Understanding Extended Reality Technology & Data Flows: Privacy and Data Protection Risks and Mitigation Strategies

This post is the second in a two-part series. Click here for FPF’s XR infographic. The first post in this series focuses on the key functions that XR devices may feature, and analyzes the kinds of sensors, data types, data processing, and transfers to other parties that power these functions. 

I. Introduction

Today’s virtual (VR), mixed (MR), and augmented (AR) reality environments, collectively known as extended reality (XR), are powered by the interplay of multiple sensors, large volumes and varieties of data, and various algorithms and automated systems, such as machine learning (ML). These complex relationships enable functions like gesture-based controls and eye tracking, without which XR experiences would be less immersive or unable to function at all. However, these technologies often depend on sensitive personal information, and the collection, processing, and transfer of this data to other parties may pose privacy and data protection risks to both users and bystanders. 

This post examines the XR data flows that are featured in FPF’s infographic, and analyzes some of the data protection, privacy, and equity issues raised by the data that is processed by these devices, as well as strategies for mitigating these risks.

Key risks include:

• Sensitive inferences: XR devices collect, process, and share large quantities of data about users’ bodies and environments. This data could be used to make inferences—whether accurate or not—about sensitive aspects of peoples’ lives, such as their sexual orientation or health conditions.
• Digital fingerprinting: Tracking users’ and bystanders’ bodies could allow for digital fingerprinting and the loss of anonymity in XR environments.
• Bystander data collection: Non-users in proximity to XR technology may be unaware that it is collecting and processing data about them, as well as for what purposes and with whom the technology is sharing this information.

Key mitigation strategies include:

• On-device processing and storage: Processing and storing data on a user’s device, as opposed to remotely on a processor’s server, to ensure that the data remains in the user’s hands and not accessible to others.

• Purpose limitation and data minimization: Limiting data collection, storage, and/or usage, including third-party use, to particular, specified purposes, and requiring data controllers to provide notice to or obtain consent from users if they plan to use this data for a different purpose. 
• Privacy-enhancing technologies (PETs): Certain technological innovations can also be useful tools for managing privacy risks. For example, advances in encryption and differential privacy can allow for privacy-preserving data analysis and sharing, and the use of synthetic data sets can alleviate concerns about data sharing or secondary data use.
• Bystander protections: Designing XR devices so that they ensure bystanders’ data is not unduly collected. This could include automatically blurring bystanders’ faces, or using a system of lights on a head-mounted display to signal to non-users the device is on and potentially collecting data.

II. Processing Large Volumes and Varieties of Sensitive Personal Data

XR technologies raise traditional privacy and data protection risks, but also implicates larger questions around surveillance, social engineering, and freedom of expression. As noted in the first blog post in this series, XR technologies require large volumes and varieties of data about the user’s body and their environment. Certain collection and use limitations may therefore be challenging or impossible to implement, since some of XR’s core functions require extensive data collection and processing. Now and in the future, XR technologies may also transfer data to other users and third parties, such as software companies, hardware manufacturers, and advertisers. While devices generally process raw sensor data on device, they may transmit raw or processed sensor data to an application and other parties for further processing to improve representations of virtual content or enable shared experiences. While these transmissions of data may improve a user’s XR experiences, they can also create new privacy and data protection risks for users and bystanders.

Eye tracking underpins many current and future-facing use cases, such as enhanced graphics, expressive avatars, and personalized content, but it may pose privacy and data protection risks to users. This is due to eye tracking data’s sensitive nature, its potential role in significant decisions affecting users, and the unconscious nature of the behaviors from which some of this data is derived. Organizations could use data related to pupil dilation and gaze to potentially infer information—whether accurate or not—about the user, such as their sexual orientation, age, gender, race, and more. Organizations may also use this data to attempt to diagnose medical conditions, such as ADHD, autism, and schizophrenia. Despite the sensitive nature of this data, users often lack the capacity to meaningfully control its collection or use. Without proper controls, this information may be further shared with third parties. This raises the likelihood of organizations using this data to inform major decisions about a user, which could have real-world impacts on XR users.

Sensors that track a user’s bodily motions may also cause harm due to their potential to undermine anonymity. The first post in this blog series analyzed how tracking a user’s position can enable functions like mapping the user’s space to help place virtual content. But this tracking could also be a means to digitally fingerprint users and individuals, including bystanders, especially given the volume and variety of data that XR devices gather and process. At the same time, this tracking data raises the same de-identification and anonymization concerns that exist regarding similarly granular non-XR data types, such as behavioral biometrics, historical geolocation, and genetic information. Digital fingerprinting may therefore undermine individuals’ ability to maintain anonymity in XR environments. This may discourage users from fully expressing themselves or participating in certain activities due to worries about retaliation.

III. Statutory Obligations 

It is unclear how well current legal protections mitigate the privacy risks posed by certain processing activities in the XR context. Whether or not bodily information like gaze and gait are covered by existing biometric regulations may depend on these laws’ definitions of biometric data. For example, under the EU’s comprehensive privacy law, the General Data Protection Regulation (GDPR), this type of data qualifies as “personal data” if it relates to an identified or identifiable person, such as a user or bystander. Thus, an organization that records, collects, assesses or uses this data in any other manner would be subject to GDPR obligations such as transparency, fairness, data minimization or storage limitation. 

