There have been a number of previous denials from Oculus saying that they’re not sharing data with Facebook yet, but there is actually nothing in the privacy policy that prevents this sharing from happening. For example, in Oculus’ response to Al Franken’s question as to whether Oculus is sharing information with third parties including its related companies they said, “Oculus does not currently share location information with third parties or related companies.” Their privacy policy certainly allows this sharing to happen at any moment, and so Oculus is basically just saying that they’re not sharing this data yet, as of the date of the response.

In response to data collection privacy concerns last year Oculus said, “Facebook owns Oculus and helps run some Oculus services, such as elements of our infrastructure, but we’re not sharing information with Facebook at this time. We don’t have advertising yet and Facebook is not using Oculus data for advertising – though these are things we may consider in the future.” Again, Oculus is diverting attention from what their privacy policy already allows by emphasizing what they’re not doing, yet.

It’s almost as if Oculus is using their perceived operational independence from Facebook as a compartmentalized buffer to divert any focus on what their privacy policy is already enabling. Making statements that access to VR data streams haven’t been turned on yet do not carry much legal weight when there’s absolutely nothing stopping them from being turned on at any moment.

SEE ALSO
Facebook Study Finds Introverts Feel More Comfortable with VR Social Interaction

For example, Oculus’ privacy policy says “When you post, share or communicate with other Oculus users on our Services, we receive and store those communications.” Oculus responded to Franken that “VoIP communications are not being recorded.” But the real question is does Oculus’ privacy policy enable Facebook to start recording VoIP at any moment? Does Facebook/Oculus mean “we’re not recording VoIP yet“? Or do they mean “we never intend on recording VoIP because we would never do that?” They did not make a strong statement that they would never record VoIP, and so I have to assume that any time that I communicate with anyone on Oculus’ services that this data could be captured, stored, transcribed, shared with Facebook, tied to my personal identity, combined with information from commercial third parties in order to create a Facebook’s super profile to sell me ads either on Facebook or eventually on Oculus’ services.

In a candid moment, Mitchell told me:

“There are a lot of potential pitfalls over the future of VR and AR around user privacy. There’s never been a technology that brings so much of you into the experience, which is sort of that double-edged sword that’s the power of VR. But yeah, used in the wrong way or in the wrong hands, you can be tracked probably more than you would normally expect to be. Right? And I think that that’s only going to become more and more important as we develop new technologies that bring even more of you into the experience. And users are going to want to know and understand what’s actually happening under the hood.”

The problem with Oculus’ privacy policy is that it already provides Facebook a lot of leverage to capture and track a lot of information about you, “probably more than you would normally expect to be,” from just these two provisions of “information about your physical movements” as well as “information about your interactions with our Services, like information about the games, content, apps or other experiences you interact with, and information collected in or through cookies, local storage, pixels, and similar technologies.” This could already include head gaze, what you’re looking at, what you’re interacting with, and what interests you. These data streams could already be recorded and be sent to Facebook.

Oculus says that they’re using 60-second averages of physical movement data to debug their tracking. Mitchell said, “Almost any of the live tracking we’re doing, almost all of it, is all really diagnostics focused. So if there’s a problem with your hardware, like a batch of hardware for example, we want to know that so that we can deliver a high-quality experience, and make sure that if there’s an issue with your system and reach into support, you can send us logs. And we can say, “Hey, clearly there’s a problem the Rift sensor” or something like that.”

Oculus is clearly using this data to debug and improve their technology, but it’s unclear whether Facebook could use this “physical movements” provision in order to record all sorts of eye movements, facial movements, and potentially more biometric data in the future. It’s a vague enough provision to potentially allow Facebook to capture a whole range of biometric data including eye tracking, galvanic skin response, heart rate and heart rate variability with ECG, muscle tension & facial expressions with EMG, and brain waves with EEG. This type of biometric data is usually gathered within a medical context protected by HIPAA or a marketing research context with explicit consent and privacy protections.

It’s also problematic that Oculus’ privacy policy is recording all of this data, tying it back to your personal identity, and storing it forever. The third-party doctrine is a legal theory that says that any data that you give to a third party “does not have any reasonable expectation of privacy.” This means that the government can request access to any data that you provide to any third party without a search warrant or probable cause. So the more biometric data that Facebook is collecting on us and storing forever, the less likely it is that we can have any Fourth Amendment privacy protections over any of this data. Facebook could one day know what you’re looking at and how you’re emotionally reacting to it, and there’s nothing stopping an abusive government from getting access to this same level of intimate data.

