SoK: Data Privacy in Virtual Reality

The adoption of virtual reality (VR) technologies has rapidly gained momentum in recent years as companies around the world begin to position the so-called "metaverse" as the next major medium for accessing and interacting with the internet. While consumers have become accustomed to a degree of data harvesting on the web, the real-time nature of data sharing in the metaverse indicates that privacy concerns are likely to be even more prevalent in the new "Web 3.0." Research into VR privacy has demonstrated that a plethora of sensitive personal information is observable by various would-be adversaries from just a few minutes of telemetry data. On the other hand, we have yet to see VR parallels for many privacy-preserving tools aimed at mitigating threats on conventional platforms. This paper aims to systematize knowledge on the landscape of VR privacy threats and countermeasures by proposing a comprehensive taxonomy of data attributes, protections, and adversaries based on the study of 68 collected publications. We complement our qualitative discussion with a statistical analysis of the risk associated with various data sources inherent to VR in consideration of the known attacks and defenses. By highlighting the clear outstanding opportunities, we hope to motivate and guide further research into this increasingly important field.


INTRODUCTION
Virtual reality (VR) has recently become a major investment target for leading tech industry players aiming towards the so-called "metaverse" [115], a paradigm shift towards an internet in the form of a 3D virtual world. This new internet would require VR devices such as headsets and hand-held controllers to digitize and relay users' physical characteristics and movements to other users worldwide for immersive interaction. While the "metaverse" might hold promise, researchers have recently shown how easily an attacker could identify [21,89,103] and profile [91,122,136] VR users with a few minutes of data streaming, and demonstrated that the scope and scale of data collection in VR supersedes the capabilities of current internet platforms [91]. Researchers further illustrated how malicious developers could hide artifacts in virtual environments that inconspicuously induce users to reveal personal information, e.g., by playing a seemingly innocent game [91]. These attacks are partly possible due to VR's unparalleled immersiveness, which can make users more susceptible to self-disclosure [77,129] and social engineering [3,34].
Unlike the current internet platforms, where users can employ Tor, VPNs, proxies, and incognito mode to fend off user tracking, VR has yet to offer parallels to many such privacy-preserving tools.

BACKGROUND & RELATED WORK
In the context of the reality-virtuality continuum of Milgram and Kishino [88], our SoK focuses on virtual reality (VR), i.e., a computer-simulated interactive environment experienced in the first person [118]. The VR devices we consider stem from our review of the 74 collected publications.

VR Devices
Since the wave of mature VR products of 2016, the wider public has experienced immersive VR like never before. Primarily, users employ a head-mounted display (HMD) with (integrated) speakers, a microphone, and two handheld controllers with buttons [82]. Some HMDs tether to a PC [142], while others can remain wireless [82]. The VR system tracks the HMD and the controllers by outside-in tracking (using stationary external sensors [140]) or inside-out tracking (employing built-in optical sensors and inertial measurement units: three-axis accelerometers and gyroscopes [82]). Front cameras for inside-out tracking also enable the user to observe their real-world surroundings. This basic setup generates realistic 3D graphics, spatial audio, verbal interaction, and six-degrees-of-freedom head and hand tracking (X, Y, and Z positions, and yaw, pitch, and roll). Manufacturers design VR devices for use in a "controlled" environment (e.g., home, backyard, office, etc.).
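A minimal sketch of the per-tick telemetry such a basic setup produces may make the six-degrees-of-freedom data concrete. The field and class names below are illustrative assumptions, not any vendor's or API's actual types:

```python
from dataclasses import dataclass

@dataclass
class Pose6DoF:
    """One tracked device sample: position (meters) and orientation (degrees)."""
    x: float
    y: float
    z: float
    yaw: float
    pitch: float
    roll: float

@dataclass
class TelemetryFrame:
    """What a VR system could expose per tracking tick for an HMD and two controllers."""
    timestamp: float
    hmd: Pose6DoF
    left_controller: Pose6DoF
    right_controller: Pose6DoF

# Hypothetical sample: a ~1.70 m-tall user looking slightly left and down.
frame = TelemetryFrame(
    timestamp=0.0,
    hmd=Pose6DoF(0.0, 1.70, 0.0, 15.0, -5.0, 0.0),
    left_controller=Pose6DoF(-0.30, 1.20, 0.20, 0.0, 0.0, 0.0),
    right_controller=Pose6DoF(0.35, 1.25, 0.20, 0.0, 0.0, 0.0),
)
```

Even this minimal frame, streamed at typical tracking rates, already carries the positional and rotational signals that later sections show to be identifying.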
Other devices make VR experiences more immersive yet more pervasive, as they require additional sensitive user input. Optical sensors for eye-tracking enable foveated rendering [143], increasing the quality of the visual output [2] and lengthening HMD battery life by reducing GPU load. Moreover, eye-tracking combined with additional optical sensors that register facial features (face trackers [139]) enables telepresence via expressive (photorealistic) avatars [22]. Handheld controllers (and HMDs [110]) can provide haptic feedback, have touch sensors for detecting holding gestures [141], and the latest models have outward cameras for improved tracking [83]. A natural transition is force-feedback gloves that provide more ergonomic and realistic interactions [53]; in contrast, users can also employ conventional keyboards [120]. Full-body tracking [123] enables more expressive and richer experiences with other users in virtual worlds. Additionally, users may don haptic vests [14] that deliver positional haptic feedback and prototypical masks that emulate smells [105]. Healthcare VR applications include sensors that measure galvanic skin response [57], electrodermal activity [4], heart rate [131], skin temperature [104], and brain waves (HMDs with EEGs for brain-computer interfacing) [97]. This plethora of sensors and feedback devices facilitates immersive digital interactions in VR, but also poses significant privacy concerns due to the potential exposure of sensitive user data, such as biometrics, behavior, identity, and real-world surroundings [38,89,91,137]. While some data points are collectible from other internet mediums (e.g., mobile phones), the unprecedented nature of the VR privacy threat stems partly from the ability to fuse a wide range of attributes that would previously have required the combined data of several devices.
Our systematic search revealed the most relevant related work at the intersection of VR and privacy. We collected 12 relevant literature reviews (LRs) [19,30,33,34,38,48,49,64,66,100,124,147], three of which are the closest to our work. Shrestha and Saxena (2017) [124] provided an offensive and defensive overview of eye-wear and HMDs with a focus on optical cameras in the fields of privacy, security (authentication and device integrity), and safety, with an emphasis on the latter two. De Guzman et al. (2019) [30] expanded the augmented reality (AR) privacy and security defense classification of Roesner et al. [117] to MR without an in-depth analysis of data attributes and attacks. Odeleye et al. (2022) [100] provided a taxonomy of cybersecurity VR attacks related to authentication and privacy, comprising 5 privacy defenses and 10 attack-focused studies, which we also included in §4, §6, and §7. In contrast, our work presents a more detailed exposition specific to VR and privacy and, moreover, a more comprehensive taxonomy of vulnerable data attributes, attacks, and defenses, as well as a technical component on user data to highlight privacy opportunities (unlike any other LR). Overall, extant literature examines VR and privacy as a subset of broader reviews in MR, security, and safety; thus, no prior work offers a study focused in such detail on VR and privacy.
Among the rest of the selected LRs, three delved into a specific sub-field of VR and privacy: Katsini et al. [64], Kröger et al. [66], and Gressel et al. [49] studied the privacy implications and research directions of eye-tracking. In our work, we compiled their findings into our comprehensive taxonomies. Additionally, we included the relevant privacy-related insights and VR application taxonomies of two comprehensive LRs that covered general metaverse topics as varied as data management, privacy, legal issues, and economic threats [38,147]. Lastly, we included key information from narrower surveys on security and privacy in VR [33,48], and on data attributes and user privacy considerations [19,34].

METHOD: DATA COLLECTION & ANALYSIS
The following summarizes our search approach and results, described in detail in Appendix A. We employed seven of the most relevant digital libraries focused on computer science and software engineering, in combination with Google Scholar, to perform an exhaustive search of the extant literature. We only included publications containing taxonomies of VR data attributes or applications, or publications that aimed to review or implement privacy attacks or defenses in VR, from which we extracted the relevant artifacts to construct our comprehensive models and taxonomies. With a curated set of keywords from our base literature of 12 publications, our initial systematic search generated 1700 hits, which we discussed and filtered, resulting in only 16 studies. After deduplication, our aggregated list contained 23 works. We then queried their authors for additional relevant work, performed a backward search of the references of the 23 studies, and added publications found thereafter, obtaining a final body of 74 publications; the most recent study dates to March 2023. Further, to focus our discussion of VR attacks and defenses, we designed 10 research questions (RQs).
Lastly, we complemented the taxonomies with an analysis of VR privacy opportunities (§8) and key findings and future work items (§9). Part of the analysis quantifies some of the most sensitive and easiest-to-protect data attributes by calculating a PCA of inference attacks and the weighted mean accuracy degradation after enabling the corresponding defenses. We replicated these attacks and defenses from the most comprehensive frameworks among the 74 studies.
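A weighted mean accuracy degradation of the kind described above can be sketched as follows. The weighting scheme (by study size) and the numbers are illustrative assumptions, not the paper's exact procedure or data:

```python
def weighted_mean_degradation(results):
    """results: iterable of (n_participants, acc_before, acc_after) per attack.
    Returns the mean accuracy drop caused by a defense, weighting each
    attack by its study size so larger experiments count more."""
    total_weight = sum(n for n, _, _ in results)
    weighted_drops = sum(n * (before - after) for n, before, after in results)
    return weighted_drops / total_weight

# Hypothetical numbers: (participants, attack accuracy without defense, with defense).
studies = [
    (30, 0.95, 0.40),
    (41, 0.98, 0.55),
    (15, 0.90, 0.35),
]
drop = weighted_mean_degradation(studies)  # roughly a 0.49 accuracy drop
```

A large value of `drop` would mark a data source as comparatively easy to protect, since enabling its defenses sharply degrades the known attacks.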

VR Information Flow
VR device manufacturers or vendors provide app stores where users can download VR applications and games (e.g., from the Oculus Store or SteamVR). Fig. 1 illustrates the information flow after installing such an application. These applications typically run in the host VR system, which ingests user input: geospatial & inertial data, audio, text, video, and physiological signals (1A). The various VR devices process raw sensor data and other input types into useful telemetry, which the application accesses via an API (e.g., OpenVR) (2A). The application controls how to use this data to generate different stimuli, e.g., visuals via a graphics rendering pipeline, audio through speakers, and haptics using hardware such as feedback vests (2B). The output devices present this processed information to the user as an immersive, interactive virtual world (1B). For multi-user online experiences, the client-side application exchanges processed telemetry with an external server through a network, which can reveal system- and network-related user-specific information (3). Finally, the server updates the global state of the virtual world and relays telemetry to other users (4). As the information flows from steps (1A) to (4), intermediate data processing steps like filtering and compression degrade data quality.
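The quality degradation along steps (1A) to (4) can be illustrated with a toy pipeline. The rounding-based "compression" below is an illustrative stand-in for real filtering and codec losses, not any system's actual processing:

```python
def degrade(samples, decimals):
    """Toy stand-in for lossy intermediate processing: quantize each value."""
    return [round(s, decimals) for s in samples]

# Raw HMD height samples (meters) as a hardware adversary would see them (1A/2A).
raw = [1.70213, 1.70581, 1.70194]

# Client-side processing before network transmission (3): millimeter precision.
sent = degrade(raw, 3)

# Server-side compression before relaying to other users (4): centimeter precision.
relayed = degrade(sent, 2)
```

The pattern matches the threat model below: adversaries closer to step (1A) observe higher-fidelity data, while server and user adversaries work with coarser signals.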

VR Threats
Within the frame of this study, we consider a state of privacy as the lack of a breach of any individual's sensitive data attributes [152]. In our threat model, attackers breach user privacy by collecting and inferring enough information to reliably identify and comprehensively profile a user across VR applications over multiple usage sessions (tracking). Attackers (i) identify an individual when they can uniquely distinguish the user from others, and (ii) profile users when they unwarrantedly attach information related to the user's characteristics (e.g., demographics, preferences, etc.) [32,63,136].
The collected studies discussing or proposing threat models consider application developers [26,28,29,31,44,58,59,69,71,73,91,122,125,133,155], servers [6,29,91,119], content creators [38,91], device manufacturers [91,126], other users [103,121,144], and hackers¹ [38,61,133] as the attackers in VR, or rely on general privacy threat models like LINDDUN [30,32,63,69]. Based on these studies and their system decomposition, we adopt a more comprehensive and pervasive privacy-centered attacker classification specific to VR that encompasses the privacy repercussions of the above threat models. The adversary types of Fig. 1 correspond to four distinct entities associated with data processing in VR applications at different privilege levels. These adversaries might coalesce, e.g., a developer of a VR application can also run the server providing multi-user functionality. Table 1 shows these attackers' capabilities.
¹ Hackers can abuse VR devices, servers, networks, or databases, or perform shoulder-surfing, as covered extensively by the security literature [51,106,107,116].
(I) Hardware Adversaries control the hardware and firmware of the VR device and, thus, can access raw user inputs and arbitrarily manipulate the information provided to the application (2A) and presented to the user (1B).
(II) Client Adversaries represent the developers of the client-side VR application running on the VR device (Application Adversary [91]) and the content creators (Content Adversary [3,68]). Content adversaries can create immersive falsehoods, i.e., design immersive experiences with misinformative, manipulative, and deceptive content [3,68]. Application adversaries can access the input data via system APIs and arbitrarily manipulate the rendered frames and signals output to the VR devices (2B) and the information streamed to external servers (3). Further, the current push towards VR multitasking [85], where different apps run concurrently, sharing the output or competing for users' inputs, increases the attack surface of the client adversary.
(III) Server Adversaries oversee the server enabling multi-user functionality and can arbitrarily process networked data before streaming it to users (4).
(IV) User Adversaries represent other users of the same VR application.They receive user data streams from a server and can interact with the target user.

VR Defenses
We highlight in Fig. 1 where the defenses can counter potential attacks and classify them based on five adapted categories. They consist of the two categories that De Guzman et al. [30] added to the primary three proposed by Roesner et al. [117], which are present in other privacy literature [47,135,149]. Given that many researchers highlighted the potential harm of deceptive immersive content [1,17,20,34,55,90,99,138], we add a category for virtual content protection. Note that not all of these protections are related to privacy (§4.2); some relate to security (i.e., measures to impede unauthorized data access [15]) and safety (i.e., measures to preserve the physical and mental well-being of users [34]). We point to the following literature for guidance on security and safety attacks and protections: [30,33,37,48,68,70,100,124,128,147]. We frame our SoK around attacks and defenses related to the privacy aspects of these defenses, mainly input protection (cf. [27,91,92,147]).
(II) Data Access Protection (Security & Privacy). Active and passive user inputs are stored, relayed, and accessed to deliver user-consumable output. The corresponding privacy and security measures extensively overlap with those of other systems, which existing literature covers comprehensively [47,54,106,135,149].
(IV) User Interaction Protection (Privacy & Safety). Privacy protections can enhance confidentiality (i.e., data is only revealed to selected entities [47]) in physical or virtual spaces shared by multiple interacting users, e.g., a private virtual enclave that other users cannot enter [43]. We add to this category safety measures such as invisible avatar barriers to avoid psychological harm from virtual harassment [17] or bullying [100].
(V) Device Protection (Security & Safety). Device security measures can implicitly protect users and data in the above defensive aspects, e.g., authentication prevents impersonation [75], and such measures defend against cyberattacks targeting devices [100] and networks [50], and against VR tracking system jamming [113], which could lead to physical harm.
(VI) Content Protection (Privacy & Safety). Safety measures such as age verification and content moderation can protect users against immersive falsehoods, malicious advertisement [68], and inappropriate, unsolicited, and harmful content that may lead to mental harm, disinformation, or manipulation of opinions and ideals [17,90]. The privacy concern involves detecting virtual content and environments that subtly nudge users to disclose sensitive information, e.g., puzzles revealing health data [91].

TAXONOMY OF VR DATA & APPLICATIONS
Thanks to the sensor-generated data and the applications processing this information, users can experience VR.However, applications are also the gateway for adversaries to harvest sensitive user data and use such information against them.The following classifies and discusses the data attributes and the applications subject to our threat model.

VR Attributes
Method. We examined each of the 74 publications to extract the highlighted, attacked, or defended data attributes that originate from users employing the input devices of §2.1. Would-be attackers can collect these attributes at different steps (data sources) of the VR information flow of §4.1. Fig. 2 presents the resulting taxonomy of VR-derived data. We base our categorization on observable attribute classes and indicate which attributes or observations an attacker can directly capture from a data source (primary), deterministically derive from primary attributes (secondary), and infer from primary and secondary attributes employing ML or other learning procedures (inferred). Furthermore, we use the 74 publications to draw the connections between attributes; thus, there might be other connections outside VR, and new ones might arise in future work, e.g., deriving ethnicity or personality traits from VR inertial telemetry.
Geospatial & Inertial Telemetry. The position, orientation, and acceleration of body-tracking devices over time reveal anthropometric measurements. Such measurements can be direct (body skeletal information such as arm length and height [89]), combined to obtain further biometrics (e.g., wingspan [91]), or compared to draw relationships (ratios may reveal a user's body asymmetries [92]). An attacker may also record kinesiological movements, which can reveal unique gestures [44,124] or biometric movements [103] such as gait [121]. Additionally, the devices' coordinates can map the play area's boundaries, revealing its surface [91]. Even without full-body tracking devices, Winkler et al. [150] showed that reinforcement learning techniques could infer a full-body pose with telemetry from only an HMD, its IMUs, and hand-held controllers.
Furthermore, Chen et al. [122] derived speech from the bone- and air-borne vibrations registered in an HMD's IMU telemetry data. Note that hardware and client adversaries have a privileged position to observe device telemetry. In contrast, server and user adversaries will experience degraded precision in their attribute estimations due to intermediate data processing, e.g., filtering and compression.
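A minimal sketch shows how a passive observer could turn raw device coordinates into the anthropometrics discussed above (cf. [89,91]). The frame layout and the T-pose heuristic for wingspan are illustrative assumptions, not a specific attack's implementation:

```python
def estimate_anthropometrics(frames):
    """frames: iterable of dicts mapping 'hmd', 'left', 'right' to (x, y, z)
    positions in meters. Height is approximated by the maximum HMD elevation;
    wingspan by the maximum controller separation (e.g., during a T-pose)."""
    height = max(f["hmd"][1] for f in frames)
    wingspan = max(
        sum((a - b) ** 2 for a, b in zip(f["left"], f["right"])) ** 0.5
        for f in frames
    )
    return height, wingspan

# Hypothetical telemetry: one frame with arms outstretched, one at rest.
frames = [
    {"hmd": (0.0, 1.72, 0.0), "left": (-0.8, 1.4, 0.0), "right": (0.9, 1.4, 0.0)},
    {"hmd": (0.0, 1.68, 0.1), "left": (-0.2, 1.1, 0.2), "right": (0.3, 1.1, 0.2)},
]
height, wingspan = estimate_anthropometrics(frames)  # ~1.72 m, ~1.70 m
```

Note that no ML is needed here: these are the "primary" attributes of Fig. 2, captured by simple geometry over a few seconds of telemetry.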
Audio & Text. Users can verbally interact with other users in virtual telepresence applications or give voice commands to their VR devices through a microphone [76]. Attackers can listen to vocalizations to fingerprint users based on vocal characteristics (e.g., frequency or accent) [91,124] and profile them with communication semantics [38]. While voice biometrics may degrade along the data flow, speech semantics are more robust and could remain vulnerable to user adversaries. Additionally, the messaging functionality enabled by physical or virtual keyboards operated with hand-held controllers or gloves increases the attack surface [6,73,120].
Video. An HMD's face-oriented optical sensors can register and track eye and facial movements and features to render expressive photorealistic avatars [22]. However, the facial video feed can also serve to identify an individual (e.g., using IPD, iris, and pupil characteristics [21,62]) or infer emotions [119,156]. Notably, Kröger et al. [66] provided a comprehensive overview of the plethora of attributes that privileged adversaries can infer from eye tracking. Moreover, with expressive avatars, server and user adversaries could also learn other users' mental states. Additionally, while more prevalent in AR applications, the inside-out tracking frontal cameras of a VR HMD [82] also expose the real-world environment surrounding users, which can reveal sensitive information to hardware and client adversaries, such as personal objects [69,154], the surrounding space type [27,52], or bystanders [58,59].
Physiological Signals. As health sensors like EEGs make their way into commercial-grade HMDs [97], the possibilities of VR (and of privileged adversaries) expand dramatically. With these sensors, applications can adjust immersive experiences in real-time based on physiological signals to meet users' particular needs [5,34,104,151] and can help users with rehabilitation treatments [4,124,157]. Such improvements, however, will also expose critically sensitive user information, such as physical and mental health conditions [34,151,157], behavior [5,13,131], language semantics [40,132], and other sensitive PII like credit cards, PINs, and locations or persons known to the user [78].
System & Network. Adversaries can determine a user's VR device, host PC, network characteristics, and related internet session information [137]. Specifically, hardware and client adversaries can query system APIs to collect system specifications (e.g., tracking rate, resolution, etc.), and less privileged adversaries may devise attacks to gauge a target user's refresh rate without access to system APIs or user agents [91]. Notably, Trimananda et al. [137] captured the plethora of system information relayed to servers, which included all the above, in addition to PII like a person's name and usage information such as cookies or app names. While not specific to VR, as virtual telepresence applications rely on multiple servers to reduce perceived latency [145], attackers can observe network traffic to determine users' geolocation without an IP address. Altogether, these additional data points help adversaries fingerprint users to track them across internet VR sessions.
Behaviour. Observing users' avatar likeness, expressed emotions, and interactions and reactions to virtual stimuli from other avatars or virtual content can reveal various sensitive human characteristics [67,119,129]. In practice, malicious developers may carefully and inconspicuously deliver stimuli in a virtual experience to prompt the user to unconsciously reveal their reaction time, handedness, fitness level, visual and mental acuity, etc. [91]. Additionally, how a user chooses to represent their likeness as an avatar, together with the digital assets they own, can reveal information such as their demographics or wealth [34,61]. Lastly, user-to-user interaction in social VR can lead to attackers directly spying on or engaging with the target user [43,144]. The information required to meaningfully observe sensitive behavioral data is typically available at each stage of the information flow [91].
Inferred Attributes. With the appropriate ML algorithms [42,87,108], the attributes discussed above can reveal demographics [3] and other related sensitive attributes such as emotions [119,156], physical and mental health [66,74], wealth, and political or sexual orientation or preferences over different users or products [43,60], among others [19,34]. Users may also unintentionally or voluntarily self-disclose such information or additional biographical data (e.g., age, home address, education, social status, work history, etc.) [126,129], or be deceived by the application or other users into revealing inferable attributes [3]. Ultimately, adversaries can leverage this breadth of data to identify and profile users across VR applications.

VR Applications
For decades, the gaming industry has advanced 3D graphics hardware and low-latency content delivery to create immersive, time-intensive online user experiences. This expertise has pushed gaming to become the current dominant application in VR [10]. However, VR promises applications beyond entertainment: social life, education, healthcare, fitness, military training, architecture, retail, business, productivity (virtual offices), engineering, and manufacturing [23,98]. Specifically, social VR has recently increased in popularity with titles such as VRChat, whereby users worldwide interact with each other in real-time [129].
Method. Among the 74 collected studies, only two classified VR applications based on the above target industries [38,147]. In contrast, we provide an orthogonal categorization from a privacy standpoint inspired by [30,91,92] and our (i) adversary and (ii) protection models, and (iii) taxonomy of attributes. Accordingly, we contemplate privacy risks in VR from three perspectives: (i) adversarial, (ii) user protections, and (iii) data. VR application developers may consider answering three questions: (i) How much adversarial exposure could the application suffer? Fig. 3 shows the prevalence of hardware and client adversaries across all applications and the rise in privacy risks as users require servers to interact with others. While massively multi-user VR applications such as social VR are the most privacy-hostile environments, single-user applications are at least vulnerable to the VR firmware itself, as it may have direct network access to exfiltrate data collected from an application (e.g., Oculus Quest 2). (ii) How much privacy is the user willing to forgo to use the application? Some users are willing to expose all the information necessary to experience VR at its full immersive potential, while others are more reserved [33]. Hence, if protecting or opting out of specific data inputs is enabled (akin to internet cookies) [92], the privacy risks an application entails may vary from user to user. We suggest developers offer these protections and design their applications and games such that the user experience for the privacy-conscious is not significantly deteriorated.

(iii) How sensitive is the data handled by the application? Most VR applications ingest geospatial and inertial telemetry and audio, and require a system and a network to join interactive experiences, where adversaries can extract behavioral information. These attribute classes form a privacy risk baseline. The application context raises the risks above this baseline; e.g., virtual health clinics, classrooms, and offices handle more PII and critically sensitive data than a game, such as physiological signals, text in homework or emails, and context-specific behavioural information like attention to the lecturer or emotions during a meeting.

VR ATTACKS
Method. Among the 74 collected studies, we found 34 attacks, comprising explicit offensive mechanisms (23) or methods that an attacker could leverage for adversarial purposes (11). For example, an attacker can leverage motion-based authentication software to perform identification attacks across VR sessions. Two researchers iteratively discussed and systematically classified these attacks in Table 2 (labeled with IDs A1 to A34) based on the threat model of §4.2 and the attribute classification of §5.1. We categorized the attacks according to the information presented in the associated papers and included the most distinct or prevalent metrics to benchmark the attacks. Where information was lacking, e.g., not all attacks had an explicit adversary model, we used our best judgment supported by the publications' artefacts, e.g., the client was the most common adversary, and studies such as A9 and A11-12 developed an application. The two researchers designed the following six RQs to focus our findings: RQ1-2 discuss opportunities for attacks, and RQ3-6 give an overview of critical attacks and explore their viability and risk.
[Table 2 notes: "Accuracy" is the benchmark metric. † An attacker can leverage the defense/mechanism for adversarial purposes. ‡ Although the study is defense-focused, there is an adversarial component. Names in italics correspond to the authors' selected titles; otherwise, the name is descriptive.]

(RQ1) How can VR devices enable attack opportunities? According to the literature, the most accurate identification attacks rely on HMDs and hand-held controllers (position and acceleration) to capture kinesiological movements (A6-12), while eye trackers mainly have a supportive role (A10-12). Profiling attacks that predict critically sensitive information, namely emotions (e.g., arousal and stress levels), rely on health sensors. These attacks use devices such as EEGs (A26), electromyograms (EMGs) (A23), and ECGs (A20, A26), but also blood pressure (A25), galvanic (A20, A25-27), thermal (A24-25), respiratory (A26-27), and photoplethysmographic (A9, A22) sensors. Particularly, accelerometer and EMG data are an effective combination for identifying users' reactions to virtual stimuli (A23), and EEGs are especially suitable for emotion prediction (A20). However, an attacker can also derive emotions from facial expressions reconstructed from a target ML model (A32). Lastly, we note that some VR devices and applications have security vulnerabilities [98], and current VR devices enable more accurate identification attacks than AR glasses (A11).

(RQ2) How can VR data attributes expose attack opportunities? The geospatial telemetry of HMDs and hand-held controllers is low-hanging fruit for adversaries. Attackers can simply measure biometrics like height and wingspan to uniquely identify a small set of users (A1, 30 users), and register unique motions such as pointing (which exhibits more identifiability than grabbing motions) and rich gestures from the dominant hand (A11). If the application is not sandboxed, malicious code could exploit resource monitoring and allocation APIs from the game engine to derive voice commands or hand gestures (A33). Combined with inertial telemetry, an attacker can infer a user's full-body pose (even with avatars of different scales, A4), infer typed words (A34), perform highly accurate identification attacks (A7, A8, A12), and infer age (A10). We found evidence
that hand-eye coordination (A11) could provide stronger signals for identifiability than individual features, and that eye-related patterns have considerable influence in gender prediction (A10), requiring fusion with eye movement video feeds. In addition to proactive attacks, there is always the danger of unintentional or intentional self-disclosure (A30). Regarding the latter, a user's digital presence, such as avatar likeness and assets, can disclose sensitive demographics, offering attack opportunities.

(RQ3) How invasive can VR attacks be? The malicious accumulation of user data through profiling and tracking across internet sessions can lead to surveillance advertisement [24,68], price discrimination [46], cyber abuse [17], personal autonomy curtailment [34], and the pushing of political agendas [102], among others [1,55]. These threats accentuate when adversaries can infer users' deep emotions and reactions to stimuli [34], which, given how immersive experiences can be (A20), are more easily observable in VR. Accordingly, we find critically invasive the adversarial capability to design VR experiences that can adjust users' arousal (attention) (A26) and stress (A27) to a desired level, predict anxiety (A20), and recognize emotions (A32) and their causes (A16), in the name of personalized VR experiences. Other attacks include generative AI producing deepfakes to create false memories (A2) and virtual content nudging users to unintentionally leak information (A1).

(RQ4) How practical are privacy attacks? User adversarial attacks are easy to execute (A3, A30), as attackers can, at a minimum, join a VR session and social engineer information from users. These attacks aggravate when exploitable bugs allow, e.g., invisible avatars (A3). In contrast, attacks relying on physiological signals still require researchers to enhance their own VR hardware to register ECGs (A22), electrodermal and muscular activity (A21), or photoplethysmographic data (A24), indicating a lack of maturity of such
attacks. Lastly, given current practices and the weak establishment of VR privacy standards and enforcement [137], an adversary in control of the client application or the server running multi-user functionality could easily put into practice the attacks that researchers have demonstrated. Most critically, they can infer more than 25 attributes in a few minutes, including sensitive demographics (A1), hide malicious operations that collect or infer information within an otherwise honest application (A18), run emotion detection using video feeds (A16), and run authentication algorithms to tag users (A6-A12). (RQ5) How effective are privacy attacks? Based on the literature, identification attacks targeting kinesiological movements are highly accurate. In particular, the most effective identification attack targets gait and relies on dynamic time warping and sparse representation classifiers to achieve an accuracy of 98% using only IMUs (A6, experiments with 20 users). Others reach similar accuracy by feeding translational movements to a CNN (A7, 41 users) or eye tracking to kNN and SVM classifiers (A12, 15 users). In contrast, the most robust attack, i.e., tested with 50,000+ participants, achieved an accuracy of 94.33% by feeding a gradient boosting decision tree [65] the positions of the HMD and controllers over a 100-second interval (A31). Techniques that improve the resulting accuracy include normalizing height and arm length (A9) and applying smoothing methods for pre-processing (A7).
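To make the gait-identification idea concrete, the following minimal sketch pairs dynamic time warping with a 1-nearest-neighbor matcher over toy "IMU" traces. The data is invented, and the 1-NN matcher is a simplified stand-in for the sparse representation classifiers reported for A6:

```python
import numpy as np

def dtw_distance(a, b):
    """Dynamic time warping distance between two 1-D movement traces."""
    n, m = len(a), len(b)
    cost = np.full((n + 1, m + 1), np.inf)
    cost[0, 0] = 0.0
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            d = abs(a[i - 1] - b[j - 1])
            # Best alignment extends a match, an insertion, or a deletion.
            cost[i, j] = d + min(cost[i - 1, j], cost[i, j - 1], cost[i - 1, j - 1])
    return cost[n, m]

def identify(query, gallery):
    """1-NN identification: return the user whose enrolled trace is DTW-closest."""
    return min(gallery, key=lambda user: dtw_distance(query, gallery[user]))

# Toy "IMU" traces: each user has a characteristic gait oscillation.
t = np.linspace(0, 4 * np.pi, 80)
gallery = {"alice": np.sin(t), "bob": 0.7 * np.sin(1.5 * t)}
query = 0.7 * np.sin(1.5 * (t + 0.2))  # bob again, slightly phase-shifted
print(identify(query, gallery))
```

DTW tolerates the phase shift between enrollment and query, which is why it suits repeated kinesiological motions like gait cycles.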
Regarding profiling, one particularly effective and broad attack (A1, 30 users) accurately measured multiple primary attributes, such as height, wingspan, handedness, and interpupillary distance, from an HMD and its hand-held controllers. With this data, A1 inferred gender, age, and ethnicity with close to 100% accuracy, using variations of SVM and random forest classifiers. Furthermore, the most effective emotion profiling attacks in the literature achieved an accuracy of 80-90%. They used ECG signal amplitude and eye tracking data (A20, 12 users) or primarily EEG (A26, 12 users) as inputs to an SVM, or fed facial and surroundings video to tailored ML pipelines (A16, 20 users). (RQ6) How do these VR attacks conform with a well-established threat model? To conclude, we briefly examine these attacks from the perspective of a non-VR-specific, highly-cited threat model: LINDDUN [32], which guides the systematic elicitation and mitigation of privacy threats in software architectures. All the successful attacks in Table 2 imply users' Content Unawareness and the system's Policy and Consent Non-Compliance, because users are unaware of the hidden malicious operations that exploit the permissions granted to and advertised by the VR application. Moreover, these attacks would not be possible without incurring a Linkability or Detectability threat, as a successful attack must correctly link and assess the existence of a user and an attribute. Furthermore, attacks profiling and identifying users map to the Information Disclosure and Identifiability threats, respectively. Finally, although not explicitly specified, some of these attacks could also enable Non-Repudiation, i.e., adversaries could show proof of a user's private virtual activities or attributes (A1, A3, A17).
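As a toy illustration of anthropometric profiling, the sketch below classifies an invented (height, wingspan) measurement with a nearest-centroid rule, a deliberately simplified stand-in for the SVM and random forest models reported for A1; all data and labels are invented:

```python
import numpy as np

# Invented anthropometric training data: (height_cm, wingspan_cm) -> group label.
X = np.array([[158, 157], [162, 160], [165, 164],   # group "a"
              [175, 178], [180, 183], [185, 188]])  # group "b"
y = np.array(["a", "a", "a", "b", "b", "b"])

def nearest_centroid_predict(X, y, query):
    """Assign the query to the class whose mean feature vector is closest."""
    labels = np.unique(y)
    centroids = {label: X[y == label].mean(axis=0) for label in labels}
    return min(centroids, key=lambda label: np.linalg.norm(query - centroids[label]))

print(nearest_centroid_predict(X, y, np.array([178, 181])))
```

The point of the sketch is how little an adversary needs: a handful of passively measured body metrics already separates demographic groups linearly, which is consistent with the near-100% accuracies the surveyed attack reports with stronger classifiers.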

VR DEFENSES
Method. Following a method equivalent to that for VR attacks, we classified the 35 identified defenses (labeled with IDs D1 to D35) according to the defense model of §4.3 and the attribute classification of §5.1. Table 3 systematically categorizes the defenses based on the corresponding papers. Similarly, we designed four RQs. While RQ1-6 draw researchers' attention to areas where attacks usually excel, RQ7-10 highlight areas where defenses fall short: we classify defenses (RQ7) to provide a frame, and highlight usability (RQ8), limitations (RQ9), and practicality (RQ10) as focus areas for researchers; §8 discusses opportunities. (RQ7) What are the types of defensive mechanisms?
(i) Perturbations. Defenses that add calibrated noise to sensitive data (e.g., via differentially private mechanisms) before applications ingest it. (ii) Information abstraction. Software that extracts key features from the surrounding space (e.g., surfaces, D16) or shares only the events triggered by sensitive inputs (e.g., unique gestures, D25).
(iii) Recognizers. Automated deepfake detection (D32), and middleware that detects and warns the user of sensitive surrounding objects and bystanders (D15). (iv) Static & Dynamic Analyzers. Detection of application vulnerabilities that could lead to, e.g., unauthorized access to a private VR room (D33), and of malware that, e.g., detects and exfiltrates sensitive surrounding objects (D13).
(v) Platform features. These solutions comprise mainly user-interaction protections. The primary examples include virtual (and physical) private enclaves that only authorized users can enter (D31). Moreover, other defenses focus on confusing adversaries, e.g., with avatar clones dispersed across multiple VR applications, teleportation to new virtual locations, private copies of the virtual public environment, and platform-generated non-identifiable or invisible avatars (D30). Furthermore, platforms could include embedded voice modulators and social media privacy settings, whereby, e.g., only friends could see one's avatar (D32).
(vi) Authentication. Biometric movement recognition for logging into a VR device (D26-29). (RQ8) How do defenses balance usability and privacy? Usability is critical for immersion in VR applications; thus, researchers design utility metrics to assess the loss of usability when the user enables privacy protections. Aspects that impact usability are battery energy consumption (D14, D17), latency (D2, D4), and playability (D1, D4, D9, D14), i.e., how enjoyable or productive a VR experience is. Approaches that help to minimize device energy consumption are a tethered PC, offloading computation to the cloud (although bandwidth may become a challenge, D17), and sharing processing resources like object detection with other applications, which also reduces latency (D14). VR protections can decrease playability if the defense perturbs data, which is measurable primarily with metrics such as game scores (D1), subjective enjoyment (D4), attentiveness, comfort (D9), naturalness (D23), and accuracy loss (D1, D4, D16), among others. Additionally, enabling users to manage their privacy makes protections more usable (D31). Hence, applications empower users by giving them the choice (and the responsibility) to switch protections on depending on the context (D11), to select their privacy strength with modulators like sliders (D1, D4), and to consult visual prompts that communicate the impact of applications accessing user data (D15). In the background, these choices change the parameters quantifying privacy (e.g., ε in DP), values which we suggest setting empirically ex-ante (D1-2, D4, D5). (RQ9) What are the limitations of privacy defenses? Based on the literature, we suggest several key improvement areas: (i) Update perturbation protections that use generative adversarial networks, considering the rapid advancements in generative AI [35], as the latest study available is almost four years old (D24). (ii) Enhance biometric-movement authentication to cover activities beyond walking, like running
(D28). (iii) Expand provable privacy guarantees to eye tracking (D4, D8, D10) and geospatial (D1) time series. (iv) Increase research on user privacy preferences in VR to contextualize protections, (v) improve permission structures of VR operating systems (D13), and (vi) develop a standard vetting program to verify VR library functions (D16). However, the closed-source nature of VR systems [83] may limit defensive deployments. (RQ10) How practical and effective are privacy defenses? Researchers typically implement defenses as middleware (D15-16, D18) that pre-processes data before a potentially malicious application ingests it, or as an easy-to-install plugin within the application (D1). In terms of effectiveness, the latter would only defend against server and user adversaries. Further, unless the implementation is at the firmware level, users have no protection against a hardware adversary. Additionally, we identified in the literature promising prototypical defenses that significantly reduced the accuracy of identification attacks based primarily on geospatial (D1) and eye tracking (D4) data to random-guess levels. Moreover, we found works demonstrating substantial accuracy degradation in profiling attacks at reasonable privacy levels (DP with 3 ≤ ε ≤ 6). Notable examples include gender inference based on eye tracking, whose accuracy D5 reduced to random guessing, and deriving age primarily from geospatial telemetry, which D1 reduced by 58.25%.
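As a concrete illustration of a perturbation defense in this ε range, the following sketch applies a bounded Laplace mechanism to a static anthropometric attribute before release. The attribute bounds, ε values, and post-hoc clamping are illustrative assumptions, not any surveyed defense's exact mechanism:

```python
import numpy as np

def laplace_perturb(value, lower, upper, epsilon, rng):
    """ε-DP Laplace mechanism for a bounded scalar attribute.

    Sensitivity is taken as the attribute's plausible range (upper - lower),
    so a single release of the noised value satisfies ε-differential privacy.
    Clamping is post-processing and therefore preserves the guarantee.
    """
    scale = (upper - lower) / epsilon
    noised = value + rng.laplace(0.0, scale)
    return float(np.clip(noised, lower, upper))

rng = np.random.default_rng(0)
true_height_cm = 172.0
for eps in (3.0, 4.5, 6.0):  # the 3 <= ε <= 6 range cited above
    print(eps, round(laplace_perturb(true_height_cm, 140.0, 210.0, eps, rng), 1))
```

Larger ε means a smaller noise scale, which is exactly the usability-privacy slider trade-off discussed under RQ8: the parameter a user-facing modulator would adjust.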

VR PRIVACY OPPORTUNITIES
This section complements the taxonomies by exploring privacy practices and opportunities based on a quantitative analysis of attacks and defenses (Tables 4 and 5), a qualitative examination of research gaps (Table 6), and a review of defenses in practice.

Quantitative Analysis
Our primary objective is not to verify the results of the studies; instead, we illustrate a possible method of ranking attributes based on their protectability, with the intent of inspiring researchers to routinely incorporate this analysis into their investigations. To accomplish this, we searched for pairs of complementary open-source works (one attack and one defense) that considered a wide range of granular attributes that could be ranked in terms of privacy risk and defensibility. Within the limited pool of only four open-source defense-focused works, only MetaGuard (D1) [95] satisfied our criteria, primarily due to its unambiguous coupling with an attack study ((A1) MetaData [94]). While we have corroborated these studies' results, note that they still await peer review. Evaluation Method. Tables 4 and 5 present the results of this analysis, which consists of three steps: (i) Risk. We ran a PCA with Azure ML [86] over the anonymized ground truth of the participants of the MetaData study to calculate the amount of variability explained in PC1 by each attribute (e.g., height or wingspan) for each inferred data point (e.g., gender or age). Summing attribute contributions yields a summary statistic of the risk of attribute leakage, representing the information adversaries could obtain from their observations (Table 4).
(ii) Weighted Mean Degradation. For this metric, we relied on the anonymized frame-by-frame telemetry data of the 30 participants of the MetaData study, which we used to replicate the attacks with nearly identical accuracy. The replicated attacks measured the sensitive target attributes. Subsequently, we repeated the attacks with MetaGuard enabled at three privacy levels: low, medium, and high, to measure the degraded attack accuracy. With these results, we computed a weighted average of the degraded attack accuracy at the different privacy protection levels to reveal the attributes easiest to protect, i.e., those with the highest accuracy degradation (Table 5).
(iii) Opportunity. Finally, we ordered the attributes with the highest accuracy degradation and risk in Table 5, highlighting the most sensitive and easiest-to-protect attributes. Opportunities. We suggest that privacy practitioners prioritize deploying differential privacy defenses that protect room size, height, and interpupillary distance (IPD) in their devices and applications, as these attributes show the highest leakage risk and sensitivity to noise. Ethical Considerations. This SoK does not contain original data collected from human subjects. We replicated prior studies using anonymized data collected directly from the authors of those studies or from publicly available online repositories. We verified that OHRP-registered institutional ethics review boards processed and approved those prior studies and considered them non-deceptive. Additionally, those studies' informed consent documents included permission to re-use collected data for follow-up research, and we handled such data rigorously according to the corresponding original consent documentation requirements.
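Steps (ii) and (iii) can be sketched numerically. The accuracies, weights, and baseline below are invented, and the weighting scheme is an assumption, since the exact aggregation used for Table 5 is not reproduced here:

```python
# Invented degraded attack accuracies (fraction correct) per privacy level,
# with assumed weights over the low/medium/high settings.
degraded = {"low": 0.80, "medium": 0.55, "high": 0.30}
weights = {"low": 0.2, "medium": 0.3, "high": 0.5}
baseline = 0.95  # unprotected attack accuracy

# Weighted mean degradation: weighted drop from baseline across levels.
wmd = sum(weights[level] * (baseline - acc) for level, acc in degraded.items())

risk = 0.40                # e.g., the PC1-based leakage risk for this attribute
opportunity = wmd * risk   # ranking statistic: sensitive AND easy to protect
print(round(wmd, 3), round(opportunity, 3))
```

Attributes scoring high on both factors (large degradation under noise, large leakage risk) surface at the top, which is the prioritization logic behind recommending room size, height, and IPD.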

Min-Set Coverage of Defenses & Attacks
Method. We selected the most comprehensive attacks per attribute class and mapped them to the most fitting defenses in Table 6, considering identification and profiling privacy breaches and highlighting privacy opportunities (ranked as Opportunity = WMD × Risk).
On the one hand, while most of the attacks had an associated defense, some protections did not defend the full spectrum of the attack vector. For instance, audio identification protection has seen more defenses outside of VR [96], (D35) ReconViguRation did not account for (A29) VR-Spy (which leverages the channel state information of WiFi signals to infer unique gesture patterns), and (D1) MetaGuard could not protect against malicious content, with which (A1) MetaData covertly assessed users' cognitive abilities. Thus, we encourage researchers to re-examine the proposed defenses and improve them for completeness. On the other hand, we highlight in Table 6 larger research gaps in the landscape of VR threats and protections as opportunities for researchers to advance the field. Primarily, despite existing orthogonal research [40,78,132], physiological signals are understudied from an adversarial and defensive perspective, specifically in the context of VR. There is also a dearth of defenses against using geospatial and inertial data for identification and profiling (e.g., A5-6, A10, A12), and of research on the usability impact of defenses, such as the effect of blurring bystanders on user recollection [41].

VR Defenses in Practice
Method. We examined the 58 studies on attacks and defenses to find open-source implementations of their proposed mechanisms, and briefly explored privacy threats and protections in the industry. Unfortunately, we found that only 21% had a functional repository: 4 defenses (D1, D16, D25, D33) and 8 attacks (A1, A7-8, A16-17, A21, A27, A31). Despite researchers' defensive efforts, e.g., (D1) MetaGuard packaged the first VR "incognito mode" as a Unity plugin [95] for any VR application using MelonLoader [80], only (D25) Prepose had an official affiliation with Microsoft (with no evidence of its use in production), and the Bigscreen company used the recommendations from (D33) MitR Defense to patch their privacy vulnerabilities. On the other hand, (A16) EMOShip forms part of the technology stack of Pupil Labs. Overall, we observe little transfer of privacy research into the VR industry. Additionally, the conclusions from the 2022 evaluation study OVRseen [137] indicated a significant lack of privacy measures in commercial-grade applications: 70% of VR data flows from the most widely adopted VR device were not appropriately disclosed, and 69% of them were used for purposes different from the core apps' functionality. Hence, we encourage researchers to systematically open-source their code and engage with companies to bring privacy protections to consumers.
On the industry side, several indicators are forming a trend not conducive to enhancing privacy. Companies have not shipped a "VR incognito mode" to prevent user tracking across VR applications, some developers ignore their own privacy policies [137], consumers need to pay extra to sign in to their VR headsets without a social media account [111], the patents of a major VR company reveal how face tracking will help with personalized advertising in future metaverse applications [134], policy updates trend towards more data collection [137], VR devices and applications are shown to be vulnerable to exploits [98], and companies can ban plugins [56] that could help with privacy, safety, and user disabilities.
Nonetheless, the most advanced commercial-grade VR device, released in late October 2022 [83], has proposed a set of privacy features that raise the industry standards [84]: (i) monitoring features are turned off by default, (ii) tracking is paused at headset removal, (iii) cameras and microphone are turned off during the headset's sleep mode, (iv) raw images are processed, stored, and deleted locally, (v) the extracted features are not used to identify users, and (vi) external lights on the headset signal to bystanders that outward-facing cameras might record them. However, there are caveats: e.g., the company's eye-tracking notice [81] indicates that abstracted facial tracking information could be stored and processed by servers (e.g., potentially for psychographic profiling), abstracted gaze data can be shared with third parties (where the data is subject to their own privacy policies), and dark patterns are prevalent, namely, "Enable" buttons are more highlighted than the "Not Now" option. Overall, given these industry and research privacy gaps, there are numerous opportunities for academics and practitioners to improve the state-of-the-art in privacy-enhancing VR systems, e.g., adding features

DISCUSSION & FUTURE WORK
We distill key findings (KF) and future work (FW) from studying the 74 selected publications and our results: (KF1) There is a fundamental imbalance in the deployment of offensive and defensive VR research. While most reviewed papers focused on defensive techniques, none were deployed. This indicates limited knowledge transfer to industry, as evidenced by the absence of open-source code in academic papers. In contrast, we have so far seen a plethora of device vulnerabilities [98] and increased data collection and privacy policy disregard [137], along with one deployed academic offensive technique (A16). This contrasts with web privacy research, where vulnerabilities are highlighted yet countermeasures are widely available. (KF2) Only a few defense studies (17%) provided provable privacy guarantees. Provable privacy appeared in eye tracking studies (D2, D4-5, D8, D10) and spatial telemetry (D1). However, provable privacy is still uncommon in VR, possibly due to the field's relative immaturity. (KF3) VR authentication mechanisms should remain in the device.
Selected studies indicate biometric movement can leak identity, supporting the inclusion of continuous authentication within the device, such as secure enclaves akin to Face ID verification on mobile phones, to prevent user switching during activities like exams. (KF4) There is a lack of hardware-level privacy defenses. E.g., practitioners could use (D1) MetaGuard at the firmware level or execute a signed function in a trusted execution partition instead of relying on performance variations to detect application misbehavior (D13). (KF5) Attack benchmarks should use appropriate metrics, and defense proposals should generally include usability and performance studies. We encourage researchers to add F1-scores or equal error rates, as false positives and negatives are essential for security and privacy, and to measure performance degradation in, e.g., execution time, battery consumption (D14, D25), and usability (D1, D9). (KF6) We identified the most dangerous attacks. Based on the literature, (A31) [93] and (A1) MetaData are the most effective and practical identification and (broadest) profiling attacks, respectively.
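A minimal sketch of the equal-error-rate computation recommended in KF5, run over invented similarity scores from a hypothetical biometric-movement authenticator:

```python
import numpy as np

def equal_error_rate(genuine, impostor):
    """EER: operating point where false accept rate equals false reject rate."""
    thresholds = np.sort(np.concatenate([genuine, impostor]))
    best_gap, eer = np.inf, 1.0
    for t in thresholds:
        far = np.mean(impostor >= t)  # impostors wrongly accepted
        frr = np.mean(genuine < t)    # genuine users wrongly rejected
        if abs(far - frr) < best_gap:
            best_gap, eer = abs(far - frr), (far + frr) / 2
    return eer

# Invented comparison scores: same-user vs. different-user attempts.
rng = np.random.default_rng(2)
genuine = rng.normal(0.8, 0.1, 200)
impostor = rng.normal(0.4, 0.1, 200)
print(f"EER ~= {equal_error_rate(genuine, impostor):.3f}")
```

Unlike raw accuracy, the EER is insensitive to class imbalance and makes the false-accept/false-reject trade-off explicit, which is why it is the standard reporting metric for authentication systems.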
Beyond the privacy opportunities highlighted in §8 and the limitations of RQ9, we encourage researchers to: (FW1) Design protections for spatial and inertial telemetry against adversarial inference. The majority of surveyed defenses focused on protecting information extracted from video feeds. Moving forward, we hope to see defensive research fill the remaining gap. (FW2) Explore attacks on VR-native stimuli. While some reviews discussed the safety dangers of maliciously manipulating video output [9,20,138], none investigated whether such dangers apply to audio, stereoscopic vision, haptic feedback, or other VR-specific outputs. There is a corresponding lack of defenses against such risks. (FW3) Develop concrete countermeasures against malicious content design. Mitigating the ability of adversaries to gain information or influence users by manipulating the immersive VR environment is among the most difficult open problems in VR. Achieving an appropriate balance between flexibility and consumer protection in VR environment design remains a significant outstanding challenge. (FW4) Resume research in privacy protections for VR user interaction. The deeply immersive nature of VR makes social engineering a salient threat, but many extant studies on this subject are more than 10 years old [30]. (FW5) Study the inference of health conditions based on physiological signals in VR. The surveyed studies inferred emotions and arousal in VR, revealing how adversaries could deduce neurological and physical disabilities, addictions, and health conditions like asthma, highlighting the deeply personal nature of VR privacy threats and the need for defensive research.

CONCLUSION
In this SoK, we present a threat and defense framework for data privacy in VR and outline privacy opportunities for practitioners. Despite there being more defense proposals than attacks in the literature, existing defenses are not exhaustive, some are missing, and most remain undeployed. The rise of data-hungry companies and pervasive data collection in VR highlights the need for increased cross-collaboration between industry and academia. Our frameworks and taxonomies aim to provide a foundation for future collaborations and research on metaverse privacy issues.

Figure 3 :
Figure 3: Privacy risk of VR applications as adversary exposure increases.
(FW6) Explore the use of trusted execution environments (TEEs) in VR. At the server or client level, TEEs could enhance privacy beyond the surveyed defenses. Deploying TEEs for GPUs might open new privacy avenues.

Table 2 :
Systematization of VR attacks from collected papers. Names in italics correspond to the authors' selected title; otherwise, a descriptive name is used.

Table 3 :
Systematization of VR defenses from collected papers.

Table 4 :
Cumulative explained variability (%) of PC1 for each primary and secondary attribute per inferred attribute.