Movement- and Traffic-based User Identification in Commercial Virtual Reality Applications: Threats and Opportunities

TL;DR

This paper explores how user movement and network traffic in virtual reality applications can be used to identify users, highlighting both potential benefits for customization and significant privacy risks from fingerprinting.

Contribution

It presents an analysis of user identification methods based on movement and traffic data in VR, revealing privacy threats and opportunities for secure identification.

Findings

User movement patterns can reliably identify users.

Network traffic analysis poses privacy risks.

Potential for automatic user customization.

Abstract

With the unprecedented diffusion of virtual reality, the number of application scenarios is continuously growing. As commercial and gaming applications become pervasive, the need for the secure and convenient identification of users, often overlooked by the research in immersive media, is becoming more and more pressing. Networked scenarios such as Cloud gaming or cooperative virtual training and teleoperation require both a user-friendly and streamlined experience and user privacy and security. In this work, we investigate the possibility of identifying users from their movement patterns and data traffic traces while playing four commercial games, using a publicly available dataset. If, on the one hand, this paves the way for easy identification and automatic customization of the virtual reality content, it also represents a serious threat to users' privacy due to network analysis-based fingerprinting. Based on this, we analyze the threats and opportunities for virtual reality users' security and privacy.