Securing Virtual Worlds

Let me start right at, so how many of you have used virtual reality before? Almost everyone. That's good. How many of you are aware of a virtual reality program inside of their organizations? Okay, that's even better than I imagined. So I saw four to five hands here. So when I talked to the people in the last days, I could see that virtual reality didn't really lift that off that well. So we have that technology for around eight years by now, and people said to me, well, it has been really nice to, to put on one of these headsets and be in the virtual worlds, but after just using it a bit, like what's, what's the point of it? And Gideon, can you remind me what's, what's the purpose? Why I have to put on one of these fashion disasters to, to join and to do a team score, to, to see someone in virtual reality?
What's, what's the business case with that? And I think this is, this is the reality right now, that which reality is not really where it has where it's supposed to be. It was marketed as the next big thing in technology, but that didn't really happen. And when we look at how the new headsets are being marketed, well, meta calls it headset more or they talk more about the metaverse. They're not really talking about virtual reality, the HoloLens, they're calling it mixed reality. Apple doesn't identify itself as any of these terms. They just call it spatial computing. And when that usually happens, that means the industry has overpromised and under-delivered. But at the same time, these headsets are still being produced. And what I think is the reason why we have still the production going on, but not that great of an adoption rate, is that the technology takes time.
It's very different from, let's say AI, where we have this a breakthrough. And just on the next day we have thousands new businesses. In virtual reality, we have hundreds of problems that we gotta solve. So the headsets, they have to become more lightweight. You're not supposed to sweat underneath them. The battery needs to hold for longer time. You need to get rid of the cables. You have zero tolerance to latency. You have zero tolerance to a bad picture, or you just cannot use it for like more than an hour. So that's why, why the technology just takes time. And over the next years we see that the headsets will become better. And at some point we will all be using one or the other way of rich reality, be it, be it that, or it could be augmented reality. But the technology keeps growing because it makes sense from a stationary computer to a mobile computer to a smartphone.
The devices, they go closer to our sensors. And that's why this technology will at some point be so far that we, it'll be our primary way of communicating. It'll suppress laptops. It'll suppress smartphones in the way we are socially interacting with each other now. But what's, what's so special about that technology and the device we are talking about, it has a load of sensors, so similar to a smartphone, just much more. And the sensors they allow for tracking, they're tracking all sorts of behaviors from you to transpose that into virtual worlds. So there's two things that are obvious. We have a hand tracking, we have a head tracking. Hand tracking means either you have controllers or you have a camera that forms your hands and transposes them into a digital counterpart that you then can use to interact with these virtual surroundings. And then of course you have head wrecking because if you look to the right, then you've gotta see what's to the right.
And then you can, for example, play a game like that. That's a game called Beat Saber. It's a most famous virtual reality eSports game with about 6 million users. And it's been played for years. And what you can see is now that person standing there in front, he has a very unnatural way of standing with his controllers. Most people would rather stand like this or they would stand like this, but we differ. So if you were to play that game for five minutes, we can accurately d determine your identity with a 94 4% chance just by looking at your hat tracking and, and your hand tracking. So for example, I have a stiff neck, so my range of motion is limited. Someone else will not have that issue. So we differ. The thing is, it's not the interesting question to ask to identify you, but more, given the data that we have, what does it tell us about you, about a person using that?
That's the point when eye tracking becomes very interesting. So we also have eye tracking. When you talk to someone in virtual reality, you want to see that the eyes are moving as well. Otherwise, it's quite creepy if you just see the hat moving like this, like a robot. And there's plenty of use cases for that too. So we have eye tracking, but eye tracking tells you a lot about you as a person. At this point, we are not really talking about security directly anymore, but we have to really talk about with behavioral scientists and ask a question, given the data we have about human behavior, what can we learn about that from that person? And for example, if we differ in our, in our social upbringing by, by our eye movement patterns. So for example, if you're brought, brought up in a western society, a very individualistic society, and you would look at a group of people, someone would stand in front of that group of people, you would look first at the person in front of the group, and then later on you would look at everybody else in the group.
