data privacy regulations such as ISO or GDPR.

Enterprises and end-users would be well advised to understand the potential dangers such technologies pose for data privacy, confidentiality and misuse.

We are always there to help organizations deal with Cybersecurity challenges. Get in touch.