VPVet: Vetting Privacy Policies of Virtual Reality Apps

Yuxia Zhan, Yan Meng, Lu Zhou, Yichang Xiong, Xiaokuan Zhang, Lichuan Ma, Guoxing Chen, Qingqi Pei, Haojin Zhu

TL;DR

The work addresses the gap between VR data collection practices and privacy-policy transparency by introducing VPVet, an automatic vetting system guided by five VR-specific criteria. It builds VRPP, a large-scale VR privacy-policy corpus, and demonstrates substantial gaps in policy availability, completeness, granularity, minimization, and consistency with observed app behavior. Through domain-adapted CUS extraction and ontology-driven analysis, VPVet provides quantitative metrics (CTG, PPG) and actionable insights, highlighting pervasive overbroad data collection and policy-policy/code inconsistencies. The approach yields a foundation for improved VR privacy governance, and both the tool and the dataset are being released to the research community to drive future improvements and policy alignment.

Abstract

Virtual reality (VR) apps can harvest a wider range of user data than web/mobile apps running on personal computers or smartphones. Existing law and privacy regulations emphasize that VR developers should inform users of what data are collected/used/shared (CUS) through privacy policies. However, privacy policies in the VR ecosystem are still in their early stages, and many developers fail to write appropriate privacy policies that comply with regulations and meet user expectations. In this paper, we propose VPVet to automatically vet privacy policy compliance issues for VR apps. VPVet first analyzes the availability and completeness of a VR privacy policy and then refines its analysis based on three key criteria: granularity, minimization, and consistency of CUS statements. Our study establishes the first and currently largest VR privacy policy dataset named VRPP, consisting of privacy policies of 11,923 different VR apps from 10 mainstream platforms. Our vetting results reveal severe privacy issues within the VR ecosystem, including the limited availability and poor quality of privacy policies, along with their coarse granularity, lack of adaptation to VR traits, and the inconsistency between CUS statements in privacy policies and their actual behaviors. We open-source the VPVet system along with our findings at the repository https://github.com/kalamoo/PPAudit, aiming to raise awareness within the VR community and pave the way for further research in this field.

Paper Structure (29 sections, 3 equations, 11 figures, 13 tables, 2 algorithms)

This paper contains 29 sections, 3 equations, 11 figures, 13 tables, 2 algorithms.

Figures (11)

  • Figure 1: Sensors embedded in Meta Quest Pro (Left) and accessories emerging in the VR consumer market (Right).
  • Figure 2: Motivation of VPVet: the current situation of VR app privacy policies and corresponding vetting criteria.
  • Figure 3: System overview of VPVet.
  • Figure 4: Mainstream VR devices and platforms.
  • Figure 5: CUS tuple extraction pipeline.
  • ...and 6 more figures