NIST continues to study immersive technology cyber, privacy issues

The U.S. National Institute of Standards and Technology (NIST) continues to conduct research it began earlier this year into the known and unknown cybersecurity and privacy challenges and risks that are posed by immersive technologies.
Immersive technologies include virtual reality (VR), augmented reality (AR), and mixed reality (MR), collectively known as XR technology.
NIST has been gathering feedback from the stakeholder community on its Immersive Technologies Cybersecurity and Privacy Topics for Feedback document, issued in February, which requested input and comments on the draft of the report NIST intends to produce outlining its findings and recommendations.
NIST’s Draft for USG Use Only document states that while “immersive technologies have the potential to transform the way we interact with each other and the world,” the “exciting potential benefits” these new technologies offer may also come with “new vulnerabilities for cybersecurity and privacy.”
“In cybersecurity,” the paper explained, “digital technologies that bridge into new domains via novel interfaces, protocols, etc. can increase attack surface. These new technologies also have a distinctly human element and so will bring a host of human factors considerations related to cybersecurity. To function, these technologies rely on spatial and body-based data about individuals, which can create significant privacy risks. This includes integration of behavioral data about emotional/psychological states with biometric data used beyond identity verification.”
Immersive technologies can also create limitations for the application of traditional privacy principles, the paper said.
NIST said “these technologies hold promise to drive innovation and economic growth in numerous areas such as workforce, accessibility, and healthcare,” but that “their creation and use can … generate cybersecurity and privacy risks, some of which may be novel.”
These new technologies also have interdisciplinary and integrative implications, mixing knowledge and approaches from myriad fields, such as neuroscience, psychology, behavioral studies, and statistics. NIST said that “their integration with other emergent technologies like Artificial Intelligence (AI) and Internet of Things (IoT) adds complexity to the unique context in which cybersecurity and privacy risks can arise and will need to be managed.”
The XR Association explained in its February 2022 response to NIST’s Request for Information regarding its Study to Advance a More Productive Tech Economy that “while immersive experiences have in the past typically been associated with entertainment and gaming, XR technology has undergone dramatic development over the past several years and is now widely considered to be the next major computing platform. Indeed, XR technology is rapidly being adopted across industries as an enterprise solution, particularly in the manufacturing and health care sectors,
The draft NIST paper said “cybersecurity and privacy risks are distinct but can overlap.” “For example,” NIST pointed out, “data confidentiality may be both a cybersecurity and privacy consideration for a system. But system availability considerations may not involve privacy, while secondary use of information derived from user engagement may not involve system cybersecurity. Immersive technologies may generate cybersecurity and privacy risks, some of which can be novel or mixed in complex ways.”
Existing, emerging, and future immersive technologies “have a distinctly human element and so will bring a host of human factors considerations related to cybersecurity,” wrote Dylan Gilbert, a NIST privacy policy advisor, and Mike Fagan, a computer scientist working with NIST’s Cybersecurity for IoT Program.
“Immersive technologies may … enhance cybersecurity controls and mitigations. For example, private displays like those utilized in AR and VR headsets can help preserve data confidentiality during display of sensitive information compared to handheld or desktop displays, which are more susceptible to attacks, such as ‘shoulder surfing,’” Gilbert and Fagan said.
“To function,” they continued, “these technologies rely on spatial and body-based data about individuals, which can create significant privacy risks. This includes integration of behavioral data about emotional/psychological states with biometric data used beyond identity verification (e.g., eye tracking). Immersive technologies can also create limitations for the application of traditional privacy principles. For example, physical data necessary for functionality may be generated involuntarily and is measured using complex techniques. This limits individuals’ ability to understand and control how their data is collected and used. Further, integration with other emergent technologies, like Artificial Intelligence, adds complexity to the unique context in which cybersecurity and privacy risks can arise and will need to be managed.”
In its July 26 response to NIST’s request for input, the Washington, D.C.-based Information Technology and Innovation Foundation (ITIF) said “many AR/VR applications present unique cybersecurity and privacy concerns,” pointing out that “these technologies collect large volumes of sensitive personal data, including a constant stream of data from users interacting with virtual environments. Much of the information that AR/VR devices collect is sensitive data not used in other consumer technology devices, yet it is critical to the core functions of AR/VR.”
As an example, ITIF said “AR/VR devices may collect eye gaze and motion tracking data, which developers need to secure because the information users provide can directly reveal details they may expect to keep private, such as demographic information, where they live, or how they spend their free time. At the same time, developers must also ensure that the methods they use to protect user data don’t also decrease the enjoyment or quality of the virtual experience.”
ITIF said “the unique challenges AR/VR technologies present, therefore, arise from the risks of aggregating sensitive information and the challenge of adapting security features designed for other consumer technologies into immersive, three-dimensional environments.”
ITIF said there’s the additional challenge of XR devices that are in what it called the “family computer” stage, “in which households own a single device shared by all members,” making it “highly likely that an adult sets up these devices,” meaning that, “unless the adult has diligently created alternate accounts for other household members and assured that all household members effectively use their assigned accounts, anyone using the device will likely be able to access all the content available to the adult’s primary account.”
ITIF said “newer forms of biometric authentication present a potential solution,” such as iris recognition, pointing out that Apple’s Vision Pro headset already uses iris scanning as identity verification, eliminating the issue of children accessing adults’ accounts and allowing for multiple users to access the same device.
“Eventually, immersive technologies may also adopt new methods of authentication, such as zero-trust authentication,” ITIF said.
In the conclusion to its response to NIST’s draft paper, ITIF said that as “users continue to construct digital identities within these environments, the volume and sensitivity of the data collected will significantly increase, creating more threats to users’ privacy and security. Therefore, digital identity should play a key role in shaping the governance structures in immersive technologies and NIST is well placed to lead this charge.”
Indeed, it’s a brave new world, but one in which NIST seems to be widely considered the one federal agency best positioned and equipped to develop best practices and standards that address the risks presented now and in the future by immersive technologies, leveraging its vast technical expertise to identify and analyze vulnerabilities in AR/VR systems and to identify best practices for data security.
NIST said standards and guidelines “play a critical role in cybersecurity and privacy,” but that “immersive technologies may break existing cybersecurity and privacy assumptions, requiring adaptation or update to tools and techniques documented in standards and guidelines. Additionally, immersive technologies may warrant new standards and guidelines efforts to complement existing resources.”
NIST can build on its Cybersecurity Framework, expand its Digital Identity Guidelines to integrate user authentication securely into immersive platforms, and come up with guidelines for integrating biometric identity verification.
In its draft paper, NIST has sought comment and feedback on the specific topics it identified, which NIST said will “help inform future research and development of guidelines, tools, and other resources to support effective privacy and cybersecurity risk management for immersive technologies.”
The topics are:
- Immersive technology ecosystem and use cases;
- Privacy and cybersecurity risk considerations; and
- Immersive technology standards and risk management resources.