This summer, Facebook finalized its $2 billion purchase of Oculus VR, a virtual reality headset maker. The purchase promises to usher in a new era for virtual reality-more immersive, lower cost and simply more usable than ever before.
In fact, even though the Oculus Rift and similar devices have not hit the market yet, companies are already using virtual reality for training, simulations, manufacturing prototypes and marketing. Insurer Travelers, for example, has developed a virtual warehouse using the Oculus Rift to teach workplace safety strategies. But virtual reality comes with its own set of risks that can have serious implications for compliance, information security and user behavior. By being aware of those risks early on, companies can make better choices when evaluating potential involvement in virtual environments.
It might seem surprising that virtual reality would pose any physical risks to users, but it does. For example, the Oculus Rift is still an experimental device, so its head tracking has not been perfected yet. If the user wearing the device moves his or her head, that motion might not register as accurately or quickly as necessary inside the virtual environment. Any discrepancy between what the user sees and feels could lead to motion sickness.
As a result, the U.S. Army has deemed the Oculus Rift too risky. “I do not put anything in front of soldiers unless it is ready to go,” said Douglas Maxwell, science and technology manager at the U.S. Army Simulation and Training Technology Center. “If one of these devices makes me or my staff sick, there is no chance that I will put it in front of a solider.” Instead of using the $350 Oculus Rift development kits, the Army uses higher-end virtual reality gear, priced in the $8,000 to $12,000 range.
Nausea is not the only physical risk associated with virtual reality devices. “Some individuals may also experience severe dizziness, epileptic seizures or blackouts when exposed to certain flashing lights or patterns,” Oculus VR warns in its terms and conditions policy. Restaurant chain Chuck E. Cheese reportedly pulled the “Ticket Blaster” virtual reality simulation from its locations due to fears that the flash-heavy simulation might trigger seizures in children.
At least for the foreseeable future, virtual reality is nowhere near good enough to be confused with actual reality. It is good enough, however, to trick the subconscious brain into thinking that the user is really in a given situation. Because of this, wearing the Oculus Rift can trigger phobias such as a fear of heights or spiders. While this can be used therapeutically to help patients deal with those phobias in a safe and controlled way, it can also cause a severe shock to a user who is not expecting to confront their fear. This may make for a funny YouTube video, but it could also cause problems for both users and companies using virtual reality experiences as marketing tools.
Another risk that the U.S. Army is extremely cognizant of is information security. Not all virtual environments are created equal when it comes to protecting information and communications. “The reality is that there are significant risks in the way virtual environments are deployed,” Maxwell said. Because the technology is open source, he agreed to talk about OpenSimulator, software that is currently being used to power thousands of virtual worlds, including one owned by the U.S. Army.
“Civilians think about security differently than we do,” he said. “The normal deployment of OpenSimulator is actually pretty insecure.” Some of the security issues have to do with features that enable virtual world owners to allow users to travel between different worlds or to upload their own content and have complex interactions.
Some issues are very basic. There is no encrypted communication whenever a client sends a password to servers, for example. But proprietary, enterprise-focused virtual environments, such as ProtoSphere, AvayaLive Engage and 3DICC’s Terf, typically put a much higher priority on information security.
ProtoSphere, from Pennsylvania-based ProtonMedia, Inc., is tightly integrated into Microsoft’s unified communications offerings, Active Directory and Sharepoint, and claims about 10% of the Fortune 500 as customers. All communications, including voice, presence and instant messages, go through Microsoft’s Lync server, which offers encryption for all of these channels. The platform uses the Microsoft Sharepoint document repository and allows for very nuanced role management to restrict access to particular areas of the virtual environment or specific documents. Even when ProtoSphere is run as a cloud-based service, content and communications can be kept secure. In fact, most customers opt to run ProtoSphere in the cloud, said CEO Ron Burns, but 20% use it as traditional software that runs behind the corporate firewall. The latter are primarily used in the defense industry, he said, including the U.S. Defense Department itself, and companies such as Airbus, Lockheed Martin and Boeing.
The Terf virtual environment platform by 3DICC also connects to Sharepoint, Active Directory and other standard enterprise infrastructure. For communications, it is typically paired with Cisco’s Jabber platform. The company currently claims more than 100,000 users, including customers from government agencies, major universities and Fortune 10 companies. CEO Julie LeMoine used to be the vice president of advanced collaboration and engineering research at Fidelity Investments, so she is especially concerned about security. “We have a very substantial access control model,” she said.
