MDE#12 Navigating XR Data
Privacy and Safety Risk Assessment 🌊
Summer is over. Back to work! Let’s do it with a smile; after all, it’s our choice.
Before setting sail, a captain identifies hazards by studying maps and weather—that's like spotting risks in XR. The captain prioritizes threats like storms or pirates, similar to evaluating which XR issues are most urgent. To mitigate risks, they might choose a safer route or update equipment, just as you'd implement safety features in XR. Once sailing, continuous adjustments are made based on new info, akin to ongoing monitoring in XR. And just like a captain's log records the journey, documenting your actions in XR is key for future safety.
Today, I’ll introduce a privacy and safety risk assessment for companies from X Reality Safety Intelligence (XRSI), addressing privacy and safety concerns for XR technologies.
The XRSI Framework
The XRSI framework “helps organizations define their privacy goals, identify privacy risks, and optimize the use of personal and sensitive information while limiting privacy violations.”
It’s a risk management tool to achieve transparency and create accountability for XR companies.
The framework is composed of four areas of work to ensure companies’ alignment with privacy and safety measures from diagnosis to prevention. Today we’ll explore their privacy risk assessment for companies.
Let’s set sail to anchor XR privacy!
XR Privacy Risk Assessment
This assessment helps organizations understand how personal information flows within their systems and operations and what protective measures are needed to ensure compliance with privacy laws and regulations.
XR applications collect a huge amount of data from users and their surroundings to make the XR experience possible. For example, positioning a user in space requires collecting data about the user's surroundings via a camera feed. The application needs this data while it is running in order to position the user.
The essential step is to understand (1) which data is needed to make the experience happen and (2) which of that data needs to be stored and which does not.
In the case above, we should question whether the data collected to map the space could be deleted upon request after the XR experience has finished.
So what can we do?
To distinguish what is essential from what can be deleted, let’s start with some questions that can help us perform an XR privacy risk assessment.
What data is stored? On-device? Distributed to other users? On an edge cloud? On a remote cloud? How long will the data be retained? Will the personal and sensitive XR data be encrypted, de-identified, obfuscated, and/or aggregated when storing or processing?
What is the data collection pipeline? What is collected by the device? What is stored locally on the device? What data is shared with other users, third-party applications, or other companies?
What are the various types of data required by the platform, service, or app?
What are the various types of data being collected, processed, and shared?
What is the legal basis for storing personal and sensitive XR data?
Which third parties will the data be shared with and how will they be processing the data?
What processes are in place to communicate to customers, collaborators, and regulators what data is being collected and why?
What processes are in place to ensure the data is stored securely?
What processes are in place for responding to a data breach or any privacy incident in a timely manner?
Once you’ve answered these questions, you’ll have a good understanding of how the XR experience is handling data.
💡 Curious to know more? Check the XRSI Privacy and Safety Framework
Bye for now!
NEWS OF THE PAST MONTH: Last July, I joined Lynx Mixed Reality. A great company with an amazing team building a European headset that doesn’t harvest your data, allowing your own data policy. Too good to be true? Just check it out for yourself!
Thanks for reading until the end! I am looking forward to having you as part of this expanding community.
Disclaimer: The views expressed here are my own and do not represent the views or opinions of my current or any past employer.