XRSI releases VR/AR user privacy framework, citing ‘urgent’ need

Virtual and augmented reality technologies have continued to improve at a brisk pace, with Facebook’s Oculus Quest VR headset and Nreal’s Light AR glasses setting new standards for mobility and comfort. But as the hardware and software evolve, concern over their user privacy implications is growing, so the nonprofit XR Safety Initiative has released its own solution — the XRSI Privacy Framework — as a “baseline ruleset” to create accountability and trust for extended reality solution developers, while enhancing data privacy for users.

The XRSI Privacy Framework is urgently needed, the organization suggests, as “[i]ndividuals and organizations are currently not fully aware of the irreversible and unintended consequences of XR on the digital and physical world.” From headsets to other wearables and related sensors, XR technologies are now capable of gathering untold quantities of user biometric data, potentially including everything from a person’s location and skin color to their eye and hand positions at any given split second. But there aren’t comprehensive regulations to protect XR users; the National Institute of Standards and Technology has offered basic guidance, while regional laws such as GDPR, COPPA, and FERPA govern some forms of data in specific locations. XRSI’s document ties them all together and goes further.

Developed and vetted by a group of academics, attorneys, XR industry executives, engineers, and writers, the Framework is a 45-page document with around 25 pages of regulatory and guideline meat that will be of more of interest to lawyers and corporate privacy officers than end users. Broadly, the Framework pushes companies such as Facebook to responsibly develop and use immersive technologies, rather than just creating tools to harvest as much information from individuals as is now possible, using the aggregated threat of legal consequences as a stick to encourage voluntarily appropriate corporate behavior. It’s designed to get XR stakeholders to think before acting — arguably the opposite of moving fast and breaking things.

From a user perspective, the XRSI aims to deliver transparent, easy to understand solutions that are inclusive while protecting individual privacy by design and default, including modern understandings of identity and respect for the user’s individual characteristics and preferences. It’s also timely: As schooling from home is taking off, with XR potentially taking a larger role in remote education, the Framework canvasses existing laws protecting both children under 13 and older students against discrimination and inappropriate record keeping, helping XR companies to understand their existing and future legal obligations in the scholastic arena.

The XRSI is working with liaison organizations including Open AR Cloud, the University of Michigan, and the Georgia Institute of Technology to further develop the Framework beyond its current “version 1.0” status, as well as to get it adopted and enforced. While the group credits individual experts from known organizations such as HERE and Niantic with helping to craft the document, it’s unclear at this stage whether XR platform developers such as Facebook, HTC, or Valve will support the initiative.