Pursuant to the GDPR, “biometric data” includes personal data resulting from the specific technical processing of a person’s physical, psychological, or behavioral characteristics, and which allows for identification. Organizations are subject to heightened obligations under the Regulation depending on the purpose for which they process biometric data. Specifically, the GDPR prohibits organizations from processing such personal data, unless one of the permissible grounds strictly defined by the law applies. The Regulation defines biometric data to include only that which an organization could use for identification purposes. As described in FPF’s prior blog post, however, an organization may process eye and other bodily information for non-identification purposes, such as to debug applications or improve products . This raises questions as to whether the GDPR’s protections for sensitive data categories would always apply to these XR functions. Notably, even if this eye and other bodily information does not meet the “sensitive data” criteria, the rest of the Regulation would still apply to this data. Furthermore, European ePrivacy rules may apply to a user’s system that connects to or pairs with XR equipment.

Similar lack of certainty exists in U.S. law. For example, the Illinois Biometric Information Privacy Act (BIPA) applies to information based on “scans” of hand or face geometry, retinas or irises, and voiceprints. This definition of “biometric identifiers” does not explicitly cover the collection of behavioral characteristics or eye tracking. Whereas the GDPR may still apply to an organization that processes eye and other bodily information if it is personal data or qualifies as other sensitive data categories, BIPA may not apply at all. This highlights how existing laws’ protections for biometric data may not extend to every situation involving XR technologies. However, protections may apply to other special categories of data, given XR data’s potential to draw sensitive inferences about individuals.

IV. Bystander and Environmental Data

Bystanders’ privacy can also be impacted when XR devices and third parties collect and process sensor data. Some of the privacy and data protection issues affecting bystanders mirror the  privacy risks to XR users. However, unique notice challenges arise with respect to bystanders. Non-users in proximity to an XR user may be unaware that the device is collecting and processing data about them, as well as for what purposes and with whom the device is sharing this information. Like users, bystanders also cannot control the unconscious behaviors that provide the sensor data inputs for XR experiences. Even if a bystander generally understands that a device is collecting data about them, the unconscious nature of some behaviors means that bystanders may neither be aware of the behaviors nor specifically understand that a device is processing data about these behaviors. 

Bystander data could facilitate both use cases that are detrimental to a non-user’s privacy and decisions that negatively affect them. Future XR technologies will likely incorporate facial characterization or analysis technologies that can allegedly sense cognitive states or infer emotions—whether accurate or not—based on sensor data. Insights from these technologies could help organizations construct a portrait of the locations a non-user frequents, their interests, and medical conditions. 

IV. Strategies for Mitigating Risks

Organizations that provide XR technologies can implement a number of strategies to address the risks raised by XR data collection, use, and sharing. While no single intervention by itself mitigates all of these risks, some combination of strategies is likely to decrease risks and help minimize harms that may result. For instance, processing and storing data on a user’s device, as opposed to remotely on a processor’s server, helps ensure that the data remains in the user’s hands and not accessible to others. Organizations can also work to limit data collection, storage, and/or usage, including third-party use, to particular, specified purposes, and provide notice to or obtain consent from users if they plan to use this data for a different purpose. Companies should set policies and guidelines for third-party developers’ data practices, and monitor to ensure compliance with said policies.

Certain privacy-enhancing technologies (PETs) are useful tools for managing privacy risks. For example, advances in encryption and differential privacy can enable privacy-preserving data analysis and sharing, and the use of synthetic data sets can address concerns about data sharing or secondary data use. Another option is to provide greater user controls, allowing users to control the kinds of data collected about them—particularly sensitive data like eye tracking and facial expressions data—and with whom this data is shared. 

Some organizations have chosen to design XR devices so that they ensure bystanders’ data is not unduly collected, for instance by automatically blurring bystanders’ faces, or using a system of lights on a head-mounted display to signal to non-users the device is on and potentially collecting data.

Organizations using XR should be transparent about how they use and plan to use XR data, and publicly commit to guidelines and/or ethical principles. This could also include something akin to an institutional review board (IRB) to ensure compliance with these principles. Finally, organizations can build privacy into an organization’s culture and processes and create bodies like oversight boards to ensure privacy protections endure beyond other changes in mission and values.

V. Conclusion

The complex web of data, sensors, algorithms and automated systems, and parties that enable important and sometimes central XR functions also can raise privacy and data protection concerns. Devices and ML models may collect and process large volumes and varieties of sensitive personal data, over which users and bystanders may lack meaningful controls, and that other parties could use to make important decisions affecting these individuals. The disclosure of this data may also undermine user anonymity, which could discourage users from freely expressing themselves due to fears of retaliation. Providing bystanders with notice that communicates that a device is collecting data about them, let alone for what purpose and to whom the data is transmitted, is challenging and may not be possible. This creates difficulties related to obtaining affirmative express consent to data processing activities in XR, where consent is predicated on the individual being informed. There is also uncertainty about how existing laws interact with XR technologies, such as how body-based data fits within existing legal definitions of biometrics. The risks to users and bystanders outlined in this post underscore the importance—and, sometimes, challenge—of ensuring appropriate safeguards exist at the technical, policy, and legal level to mitigate against harms that may arise in this space.