VPVet: Vetting Privacy Policies of Virtual Reality Apps

TL;DR

VPVet is an automated tool designed to evaluate the compliance and quality of privacy policies in VR apps, revealing significant privacy issues and inconsistencies in the current VR ecosystem.

Contribution

This paper introduces VPVet, the first system to analyze VR privacy policies for compliance, completeness, and quality, supported by the largest VR privacy policy dataset to date.

Findings

Many VR privacy policies are incomplete or poorly written.

There are significant inconsistencies between policies and actual app behaviors.

VR privacy policies lack granularity and adaptation to VR-specific data collection.

Abstract

Virtual reality (VR) apps can harvest a wider range of user data than web/mobile apps running on personal computers or smartphones. Existing law and privacy regulations emphasize that VR developers should inform users of what data are collected/used/shared (CUS) through privacy policies. However, privacy policies in the VR ecosystem are still in their early stages, and many developers fail to write appropriate privacy policies that comply with regulations and meet user expectations. In this paper, we propose VPVet to automatically vet privacy policy compliance issues for VR apps. VPVet first analyzes the availability and completeness of a VR privacy policy and then refines its analysis based on three key criteria: granularity, minimization, and consistency of CUS statements. Our study establishes the first and currently largest VR privacy policy dataset named VRPP, consisting of privacy policies of 11,923 different VR apps from 10 mainstream platforms. Our vetting results reveal severe privacy issues within the VR ecosystem, including the limited availability and poor quality of privacy policies, along with their coarse granularity, lack of adaptation to VR traits and the inconsistency between CUS statements in privacy policies and their actual behaviors. We open-source VPVet system along with our findings at repository https://github.com/kalamoo/PPAudit, aiming to raise awareness within the VR community and pave the way for further research in this field.