Stealing a Glance: Eye Tracking, AR, & Privacy

The science of tracking eye movements to determine what draws our interest  has been around for more than a centuryRetailers, product designers, and advertisers use it to figure out how to grab consumers’ attention.  Website designers use it when deciding how to lay our content on a page.

But augmented reality eyewear is likely to elevate this psychological curiosity into a full-fledged privacy battleground, for several reasons.

First, unlike virtually any technology that already exists, truly immersive AR depends on knowing exactly what our eyes are looking at. This data will be absolutely indispensable in order for the eyewear to do its job.  So it seems inevitable that such devices will collect eye-tracking information, in one form or another.

Second, the information itself has great commercial value.  Just like with today’s technologies, any provider of augmented digital content will be eager for hard data on how effective and engaging their content is for consumers.  So the temptation to collect and monetize it will prove too tempting for many service providers to resist.

Third, the public’s reaction to internet browser cookies and spyware over the past two decades strongly suggests that consumers will also react negatively to companies archiving their browsing activities in augmented space.  Much of the online tracking that goes on today is quite lawful.  Regardless, a large segment of the population reacts negatively to the idea that someone else knows what they’ve done online.   We see this in the demand for private browsing and the persistent calls for more privacy regulation in the US and Europe.  The resulting patchwork quilt of privacy laws and regulations across multiple jurisdictions already leaves many service providers confused about what information they can and cannot collect, and it’s bound to get only more complicated.

Fourth, augmented “browsing” will be an order of magnitude more personal of an experience than is typing words on a keyboard or scrolling through a display on a monitor.  It’s one thing for a computer to be logging the addresses of websites you visit.  It will be another thing entirely for there to be an electronic record of everything you physically look at. But that’s exactly the type of information that “browser” software inside augmented eyewear will collect.  Integrating our digital experience with our immediate physical surroundings is intended to make that experience feel more immersive–more real.  But such an “immersive” experience will necessarily feel more personal as well.  And the more intimately users experience something, the more deeply they are likely to feel a sense of invasion when someone else intrudes on that experience.

Of course, this viewpoint is just one side of the equation.  Augmented browsing software will undoubtedly come with terms of use, click-wrap contracts, and end user license agreements very similar to the ones governing internet browsing and digital content today.  There will likely be some level of disclosure–either voluntarily or by legal mandate–that users’ visual experiences are being recorded.  And to some extent, we will want augmented browsers to track our eye movements, in order to continuously improve the software’s performance.

Also just like today, however, no matter how many licenses and disclosures are in place, some users will still allege that their privacy is being invaded.  This article isn’t intended to suggest where the AR privacy lines should be drawn–only that fights over those lines are inevitable.

Perhaps by then, the fallout of the internet privacy wars will have resulted in some degree of consensus or regulatory brightlines defining what information is and is not private.  But if lawmakers are going to clarify privacy principles for the augmented age, they’d better hurry–because mass-market AR eyewear and software are just around the corner.

In the meantime, those companies currently developing this technology would do well to think through the related privacy issues, and have well-defined privacy policies in place from Day One.