Conservative Plane Releasing for Spatial Privacy Protection in Mixed Reality Jaybie Agullo de Guzman Kanchana Thilakarathna Aruna Seneviratne Data 61|CSIRO & University of Sydney University of New South Wales University of New South Wales Sydney, Australia Sydney, Australia Sydney, Australia kanchana.thilakarathna@sydney. [email protected] [email protected] edu.au ABSTRACT CCS CONCEPTS Augmented reality (AR) or mixed reality (MR) platforms • Human-centered computing → Mixed / augmented require spatial understanding to detect objects or surfaces, reality; • Security and privacy → Information account- often including their structural (i.e. spatial geometry) and ability and usage control; Privacy protections; • Computing photometric (e.g. color, and texture) attributes, to allow ap- methodologies → 3D imaging. plications to place virtual or synthetic objects seemingly ACM Reference Format: “anchored” on to real world objects; in some cases, even al- Jaybie Agullo de Guzman, Kanchana Thilakarathna, and Aruna lowing interactions between the physical and virtual objects. Seneviratne. 2020. Conservative Plane Releasing for Spatial Privacy These functionalities require AR/MR platforms to capture the Protection in Mixed Reality. In Proceedings of MobiXXX 2020. ACM, 3D spatial information with high resolution and frequency; New York, NY, USA, 15 pages. https://doi.org/10.1145/nnnnnnn. however, these pose unprecedented risks to user privacy. nnnnnnn Aside from objects being detected, spatial information also reveals the location of the user with high specificity, e.g. in 1 INTRODUCTION which part of the house the user is. In this work, we propose AR/MR platforms such as Google ARCore, Apple ARKit, and to leverage spatial generalizations coupled with conservative Windows Mixed Reality API requires spatial understanding releasing to provide spatial privacy while maintaining data of the user environment in order to deliver virtual augmen- utility. We designed an adversary that builds up on existing tations that seemingly inhabit the real world, and, in some place and shape recognition methods over 3D data as attack- immersive examples, even interact with physical objects.1 ers to which the proposed spatial privacy approach can be Fig. 1 shows a generic information flow diagram for MR. The evaluated against. Then, we simulate user movement within captured spatial information is stored digitally as a spatial spaces which reveals more of their space as they move around map or graph of 3D points, called a point cloud (labelled Si in utilizing 3D point clouds collected from Microsoft HoloLens. Fig. 1), which is accompanied by mesh information to indi- Results show that revealing no more than 11 generalized cate how the points, when connected, represent surfaces and planes–accumulated from successively revealed spaces with other structures in the user environment. However, these 3D large enough radius, i.e. r ≤ 1:0m–can make an adversary spatial maps that may contain sensitive information, which fail in identifying the spatial location of the user for at least the user did not intend to expose, can be further utilized for half of the time. Furthermore, if the accumulated spaces are functionalities beyond the application’s intended function of smaller radius, i.e. each successively revealed space is (see potential attacker J in Fig. 1) for benign attacks such r ≤ 0:5m, we can release up to 29 generalized planes while as aggressive localized advertisements to malevolent ones arXiv:2004.08029v1 [cs.CV] 17 Apr 2020 enjoying both better data utility and privacy. such as burglaries. Nonetheless, there are no mechanisms in place that ensure user spatial data privacy in existing MR platforms. Moreover, despite 3D data being a structural representa- tion of the real world, 3D data is perceptually latent from the users. With traditional media, such as images and video, Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are what the “machine sees” is what the “user sees”. On the other not made or distributed for profit or commercial advantage and that copies hand, with MR, what the machine sees is different–often even bear this notice and the full citation on the first page. Copyrights for third- more–than what the user sees. With MR, the experience is party components of this work must be honored. For all other uses, contact exported as visual data (e.g. objects augmented on the user’s the owner/author(s). MobiXXX 2020, September 2020, London, UK 1ARKit, https://developer.apple.com/documentation/arkit; ARCore, https: © 2020 Copyright held by the owner/author(s). //developers.google.com/ar/; Windows MR, https://www.microsoft.com/ ACM ISBN 978-x-xxxx-xxxx-x/YY/MM. en-au/windows/windows-mixed-reality. For the rest of the paper, we will https://doi.org/10.1145/nnnnnnn.nnnnnnn be collectively referring to AR and MR as MR. Function G Mixed Reality Device e.g. Microsoft Hololens Privacy True space i Mechanism Adversarial application Y M Output X Z i i Example Output Input Point