Continue Reading on Page 3 >>
1
2
3
Newsletter graphic

This article may contain affiliate links. If you click an affiliate link and buy a product we may receive a small commission which helps support the publication. More information.


Kent Bye
  • Ombra Alberto

    Excellent article. Important questions.

  • Get Schwifty!

    “On January 11, I sent an email to privacy@oculus.com to “access data associated” with my account, but I never heard anything back from them after two and a half months. If it really was a top priority for Oculus, then I would have expected to have received a response, and that there would be more systems in place for the type of transparency and accountability that is promised within the “Data Access and Deletion” section of their privacy policy.”

    Since we are putting privacy in VR on trial here again in an OP-ED piece (and again focusing only on FB/Oculus) can we please do the same for HTC and other companies? Again, there is little to no evidence that companies outside the US with the exception of those in Europe with having significant value on privacy and collection of data compared to the US and even FB does a better job likely than those since it’s held to a higher standard. However, you can’t make hay with a Chinese or Taiwanese company the way you can with FB because they are just going to blow you off. Let’s keep this point in mind and hold ALL companies to a common standard for VR… and investigate them equally.

    • benz145

      Kent is not singling out FB alone, that’s just whom this article happens to be about. Nowhere in it does he say that FB is the only company that needs to consider the long term implications of privacy and VR.

      Here he is speaking with HTC on the topic back in January:

      http://www.roadtovr.com/htc-vive-gm-new-vive-tracker-privacy-vr/

      I’d also recommend checking out the list of episodes he links to at the end of the article for a lot more great discussion on the topic.

      This goes way beyond just Facebook; Kent has been doing great work in this area by making sure this conversation is happening and not just letting the industry leave it as an afterthought.

    • PK

      I agree a company based in Taiwan need to be looked at closely as well, but to me it’s very clear that Facebook deserves extra attention since they’re still at the forefront of social media. Nate for his part is very knowledgeable and probably would come off better if how he delivered his talking points as well as his freeform human dialogue didn’t always feel like a marketing team making a sales pitch.

  • NooYawker

    SHOCKING!!!

  • wowgivemeabreak

    So HTC/Valve push advertising on the Vive and basically nothing written about here other than mentioning it and how it will work. Meanwhile something negative towards Oculus gets a 3 page article on it.

    • Hivemind9000

      Advertising and protection of privacy are two different topics – this article is about one of them. If HTC/Vive start advertising intrusively or inappropriately, the users will move away from their platform (advertising is generally done as part of some quid-pro-quo with the user, generally the user gets content for free in return). Collection and commercial use of private information is much more insidious as it can often be done without the conscious knowledge of the participant.

      I don’t think Kent is picking on Oculus in favor of HTC/Vive. Facebook is in the business of connecting private information with advertising, as that is where their revenue comes from. They are also behind one of the biggest VR platforms. If their privacy policy is corrupt or insufficient, then it doesn’t really matter what the rest of the VR platform providers do. Industry leaders generally set the norm for those that follow, so it’s a good place to focus the efforts for getting better privacy standards in VR.

    • NooYawker

      1. Pushing ads and siphoning your private data are two different things, even though they often go hand in hand.
      2. It’s HTC Viveport not steamVR.

  • Foreign Devil

    Trump just passed legislation allowing ISP’s to sell your browsing history and activity to anyone. I’d think that is a bigger invasion of privacy than info about your head movements in VR.

    • Hivemind9000

      Yes, but this is a VR site. You can read articles about the rest of reality somewhere else.

      • Foreign Devil

        Right. Virtual Reality, Virtual Problems.

    • PK

      I don’t understand how you have this attitude with Trump’s approach to privacy. If he’s in office for a second term he’ll be able to demand an incredible amount of data from Facebook if we don’t take action now.

  • Farnborough

    Thanks for this article! Oculus/FB’s passive approach to privacy is far from enough!

  • Raphael

    Really defensive octopus users here: ‘don’t pick on my octopus. Go look at Vive as well. It’s just not fair!’

  • rabs

    It may be interesting to see how it goes with the recent recommendations published for the AI field, especially IEEE P7002 “Data Privacy Process”.

  • Flashwork

    Suckerberg should be thrown in jail for letting fackbook be complicit in letting Drumph hijack the election as should Drumph.