Let’s Get More Serious About AR and Privacy

Augmented Reality (AR) is the technology of the moment. While some of us have already experienced the thrill of catching a Dragonite in Pokemon Go, AR is not just all fun and games. In fact, depending on how an AR gadget is used, it can have significant privacy implications.

Privacy in Public

Augmented reality enhances real images with digital special effects — it’s reality assisted by coding. These gadgets generally let you record a scene, and then they give you the option of sharing on social media.

In the public space, you don’t have an expectation of privacy. As an amateur photographer myself, I was always told to be polite and ask permission of a stranger before taking a picture. If you’re curious, there’s a professional code of ethics that spells this out.

But doctors, bankers, lawyers, and some others are under real legal obligations when it comes to taking pictures of people and personal information.

Privacy at the Doctor’s

Suppose a doctor armed with an AR device (or a video-recorder) films his waiting room filled with people. The doctor may not necessarily need consent in this case, but some states and hospital associations may have their own laws and guidelines in this area.

If the doctor photographs a patient’s face for clinical purposes, usually the general HIPAA consent form would be sufficient.

But if the doctor were to use the video of the waiting room or clinical pictures for marketing purposes, HIPAA requires additional authorization.

In general, hospital employees and visitors (except when recording family members) need consent when photographing or video-ing people in a hospital setting.

Mark my words, but at some point a HIPAA case will be brought against hospital workers fooling around with Pokemon Go as they wander the medical corridors hunting for Vaporeons.

By the way, photos or videos showing faces are considered protected health information (PHI).

If they were then stored, they would have to be protected in the same way as HIPAA text identifiers. And an unauthorized exposure of this type of PHI would be considered a breach.

Outside the Hospital Setting

These AR gadgets can also be a privacy problem in business and legal settings. If an outsider or unauthorized person with AR glasses were recording confidential data, trade secrets, or PII on someone’s desk or on their screen, then that would be considered a security leak.

And relevant laws such as Gramm-Leach-Bliley and Sarbanes-Oxley would kick in.

A judge recently banned Pokemon Go in the courtroom, but this seems to be more a case of legal etiquette. Another judge was somewhat upset — and tweeted about it — that a defense counsel was using AR glasses, but apparently nothing illegal was done.

It’s a little premature to become too worried about the privacy and security issues of AR gadgetry with so many more pressing security problems.

However, it’s not a bad idea for your company to come up with initial guidelines and policies on AR device usage by employees and visitors.
