Motion tracking "telemetry" data lies at the core of nearly all modern virtual reality (VR) and metaverse experiences. While generally presumed innocuous, recent studies have demonstrated that motion data actually has the potential to uniquely identify VR users. In this study, we go a step further, showing that a variety of private user information can be inferred just by analyzing motion data recorded from VR devices. We conducted a large-scale survey of VR users (N=1,006) with dozens of questions ranging from background and demographics to behavioral patterns and health information. We then obtained VR motion samples of each user playing the game "Beat Saber," and attempted to infer their survey responses using just their head and hand motion patterns. Using simple machine learning models, many of these attributes could be accurately and consistently inferred from VR motion data alone. Despite the significant observed leakage, there remains limited awareness of the privacy implications of VR motion data, highlighting the pressing need for privacy-preserving mechanisms in multi-user VR applications.

翻译：运动追踪"遥测"数据几乎构成所有现代虚拟现实（VR）与元宇宙体验的核心。尽管通常被认为无害，近期研究表明运动数据实际上具有唯一识别VR用户的潜力。在本研究中，我们进一步证明，仅通过分析VR设备记录的运动数据即可推断出多种用户私密信息。我们开展了一项大规模VR用户调查（样本量N=1,006），涵盖从背景与人口统计学特征到行为模式与健康信息等数十个问题。随后我们采集了每位用户玩"Beat Saber"游戏时的VR运动样本，并尝试仅凭其头部和手部运动模式推断其调查回答。通过使用简单机器学习模型，这些属性中的多数可从VR运动数据中准确且一致地推断出来。尽管存在显著的信息泄露，但人们对VR运动数据隐私影响的认知仍然有限，这凸显了在多用户VR应用中亟需引入隐私保护机制。