XR Safety Initiative (XRSI) Launches Novel Privacy Framework for XR and Spatial Computing Domain

The XR Safety Initiative (XRSI) releases the XRSI Privacy Framework Version 1.0 to help individuals and organizations address a comprehensive set of privacy needs, enabling more innovative and effective solutions to improve privacy in the Extended Reality (XR) and Spatial Computing domain.

The Framework can be downloaded HERE.

The framework is a free, globally accessible baseline rulebook built by bringing together a diverse set of experts from various backgrounds and domains, including privacy and cybersecurity, cloud computing, immersive technologies, artificial intelligence, legal, artists, product design, engineering, and many more.

The XRSI Privacy Framework sets a baseline set of standards, guidelines, and regulation-agnostic best practices. It incorporates privacy requirements drawn from the General Data Protection Regulation (GDPR), National Institute of Standards and Technology (NIST) guidance, Family Educational Rights and Privacy Act (FERPA), Children’s Online Privacy Protection Rule (COPPA), and other evolving laws. The framework is designed to adapt and include novel requirements as new regulations come into effect.

A new definition of personal data

XR expands the definition of personal information that must be protected, including biometrically-inferred data, which is especially prevalent in XR data pipelines. You need to consider new rights for data subjects—the people whose information is collected and used—to know what’s being collected, how it is used, and how it is shared.

Given the potential immersion of XR experiences and breadth of sensitive information available to XR hardware, informed consent is especially important. This concept includes ensuring age-appropriate design and awareness for parents to increase child safety. The framework guides what, why, when, how, and where to INFORM via Context, Choice, Control, and Child Safety.

The framework emphasizes PREVENTION, not protection, including content moderation, proactive actions to preserve privacy, differential privacy, decentralization, anonymization, etc.

A Novel Approach to Privacy

While understanding user privacy expectations is challenging, it is crucial in immersive technologies. The expectation in immersive environments is the basis for a layered approach to privacy in creating a safe and trustworthy experience. The framework introduces three levels of privacy expectations: Minimum, Desired, and Ideal.

Combining the seven Privacy by Design principles with the Human-Centric design principles, first outlined by the Cyber XR Coalition, the XRSI Privacy Framework helps achieve a much-needed outcome: Human-Centric Privacy By Design.

A Human-Centric design and development approach for immersive technologies rests on three pillars—Trust, Inclusion, and Accessibility. It fuels the creation of products that resonate more deeply with an audience, ultimately driving engagement and growth.

When used as a risk management tool, the XRSI Privacy Framework can help organizations build trust, achieve transparency, and create accountability during development and innovation, minimizing unintended consequences for individuals.

Extended Reality, extending guidance

While XR brings with it new challenges for the privacy-conscious, few regulations exist to ensure organizations take the proper steps to protect novel data types and address the human, societal, informational, financial, and legal risks inherent to XR.

The Privacy Framework as a Toolkit

The Framework uses a familiar format to break subject matter into increasingly specific language, starting with focus areas, followed by functions and controls. The four focus areas—Assess, Inform, Manage, and Prevent—are the backbone of the framework. Depending on the use case, individuals and organizations can find what they need from the framework effectively using its intuitive yet straightforward layout.

The framework contains over 100 individual controls to help developers, policy creators, data subjects, and decision-makers align their intents, using clear, human-readable language.

For example, the INFORM focus area contains a Child Safety function, with seven individual controls.

There is no inherent expectation to “comply with The XRSI Privacy Framework.” Instead, use it as the baseline measure to optimize privacy efforts in minimizing risks within the Spatial Computing and XR Data Processing Ecosystem. At its best, the XRSI Privacy Framework intends to create Accountability in the Immersive domain.

Using this toolkit, we can now understand our shared responsibility to ensure privacy, safeguard data, and build trust.

What’s Next for The XRSI Privacy Framework:

This announcement is only the beginning of XRSI’s commitment to building a global privacy framework for XR. Together with its liaison organizations Open AR Cloud, University of Michigan, and Georgia Institute of Technology, there are many other challenges to tackle, including:

  • Geolocation and geo privacy
  • Standardized semiotic labels for XR
  • Adoption and enforcement of the framework
  • Data protection impact assessment for Spatial Computing and XR
  • Analysis of dark patterns and their impact on trust in Spatial Computing and XR
  • XR Data Classification Framework (continuing the XR-DCF effort XRSI started in 2019)