Abstract

The integration of extended reality (XR) technologies such as augmented reality (AR), and artificial intelligence (AI), is transforming virtual shopping and virtual relationships, but also raising significant privacy concerns. We therefore develop two frameworks to examine privacy issues in both virtual shopping and virtual AI companion platforms, emphasizing the need for enhanced transparency and user protection. For virtual shopping, our analysis of 138 virtual try-on (VTO) websites and 28 Android apps reveals that 65% of websites and 18% of apps transmit user images to servers, often involving third-party servers. Additionally, 43 websites and 2 apps store user images, and 37% of websites use providers that extract facial geometry. Privacy policy violations were found in 17% of websites which collect user images. Significant security vulnerabilities were also identified in one VTO provider, putting both merchants and users at risk. In parallel, the study of 21 Android AI companion chatbot apps reveals discrepancies between privacy policies and chatbot responses to questions about privacy practices. All apps showed inadequate age verification and extensive tracking practices. Specifically, 13 apps used at least three tracking services, and 18 apps sent detailed device information to these services. None of the apps implemented measures to prevent users from falsifying birthdates, continuing conversations with underage users. This thesis highlights critical privacy and security issues in two growing domains in the virtual world (virtual shopping and AI companions), calling for improved transparency, better privacy practices, and stronger user protection measures.