虚拟现实的隐私担忧报告.docx

TableofContentsCorporateownership：Tometaverseandbeyond3Msskup:PersonsIpriv3cy811didentityrisks4Howwerateprivacy8Virtuslrealitydevicespecifications11222226303539464751SecurityResultsComparesecuritypracticesDatasharingUsersafetyAccountprotectionAdvertisements,marketing,andtrackingSoftwareupdatesThird-partyapplicationsVRRisksandHarmsWhatshouldPoIiCymakerSandregulatorsdo?54WhatshouldParentSandeducatorsdo?55Whatshoulddevelopersandmanufacturersdo?57IntroductionWhensuperheroesgathertoconferaboutsavingtheworld,it,susuallyprettyclearnotonlywhethertheywillprevail,buthow.Eachwillusetheirwell-knownandwell-testedsuperpowerstoengagewiththevillainsandbattleforwhatweknowisgoodandrightintheworld.However,tounderstandwhatjusticemeansinthestory,weneedtoknowwhowe,redealingwithinordertosetthingsright.Weneedtounderstandwhoistheantago-nistofourstory,andtoquicklystopwhateverschemestheyhaveinmindbeforetimerunsoutandit,stoolatetosavetheworld.Thisreporttellsthestoryaboutanemergingtechnologyusedbykidsandfamilieseveryday,andtheplotbehindthattechnologytotakeovertheworld.Butfortunately,it'snottoolate.Thisisastoryaboutallofus,andwejustsohappentobetheprotagonistsinthisparticulartimeandplacewhoarefightingforourfundamentalhumanrighttoprivacy.It,salsoastoryaboutwhatprivacymeansforeveryoneatapivotalmomentinthehistoryofhumankind,whenwehaveauniqueopportunitytoreflectandcometogethertodecidethefutureofprivacyofanemergingtechnology.Ifthisstorysoundsfamiliar,it,sbecauseyoumayhavealreadyhearditbefore.Ithasbeenpopularizedinbooks,games,andmediaculture,withrecentmoviesforkidsandteenslikeReadyPlayerOne, See Ready Player One (2018)： whereourheroWade(ParzivaI)declaresanall-outvirtualrealitywaronaprofit-seekingcorporation,calledtheSixers,forcontroloftheOasis.Intherealworld,thisplotsoundsalotlikeourcollectivefightfortherighttoprivacyandcontrolofthemetaversefromprofit-seekingcorporations.Otherpopularizedfilms,suchasRon,sGoneWrong, See Ron,sGone Wrong (2021): areeasilyanalogizedtocorporationssellingusourmust-havetechnology,includingmobiledevices,laptopcomputers,andvirtualassistants.TheMitchellsvs.theMachines See The Mitchells vs the Machines (2021)： For a synopsis, see https:/black-isthestoryofafamily,sfightagainstartificialintelligencerobotsthatdecidetotakeovertheworldforthebenefitofamonopolisticsocialmediacompany.Inanefforttoportraytheethicalquagmirethatisavirtualafterlife,theBlackMirrorepisode"SanJuniperow4andtheTVseriesUploadexplorewhowouldandwouldnotchoosethismodeofexistence,aswellasthecommercialpossibilitiesofsuchavirtualrealityuniverse.Butthesepopularizedmedianarrativesaremovingoutoftherealmofsciencefictionandintooursharedexperienceswithvirtualreality.Atthisverymoment,theantagonistsofourstoryarethesamecorporationssellinguscutting-edgevirtualrealitydevicesandimmersivevirtualrealityapplications.Thisnewimmersiveworldhasalreadybeengivenanamethemetaversewhichismeanttodescribeallthepresentandfuturevirtualrealitydevicesandapplicationsthatuserswillexperienceanddriveanewvirtualcreativeeconomy. SeeThe Metaverse and How We,ll Build It Together - Connect 2021: See Ball, M. (2022, July 18). The metaverse will reshape our lives. Let,s make sure it,s for the better. Time. 202 2-vol-2 OO-no-S-asia-europe-m id dle-east-a nd-africa-south- america-south-pacific. With virtual reality technology, wearing headsets in the real world allows people to interact almost seamlessly in the virtual world. While people are currently limited to using an avatar in VR, or part of one, the avatar is not