Are You Listening,Facebook? On Cybersecurity and Virtual Worlds

In the ultimate vision of virtual reality (VR) and augmented reality (AR), these technologies inspire a deep sense of connectedness and exploration. They should be seamless and accessible enough to allow wide swaths of people to immerse themselves in new worlds, dynamic perspectives, and meaningful experiences. However, before VR/AR can become truly ubiquitous, developers, policy makers, and consumers must engage in a careful discussion of cybersecurity, ethics, and the realities of putting increasingly large portions of our identities online.

In the midst of large-scale data breaches and security lapses, the past few years have been tumultuous in the world of cybersecurity. A study released by Javelin Strategy and Research found that $16 billion was stolen from 15.4 million U.S. consumers in 2016, compared to $15.3 billion and 13.1 million victims in 2015. ¹ Additionally, the 2016 Emerging Technology Domains Risk Survey identified AR as a technology domain that could result in significant disruptions to safety, privacy, finance, or operations if breached. ² And as consumers recovered from a series of headlines in 2017 about leaked personal data such as the Equifax and Uber data breaches, Facebook was forced to revisit accusations of using people's microphones to listen to their conversations and serve relevant ads, a level of intrusion that cuts deeper, somehow, than having our personal accounts hacked.

Facebook has flatly denied this accusation. ³ Realistically, the company doesn't need to listen to people's conversations to serve highly individualized retargeting ads. Tech giants such as Facebook and Google already have access to reams of user data based on people's shopping habits, age, and location, among other granular factors—including the personal information we readily provide, such as credit card details and phone numbers.

These same companies stand at the forefront of digital innovation. Facebook's latest VR venture, Facebook Spaces, uses the profile photos of Oculus Rift and HTC Vive users to create avatars that can interact in virtual worlds. But with a year of large-scale security hacks behind us, we must question the ways VR/AR technologies may expose us to identity theft in the hands of companies that already maintain dossiers of user data. In the near future, who's to say a savvy hacker couldn't infiltrate a person's Facebook Spaces avatar, posing as another person and gaining access to their personal data? And when we're able to interact with people with new levels of immersion, how do we protect ourselves from catfishing and similar scams?

As VR and AR seek to enmesh themselves with our everyday lives, developers must reckon with the ways they will protect the information of their users in new digital territory—both the information they gather, such as our browsing habits, and the data we relinquish for the sake of convenience, such as our account information. In its public data use policy, Facebook has published how it stores and encrypts user data, stating, “We work hard to protect your account using teams of engineers, automated systems, and advanced technology such as encryption and machine learning.” ⁴ But these policies may not be enough, particularly in light of the Ethically Aligned Design guide released by the Institute of Electrical and Electronics Engineers (IEEE). The guide is intended to establish frameworks to guide and inform dialogue and debate around the implications of intelligent and autonomous technical systems.

Regarding mixed reality, the IEEE maintains that “mixed reality could alter our concepts of identity and reality as these technologies become more common in our work, education, social lives, and commercial transactions,” raising ethical questions about individual rights and control over one's “multifaceted identity.” ⁵ VR/AR aren't solely intended for entertainment—they present a range of compelling benefits for therapy, industry, and communication. As tech giants such as Facebook continue to develop these technologies, the mainstream adoption of VR/AR will benefit greatly, but at the same time, consumers deserve to know how their identities are being stored, how their likenesses and interactions may be used for marketing purposes, and how their information is being protected.

One may argue that when users create accounts and use these Web sites, they effectively opt in to the ways companies control their personal data. To an extent, that may be true for desktop and mobile applications, but VR/AR are—and will continue to be—different. If these technologies will one day be fully integrated into our everyday lives, we must begin exploring ways to advocate for consumer interests today. Significant numbers of students will one day be able to attend virtual lectures remotely as part of their regular coursework; professionals will be able to use VR/AR in their everyday work, from inventory management to data processing; and virtual technologies will be used to diagnose and treat medical conditions. These applications, and many others, will disrupt the ways we interact, much in the way that cell phones have become essentials parts of our social identities.

Mixed reality will change the way we think about privacy in public, which is why the policies that surround VR/AR must advocate appropriate protections. As the IEEE recommends, users who divulge personal or identifying data should have clear assurances that their identities—both persona and virtual—will be protected and secured against tampering. Facebook may not be listening to users' conversations for ad retargeting, but one can only hope that they're listening to and anticipating conversations about cybersecurity. The time to set ethical, transparent standards is now—that way, we can move toward a safer, connected future.