And someone that is more brought up in a collectivist culture like Japan, China, they would first look at the entire group of people and then look at the person standing in front of it. So just by tracking your eye movement, you could already determine something about your race and social upbringing. But it's gets more fancy when we look at the next generation of headsets that you can already purchase, which don't just track the eye movement, but also the ideations or the widening and constricting of the pupil. Now, what does it tell us about you? It has something about your emotional response to what you're seeing. If you look at something that you like, the the pupils will delay, they will widen. And if you don't like it, they will constrict. And this is data. Then you, when you combine these sources of data, then you can learn a lot about a person.
Your headsets also do, and they check your heart rate. So it's more and more information about you that are getting tracked because it makes sense, because there's purpose for it. But in my opinion, we have that set of data that is worthwhile to protect. So let me talk about data privacy first. And one thing, the one topic that I wanted to ditch was, was ai. Because I'm from, also from the other talk, I think at least more than half of the people here know more about AI and the IRS than I do. But there's one thing that I have to mention, which is the deep fakes. We have seen videos here on this presentation too. And this conference, deep fakes are very easy to be done today. It's like cheap. It's widely available. You and, and you can use it to fark an arbitrary identity or make up a new identity.
But what's interesting with virtual reality is it adds another layer of that. So already when we talk about DeepFakes, we have some use cases that are really where people are already today imprisoned for doing some very atrocious and downright illegal things with ai, using AI that has been trained on data, that it itself also atrocious and illegal. And when we have that in virtual reality, we can go one step further and we can create a So-called digital twin, we can create a three dimensional photorealistic copy of you that knows your facial expressions, that speaks in your voice, and someone else can steer that. And for the first time when I saw my own photorealistic face from steered by someone else in virtuality, that's a scary thing. So, so if, if you imagine that it can go a step further, think of your C'S grandmother. You're taking a video train night to make not a video, but a digital twin of her, a three dimensional asset. And then you have your walking, talking grandmother in virtual reality, and you can socially interact with her. Now, whether that's okay for, for us as a society, we, I guess we haven't come up with a conclusion for that, but that's at least something we need to consider. And we can just imagine what else is possible when we consider this technology.
Now, another aspect I wanna talk about is, is neuromarketing. So what is neuromarketing? So we have this perfect record of your physiological and emotional response to controlled stimuli. And that in return can be used to tailor advertisements that are just made for you. What do I mean by that? Imagine you would see an ad or anything in virtual reality, and then you would look, while you're looking at that, someone else, like the one that shows you the ad would tell you or would see how you react to it, it would see where are you looking at the ad in the first place? What's as, what's your isolation? So how, how do you respond emotion? How does your emotion change while you are watching it? How does your heart rate change? And after you've watched it, well use that information to, to tailor the ad, to make the next one to be adjusted to your emotional response. And, and then you being shown next time a very different ad and to, to ultimately achieve, to show you exactly what you want to show a person to get out the desired emotional response. And that's, in my opinion, the most subtle yet, yet and yet powerful way of manipulate our decision making processes.
Now, I want to say at this point also that we have amazing chances as well when it comes to data protection. It's also like the internet, of course, it brings a lot of risk, but also a lot of opportunities. So we, in our company, for example, when we have someone who needs to introduce himself for the first time and he has to speak in front of 200 people and say like, hi, I'm Gideon, and that's what I'm doing. While that's a tough thing to do if you're not used to that, right? So in virtual reality, we can do that and the person is shown as a stylistic avatar, and that helps them overcome their anxiety of public speaking. And there's also many other use cases. Think of Egypts people that are too afraid to live even their houses. They do sports together and social environments because they're not having issues with body shaming or other topics.
So while we have these negative things, virtual reality acts as an amplifier. It brings, or it gives us a lot of chances for improving data protection and also safety. But it also comes with a few risks along with that. Now talking about information security there, the first thing that that came to my, or the first thing that I was actually thinking about VR security was when I was sitting in one of these VR rollercoasters, I'm not sure whether I've done that before, but it's essentially, you, you have a rollercoaster in your amusement park, and it's lame. And, and how, what do you do with it? You, you're building in or you're getting in the virtual reality headsets, and then you make it much more interesting. So if you drive and you have a drop of 10 meters, in which reality, you would have a drop of a hundred meters and you would shoot down a sky, a skyscraper or something like that.
