Privacy Is Impossible In The Metaverse (And Everywhere Else)

new study from researchers at UC Berkeley concludes that virtual reality users can be uniquely identified within a few seconds by looking at the way they move their head and hands.

This is interesting but not surprising if you’ve been paying attention. If you value personal privacy, you are living in the wrong universe.

Let’s start with what can be learned from your actions in VR, then zoom out for the bigger picture.

The Berkeley researchers looked at data from 50,000 Beat Saber players, swinging their arms around batting at flying blocks synced to terrible music. It’s a tremendously popular VR game; the study went through 2.5 million hours of game time.

With just 100 seconds of data about a specific person flailing their head and arms around, the researchers could uniquely identify that person and match them to their previous games. Accuracy: 94%.

Half the time, they could correctly identify a unique person with just two seconds of flailing.

Here’s a subtle distinction to keep in mind. At this point, the researchers don’t know who that player is. It’s not like they’ve matched a name and address and they can drive to your house and burst in and say, “We knew you were playing, you’re supposed to be studying!”

All they can do is bring up some data and say, aha, we’ve seen this person before, it’s player number 25,001. And they’d be right! Which is pretty amazing.

The scary part happens because a giant tech company with no ethical boundaries (*cough* Meta *cough*) could combine that motion identification with other data and learn who you are and then they would know every single thing about you. We’ll talk about that below.

For now, stick with that idea of being able to uniquely identify someone – to say, “We don’t know their name and address but this data matches someone already in the system.”

Fingerprints  Think about fingerprints. We grew up believing that each person has unique fingerprints. When the police find a fingerprint at a crime scene, they search a giant database to see if the prints match prints already on file.

Similarly, you might unlock your computer or phone with your fingerprint. The scanner looks at the fingerprint on the button to see if it matches the one it memorized. If it matches, the device unlocks. The accuracy is supposed to be 1 in 100,000 people. It’s not; real world results show that more like 1 in 1500 people would pass the scan and unlock the device. Still, that’s pretty good security.

Similar things apply to all the biometrics you can think of: facial recognition, eyeball scans, voice recognition. Each one is designed to measure something and determine what makes it unique.

There are lots of things that are unique about us. You are indeed a special snowflake – and somewhere there are people studying how to pick you out of a crowd.

Not planning to play Beat Saber? Here are three more ways that you can be identified.

Gait  The way you walk is utterly unique. Gait recognition systems can identify you with nearly 100% accuracy from your silhouette, height, speed, and walking characteristics – even if your face is out of view or concealed. Bear in mind that we live in a world where there are cameras everywhere watching you walk.

Keyboard & mouse movements  Do you need to know more than that “keystroke dynamics” is a thing? It goes back to the late 1800s when telegraph operators began to recognize each other’s tapping rhythms. During World War II, military intelligence paid close attention to the unique signatures of people tapping dots and dashes.

Today you can be identified with precision by the timing, rhythm, and pressure of your keystrokes. It can be used as a form of authentication that is as secure as a fingerprint.

You can take all the precautions you want to be anonymous online, and still be unmasked by your keyboard strokes.

Researchers are also studying mouse movements, which are similarly distinctive. Ten years ago researchers claimed to be able to identify a user within ten taps of an iPhone touchscreen.

All of these systems lead to identification of a unique user. It turns out to be trivial to combine that conclusion with other data to specifically identify you by name.

Want an example?

Location mapping  Companies know where you are.

Cell phone carriers map the towers that your phone connects to. Many apps on your phone report your location continuously. Your Internet provider provides your devices with a unique IP address that may be able to be read by websites and apps.

In one study, 95% of “anonymized” cellphone users could be identified by name using just four random locations visited by the phone – not specific addresses, just the closest cell phone tower, tagged once an hour.

Given 11 locations, the team identified 100% of the users.

From an article about the study: “The danger of being able to identify cellphone users so easily is that you could deduce some pretty private information just from where people go. You could see if someone attends certain religious or political meetings, visits an HIV/AIDS or reproductive clinic, or hangs out with an ex or a business rival.”

There’s more info about the dangers of location tracking here. The big companies know where we are, and that plugs them in to who we are, and from that they can learn everything about us.

Here’s another example of how easy you are to identify. This website will show you how many people share your date of birth, your zip code, and your gender. It will likely be fewer than you think. With just that information, data brokers can easily find your name and address.

Your web browser history is unique to you, just like your fingerprints. Browser fingerprinting identifies users by the properties of their web browser, the device, the network, and more.

There are companies that can uniquely identify many people by the fonts available to their web browser.

If you’ve been reading Bruceb News for a while – and you have, you brave, loyal readers! – then you know privacy is impossible in the modern world. Data brokers know everything about you. Your personal information is freely bought and sold and added to giant databases. Location data is readily available. This is the first article in a five part series that concludes that we’re screwed.

We started with the latest discovery, that movements of our head and hands in virtual reality allow us to be identified. Techdirt said this about the VR research this week:

Researchers found that the data they leave behind in virtual reality is more useful than a fingerprint to identify individuals. It also provides significantly more data to monetize, including a user’s height, handedness, gender, potential disability, strength, personal tics, etc.

Combine this data with the profiles already commonly being built at major companies and ad brokers, and you could see how this might be a bit of an issue in a country that’s literally too corrupt to pass even a basic privacy law for the internet era (there was just too much money to be made, sorry).

The study of VR movements is interesting but it’s more important for you to understand the reality of life in 2023.

Everything that you do leaves a trail that permits you to be identified.

Anything promising anonymity is a lie.