BehaVR: User Identification Based on VR Sensor Data

Ismat Jarin; Yu Duan; Rahmadi Trimananda; Hao Cui; Salma Elmalaki; Athina Markopoulou

BehaVR: User Identification Based on VR Sensor Data

Authors: Ismat Jarin (University of California, Irvine), Yu Duan (University of California, Irvine), Rahmadi Trimananda (University of California, Irvine), Hao Cui (University of California, Irvine), Salma Elmalaki (University of California, Irvine), Athina Markopoulou (University of California, Irvine)

Volume: 2025
Issue: 1
Pages: 399–419
DOI: https://doi.org/10.56553/popets-2025-0022

Download PDF

Abstract: Virtual reality (VR) platforms enable a wide range of applications, however, pose unique privacy risks. In particular, VR devices are equipped with a rich set of sensors that collect personal and sensitive information (e.g., body motion, eye gaze, hand joints, and facial expression). The data from these newly available sensors can be used to uniquely identify a user, even in the absence of explicit identifiers. In this paper, we seek to understand the extent to which a user can be identified based solely on VR sensor data, within and across real-world apps from diverse genres. We consider adversaries with capabilities that range from observing APIs available within a single app (app adversary) to observing all or selected sensor measurements across multiple apps on the VR device (device adversary). To that end, we introduce BehaVR, a framework for collecting and analyzing data from all sensor groups collected by multiple apps running on a VR device. We use BehaVR to collect data from real users that interact with 20 popular real-world apps. We use that data to build machine learning models for user identification within and across apps, with features extracted from available sensor data. We show that these models can identify users with an accuracy of up to 100%, and we reveal the most important features and sensor groups, depending on the functionality of the app and the adversary. To the best of our knowledge, BehaVR is the first to analyze user identification in VR comprehensively, i.e., considering all sensor measurements available on consumer VR devices, collected by multiple real-world, as opposed to custom-made, apps.

Keywords:

Copyright in PoPETs articles are held by their authors. This article is published under a Creative Commons Attribution 4.0 license.