Journey into the Immersive Frontier: Preliminary NIST Research on Cybersecurity and Privacy Standards for Immersive Technologies

Words like “metaverse” and “augmented reality” may conjure up thoughts of friends in headsets wielding virtual sabers or folks roaming the streets at night in search of PokéStops. Virtual, augmented, and mixed reality technologies (“immersive technologies”) have entered the popular conscience thanks in part to the success of games, but their applications go well beyond new experiences in entertainment. They are already being utilized to increase access to education, improve manufacturing, bolster accessibility, and train workforces in healthcare and retail.

Immersive technologies have the potential to transform the way we interact with each other and the world. In the future, electrical utilities workers could use augmented reality technologies linked into smart cities infrastructure to identify the location of faulty grid equipment, while family and friends could use immersive technologies to virtually explore a new city, see a natural wonder, or just get together more often.

With these exciting potential benefits may come new vulnerabilities for cybersecurity and privacy that, if ignored, could create economic and societal harms.

In cybersecurity, digital technologies that bridge into new domains via novel interfaces, protocols, etc. can increase attack surface and break existing trust balances (i.e., balance of risk mitigations). These new technologies also have a distinctly human element and so will bring a host of human factors considerations related to cybersecurity. Consider that a phishing email can cripple you today, but the access afforded by similar attacks using something like a QR code with AR glasses could conceivably wreak havoc for individuals that rely on the technology. Immersive technologies may also enhance cybersecurity controls and mitigations. For example, private displays like those utilized in AR and VR headsets can help preserve data confidentiality during display of sensitive information compared to handheld or desktop displays, which are more susceptible to attacks, such as “shoulder surfing.”

To function, these technologies rely on spatial and body-based data about individuals, which can create significant privacy risks. This includes integration of behavioral data about emotional/psychological states with biometric data used beyond identity verification (e.g., eye tracking). Immersive technologies can also create limitations for the application of traditional privacy principles. For example, physical data necessary for functionality may be generated involuntarily and is measured using complex techniques. This limits individuals’ ability to understand and control how their data is collected and used. Further, integration with other emergent technologies, like Artificial Intelligence, adds complexity to the unique context in which cybersecurity and privacy risks can arise and will need to be managed.

In the coming months, NIST will research the current state of immersive technologies, gathering insights and feedback on cybersecurity and privacy considerations from our stakeholder community. This work will include soliciting stakeholder feedback through a call for input and comments, holding a workshop, and issuing a final report outlining findings and recommendations for next steps.

We hope you will contribute your expertise as we engage with the community to learn more about these technologies. We welcome all feedback from interested parties. Comments, feedback, and questions can be sent to immersivetech [at] nist.gov (immersivetech[at]nist[dot]gov). Please keep an eye out for more from NIST on immersive technologies!