Virtual reality (VR) is an emerging technology that enables new applications but also introduces privacy risks. In this paper, we focus on Oculus VR (OVR), the leading platform in the VR space, and we provide the first comprehensive analysis of personal data exposed by OVR apps and the platform itself, from a combined networking and privacy policy perspective. We experimented with the Quest 2 headset, and we tested the most popular VR apps available on the official Oculus and the SideQuest app stores. We developed OVRseen, a methodology and system for collecting, analyzing, and comparing network traffic and privacy policies on OVR. On the networking side, we captured and decrypted network traffic of VR apps, which was previously not possible on OVR, and we extracted data flows (defined as <app, data type, destination>). We found that the OVR ecosystem (compared to the mobile and other app ecosystems) is more centralized, and driven by tracking and analytics, rather than by third-party advertising. We show that the data types exposed by VR apps include personally identifiable information (PII), device information that can be used for fingerprinting, and VR-specific data types. By comparing the data flows found in the network traffic with statements made in the apps' privacy policies, we discovered that approximately 70% of OVR data flows were not properly disclosed. Furthermore, we provided additional context for these data flows, including the purpose, which we extracted from the privacy policies, and observed that 69% were sent for purposes unrelated to the core functionality of apps.
翻译:虚拟现实( VR) 是允许新应用的新兴技术, 但也引入了隐私风险。 在本文中, 我们侧重于 VR 空间的主要平台 Oculus VR (OVR) 。 我们从网络和隐私政策的角度, 首次全面分析OVR 应用程序和平台本身暴露的个人数据。 我们实验了 Quest 2 headet, 我们测试了官方 Oculus 和 SideQuest 应用程序中最受欢迎的 VR 应用程序 。 我们开发了 OVR Seeen, 一个用于收集、分析、比较网络流量和隐私政策的方法和系统。 在网络方面, 我们捕获并破解了VR 应用程序和平台本身的网络流量。 我们发现, OVR 生态系统( 相对于移动和其他应用程序的生态系统) 更加集中, 由跟踪和分析驱动, 而不是由第三方广告驱动。 在网络的网络中, 数据类型( 包括 VR 数据流的可识别性数据流, 用于我们所发现的数据类型 ), 数据流中的数据类型 包括用于 VR 数据流中的可识别数据流 。
相关内容
微信扫码咨询专知VIP会员