Virtual reality is quickly becoming a disruptive technology, and its adoption is surely being accelerated by enforced lockdown and work-from-home mandates. As with any technology that’s starting to gain traction in wider society, issues are going to come up that might not have been obvious on paper.
Certainly, most early VR researchers in the late 80s and early 90s would never have considered that VR could be a potential privacy problem, but in this modern connected world, it offers yet another way for you to be identified, at least according to a new research paper published in Nature.
Making VR IDs In The Lab
A group of researchers from Stanford University took just over 500 participants and recorded their motion while watching VR content and wearing an HTC Vive. Participants took part in an activity that provided a few minutes of motion training data.
Then machine learning technology was used to build up a classification system for these motions. The end result is that individuals could be identified by their VR motion data with 95 percent accuracy. The worst performing algorithms from the study still hover around 90 percent.
In practice, this means that once enough of a person's motion data has been captured, new motion data can easily be matched to that person. Your unique motion parameters would essentially act as a sort of fingerprint.
The Quest 2 Facebook Hot Potato
The release of this report comes at a time when VR privacy is under the public spotlight. This is largely thanks to the release of the Oculus Quest 2, a standalone VR headset which is turning out to be a superlative product.
It offers cutting edge VR technology, has an affordable price, and it can also work as a tethered PC VR solution.
It seems easy to recommend, until you get to the part where Facebook, who owns Oculus, now absolutely requires that you have a Facebook account to use the Quest 2.
Current owners of the Quest 1 don’t get off free either. They have two years to merge a Facebook account with their existing Oculus one before effectively losing the use of their hardware purchase.
As you might imagine, plenty of Oculus customers are not keen to create or merge Facebook accounts to use VR, especially since Facebook is in the business of collecting and selling data.
Now, Oculus is already collecting data, and as a Facebook-owned entity I’m sure they are monetizing that data, but there’s an extra layer of paranoia that comes with a full-blown social media account.
The Wider Implications Of Motion-based ID
The release of this study makes the enforced Facebook account issue an even hotter potato because, as the researchers point out, you cannot share VR motion data anonymously.
There’s a greater issue with the anonymization of data that’s sold to third parties anyway: individual identities can often be pieced together from the anonymous data that surrounds them, with machine learning as one method of doing so.
What this study shows is that VR motion data alone, without needing additional triangulation, can be used to link a specific person to different VR sessions.
If you strapped on a VR system in a public arcade, for example, it’s feasible that the system would know that you’re the same person who used another headset in the past.
Unless the data is destroyed locally and not logged, it means it’s now impossible to use any VR system anonymously, at least in theory.
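The linkage described above can be seen on a small scale in the following added example, which is not the study's code or method. It uses constructed synthetic data and a simple nearest-fingerprint match; the three per-session features (headset height, hand spread, reach) and all function names are assumptions made for illustration.

```python
import math
import random

FEATURES = 3  # assumed per-session summaries: headset height, hand spread, reach (metres)

def make_sessions(n_users=20, per_user=6, seed=7):
    """Constructed data: each user has fixed body traits; each session adds small noise."""
    rng = random.Random(seed)
    sessions = []
    for uid in range(n_users):
        traits = [rng.gauss(1.65, 0.08), rng.gauss(0.45, 0.06), rng.gauss(0.70, 0.06)]
        for _ in range(per_user):
            sessions.append((uid, [t + rng.gauss(0, 0.005) for t in traits]))
    return sessions

def enroll(labelled):
    """Average each known user's sessions into one motion 'fingerprint'."""
    sums, counts = {}, {}
    for uid, vec in labelled:
        acc = sums.setdefault(uid, [0.0] * FEATURES)
        for i, v in enumerate(vec):
            acc[i] += v
        counts[uid] = counts.get(uid, 0) + 1
    return {uid: [s / counts[uid] for s in acc] for uid, acc in sums.items()}

def link(vec, fingerprints):
    """Match an ID-stripped session to the closest enrolled fingerprint."""
    return min(fingerprints, key=lambda uid: math.dist(vec, fingerprints[uid]))

def reidentification_rate(seed=7):
    sessions = make_sessions(seed=seed)
    # First 4 sessions per user are the "identified" history; the rest are
    # released with the user ID removed, i.e. supposedly anonymized.
    train = [s for i, s in enumerate(sessions) if i % 6 < 4]
    released = [s for i, s in enumerate(sessions) if i % 6 >= 4]
    fingerprints = enroll(train)
    hits = sum(1 for uid, vec in released if link(vec, fingerprints) == uid)
    return hits / len(released)

if __name__ == "__main__":
    print(f"re-identified {reidentification_rate():.0%} of ID-stripped sessions")
```

Random guessing among 20 users would link about 5 percent of sessions correctly, so the gap between that and the printed rate is the point: removing the account ID does not remove the identifier when the motion itself is stable per person.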
A Small Part Of The Bigger Privacy Puzzle
So now we REALLY have to pay attention to what exactly our VR providers say they will do with our data. Do they give you the option not to send it to them? Do they sell or share it with third parties?
Any claim in the terms and conditions that says VR motion data is anonymized now means nothing, because the research has demonstrated that VR motion data by itself can be used to identify individuals with high levels of confidence.
Let’s take this out further than virtual reality itself. In principle, it might be possible to take VR motion data and then match it to another source of motion tracking.
For example, a machine vision system linked to a smart camera system might one day have the ability to infer 6DoF motion from video and match motion data that way.
We’re already seeing this with machine learning facial recognition. With all the selfies people post online, there has been a ton of training data to help computer software tell us apart.
Now the photo you post of yourself on social media can be used to identify you wherever you walk within sight of an internet-connected camera.
None of these different identification methods are accurate enough to be trusted completely by themselves, but when you start to combine different types of digital ID, the level of confidence will shoot up to near certainty, which means we may be entering a future where you can’t go anywhere without being tracked.
What Should You Do?
So what should you actually do about all of this? The nuclear option would be to simply refrain from using VR. For me, that’s not an option, since the technology is just too transformative to give up.
Instead, as with any technology-based privacy issue, the solution needs to be policy-related. We need to get companies to use the data responsibly and give us full control over what data is recorded and with whom it is shared.
If a part of the price you have to pay to use a particular headset or platform is the resale of identifiable personal information, that should be a strong motivator to move to a provider who doesn’t do that.
It might be time for OpenVR to shine, or for a provider like Valve to step in with a Quest competitor, since they don’t have a business model built around the collection and resale of user data.