A privacy-preserving approach to streaming eye-tracking data

TL;DR

This paper presents a novel privacy-preserving framework for streaming eye-tracking data in mixed reality, significantly reducing user identification risks while maintaining gaze prediction accuracy.

Contribution

It introduces the first privacy-by-design approach for eye-tracking data in mixed reality, combining API gatekeeping and software mechanisms to protect user privacy.

Findings

Privacy mechanisms reduce identification from 85% to 30%.

Gaze prediction error remains below 1.5 degrees.

Framework supports privacy without compromising gaze-based applications.

Abstract

Eye-tracking technology is being increasingly integrated into mixed reality devices. Although critical applications are being enabled, there are significant possibilities for violating user privacy expectations. We show that there is an appreciable risk of unique user identification even under natural viewing conditions in virtual reality. This identification would allow an app to connect a user's personal ID with their work ID without needing their consent, for example. To mitigate such risks we propose a framework that incorporates gatekeeping via the design of the application programming interface and via software-implemented privacy mechanisms. Our results indicate that these mechanisms can reduce the rate of identification from as much as 85% to as low as 30%. The impact of introducing these mechanisms is less than 1.5$^\circ$ error in gaze position for gaze prediction. Gaze data streams can thus be made private while still allowing for gaze prediction, for example, during foveated rendering. Our approach is the first to support privacy-by-design in the flow of eye-tracking data within mixed reality use cases.