
Lassonde researcher examining privacy concerns in virtual reality environment


Imagine travelling to the peak of Mount Everest to observe the mountainous region, or floating in space to study the stars, constellations and planets – all during a class at school. Virtual reality (VR) technologies have made immersive learning experiences like these possible, expanding the opportunities available in traditional education settings. Though convenient and often exciting, some VR technologies pose significant privacy risks by improperly collecting and sharing users’ personal data.

Yan Shvartzshnaider, an assistant professor in the Electrical Engineering & Computer Science Department at York University’s Lassonde School of Engineering, is one of many researchers working to address virtual privacy concerns and develop practical solutions for growing cybersecurity needs.

Professor Shvartzshnaider and Karoline Brehm, an international exchange master’s student at York from Bauhaus-Universität Weimar, recently developed a paper titled “Understanding Privacy in Virtual Reality Classrooms,” which discusses the concerns of VR platforms in education settings and proposes a privacy assessment framework to address these issues.

“VR technologies are powered by an array of sensors and collect large amounts of data about users and their surrounding environment,” says Professor Shvartzshnaider. “Though VR applications are designed to mimic real-world experiences, the extensive data collection practices intrinsic to VR technology expose users to a range of novel privacy and security threats.”

VR platforms allow both real and virtual environments to exist simultaneously; however, each environment may adhere to different privacy norms. For example, if a student uses VR technology to attend a virtual lecture while at home, they are in two vastly different environments at the same time. Many VR platforms do not recognize these differences and may collect sensitive information about the user’s home environment, causing a violation of privacy of which the user may not be aware.

“As technology develops and becomes mainstream in established contexts like education, workplaces and healthcare, we need to examine and mitigate the associated privacy risks,” says Professor Shvartzshnaider.

The paper presents a framework to help examine and address such privacy risks by applying the theory of contextual integrity (CI). This theory helps ensure information flows in accordance with the established norms of a given context, to avoid privacy breaches and violations.

The CI-based framework, ENCASE, consists of four phases: engagement with community members, capture information flow, assessment of breaching information and enforcement of CI.

Starting from the engagement phase, the framework is used to gather information from stakeholders of a given VR technology regarding privacy expectations and contextual norms. For example, when examining VR technology used in an education setting, information would be gathered from faculty, students, VR providers and other impacted individuals.

Next, the capture phase analyzes how VR technology impacts privacy expectations and information flows, followed by the assessment phase, which examines and identifies potential privacy violations of the technology. Finally, the enforcement phase applies gathered information to help inform solutions, ensuring the VR technology adheres to privacy expectations and avoids breaches.

The ENCASE framework can also be used to identify other privacy concerns related to technologies in established social contexts like healthcare and workplace settings to inform protective solutions.

This work was started by Karoline Brehm as part of Professor Shvartzshnaider’s course project on Privacy in Sociotechnical Systems: Theory and Applications (EECS 6350). 

Learn more about Professor Shvartzshnaider’s research, teachings and ongoing projects.

His work helps contribute to global cybersecurity efforts, celebrated during Data Privacy Week, an annual campaign that takes place during the last week of January to highlight the impact of technology on privacy rights and the importance of protecting personal information.


The project was supported by a Lassonde Minor Research Grant and partially funded by the Office of the Privacy Commissioner of Canada (OPC). The views expressed herein are those of the authors and do not necessarily reflect those of the OPC.