By: Soniya Shah
Virtual reality (VR) simulates environments and allows users to interact in those environments. The technology is embraced by many corporate entities, such as the healthcare sector for use in training or the aerospace industry, which uses VR for flight simulation. Virtual reality is also popular with consumers who use it in video games. Games like Pokémon Go allow a player to walk around searching for virtual characters in their real-world surroundings. Most users access the environment through an interface, which is usually a headset the user wears during the interaction. The virtual reality and augmented reality industry was valued at $26.7 billion in 2018 and is expected to increase to $814.7 billion by 2025. Such a valuable industry is likely to be a target for privacy and security concerns.
Many devices connected to the Internet of Things, which includes virtual reality devices, are likely to have been designed and developed without security protocols in mind. Of course, many emerging technologies raise questions about the privacy of the user, especially when that is not a key design question. The main concern is that VR companies have a whole new level of access because the programs access the video and audio feed of a user’s surroundings. Many of the privacy policies state that information will be shared with third parties.
Many VR devices also track biometric data – movements of the body including the head, hands, and eyes. This data can be medical data. What happens if that information falls into the lap of an insurance company who uses it to make determinations about medical coverage? The issue is that the unintended consequences of doing something fun have very real, potentially damaging consequences when third parties have paid for access to that information.
As security and privacy concerns form, developers are now making devices that have a private mode feature that prevents the device from recording data while you are using it. The burden falls on users to choose devices that incorporate such a feature if they want to keep their information safe because there are no laws regulating the devices. Users should also be cognizant of privacy policies and check to see what data companies are releasing and what permissions are given away when you agree to use a VR device. There are also potential implications because many VR companies use cloud technology, which the users never interact with. There may be different terms of service between a VR company and the cloud provider.
Regulations are likely necessary now but the law tends to move slower than the pace of new technology. To protect users, regulations should limit the amount of biometric data VR devices can collect, either by deleting it immediately or not allowing its collection at all. Further, it is critical that VR companies provide their users with explicit information regarding the type of information they collect and who – including third parties – has access to that information. If a data policy changes, all users should be required to opt-in again. User awareness is ever-critical in an era where security and privacy are afterthoughts.