3 Major Security & Privacy Concerns Over Virtual Reality

The wonders of Virtual Reality (VR) have been promised to us for sometime: thanks to sci-fi saturation, it feels like an important component of the future, a statement about how far technology has come since the invention of television. And now, that future might be the present.

2016 is purported to be "the year of VR", with at least three major devices expected imminently; Google Cardboard strives to make this idea commonplace; and many will jump on the PlayStation bandwagon.

But there's something unsettling about it. Here are just a few of the security and privacy concerns that need addressing before the masses can happily embrace VR.

Will Greater Immersion Lead to Greater Identity Theft?

Questions were asked when Facebook acquired WhatsApp: the social network already knows so much about us, and it doesn't take much imagination to consider how it can be used to spy on you. It gives a mostly-accurate picture of the user.

It's perfectly understandable, then, that further queries are raised over VR.

Eyebrows when Facebook paid the equivalent of $2 billion for Oculus Rift a couple of years ago -- so much so that Markus Persson, creator of Minecraft, announced that Facebook "creeps [him] out" and withdrew from talks about bringing the brick-based game to that VR device. Mind you, things have changed since then: Minecraft will be on the Oculus Rift imminently.

Depending on how much data you pour online, Facebook is a big security and privacy concern. It seems natural that greater immersion would be an increased risk too.

Information is generally used to tweak advertising to your specific needs; we can only gather that the same would be true for VR. Knowing more about you via a VR headset will prove useful to anyone gauging an audience and selling products or services. It's in the companies' interests to make more money this way, and it'd be churlish to complain about such a thing. Nonetheless, that doesn't stop anyone moaning about promoted tweets, however unobtrusive they appear.

Oculus Rift has admitted that it will collect some private data about users; notably your email, occupation, date of birth, and place of residence -- all of which is good news for scammers. Anything that collects and stores personal information is of interest to thieves: just consider how much private data can go for on the Dark web.

Naturally, customers are assured that all such information will be kept safe, but no concerns are ever fully quashed by comments like that. Apple devices were supposed to be secure; look how that turned out. "Oculus continues to operate independently!" Oculus Rift founder, Palmer Luckey says. "I guarantee that you won't need to log into your Facebook account every time you [want to] use the Oculus Rift."

Still, it wouldn't be a great leap for identity thieves to put two and two together...

Is VR Another Means of State Surveillance?

We only have to look at how smartphones pose a risk to privacy and scale this up to VR headsets.

Location-based services cause all sorts of headaches. They're very useful on your cell phone, and vital for the Augmented Reality (AR) side of VR, a project actively incorporated by Microsoft and Google (the latter of which has a history of AR anyway -- one that's greatly split opinion already). In exchange for directions via Map apps or nearby deals at restaurants, information is collected about your habits. Once again, it means more specific ads. It also means you're traceable.

But most of us consider the benefits outweigh the drawbacks: so what if advertisers know where you go to dinner via Vouchercloud? And without it, Find My iPhone wouldn't exist!

Why should we care about promotions garnered specifically for us? Because it's a reminder that unknown eyes are watching. That could be ID thieves or it could be intelligence services like the National Security Agency (NSA) or the Government Communications Headquarters (GCHQ). The NSA is finding new ways to store records, and to keep tabs on citizens: the future of surveillance will adapt to VR too.

Oculus Rift, for example, also collects records of any online transactions, and website and app usage patterns. And that could mean a more accurate picture of our daily lives than ever before.

VR headsets require the ability to track and record your movements, including where you're facing, what you're looking at, and how you're interacting with the things around you: that's how we'll interact with games. Information like that could improve gameplay... or be used to spy on us.

This might sound solely a risk with expensive VR headsets, but cheaper ones like Google Cardboard also run on the same principle; these typically utilise your cell phone's accelerometer and gyroscope to determine your orientation and movement respectively.

Perhaps even more worrying, VR headsets will listen in to what users are saying. A microphone will be used for better interaction in games, and for "increasing the social experience." There's even an odd degree of secrecy over where a mic might be. Again, if we refer back to how smartphones listen in to us, many of us feel uneasy when presented with ads corresponding to what we've been talking about. We're compromised because voice assistants are so useful.

In the past, Facebook has stood up against state surveillance techniques; presumably the same will apply to Oculus Rift. Not that Government agencies haven't found ways around companies resistant to their methods...

How Will Third-Party Influences Be Monitored?

Naturally, not everyone who uses VR will have good intentions. The Internet is bad enough already, but open-source multi-platform servers present further opportunities.

Interaction and particularly manipulation of virtual environments is the main selling point of Virtual Reality, but it's not always what it's cracked up to be. One famous case on Second Life, one of the first (and most successful) immersive experiences, involved guests at a company's public VR event being bombarded with flying phalluses. That might've just come across as a comical incident, but it's a solid example of how situations can get out of hand.

OpenSimulator, which hosts the shared virtual Metaverse, runs Avination through grid-mode, offering a virtual society with its own economy. A further extension, Hypergrid, allows the connection of multiple virtual environments over the Internet: users can teleport from one world to another via hyperlinks.

The worry here is how these links will be monitored, how they'll be deemed suitable for users.

Fortunately, OpenSimulator's latest update, Hypergrid 2.0 includes firewalls and a secure inventory that is restrained purely to their local region, not cast adrift into an unknown environment. This is a relief to anyone who has ploughed cash into their virtual life, even in the eventuality of Bitcoin being incorporate into VR scenarios. Unfortunately, this update came a few years ago, and some still view OpenSimulator as insecure.

Similarly, Oculus Rift's own privacy policy assures us that our data is safe -- but won't have any responsibility when it comes to third-parties. Users will have to check on the individual policies of any sites and apps they use via their headset.

There's a rift between public and business VR worlds too. AltspaceVR is a social experience that can be used to play games, attend events, or even watch stand-up comedy; alternatively, its CEO, Eric Romo says it's been used for business functions, interviews, and conference calls. The amount of input from users, however, differs greatly. Monitoring social networks is enough of a headache already, without an intangible world to oversee too.

3DICC's Terf, on the other hand, is an immersive platform designed solely for business. Limitations are impressed on employees by company heads, including how far users can customize their avatars and if real photos or webcam footage can be used. "We have a very substantial access control model," Terf CEO, Julie LeMoine says. "Our customers don’t want a client or student in a virtual location changing what they are supposed to see or others need to see in the next meeting, or for a CEO coming in for a global meeting to find his VPs have deleted the floor by accident."