Ismat Jarin (University of California, Irvine), Olivia Figueira (University of California, Irvine), Yu Duan (University of California, Irvine), Tu Le (The University of Alabama), Athina Markopoulou (University of California, Irvine)
Virtual reality (VR) platforms and apps collect users’ sensor data, including motion, facial, eye, and hand data, in abstracted form. These data may expose users to unique privacy risks without their knowledge or meaningful awareness, yet the extent of these risks remains understudied. To address this gap, we propose VR ProfiLens, a framework to study user profiling based on VR sensor data and the resulting privacy risks across consumer VR apps. To systematically study this problem, we first develop a taxonomy rooted in CCPA definition of personal information and expanded it by sensor groups, apps, and threat contexts to identify user attributes at risk. Then, we conduct a user study in which we collect VR sensor data from four sensor groups from real users interacting with 10 popular consumer VR apps, followed by a survey. We design and apply an analysis pipeline to demonstrate the feasibility of inferring user attributes using these data. Our results demonstrate that user attributes, including sensitive personal information, have a moderately high to high risk (with up to ∼ 90% F1 score) of being inferred from the abstracted sensor data. Through feature analysis, we further identify correlations among app groups and sensor groups in inferring user attributes. Our findings highlight risks to users, including privacy loss, tracking, targeted advertising, and safety threats. Finally, we discuss both design implications and regulatory recommendations to enhance transparency and better protect users’ privacy in VR.