How cyber secure are VR/AR headsets?

2 min read

As the popularity of virtual and augment reality headsets grows, concerns are being raised about the privacy of their users.

Common Sense Media evaluated the privacy policies of the most popular virtual reality headsets on the market last year. Its report called Privacy of Virtual Reality: Our Future in the Metaverse and Beyond, examined the privacy trends and practices of seven VR devices and found that none of them meet the minimum privacy and security requirements recommended to keep children safe.

Girard Kelly, head of Common Sense Media's privacy program, said that the majority of VR devices use strong encryption and account passwords to protect users’ data. “However, all of the devices we tested were observed sending users’ data to third parties classified as advertising or tracking domains for commercial purposes,” said Kelly.

The Common Sense Privacy Program completed an in-depth, 150-point inspection of a product's privacy policies to offer privacy ratings. In addition, every product with a privacy rating includes an overall evaluation score. Lastly, Common Sense conducted hands-on security testing of each virtual reality or augmented reality device.

“None of the most popular virtual reality headsets have earned our recommendations for children and families,” said Kelly. “Every VR device we tested exploits users' sensitive data collected in virtual reality for profit. There should be more privacy settings for VR applications to restrict sensitive data collection and impose data minimization for first-party and third-party VR applications.

"VR devices should include permission settings related to the usage of user data for advertising, marketing and tracking purposes that also apply to and restrict third-party apps, not just the VR device and its first-party apps.”

VR headset

A man using a virtual reality headset. Picture: Pixabay

VR devices and third-party app developers should use strong encryption to protect users’ data. “Finally, companies need to be more transparent in their privacy policies about new types of data collected from VR, how they protect children’s data, and the new types of biometric-derived advertising that are potentially far more invasive and exploitative than any other form of advertising known to date,” said Kelly.

Going forward, this area could face new regulation laws to protect personal data. Legislators and regulators are uniquely poised to take action to protect vulnerable users in the emerging virtual reality space. Several policy analysts have also offered suggestions on how to effectuate these policies, including supervising children’s use of the technology.

“Policymakers should also consider new forms of legislation that apply to the increasing amount of sensitive personal information collected by virtual reality devices and applications,” said Kelly.

“The following policy recommendations should apply to all virtual reality device manufacturers and software application developers: enforcement of false and misleading privacy information; prohibit behavioural manipulation; prohibit tracking; prohibit targeted advertising; prohibit the use of anonymized data; prohibit unrestricted sharing; prohibit the sale of user data and prohibit the transfer of user data.”