Privacy in VR is an ever growing issue, especially now that all new Oculus accounts must login to Facebook with their real identity, which includes anyone who wants to use a Quest 2. Now researchers at Stanford University have shown they’re able to reliably identify individuals after only a five minute session in a standard consumer VR headset.

As reported by MIXED (German), researchers at Stanford devised a system that identifies users under “typical VR viewing circumstances, with no specially designed identifying task,” the team says in the research paper.

Using a pool of 511 participants, their system is said to be capable of identifying 95% of users correctly “when trained on less than 5 min of tracking data per person.”

Wearing an HTC Vive headset and given two Vive wand controllers, participants watched five 20-second clips from a randomized set of 360-degree videos, and then answered questionnaires in VR.

Image courtesy Stanford University

Notably, the answers to the questionnaires weren’t figured into the researchers’ dataset, but rather investigated in a separate paper examining head movements, arousal, presence, simulator sickness, and individual preferences.

Instead, VR videos were designed to see how users would react and move, with some including strong focal points such as animals, and others with no discernible focal point at all like the middle of a forest.

Zuckerberg: Meta "almost ready" to Show Off Prototype AR Glasses

All of this nonverbal tracking data (both head and hands) was then plugged into three machine learning algorithms, which created a profile of a participant’s height, posture, head rotation speed, distance from VR content, position of controllers at rest, and how they move—a treasure trove of data points from just wearing a standard consumer VR headset.

“In both the privacy policy of Oculus and HTC, makers of two of the most popular VR headsets in 2020, the companies are permitted to share any de-identified data,” the paper notes. “If the tracking data is shared according to rules for de-identified data, then regardless of what is promised in principle, in practice taking one’s name off a dataset accomplishes very little.”

So whether you login to a platform holder’s account or not may already be a fairly minor issue in contrast to the wealth of information. Companies could harvest that de-identified biometrical data not only to figure out who you are, but predict your habits, understand your vulnerabilities, and create marketing profiles intent on grabbing your attention with a new level of granularity. We’re still not there yet, but as the number of VR consumers grows, so do the rewards for companies looking to buy data they simply never had access to before.

Official Vision Pro Schematics Will Accelerate Development of Headstraps & Third-party Accessories

“With the rise of virtual reality, body tracking data has never been more accurate and more plentiful. There are many good uses of this tracking data, but it can also be abused,” the research paper concludes. “This work suggests that tracking data during an everyday VR experience is an effective identifier even in large samples. We encourage the research community to explore methods to protect VR tracking data.”

Granted, 500 users is a relatively small dataset in the face of what may soon be multiple millions of VR users. And when that number grows, it will undoubtedly become more difficult based on the data points alone the researchers were able to capture. The study however didn’t include a load of other burgeoning VR technologies that could be used to fill out personal profiles in the near future. Eye-tracking, optical mouth tracking, and integrated wearables such as fitness bands and smartwatches may be a part of the next step to filling out that remaining 5 percent—and all of those technologies are on the horizon for the next generation of consumer VR headsets.

Newsletter graphic

This article may contain affiliate links. If you click an affiliate link and buy a product we may receive a small commission which helps support the publication. More information.

Well before the first modern XR products hit the market, Scott recognized the potential of the technology and set out to understand and document its growth. He has been professionally reporting on the space for nearly a decade as Editor at Road to VR, authoring more than 4,000 articles on the topic. Scott brings that seasoned insight to his reporting from major industry events across the globe.
  • Rein Tenebres

    Pretty scary stuff.

    • namekuseijin

      why would they want to identify you by your fapping when it’s so much easier by your troll posts and writing signature and associated IP?

  • piboson

    Yet another reason not to use FB.

    • dogtato

      It kind of applies to all VR. They could take their database of identified user data, post it publicly, and then any app maker could use it to identify users. If you were in a room with other users, they could be extracting your movement data from their client and use it to identify you.

      • Ad

        Sure, I wouldn’t want google on this either, but it’s a little like saying no country should have nukes. Yes no country should have them, but especially not North Korea, that’s a given. Facebook makes 98% of their money from ads and not just from scale of data or platform but from their targeting.

  • Alexander Grobe

    I’m waiting for the next stage were you can determine if somebody is overweight or has a problems with moving the knees.

    • Kevin White

      Maybe they could rank you in terms of level of healthcare you receive based on your VR mo-cap signature.

    • Gait analysis for those purposes is actually a lot simpler and can be done reliably with only IMU data (like Fitbit step counters).

  • MeowMix

    “In both the privacy policy of Oculus and HTC, makers of two of the most popular VR headsets in 2020 …

    Can we start also bringing up Microsoft ? WMR tracking is dependent on Win10 (which includes telemetry features), and many of us have our real identities attached to our Microsoft Accounts (for OneDrive, Office Subscriptions). And lets not forget, the highly anticipated headset for enthusiasts, HP Reverb G2, is a WMR based headset.

    I’m sure the PCVR enthusiasts are just as worried about their privacy with Microsoft as they are with Facebook. (/s if it isn’t obvious)

    • Dick Massive

      I’m sure the PCVR enthusiasts are just as worried about their privacy with Microsoft as they are with Facebook. (/s if it isn’t obvious)

      Nope. I don’t use a REAL identification account on my Win 10 gaming PC, I just use a fake name and a local account – something you can’t do on Facebook.
      And telemetry is easily switched off, there are many guides out there to help switch all of it off. Even then, MS only get your IP address, and your PC specs, they don’t get any REAL info from telemetry.

      • kiwi

        you CAN root Oculus, sideload everything & never login to fb.

  • Ad

    As always, this is another reason facebook is actively dangerous in XR and we need to push back against them as much as possible More people in VR through them is worse than less people in VR.

  • Yeah, I remember this research and I already published it in the weekly roundup on my blog. It is fascinating and scary at the same time and shows how AR/VR are amazing but could also be used for the wrong purposes

  • psuedonymous

    LOL at everyone worrying about Facebook, when this means that literally any and every VR application (including, but not limited to, anything using SteamVR, and any VR web app) can do the exact same thing. AND it is functionally almost impossible to prevent this, as passing accurate motion tracking data is a necessity for VR applications to work. The only theoretical recourse would be to mess with tracking data in a way that accurately reflects movement for the purposes of rendering but obscures actual user movements, but I don’t think this is actually possible (any small tracking discrepency is immediately noticeable and unacceptable, and large discrepancies would be needed to obscure the measured behaviors).

    • Dick Massive

      None of those “others” have THE world’s largest social media platform, and Mark Zuch as their CEO – infact, hardly any of those others have ANY social media. So NO, this is nothing like Facebook.

  • Jonathan Winters III

    The saddest truth in the matter, is that no matter what we do, there’s no way to “opt out” of all forms of ever-changing and highly invasive personal data collection and exploitation. If you own a cell phone, it’s already game over.

  • עמית קיסר

    I have been writing independent articles since 2013
    I set up the first store in Israel in 2013
    And then I set up the site in English:

    On my sites you will find relevant information and links to cheap and safe shopping from Amazon eBay and more.

    Come and be a part of the fans of virtual reality in Israel since 2013