Virtual Reality: Real Privacy and Security RisksTechnology Attorney Steven Teppler Discusses Evolving Concerns
As evolving virtual reality technologies are embraced by corporate environments, including healthcare entities, for training and other purposes, organizations need to carefully consider the privacy and security risks they pose, says technology attorney Steven Teppler.
Virtual reality encompasses computer technologies that simulate environments and allow users to interact in those environments. While the defense and aerospace industries have utilized virtual reality technologies for flight simulation training and other purposes, virtual reality products are also becoming increasingly popular with consumers for gaming, as well as for training and educational programs in the healthcare sector, Teppler notes.
"As these new technologies are being rushed to market, the appropriate privacy and security considerations are not being adhered to or paid attention to," Teppler contends in this interview with Information Security Media Group.
Potential privacy and security concerns include the risks of breaches involving improperly protected personal information that consumers and other users submit to the makers of virtual reality gear and related software applications as part of product registration and payment processes, he says.
But another risk is the hacking of recordings and other private information while the products are in use, Teppler says. "You really don't know what it is that you might communicate, that might be recorded, about you - [such as] your geolocation - that might be used for marketing purposes without your consent," he says.
Payment and personal information submitted to technology and app vendors from within the virtual reality platforms could also potentially be accessed by hackers, he says. "We don't even know what is 'up to par,' in terms of security" with evolving virtual reality products, he contends.
Because of the potential risks, users of these technologies must carefully examine the terms of service for the devices and related software and learn about the information being collected and used by the virtual reality vendors, Teppler says.
Some of the environments where these types of devices are used could pose other risks as well, he notes.
In healthcare, for example, virtual reality may be used to help guide a medical procedure, such as one surgeon using virtual reality tools to instruct another surgeon, Teppler explains. "If there's a combination of the virtual reality with the actual operation, and the information [is] shared, that could be extremely problematic."
"There are privacy and security implications because these VR providers are going to be using cloud-based technology to run their operations. And the typical cloud-based security may not be visible to the user because the user just sees the front-end terms of service - and they don't understand what the terms of service [are] between the VR provider and the cloud [vendor]," Teppler says.
In the interview (see audio player below photo), Teppler also discusses:
- Steps organizations can take to vet the security and privacy practices of virtual technology providers, as well as their related cloud computing services vendors;
- Measures that virtual reality vendors can take to improve the privacy and security of new products under development;
- Potential liability issues involving virtual reality technologies.
Teppler is a partner at the Abbott Law Group in Jacksonville, Fla., and leads the firm's electronic discovery and technology-related litigation practice. He was also one of the attorneys who represented plaintiffs in a data breach class action lawsuit against health plan AvMed that ended in a $3 million settlement in 2013. Teppler is also an adjunct professor at Nova Southeastern University Law School.