Virtual reality (VR) is an emerging technology that enables new applications
but also introduces privacy risks. In this paper, we focus on Oculus VR (OVR),
the leading platform in the VR space, and we provide the first comprehensive
analysis of personal data exposed by OVR apps and the platform itself, from a
combined networking and privacy policy perspective. We experimented with the
Quest 2 headset, and we tested the most popular VR apps available on the
official Oculus and the SideQuest app stores. We developed OVRseen, a
methodology and system for collecting, analyzing, and comparing network traffic
and privacy policies on OVR. On the networking side, we captured and decrypted
network traffic of VR apps, which was previously not possible on OVR, and we
extracted data flows (defined as <app, data type, destination>). We found that
the OVR ecosystem (compared to the mobile and other app ecosystems) is more
centralized, and driven by tracking and analytics, rather than by third-party
advertising. We show that the data types exposed by VR apps include personally
identifiable information (PII), device information that can be used for
fingerprinting, and VR-specific data types. By comparing the data flows found
in the network traffic with statements made in the apps’ privacy policies, we
discovered that approximately 70% of OVR data flows were not properly
disclosed. Furthermore, we provided additional context for these data flows,
including the purpose, which we extracted from the privacy policies, and
observed that 69% were sent for purposes unrelated to the core functionality of

Rahmadi Trimananda, Hieu Le, Hao Cui, Janice Tran Ho, Anastasia Shuba, Athina Markopoulou
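The core comparison the abstract describes, matching each observed data flow <app, data type, destination> against statements extracted from the app's privacy policy, can be illustrated with a small consistency check. This is an added example, not OVRseen's code: the data-type ontology, the domain-to-entity map, the app name and the policy statements are all constructed here.

```python
# Constructed data-type ontology (assumed, not the paper's): specific -> general.
DATA_ONTOLOGY = {
    "android id": "device identifier",
    "serial number": "device identifier",
    "device identifier": "device information",
    "email address": "pii",
    "play area": "vr data",
}
# Constructed map from destination domain to the entity that operates it.
DOMAIN_ENTITY = {"api.example-game.test": "example-game",
                 "analytics.tracker-a.test": "tracker-a"}

def generalizations(data_type):
    """Return the data type followed by each ancestor in the ontology."""
    terms = [data_type]
    while terms[-1] in DATA_ONTOLOGY:
        terms.append(DATA_ONTOLOGY[terms[-1]])
    return terms

def is_disclosed(flow, policy, app_entity):
    """True if a policy statement (data type, party) names the flow's data
    type or an ancestor of it, and its party matches the destination:
    'first party' for the app's own servers, otherwise the named entity
    or the generic 'third party'."""
    _app, data_type, destination = flow
    entity = DOMAIN_ENTITY.get(destination, "unknown")
    generic = "first party" if entity == app_entity else "third party"
    accepted = set(generalizations(data_type))
    return any(d in accepted and p in (generic, entity) for d, p in policy)

def undisclosed_flows(flows, policy, app_entity):
    """Return the observed flows that no policy statement covers."""
    return [f for f in flows if not is_disclosed(f, policy, app_entity)]

# Constructed sample: flows seen in one hypothetical app's traffic, and the
# statements extracted from its hypothetical privacy policy.
FLOWS = [
    ("example-game", "android id", "api.example-game.test"),
    ("example-game", "email address", "api.example-game.test"),
    ("example-game", "serial number", "analytics.tracker-a.test"),
    ("example-game", "play area", "analytics.tracker-a.test"),
]
POLICY = [
    ("device information", "first party"),  # covers android id sent first party
    ("device identifier", "tracker-a"),      # covers serial number sent to tracker-a
]

if __name__ == "__main__":
    for flow in undisclosed_flows(FLOWS, POLICY, "example-game"):
        print("undisclosed:", flow)
```

Two of the four constructed flows (the email address sent first party and the play area sent to the tracker) have no covering statement, so they would count as undisclosed in the sense the abstract uses.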