Exploring the risks of eye-tracking technology in VR security

March 18, 2024  |  Sam Bocetta

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

Virtual reality (VR) offers profound benefits across industries, particularly in education and training, thanks to its immersive nature. Through derivatives, such as 3D learning environments, VR enables learners to gain a deeper understanding of theoretical concepts more quickly and efficiently. 

However, with the benefits come some dangers. One such risk is the integration of eye-tracking technology within virtual reality environments. While eye-tracking promises to make experiences better and improve security through biometric verification, it also raises privacy concerns. 

This technology, though handy, could be exploited by cybercriminals. For instance, a recent paper by Rutgers University shows that hackers could use common virtual reality (AR/VR) headsets with motion sensors to capture facial movements linked to speech. This could lead to the theft of sensitive data communicated through voice commands, like credit card numbers and passwords. 

This article explores the risks of this new technology, looking into how the information collected from our eyes could be misused and what it means for our security in virtual worlds.

How does VR eye-tracking work?

Eye-tracking technology in virtual reality (VR) is a sophisticated system designed to monitor and analyze where and how a user's gaze moves when they are immersed in a VR environment. 

It achieves this through the use of infrared sensors and cameras embedded in the VR headset. These sensors aim infrared light toward the eyes, and the cameras capture the reflection of this light off the cornea and the position of the pupil. It then analyzes these reflections and positions to accurately determine the direction in which the user is looking. 

Once the eye-tracking system gathers this data, it processes the information in real time, using sophisticated algorithms to interpret the user's gaze direction, eye movements, and other metrics such as pupil dilation and blink rate. 

This comprehensive data allows the VR system to understand precisely where the user is focusing their attention within the virtual environment. 

Given how quickly VR technology is growing, most people instantly think of monitoring and data selling, but it's not all doom and gloom. We might be moving towards a futuristic workplace where we can focus on the creative aspects of our jobs. Imagine a developer being able to receive suggestions about cloud cost optimization or writing cleaner, more readable code. Still, the concerns are yet to be addressed.

Privacy concerns with eye-tracking technology

Don’t get us wrong—eye-tracking technology can have many benefits. For instance, it has been used to identify cognitive disorders such as autism and attention deficit disorder, as well as mental and psychological illnesses like schizophrenia and Alzheimer's. It can also provide insights into a person's behavior, including potential indicators of drug and alcohol use. 

The data it collects can sometimes go beyond just where an individual is looking, which has been one of the main issues surrounding VR games. While the notion of monetizing eye-tracking data is still a theoretical one, there's a lot that companies can infer from it.

This capability extends to understanding which advertisements catch our attention, how we process information on a webpage, and our reactions to various stimuli. While it may seem great to have your VR headset track your activity in the game and serve you the best suggestions to buy a WordPress plugin, provide you with ideas for your domain name, or use AI to generate helpful answers, the true possibilities are much more sinister. 

Thus, safeguarding this data through robust privacy policies and data-centric security practices is essential to mitigate the risks associated with its misuse. As eye-tracking devices are starting to parallel the ubiquity of webcams, regulators must stay ahead of data-hungry corporations.

Potential for misuse of eye-tracking data

Eye-tracking technology, while innovative and rich in potential for enhancing user experiences in various fields, including VR, also harbors significant risks regarding data privacy and security. 

The detailed data captured by eye-tracking (where individuals look, how long they gaze at specific points, and more subtle metrics like pupil dilation) can reveal an enormous amount about a person's preferences, interests, and even their emotional or psychological state.

This raises a significant ethical dilemma: What if companies like Google suddenly begin collecting and storing data on users' eye movements? This could pose a problem for organizations planning to adopt VR technology in the future, especially those handling sensitive data. 

With an ever-more privacy-aware consumer base, they might even be compelled to look for a GCP alternative, different email hosting providers, and a host of other solutions to protect their users' privacy and adapt to their preferences. 

The potential risks of eye-tracking data misuse are vast and varied — here is a concise overview of some of the more pressing issues: 

  1. Personal profiling. Eye-tracking data can be used to construct detailed profiles of users, including their interests, habits, and behaviors. This information could potentially be exploited for targeted advertising in a way that infringes on personal privacy.
  2. Surveillance. In the wrong hands, eye-tracking data could serve as a tool for surveillance, allowing unauthorized tracking of an individual's focus and attention in both digital and physical spaces.
  3. Manipulation and influence. Figuring out what captures a person's attention or triggers emotional responses could give other people or organizations the power to manipulate decisions. Imagine WordPress tapping into its database of 455 million websites and using eye-tracking data to suggest plugins and other products to those they think will be more likely to purchase them.
  4. Security breaches. Like any digital data, eye-tracking information is susceptible to hacking and unauthorized access. If such data were compromised, it could lead to identity theft, blackmail, or other forms of cybercrime, particularly if combined with other personal data.
  5. Unintended inferences. Eye-tracking could inadvertently expose sensitive information about a person's health (e.g., detecting conditions like Parkinson's or Alzheimer's disease based on eye movement patterns) or other personal attributes without their consent. 

To mitigate these risks, robust data protection measures, transparent user consent processes, and strict regulatory frameworks need to be established and enforced. Users should be fully informed about what data is being collected, how it is being used, and who has access to it, ensuring a balance between technological advancement and the protection of individual privacy rights.

Mitigating the risks

To mitigate the risks associated with eye-tracking technology, VR companies can encrypt the data it collects so that, even if the data is intercepted, it remains inaccessible to unauthorized users. Encryption should be applied both during data transmission and when storing data.

For instance, a contractor should be able to use a Star Trek-like iteration of virtual reality, not as the holodeck, but in the form of specialized roofing software that allows them to observe the roofs they'll work on in VR without worrying about leaving traces of their personal data online.

Companies can also anonymize data. Anonymizing data means stripping away personally identifiable information so that the data cannot be traced back to an individual. This technique can be particularly useful for research or aggregate analysis, where individual user details are not necessary. 

Innovation in privacy-preserving technologies can enable the benefits of eye-tracking in VR while minimizing data collection. For example, processing data locally on the device and only transmitting necessary, anonymized data to servers can reduce privacy risks.
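As an added illustration of the local-processing approach described above (not code from the article or from any headset vendor), the sketch below reduces raw gaze samples on the device to coarse per-region dwell times and drops the user id, raw coordinates, pupil diameter and blink data before anything is sent. The field names, region layout and thresholds are assumptions made for this example.

```python
from collections import defaultdict

# Hypothetical regions of interest, in normalised view coordinates (x0, y0, x1, y1).
REGIONS = {
    "menu": (0.0, 0.0, 0.3, 1.0),
    "scene": (0.3, 0.0, 1.0, 0.8),
    "hud": (0.3, 0.8, 1.0, 1.0),
}
BUCKET_MS = 500     # dwell times are rounded down to this granularity
MIN_DWELL_MS = 500  # regions viewed for less than this are suppressed
MAX_GAP_MS = 50     # larger gaps between samples are treated as tracking loss

def region_of(x, y):
    """Map a gaze point to a named region, or None if it falls outside all of them."""
    for name, (x0, y0, x1, y1) in REGIONS.items():
        if x0 <= x < x1 and y0 <= y < y1:
            return name
    return None

def minimise(samples):
    """Reduce raw samples to coarse per-region dwell times, on the device.

    The user id, raw coordinates, timestamps, pupil diameter and blink flags
    are read here but never copied into the returned payload.
    """
    dwell = defaultdict(int)
    ordered = sorted(samples, key=lambda s: s["t_ms"])
    for prev, cur in zip(ordered, ordered[1:]):
        dt = cur["t_ms"] - prev["t_ms"]
        region = region_of(prev["x"], prev["y"])
        if region and not prev["blink"] and 0 < dt <= MAX_GAP_MS:
            dwell[region] += dt
    coarse = {r: (ms // BUCKET_MS) * BUCKET_MS for r, ms in dwell.items()}
    return {"dwell_ms": {r: ms for r, ms in coarse.items() if ms >= MIN_DWELL_MS}}

# Constructed sample input: 100 Hz samples, 1.2 s on "scene", then 0.3 s on "menu".
def _sample(t_ms, x, y, pupil_mm):
    return {"user_id": "u-123", "t_ms": t_ms, "x": x, "y": y,
            "pupil_mm": pupil_mm, "blink": False}

SAMPLES = ([_sample(10 * i, 0.6, 0.4, 3.1) for i in range(120)]
           + [_sample(1200 + 10 * i, 0.1, 0.5, 3.4) for i in range(30)])

if __name__ == "__main__":
    print(minimise(SAMPLES))
```

The short glance at the menu is suppressed entirely, so the payload reveals only that the scene held the user's attention for roughly a second.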


As eye-tracking tech grows, it'll take us to amazing places we've only dreamed of. But the real success is making sure we protect people's privacy and respect them in these digital worlds. As we explore these new technologies, we must also remember the values that make us human. 

Talking and working together — tech creators, law experts, policymakers, and users — is key to making sure eye-tracking in VR and AR is good for us without risking our privacy or safety. It's important to be open, let people control their own data, and work with others to find a good balance between new inventions and privacy.


Tags: vr, arvr, eye tracking
