Motion tracking "telemetry" data lies at the core of nearly all modern virtual reality (VR) and metaverse experiences. While generally presumed innocuous, recent studies have demonstrated that motion data actually has the potential to uniquely identify VR users. In this study, we go a step further, showing that a variety of private user information can be inferred just by analyzing motion data recorded from VR devices. We conducted a large-scale survey of VR users (N=1,006) with dozens of questions ranging from background and demographics to behavioral patterns and health information. We then obtained VR motion samples of each user playing the game "Beat Saber," and attempted to infer their survey responses using just their head and hand motion patterns. Using simple machine learning models, over 40 personal attributes could be accurately and consistently inferred from VR motion data alone. Despite this significant observed leakage, there remains limited awareness of the privacy implications of VR motion data, highlighting the pressing need for privacy-preserving mechanisms in multi-user VR applications.