Privacy by Design
Context
- Whereas the line between XR devices and biometric devices is blurred, and because systematic, generalized analysis of personal data presents risks for the rights and freedoms of individuals;
- Whereas businesses need to obtain their employees' consent and acceptance of such devices, and thus need full control over their data and its security (non-transparent third-party / proprietary platforms can put confidentiality, trade secrets, and data sovereignty at risk);
- We bring to the market an alternative, open and transparent solution that respects these concerns and allows companies to set their own data policy. This is essential to pave the way for the future deployment of the technology.
Our approach
- An open and transparent platform: the code base of the operating system is auditable by customers and third parties for security and data protection purposes.
- Privacy-by-Design as a principle: direct access to deactivate any sensitive sensor or technology, and the ability to use the device completely offline.
- A clear business model: our revenue comes from the hardware and the app store. No data harvesting or monetisation attached.
Agenda
- Provide proof of Lynx-R compatibility with data privacy requirements (e.g. in the EU, compliance with the spirit of the GDPR)
- Privacy impact assessment: updated regularly
- Third-party associations, auditors and testing: from Nov 2022 (for example with the associations NOYB and La Quadrature du Net, with Exodus Privacy, and with auditors)
- Bring Lynx-R1 to market (Nov/Dec 2022) and change the status quo by introducing an alternative technology that does not exploit data in exchange for subsidized headsets.
- Provide DPOs with toolkits and information for healthy XR deployments.
GDPR Statement
At Lynx Mixed Reality we are committed to ensuring the security and protection of the personal information that we process, and to providing a compliant and consistent approach to data protection. We have created this GDPR Compliance Statement to explain our approach to implementing our GDPR compliance program. It describes the implementation of our data protection roles, policies, procedures, controls and measures to ensure ongoing compliance with the GDPR.
Why?
Because the boundary between XR devices and biometric devices is not clear-cut, and because systematic, generalized analysis of personal data introduces risks for the rights and freedoms of individuals. Data sovereignty is also crucial for businesses, both for confidentiality and for their employees' privacy.
Our GDPR-based principles:
At Lynx Mixed Reality we take the privacy and security of individuals and their personal information very seriously. Our guiding principles are:
- We build our devices and ecosystem with a Privacy-by-Design approach (see the dedicated section below)
- We never process personal information for hidden purposes, or outside of specific scenarios wanted and initiated by customers.
If customer scenarios require personal data processing:
- We process all personal information fairly and lawfully
- We only process personal information for specified and lawful purposes
- Where practical, we keep personal information up to date
- We do not keep personal information for longer than is necessary
- We destroy or export any personal data we hold when requested by the persons concerned, without resistance and in good faith
- We have no interest in derived information about customers that could be obtained from their use of the device
- Under no circumstances do we collect data, or send it arbitrarily to our servers, for later post-processing
GDPR toolkit for Lynx-R customers
On top of delivering Privacy-by-Design XR devices, we commit to delivering official guidelines and clear plans to help customers implement their XR deployment smoothly, without breaching the GDPR rules. We see this knowledge and routine as very important to establish, especially in professional/educational environments.
Here are some examples of the topics Lynx-R customers can address using our templates and guidelines, available on https://portal.lynx-r.com :
- Laying down determined, explicit and legitimate purposes (Article 5.1.b of the GDPR)
- Defining appropriate legal basis (Article 6.1 of the GDPR)
- Clarifying the necessity and proportionality of the device (Article 5.1.c)
- Providing the necessary information to the persons concerned
- Completion of a DPIA and possible appointment of a DPD/DPO
- A fundamental guarantee: the right to object (Article 7 of the GDPR, i.e. the conditions applicable to consent, which must be a "free, specific, informed and unambiguous expression of will")
“Privacy by Design”
Introduction: At Lynx Mixed Reality, we have taken a fragmented approach to understanding the various risks and vulnerabilities at different levels, and framed a plan to address them not only at the individual levels but also at the points where these vulnerabilities intersect. Below we present a diagram in which we have split the layers and sections of an XR device according to their function and the level of vulnerability each brings to users, along with an approach to how Lynx addresses these concerns collectively in a transparent and accessible manner.
Elaboration
Hardware Layer
- Output - This is the least vulnerable hardware component in terms of privacy and security.
- Connectivity & Processing - These two components are responsible for processing and transmitting data, both from the sensors and from external sources, in order to deliver the user an experience.
> Lynx-R was designed to work both online and offline (without any restrictions). Offline mode addresses, for instance, the concern of confidential data flowing through third-party servers, or of suffering cyber attacks.
- Input - This section consists of the essential cameras and sensors that allow the Lynx device to function as a 6DoF Mixed Reality headset and give the device the spatial awareness it needs to deliver a true Mixed Reality experience.
