From programs that categorize cancer cells to apps that let you try on virtual makeup, it seems like everyone is diving into virtual (VR), augmented (AR), and mixed reality (MR). These technologies are so closely linked it’s hard to talk about one without the others – in fact, some companies are even creating merged reality devices, VR and MR combined.
In essence, virtual reality replaces the real world with a digital one, using a head-mounted display (goggles). Augmented reality adds digital elements on top of the real world, while mixed reality adds digital elements sophisticated enough to interact with the real world.
According to ISACA’s 2016 IT Risk/Reward Barometer, 59% of companies reportedly plan to develop or use AR in 2017 – and that’s only AR. Virtual reality users already number almost 90 million, and a single app, Pokemon Go, managed to hit 50 million users at its prime. Millions more are exploring Cardboard and other easy-access apps, and that brings with it a host of concerns about both privacy and security. These technologies interact with data in waves we’ve never seen, and many of the companies developing applications are startups – who often have little understanding of security risks.
Security Concerns in Immersive Tech
Pokémon Go is a prime example of a relatively small developer (Niantic) being completely unprepared for the security risks posed by success. Pokémon Go wasn’t the first game they created, but it was the first to have such widespread appeal, which means it was the first to be widely targeted by hackers. Fake bonuses were used in phishing scams, email campaigns promoted false free Pokécoins, and robbers lured victims to Pokéstops in deserted neighbourhoods in order to rob them. On top of that, the app linked to Google accounts, opening users’ search histories, emails, and even credit card credentials to potential hacking. Thankfully, existing security controls such as encrypting wireless data transmissions are a good way to protect against these kinds of hacks.
On top of concerns like phishing and inadequate security on cloud-based services, immersive tech opens up entirely new risks. Take, for instance, the potential for users to modify the environment itself. As early as 2006, the video game Second Life made headlines when a virtual news conference was ‘attacked’ by flying pink penises, which other users had hacked as a protest against the event organizer. Even in the real world, such virtual attacks could prove disastrous – imagine if a hacker added a false “proceed” sign over a “road closed” sign on a driver’s window-up display, or used AR glasses to scan a user’s password as they typed it in.
Location-based services, which are indispensable for both AR and MR, are another new area of threat. The modern generation habitually “checks-in,” broadcasting their location to anyone following them on social media. With location-based services, that is amplified a hundredfold. Even when users aren’t choosing to transit information, their accessories will be providing intimate knowledge of their movements to any malicious hacker or overzealous advertising company.
Privacy Concerns in Immersive Tech
Those advertisers are a source of intense concern when it comes to privacy in immersive tech.
Facebook’s acquisition of Oculus, one of the main competitors in the VR space, is a prime example of this. Facebook has a notorious history with privacy, even revealing that they have run psychological experiments on their users. Concerns in the VR space arose when it came out that Oculus were keeping records of online transactions, website and app usage patterns, and even “information about your physical movements and dimensions when you use a virtual reality headset.” This allows a quality and quantity of data collection that we have never seen before, with metrics that have never before existed.
On the other side of the coin, there’s the problem of images being collected by users rather than of users. For instance, does a live-streamed video about how great Burger King is that has an image of the McDonald’s arches in the back violate copyright? What if a user has uploaded video of their day, but hasn’t blurred out children caught in the frame? All of these are new challenges, and the laws surrounding them are often not quite formulated to address new technological needs.
As immersive technology becomes more commonplace, security systems (and laws) will catch up; the danger zone for users is in this nebulous time when they are still taking off. The sheer volume of data that will exist makes securing it a massive, essential task.
Hammer + Tusk: VR Mastery