And I was afraid not beca, because I was thinking, what happens if they lie to me? And I see, I seen upwards curve and I prepare for that. But then in reality, it, it actually Schutze downwards. So that would be called cyber sickness. It's what it means essentially. You don't wanna sit in the row behind the ones that get, get it. And now the thing is, there's a few more, but the thing is, we need to consider in virtual reality that whatever we do, it affects human health and safety. And that's a crucial difference towards other technology. We have to think about human health, wellbeing, and safety. When we talk about cybersecurity in virtual reality, well, the most extensively researched area would be the one of authentication. So biometrics, for example, this is very easy. You just, like you put on your headset, you can scan your eye and or have face ID or something like that.
So you can do that. But also you can use three dimensional patterns, like you can make use of the third dimension that you suddenly have. Think about your, your phone lock screen where you have a swipe pattern. You can have a three-dimensional swipe pattern. But this is not really the interesting part. What I think is the most interesting one is that all this data we, we collect about a person that we have to actually collect to make it an immersive experience. We can use that to ident not just to identify, but also to authenticate a person. So let's say suddenly in virtual reality, my, my stiff neck is gone and my height movement pattern changed, and I can suddenly look around like I have. If I would be in that environment for the first time, then there could be an algorithm that is trained on my behavioral patterns and see, wait, something is different. Suddenly you might not be the person that you're used to be. Your behaviors change, please re-authenticate.
Well, the the interesting part is it makes sense because we have the first time actually that we have something called a continuous authentication where you're not just authenticated once, but while you're using that technology, you're keeping authenticated. So think about you're doing an exam and virtual reality. Virtual reality is amazing. Use case for, for vi, for trainings, for, for safety trainings, operator trainings. And then you, like, you do test runs and then at some point you do an exam. Let's say you're in a clean room environment, your hands are not supposed to move at a certain speed. All of that you can track and make use of it. But now what happens if someone then authenticates and gives the headset to someone else and he does it for you? Now you can ensure with that, with that setup, you can ensure the person is, is kept being authenticated.
And that's actually quite useful. You could even take a record that's from two years ago and and just analyze how that person behaved during that training. And you could see these anomalies in their behavior, and that's where you can, you can actually properly authenticate someone. So that's considered that scenario together with deep fakes that we talked before or all sorts of impersonation attacks. Imagine like you would see a person in VR and, and that's a person you're talking to all the time. And, and suddenly your algorithm that runs maybe locally on your computer tells you, well, you're talking to that person all the time, but, and he's still the same person, same facial expressions, same hat move or same, same visuals, but he behaves differently. So, so maybe that's actually not the person you're seeing. And that's sort of an antidote towards, towards the deep fake scenario that we can use that to also prevent fakes.
Now there's of course, plenty, plenty more. One thing that I don't think is an discussed enough is that the market is still mostly dominated by, by companies that don't have data protection as their primary concern. So think about like two years ago, if you want to use Facebook meter, you had to actually use, get a Facebook account. Like good luck trying to do that in your company to tell everybody they have to use their private Facebook account. So that has been an issue for a long time. But I think by now we are at a state, at a ca at a moment when we, when we can say that the systems are, are really useful for, for a particular set of business use cases, bringing in enough data protection and enough security to support them. So if you have a virtual reality program in your organization, I think there, there's three things I want you to consider.
The first one is it's an evolving technology. It's not, it's like cyber evolution, revolution. It's an evolution. And evolutionary technologies come with a healthy risk profile because every year there's more security, but there's also more use cases. And the value at risk increases at the same time, which means that this is a technology that we can keep having balanced in contrast to something like vr, like ai, where we just don't know exactly what we even have to secure. A second thing is if you can go for a closed system, something that you can control, maybe something that has, that is business ready, like it has mobile device management, the kiosk mode, customer friendly data protection agreements, that sort of thing. Because if you can close it down, you essentially eradicate almost all cases of abuse. And last but not least, and this is actually something that Sun mentioned before in the, in the, when we talked about AI and he said the CSOs might become in 10 years might become the chief AI officer, AI safety officer. And for this year, I think we have to consider that the, the news technologies being it wearables, be it ai, be it vr, especially vr, we have to, we have to ensure and we have to understand that our responsibility extends towards the health and safety of our human wellbeing. Thank you. Thank.