> A large portion of data collection for undisclosed/hidden purposes could typically happen on this layer. However, Lynx has taken measures to allow customers to control, restrict and de-risk its exposure at the OS layer as well as at the Application Layer. (see section 7)
- Non-essential Components and Accessories - These components do pose a certain amount of vulnerability through the data they generate, but they are non-essential for having a Mixed or Virtual Reality experience.
- Additional Sensors (Future devices) - These are sensors and technologies that will be made available in future iterations of Lynx devices. They pose the greatest vulnerability through the data they generate, as that data can help analyze deeper behavioral and psychological characteristics as well as biometric data.
> The majority of the most sensitive data collection for undisclosed/hidden purposes could typically happen on this layer. However, Lynx has taken measures to allow customers to control, restrict and de-risk its exposure at the OS layer as well as at the Application Layer. (see section 7)
OS Layer
- Control Connectivity Access - Much like other computing devices, Lynx devices give their users full control over data-flow channels such as Wi-Fi, Bluetooth and USB.
> Lynx-R is NOT attached to a proprietary cloud service. Lynx-R was designed to work both online and offline (without any restrictions). Offline mode addresses, for instance, the concern of confidential data flowing through third-party servers, or of suffering cyber attacks.
- Data Sharing Preferences - Lynx devices expose data sharing preferences and enforce transparency when third parties are involved.
> After giving general consent to use the basic functions of the device (to fetch the launcher, and then open the settings panel), customers can decide whether data is processed on the device only or on a remote server of their choice, whether data may flow within the EU only or outside the EU, whether data will be anonymised or not, etc.
- Core Settings -
> A unique feature of Lynx devices is that all essential functions involving the spatial awareness of the device happen completely offline. Even if one were to turn off the connectivity channels in section 5, the device would function to its full extent when it comes to spatial awareness. Further, the data processed for SLAM (point clouds, frames, etc.) not only remains on the device at all times, but is destroyed immediately after use (except for applications/use cases that require data sharing or storage with the consent of the customer; in this case the data can be encrypted for maximum protection). The closing remarks below detail a possible scenario.
- Decouple Sensitive Sensors -
> All the sensors are exposed through the core settings, and the related features can be disabled at the OS layer (regardless of the type of sensor, since data privacy is a case-by-case matter), e.g. toggles to turn the RGB vision cameras, the B&W hand tracking cameras, etc. on or off. The process involved is transparent, the flags responsible for disabling the feature are documented, and the system is auditable afterwards.
Application Layer
- Lynx Verified Applications - (Lynx Appstore) -
> This set of applications consists of Lynx Core applications and applications vetted by Lynx to make sure they follow the privacy policies set out by Lynx as well as GDPR norms. Creating an account is necessary to access the Store and manage your purchases; however, this data is not used for analytics and is not shared outside Lynx.
- Other App Stores & SDKs - As Lynx is an open platform, we give users coming from various libraries and SDKs the ability to run their applications on Lynx devices. Since certain data may be shared with the application provider or the platform,
> Lynx will issue a warning to users before they enter such applications.
- Unregistered APKs & Prototypes - In certain cases and at early prototype stages, an application might not comply with all or any privacy norms for the sake of development.
> To prevent access by unknown applications that are registered neither with Lynx nor with other libraries, one will need to enable Developer mode and consent to the risks involved in doing so.
- Sensitive Data Access by Applications - In certain cases, sensitive data such as point cloud or eye tracking data will need to be accessed by the application for functions unique to that application.
> In such cases the user will not only be warned of such access, but will also have the ability to restrict it at the OS layer. Further, Lynx will mandate encryption and/or anonymization of such data when it flows out of the device.
Closing remarks
Our goal is not to restrict the functions and potential of Lynx devices, nor to literally provide the ability to meddle with each and every layer. Rather, our multifaceted approach simply means transparent access to, and information about, what is taking place in each layer and each segment, where you have control and where you have the choice to go beyond a certain level of security.
For example, if one needs to disable a feature considered non-essential or a threat, such as turning off the RGB cameras and microphones when the device is not in use, all one has to do is select from the launcher: Settings > Sensors, then choose RGB cameras (or Microphones) from the list of sensors and toggle On/Off. For every device sensor we provide captions about the possible risks to personal data, and information about the resulting limitations of the device when that sensor is turned off. Further, the Lynx documentation also gives access to the OS flags involved, for further inspection if and when needed by developers (IT) or auditors.
We choose to do this in a manner that is easily understood and accessible to our users: not hidden in long-form documents or deep settings, but presented as simple prompts, allowing our users to get the best out of our devices while providing an open platform to explore the infinite possibilities of the world of XR. "PrivacyByDesign" is an approach that sets the Lynx platform in a category of its own, one that many others should adopt, and we feel that we at Lynx are playing an important role in building this for the wider industry and the community.