A privacy-preserving approach to streaming eye-tracking data
This work is significant for mixed reality users and developers, providing a privacy-by-design approach to mitigate the risk of user identification from eye-tracking data.
This paper addresses the privacy risk of unique user identification through eye-tracking data in virtual reality, showing an identification rate of up to 85% under natural viewing. The authors propose a framework with API design and software mechanisms that reduces identification to 30% while maintaining gaze prediction error below 1.5 degrees.
Eye-tracking technology is being increasingly integrated into mixed reality devices. Although critical applications are being enabled, there are significant possibilities for violating user privacy expectations. We show that there is an appreciable risk of unique user identification even under natural viewing conditions in virtual reality. This identification would allow an app to connect a user's personal ID with their work ID without needing their consent, for example. To mitigate such risks we propose a framework that incorporates gatekeeping via the design of the application programming interface and via software-implemented privacy mechanisms. Our results indicate that these mechanisms can reduce the rate of identification from as much as 85% to as low as 30%. The impact of introducing these mechanisms is less than 1.5$^\circ$ error in gaze position for gaze prediction. Gaze data streams can thus be made private while still allowing for gaze prediction, for example, during foveated rendering. Our approach is the first to support privacy-by-design in the flow of eye-tracking data within mixed reality use cases.