Cloud Transformed Point Cloud e.g. Pokémon walking around of the True space of the True space Attacker H: I|S modify them to operate in the scale on which 3D data is J Hypothesis Adversarial pipeline captured by MR platforms. We demonstrate how easy it is 1 Historical or previously 2 collected 3D data to extend these methods to be used as an attacker in the Function MR scenario whilst quantifying the privacy leakage. Then, Y G Output we propose spatial plane generalizations with conservative Mixed Reality Device Si e.g. Microsoft Hololens Input Point Cloud as a privacy-enhancing approach which can True space i Main MR processing pipeline of the True space Example Output plane releasing e.g. Pokémon walking around potentially be easily integrated with existing MR platforms– Privacy Mechanism ~ i.e. inserted as an intermediary privacy mechanism as shown M Si Transformed Point Cloud in Fig. 1. Finally, we evaluate not only the privacy leakage, Inserting Privacy Preservation of the True space but also the reduction of utility in terms of quality of service Figure 1: Information flow diagram (following the green utilizing real-world 3D point cloud data captured through solid arrows) for an intended MR function G, with an at- the Microsoft HoloLens from a variety of spaces. To this end, tacker J which can perform adversarial spatial inference: (1) we summarize the major contributions as follows: adversarial inference modeling or learning from, say, histor- ical 3D data, and (2) adversarial inference or matching over currently released 3D data. Then, inserting an intermediate (1) We present a 3D adversarial inference model that reveals privacy-preserving mechanism M which aims to prevent ad- the general space of a user, i.e. inter-space inference, and versarial spatial inference. their specific location within the space, i.e. intra-space inference. view) while the user is oblivious about the captured spatial (2) We compare the performance of the two spatial inference mapping, its resolution, and exactness. This inherent percep- attack approaches and show that a ‘classical’ descriptor- tual difference creates a latency from user perception and, based matcher can outperform a deep neural network- perhaps, affects–or the lack thereof–how users perceive the based recognizer. sensitivity of 3D information. Aside from the spatial struc- (3) We demonstrate that the insufficient protection provided tural information, the mapping can also include 3D maps of by spatial generalizations can be improved by conser- objects within the space. Furthermore, the spatial map can vatively releasing the plane generalizations; specifically, also reveal the location of the user: both the general loca- controlling the maximum number of released generalized tion, and their specific location within the space. Moreover, planes instead of naively providing the generalizations most users are oblivious about the various information that entirely. are included in the spatial maps captured and stored by MR (4) We present an in depth analysis over a realistic scenario platforms. when user spaces are successively released and experi- As majority of the work on MR have been focused on mentally determine the maximum number of releases, delivering the technology, only recently have there been and generalized planes that prevents spatial inference, efforts in addressing the security, safety, and privacy risks both inter-space and intra-space. For example, revealing associated with MR technology [7, 9]. There have been a no more than 11 generalized planes can make an adver- few older works that have pointed out the issues on ethical sary fail in identifying the spatial location of the user for considerations [14] in MR as well as highlighting considera- at least half of the time. tions on data ownership, privacy, secrecy, and integrity [13]. (5) Lastly, we show that better data utility can be achieved Moreover, potential perceptual and sensory threats that can with a smaller size, i.e. r = 0.5m, of revealed generalized arise from MR outputs such as photosensitive epilepsy and spaces while providing adequate–or even better–privacy; motion-induced blindness have also been looked into [4]. specifically, we can release up to 29 generalized planes In conjunction to these expositions, the EU have recently while enjoying both better data utility and privacy. legislated the General Data Protection Regulation (GDPR) which aims to empower users and protect their data pri- vacy through a policy approach. This further highlights the The rest of the paper is organized as follows. First, we importance of designing and developing privacy-enhancing discuss the related work in §2, and present the theoretical technologies (PETs) especially those that can be applied to framework of the spatial privacy problem, and associated the MR use case. definitions in §3. Then, in §4, we describe two attack methods In light of this, first, we present two adversary approaches an adversary may utilize for spatial inference.