wearing any sort of apparatus, and it appears to be "you." Similarly, augmented reality (AR) adds or supplements our existing reality with digital objects and digital object overlays in the real world. AR enhances our presence by augmenting reality, which while it still allows a user to stay in a real space and time, may collect personal information from users at an astonishing rate. Mixed or merged reality (MR) uses holographic lenses to converge VR andAR where virtual objects interact with real world objects and users can transition between completely immersive VR environments to augmented AR environments. Finally, extended reality (XR) is a catchall term to include all the different types of experiences in VR, AR, and/or MR.Thepromiseisthatthemetaversewillbeusedforsocialgoodandthatitwillbethenexteraofcomputing,followingtheadoptionofmainframes,personalcomputers,mobiledevices,andthecloud.Theimpactofthemetaverseisstillunknown,exceptthatitisintendedtoconnectpeoplewithvirtualrealitydevicestolimitless3Dvirtualexperiencesforthepurposesofentertainment,gaming,education,collaboration,andcommunication.Virtualreality(VR)technology For episode synopses, see httpse, Wikipedia. org/wiki/Upload_(TV_series).existsmostcertainlyinthepresent,ratherthansolelyinthefutureorasthesubjectofsciencefictionmovies,anditisalreadyamultibillion-dollarindustry. SeeAIsopJ. (2022, August 11). Virtual reality (VR) - statistics & facts. Statista. "There continue to be questions around the longevity and potential of the metaverse, with an extreme view regarding it as merely a rebranded gaming platform of little wider interest. We do not share that skepticism and believe the metaverse has the potential to be the next iteration of the internet.* McKinsey & Company. (June 2022). Value creation in the metaverse, https： /www.mckinsevcommediamckinseybusiness%20functions marketig%20and%20salesour%20insightsvalue%20creation% 20in%20the%20metaverseValue-creation-in-the-metaverse.pdf. JeromeJ., & GreenbergJ. (April 2021). Augmented reality + virtual reality： Privacy & autonomy considerations in emerging, immersive digital worlds. The Future of Privacy Forum.https:/fpf.org/wp-content/uploads/2021/04/FP F-ARVR-Report- 4.16.21-Digital.pdf.Thepotentialbenefits1!ofvirtualrealitycouldtransformdifferentsegmentsofsocietyincountlesspositiveways,similartohowpersonalcomputersandmobiledeviceshavechangedoureverydaylivesinwaysthatwereunimaginableevenjustafewdecadesprior. SeeAubrey, J. S., Robb, M. B., Bailey,)., & BaiIensonJ. (2018). Virtual reality 101: What you need to know about kids and VR. CommonSense Media, monsensemedia.org/sites/ default/files/research/report/csm_vrl01_final_under5mb.pdf; See also Bailey, J.0, & BaiIensonJ. (2017). Considering virtual reality in childrens lives. Journal OfChiIdren and Media, 11:1, 107-113. Heller, B. Carr Center for Human Rights Policy, Reimagining Reality: Human Rights and Immersive Technology, https:/carrcenter.hks.harvard.edu/files/cchr/files/ccdp_2O2O- 008_brittanheller.pdf.However,Weneedtomakesurethepotentialharmsofvirtualrealitydonotoutweightheirpotentialbenefitsotherwisewerisktransformingsocietyintoadystopianfuturethatsciencefiction Margaret Atwood, the author of The Handmaid,sTale, has been photographed with a mug saying uIToId You So" (see https：/happymag.tv/margaret-atwood$-i-told-you-so-mug-i$- provig-to-be divisive/) in reference to her dystopian novel where, among other surveillance issues, pregnancy and fertility are managed by the state. For current