The convergence of artificial AI and XR technologies (AI XR) promises innovative applications across many domains. However, the sensitive nature of data (e.g., eye-tracking) used in these systems raises significant privacy concerns, as adversaries can exploit these data and models to infer and leak personal information through membership inference attacks (MIA) and re-identification (RDA) with a high success rate. Researchers have proposed various techniques to mitigate such privacy attacks, including differential privacy (DP). However, AI XR datasets often contain numerous features, and applying DP uniformly can introduce unnecessary noise to less relevant features, degrade model accuracy, and increase inference time, limiting real-time XR deployment. Motivated by this, we propose a novel framework combining explainable AI (XAI) and DP-enabled privacy-preserving mechanisms to defend against privacy attacks. Specifically, we leverage post-hoc explanations to identify the most influential features in AI XR models and selectively apply DP to those features during inference. We evaluate our XAI-guided DP approach on three state-of-the-art AI XR models and three datasets: cybersickness, emotion, and activity classification. Our results show that the proposed method reduces MIA and RDA success rates by up to 43% and 39%, respectively, for cybersickness tasks while preserving model utility with up to 97% accuracy using Transformer models. Furthermore, it improves inference time by up to ~2x compared to traditional DP approaches. To demonstrate practicality, we deploy the XAI-guided DP AI XR models on an HTC VIVE Pro headset and develop a user interface (UI), namely PrivateXR, allowing users to adjust privacy levels (e.g., low, medium, high) while receiving real-time task predictions, protecting user privacy during XR gameplay.
Extended reality (XR) data, specifically data related to eye movements, plays a vital role in human cognition, visual attention, and perception [9,12,25]. In addition to eye tracking, other eye-related information is commonly utilized in XR with the help of state-ofthe-art artificial intelligence (AI)-based techniques, such as machine learning (ML) and deep learning (DL) algorithms for iris recognition [33], gaze prediction [29], and emotion recognition [68]. However, integrating DL/ML for these tasks in XR poses a significant privacy risk [18,19,44,67]. This is because eye-tracking data presents a critical risk to users' privacy, as it captures sensitive attributes about users, such as personal identities, gender, and sexual preferences, based on where they look in the virtual environment. Furthermore, this also introduces the potential risk of re-identification through the captured data by applying re-identification attacks (RDA) in which users' identities are revealed by linking anonymized data to their real-world identity using auxiliary information (e.g., behavioral patterns) through the captured data [19,54].
Limitation of prior works. Researchers have applied differential privacy (DP) mechanisms to different representations of gaze data, such as time series of gaze positions [38], eye images [62], etc, to mitigate privacy risks in XR and provide formal privacy guarantees. In addition, other formal privacy mechanisms for mitigating privacy risks, such as k-anonymity and plausible deniability, are also applied to gaze samples to provide privacy in activity recognition and gaze prediction tasks. Unfortunately, as noted by recent work [11,19,20,39], most prior works applied privacy mechanisms in the eye-tracking sample levels to make the dataset private while ignoring the ML/DL part. Moreover, eye-tracking data are already noisy sources of information; thus, adding additional noise to preserve privacy may ruin the user experience. Indeed, protecting the AI model’s privacy is crucial to ensure that individual contributions remain confidential since making only the data private might not guarantee robust protection against privacy breaches [12]. For instance, ML/DL methods are also vulnerable to other types of privacy attacks, such as membership inference attacks (MIA) [65], in which adversaries attempt to determine whether specific individuals’ data was used to train a model. Very recently, Kundu et.al. [35] applied MIA against DL-based cybersickness classification models to leak information about individual users in the training data of a VR cybersickness dataset. However, their methods are typically applicationspecific, focusing only on tasks (i.e., cybersickness), limiting their generalizability to other XR applications. Furthermore, their work only shows the impact of MIA in cybersickness classification tasks. While MIA exposes vulnerabilities in the AI model by determining whether specific user data was used during training, it does not account for de-anonymization (e.g., through re-identification) risks in shared or anonymized datasets, which is common in XR research. Thus, a comprehensive XR privacy risk assessment is required to evaluate, analyze, and mitigate different types of privacy attacks for sensitive XR applications. Furthermore, a key limitation of all these previous works is that they applied DP uniformly to all features without considering the relative importance of each feature to the private DL model’s predictions. Such a blind application of DP may introduce unnecessary noise to less relevant features, significantly increase inference time, and reduce model accuracy, making it very challenging for real-time deployment in XR, thus hampering the user’s immersive experience in XR environments.
Contribution. This paper introduces a novel framework combining explainable AI (XAI) and DP-enabled privacy-preserving mechanisms to defend against privacy attacks in AI XR models. Specifically, at first, we develop three DL models, i.e., convolutional neural network (CNN), long short-term memory (LSTM), and Transformer, for three XR applications classifying cybersickness [30], emotions [68], and activity classification [28] of users. We then apply the MIA and RDA against these developed AI XR applications and show that RDA and MIA can cause serious privacy concerns. Next, we leverage a post-hoc XAI method to identify the most dominant features in these AI XR models for applying ε-DP to only those identified features during inference time. For applying ε-DP, we consider both the XR datasets and AI models. This contrasts the SOTA ε-DP that is typically applied only to the data samples blindly to all features, making the dataset private while ignoring the DL part [19,20,73]. The combination of XAI and ε-DP provides quantifiable resilience against known XR privacy attacks according to an adjustable privacy budget ε, which provides a strong privacy guarantee, enhancing model utility, reducing infere
This content is AI-processed based on open access ArXiv data.
