You lower a headset over your eyes, pick up two hand controllers, and begin interacting with a virtual world. You might be playing a game, carrying out a training simulation or chatting with a friend. The last thing you’re probably worried about is a data breach — you’re not sharing sensitive information and, well, you’re in another reality.
Hertz Fellow Vivek Nair, however, says users of virtual reality (VR) systems have a reason to be concerned about their privacy. Nair and his colleagues at University of California, Berkeley, recently showed that a trained machine learning program could identify any individual out of a pool of 55,000 VR users using just 100 seconds of a person’s head and hand motions. In a separate study, Nair also discovered that attributes like gender, age, height, health and even marital status, income and education can be inferred from such motion data.
In other words, the way you move gives away a lot about you.
“If you’re friends with someone, you naturally learn what their movement patterns look like compared to other people, and without any training at all you also can make pretty good guesses about some of the attributes of a stranger based on how they move,” says Nair. “It turns out that machine learning programs can do this even better than us.”
As virtual reality picks up steam, Nair says that a person’s movement data could be used to identify them as they move through different programs, shop online, and even attend VR appointments with healthcare providers. This could lead to ultra-targeted advertising and privacy breaches.
The good news: Nair is among the researchers leading the new convergence of VR with data protection and cryptography. His Hertz fellowship gives him the freedom to pursue solutions in this space. There are ways to protect people’s data, he says, and now — before VR’s popularity soars even more — is the time to tackle these questions.
Combining Two Interests
Nair began tinkering with computers and coding at a young age and, in high school, created accessible, cheaply made tablets that he sold online for $99 . Shortly afterward, he started working for a small medical startup company called Holmusk, where he got exposed to cybersecurity challenges in the context of how to keep patients’ sensitive health data safe.
“Right as I was becoming interested in these questions, there was a big wave of attacks called SIM swapping,” recalls Nair. “It motivated me to develop my own cryptographic methods and file patents for various systems that helped prevent SIM swapping.”
Nair’s techniques went on to form the basis for a startup company (Multifactor.com) and Nair received his bachelor’s degree in computer science from the University of Illinois Urbana-Champaign at age 18. Much of his research since has focused on user authentication — the process in accessing a computer resource during which someone verifies that they are who they claim to be.
“If you think of a computer system as a castle, you have all sorts of defenses to make sure people don’t get in the backdoor or climb over the walls,” says Nair. “But user authentication is the front door, and if your front door isn’t secure, then it doesn’t matter how good all your other defenses are because someone can walk right in.”
At the same time his interests in cryptography were progressing, Nair also was developing a new hobby: virtual reality sports. At Berkeley, he is the captain of the “SSS” Beat Saber team, in which players swipe a virtual saber (controlled using VR controllers) to swipe blocks that represent musical beats.
“Because I had these two interests, in VR and in user authentication, it was a very natural crossover to start thinking about what user authentication looks like in VR systems,” Nair says. “I realized that this was something almost no one else was thinking about.”
Your Movements Give You Away
Vivek, along with mentors Dawn Song and James O’Brien at Berkeley, showed just how easy it was to learn information about VR users — all with data that was incredibly easy to obtain. Data from Beat Saber could rapidly identify a person’s computer, language, behavior, surroundings and physical attributes. From those initial data points, the researchers could infer more than 40 personal attributes, including wealth, gender, ethnicity and age. In a second study, they used machine learning to identify individuals with 94 percent accuracy using just a few minutes of their playing patterns.
“It’s comparable to a fingerprint scan or an iris scan in terms of how many people you can uniquely identify using this method,” says Nair.
Today, Nair is pursuing his PhD in computer science at Berkeley with the support of the Hertz Foundation and studying ways to overcome these privacy issues in VR.
“My advice for people already using VR systems is that, even if you’re meeting privately with a person in VR and you feel like you’re not giving anything away, you should basically pretend that the meeting is happening in the middle of the street. Anyone who walks by can see you,” he says.
Nair credits his Hertz Fellowship for enabling him to carry out research at the intersection of VR and cybersecurity. Most research labs focus on one or the other and funding in the crossover space is hard to come by.
“Being able to bridge the gap and not be tied to one lab and one project in terms of funding or advising has been incredibly important to me,” he says.