and future data collection and sale potential, including a discussion of policy, see, e.g., brokers-sel ling-pregnancy-roe-v-wade-abortion-1849148426.hastriedtowarnusabout.Inthepast,thoughtsofprivacyandthesocial,ethical,andlegaleffectsoftechnologyhavetypicallyonlybeenconsideredafterthefact.Inthismoment,wehaveararechancetothinkaboutandimplementappropriatedesignpoliciesanduseofinformationrestrictionsandguidancebeforeitsgreateradoptionandintegrationintosociety.Thisisalsoachanceforustodefinewhat“privacy”meansinVRbeforeitbecomestoolatetolookatwhatshouldhavebeenconsideredandadoptedfromthebeginning.TherehasbeenanincreasingfocusonlyonthebenefitsofVR,withverylittleresearchonthecoststousers'privacy.Thisreportseekstoexploresomeofthepotentialrisksandharmsbydeterminingtheactualprivacypracticesaswellasthepotentialdevelopmentalandpsychologicalimplicationsofpopularvirtualrealitydevicesandthird-partyVRapplicationsusedbykidsandfamiliestoday,andhowthedatacollectedinvirtualrealityisusedbycompaniesforcommercialpurposesandprofit. "Expenditure on these technologies in the global education market is expected to grow from $1.8 billion in 2018 to $12.6 billion in 2025,at a CAGR of 32%.” The Metaverse in Education - Market Size & Activity, EdtechX Email Newsletter, May 5, 2022.Ourfindingsindicatethatallofthepopularvirtualrealitydeviceswetestedarenotprivacyprotectiveanddonotmeetourprivacyrecommendationsforusebykidsandfamilies.WhenyoursuperpowerisdataextractionVirtualrealityhardwareandsoftwareenablesuperhumandatacollectionanddistribution.VRhardwarecancollecthumanbiometric "Biometric information" means an individual,sphysiological, biological, or behavioral characteristics that are used to establish individual identity. Biometric information includes, but is not limited to, imagery of theiris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, as well as keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, and exercise data that contain identifying information. See California Privacy Rights Act (CPRA), Cal. Civ. Code § 1798.40(c).andsensorydata,andthesoftwaregathershumanexperienceandreactions, See list of possible data collection in Zhao, et. al, “VR in Metaverse: Security and Privacy Concerns/ available at https：/arxiv. org pdf 2 2 O 3.0 3 8 5 4. pdf.farbeyondwhatwehavecometoexpectfromsimplytypingourthoughtsandfeelingsintoacomputerormobiledevice.VRworksasanextractionsystemtocollectandprocesspersonalinformationinawaythatnosinglehumanorportalcouldusingprevioustechnology. "Many apps still collect device Information that can be used to track users at a group level (cohort tracking) or identify individuals probabilistically (fingerprinting). We find real-world evidence of apps computing and agreeing on a fingerprinting-derived identifier through the use of server-side code/' Kollnig, K., Shuba,A., Kleek1 M.V., Binns, R., & Shadbolt, N. (2022, May 7). Goodbye tracking? Impact of iOS app tracking transparency and privacy labels.https: /arxiv. org pdf 2 2 04.0 35 5 6. pdf.Thisisaquantitativeandpossiblyqualitativelylargerundertakingtoautomaticallycollectmorepersonalandbehavioralinformationthananyusercouldpossiblyinputvoluntarily. See, for example, media coverage of data collection potential and possibilities, even with early versions of the devices, in 2018 at httpsvrandyourprivacy-howare- these-companies-treating-your-data, and in 2019 at