But virtual reality also poses other kinds of risks. For example, if users are able to modify the appearance of their avatars, they could potentially impersonate other users. “This has been a virtual reality topic since the early days of immersive worlds such as Second Life,” LeMoine said. Terf addresses the issue by allowing companies to limit how avatars can be customized, controlling whether avatar names can be changed, and whether photos or webcam videos can be used in addition to, or in place of, avatar faces.
Another unique concern of virtual environments is the ability for users to modify the environment itself. In one highly publicized case, a company that held a public event in Second Life was attacked by flying phalluses. Diverse virtual environments put different levels of restrictions about what users can and cannot do inside the platform, with enterprise-oriented companies offering management features to restrict certain types of behaviors.
“Our customers don’t want a client or student in a virtual location changing what they are supposed to see or others need to see in the next meeting, or for a CEO coming in for a global meeting to find his VPs have deleted the floor by accident,” LeMoine said. “This is a critical focus difference between a consumer open grid environment and one for secure use.”
Canadian telecommunications company Telis uses the AvayaLive Engage virtual environment to onboard employees. So far, more than 1,200 new hires have used it to get basic orientation training. Telis finds that the virtual environment helps break down geographic barriers between people. Another Avaya customer, a large financial services organization, finds that the technology helps reduce social barriers, with junior staff in particular demonstrating a higher level of collaboration in a virtual world than in a traditional physical meeting.
“Based on the feedback that we’ve seen, customers seem to very much appreciate the experience of the avatar,” said Paul McDonagh-Smith, Avaya’s learning practice leader. “It is almost like a mask that they can sit behind.”
But this mask could also have a dark side, as employees may use the avatar to channel more destructive behaviors. Virtual reality environments offer the same potential for rudeness, harassment and stalking as any other communication channel while also making the interaction seem even more real and personal.
“It’s similar to social media, to a certain extent. When somebody is going into a virtual world or virtual environment as an avatar for the company, you want to have a code of conduct,” said attorney Charles Lee Mudd, president of Chicago-based firm Mudd Law Offices. “Just because you’re in a virtual space that might be game-like doesn’t mean that your employees can have alter egos that act differently than they would in real life.”
Companies need to clearly address this from the beginning. Mudd recommends holding orientation sessions for relevant staff before starting a virtual reality project to ensure that the employees understand that they are representing the company, and to establish what kinds of behaviors are expected of them. “Some companies might have a looser conduct code than others,” he said. “Some might want all their employees dressed in suits and ties in a virtual world, just as in the real world, while others might have a more casual dress code.”
But even in environments that are used only by employees and are not open to the public, behavioral issues can occur and must be taken into account. “You have the same risks that you do in a physical workplace,” he said. “Someone can’t physically touch an individual in this virtual space, but someone might say something that they might not otherwise say in the workplace that might get them-and their employer-into trouble.”
Facebook’s acquisition of Oculus VR highlighted another risk of virtual reality environments: privacy. Facebook has repeatedly raised the ire of its users by changing privacy policies and further angered the public when it recently revealed that it has run psychological experiments on users.
A virtual environment can dramatically expand the scope of potential privacy violations because every single behavior in a virtual environment can be tracked, and every element of a virtual environment can be manipulated.
Mudd recommends that companies decide in advance how much monitoring they will do, and communicate that policy to employees or customers. You do not want to have a situation where an employee or customer goes into a virtual world, uses a personal avatar, and then claims they expected their actions to be private, for example
Violations of customers’ privacy could also land companies in hot water with the FTC and state regulators, and violations of employee privacy rights have legal consequences. “Companies need to talk to their legal counsel so that the excitement of the technology does not lead to litigation,” Mudd advised.
Risk of Wasting Money
Most companies will not be spending $2 billion on virtual reality projects like Facebook did, but price tags for custom virtual environments can easily climb into the six digits and higher.
According to Irwin Lazar, an analyst at Chicago-based Nemertes Research Group, it was common for early entrants into the space to spend a lot of time and money on these projects. “If people do not use it, it is an investment that did not pay off,” he said. “If I am going to make a big investment, I need to figure out what the ROI is, and what it gives me that I cannot get otherwise, so I do not spend a couple of millions dollars and then do not see any value in it.”
He recommends that companies do smaller pilot projects first, and make sure they find appropriate uses for the technology. It is also important not to jump too quickly, as the technology is not fully developed.
On the input side, the technology is still in flux, according to Anders Gronstedt, president of Colorado-based virtual worlds consulting firm The Gronstedt Group, Inc. For example, many of the devices currently getting the most attention, such as omnidirectional treadmills and motion-tracking gloves, guns and other accessories, are more suited for gaming than for business. “There are obviously a lot of issues still to be worked out,” he said. “So any large-scale deployment is out-you can’t even plan for things yet.”