AsVRtechnologybecomesubiquitousinpublicspaces,processingabystander'sdataposesaseparateprivacyriskbecausethatbystandermaynothavesituationalawarenessthattheirfacialrecognitionorotherbodilyinformationisbeingcollectedfrompotentiallymultipleVRdevices.Inaddition,bystandershavenowayofoptingoutofthecollectionoruseoftheirpersonalinformation Pahi,S., & Schroeder, C. Extended privacy for extended reality: XR technology has 99 problems and privacy is several of them. httpsabstract=4202913.bycompaniestheydonotknowandhavenorelationshipwith.Furthermore,VRdevicesmayblurthelinebetweenpublicandprivatespaces,wherethroughuseofvisualandauditorysensors,privatespaces(suchasbedrooms)canunexpectedlybecomepublic. See footnote 19.However,wedonotneedtoacceptthatourrawprivateexperiences,feelings,andemotions ZhangfS-, Feng,Y., Bauer, L., Cranor, L.F., Das,A., & Sadeh, N. (2020). 'Did you know this camera tracks your mood?*: Understanding privacy expectations and preferences in the age of video analytics. Proceedings on Privacy Enhancing Technologies (2)： 282-304. https:/doi.org/10.2478/popets-2021-0028.invirtualrealityarethesolepropertyofcorporations.Wedonotneedtoacceptthatvirtualrealitydevicemanufacturersandthird-partyapplicationdevelopersareallowedtocaptureourcollectiveexperiencesinvirtualrealityasbehavioraldatatobeusedforcommercialpurposesandprofit. Advertising in VR isimmersive and pervasive. See Heller and Bar-Zeev, “The problems with immersive advertising: In ARVR, nobody knows you are an ad, available at https:/tsjournal.org/index.php/jots/article/view/21/10, for a discussion of "playable" ads.Wecanrejectthepremisethatvirtualrealityissimplyameanstoanendforcompaniestoengageinamplifieddatacollection,behavioralmanipulation,andcommercialexploitationfortheirbenefit,notours.Perhapsourfundamentalhumanrighttoprivacydoesoverridethe“rights“oftechnologicalinnovationdrivenbysurveillancecapitalism. Surveillance capitalism 1$ an economic practice centered around the commodification of personal data with the core purpose of profit-making. The term "surveillance capitalism" was popularized by the authorShoshana Zuboff in her book TheAge of Surveillance Capitalism, published in 2019.ThisisacriticalmomentinourhistorytodemandbetterprivacypracticesfromcompaniesandputinplacestrongerprivacyregulationsofVRtohelpreshapewhatprivacyinvirtualrealityandthemetaversemeansforallofus.Weneedtoexaminewhattypesofpersonalinformationandusesofdatashouldbeoff-limits.IfweilluminatethecurrentstatusofVRprivacy,wehaveauniqueopportunitytocreateparametersforprivacyprotectioninlawforthislargelyunregulatedsphere.Wecanconsidertherisksandharmstochildrenandothervulnerableusers,andcraftstandardstomeettheirneeds. Kelly, G., GrahamJ., BronfmanzJ., & GartonfS- (2019). Privacy risks and harms. CommonSense Media.monsense.org/content/resource/privacy-risks- harms-report/pri vacy-risks-harms-report.pdf.ThesestandardscanbebakedintofutureVRdevicesandapplicationsasamatterofprivacybydesign,industrystandards,andregulatoryrequirements.Corporateownership:TometaverseandbeyondUnlikethebirthoftheinternetasadistributedmedium,themetaverseisshapinguptobeacorporate-controlledenvironment. SeeSteam Hardware & Software Survey: May 2022, http$:/store. SSoftWare-SUrVey-WelCome-to-Steam?Platform=Combined; Meta now has a dominant market share in virtual reality thanks to its 2014 acquisition of Oculus and its Quest VR headset. See Third Room： https:/thirdroom.io. Even just sharing with affiliates opens a rather large market. wNo matter which VR you,reusing, your data will be shared with network affiliates and subsidiaries." Hunt,C. (2018, November 21). VR and your privacy: