#641: Oculus’ Privacy Architects on their Open-Ended Privacy Policy & Biometric Data

Oculus will be releasing a new Privacy Policy and Terms of Service tomorrow that will go into effect on May 20th, just five days before the EU’s General Data Protection Regulation (GDPR) enforcement deadline of May 25th. I had a chance to review the new privacy policy and terms of service, and to talk with lead privacy policy architect Jenny Hall and privacy cross-functional team member Max Cohen, who leads product for the Oculus platform. Generally, both the old and new Oculus privacy policies are written in an open-ended way that gives Oculus great leeway to capture and record many different types of data, and the new privacy policy actually adds a number of new passages that allow new types of data to be collected. Hall and Cohen emphasize that Oculus is committed to transparency and building trust, and that they need this flexibility to account for future applications that haven’t even been imagined yet. But as the line between Oculus and Facebook continues to blur, there are still many open questions about which types of data or biometrics gathered from VR will prove useful for Facebook’s advertising bottom line.


In talking with Hall and Cohen, they were able to detail how Oculus is taking a much more conservative approach than a worst-case interpretation of what the privacy policy affords, but up to this point their limited implementations have relied upon a “just trust us” approach, with little transparency about the full range of data that is actually being captured and how it is being stored. Oculus will soon be releasing GDPR-inspired transparency tools so that users can audit for themselves what personal data are being recorded, but these tools still will not reveal everything that Oculus is capturing and recording.

On May 20th, Oculus will be releasing a “My Privacy Center” web interface that will allow users to download a copy of the personal data that Oculus has collected, view the information that Oculus collects when you use their platform, and set privacy settings around who can see your real name, whether you can be found by real-name search, whether your Oculus apps and activity are shared, and who can see your friends list. Hall and Cohen told me that Oculus is really committed to transparency, and these automated privacy tools will be a huge step toward actually allowing users to audit what data are being collected.

The current privacy policy allows users to request to download and review their data, but I found the previous method to be both unreliable and non-responsive. Oculus did not respond to the email requests that I sent to privacy@oculus.com in January and March 2017, so I’m happy to see that the GDPR obligations have catalyzed an automated web interface that will provide immediate access to the personal data Oculus has captured. When asked if all of the GDPR obligations will be extended to users around the world, an Oculus PR representative responded, “We are making sure everyone has the same settings, controls, and privacy protections no matter where they live, so not just Europe but globally. The GDPR’s penalties and notification policies are specific to EU law.”

Both the current and new privacy policies are more about granting Oculus permission for what data they can collect than about detailing the obligations for how Oculus plans on capturing and storing that data. Hall and Cohen described to me how Oculus takes a tiered approach to privacy, with at least three major tiers of collected data: data that are collected and tied back to personal identity (which they try to limit), data that are de-identified and shared only in aggregate (things like physical movements sampled at a low frequency), and personal information that is useful for VR but is only stored locally on your machine (like the height of the player).

However, Oculus does not disclose in the privacy policy at which tier a given type of data is captured. For example, in the “Information Automatically Collected About You When You Use Our Services” section, Oculus only says that they collect “information about your environment, physical movements, and dimensions when you use an XR device.” Oculus doesn’t specify that their current recordings of physical movement data are not tied to your identity, that the sample frequencies are too low to fully reconstruct movements, or that the data are only presented in aggregate form. This is the type of information that Hall and Cohen provided to me when I asked about it, but Oculus hasn’t disclosed it in any other way.

The way the privacy policy is written implies that physical movements could indeed be tied to personal identity, at as high a sample frequency as Oculus wants. It’s this level of vague, open-ended language that would allow Oculus to capture data at a much higher fidelity than they currently do. Because Oculus doesn’t commit to any specifics in the privacy policy, they also don’t have to commit to notifying users if their implementation changes. Currently Oculus isn’t tying physical movements to identity, but that could change next month, and there are no notification obligations specified in the privacy policy. The policy merely states that Oculus can record physical movements, without being at all prescriptive about how Oculus decides to implement it.

It is worth pointing out that both Hall and Cohen emphasized over and over again that they’re really committed to transparency, and that most of their interpretations of the privacy policy are very conservative. They’re not trying to scare users, but rather to build trust with them. In May users will have tools to verify what data are actually being recorded, and if far more data turn out to be captured than users were expecting, that mismatch will cause users to lose trust in Oculus. Trust takes a long time to build but can be lost in a moment, and Cohen emphasized that losing it would be detrimental for Oculus. So I took in good faith the message that Oculus’ privacy policy needs to be flexible enough for them to provide the services they are providing, but the privacy policy still only spells out limited obligations for what Oculus is committed to providing.

It is likely that this is because Oculus is trying to keep their privacy policy simple in response to the GDPR obligation to have human-readable privacy policies that give concrete examples. Hall also said that they’re trying to prevent the policy from exploding into hundreds of pages. Downloadable access to exactly what data are collected and tied to identity will likely solve some of the problems created by the open-ended and vague language in the privacy policy, but it won’t solve all of the transparency issues about what exactly is being recorded.

None of the de-identified data that’s captured is going to show up in the new My Privacy Center, which means that there is currently no way for users to audit what types of de-identified data are being captured. There’s also no mechanism for users to see if the sample frequency of the recording of physical movements increases, and no disclosure obligation on Oculus to let users know if they do increase the frequency or start capturing new types of physical movements. If Oculus is truly committed to full transparency, then they should provide a master list of all of the different types of data that are being collected, in a table that details the tier at which each type of data is stored and what information is shared with other Facebook-family services.

The GDPR also requires (Article 7(3)) that it be as easy to withdraw consent as it is to give it, but there is no indication that Oculus is going to provide ways to opt out of having any particular type of data captured and recorded, as this granularity of control was not shown in initial screenshots of the new My Privacy Center.

One of the most concerning new passages in the new privacy policy is this statement: “We collect information about the people, content, and experiences you connect to and how you interact with them across our Services.” This could potentially open the door for Oculus to start correlating what content you’re specifically looking at within a VR experience, and then feed that data to Facebook for advertising purposes. One of the passages in the “How do we use information?” section says that the information they gather is used “To market to you. We use the information we collect to send you promotional messages and content and otherwise market to you on and off our Services.” When I asked Hall about reading these two passages together, she said that the marketing passage currently refers to sending promotional emails about VR experiences that you might like, and that Oculus doesn’t have any current plans to do any more sophisticated advertising.

But both the old and new privacy policies say that all data collected by Oculus can also be shared with Facebook: “Sharing Within Related Companies. Depending on which services you use, we share information within the family of related companies that are legally part of the same group of companies that Oculus is part of, or that become part of that group, such as Facebook.” The policy also says that they can use information to “market to you on and off our Services,” which may have been intended to mean e-mail, but which can also be read to mean that Oculus data can be used to advertise to you on Facebook.

So even if Oculus doesn’t have any plans to do any advertising, Oculus has set up the legal framework to send data over to Facebook, where it can be used for advertising purposes. Nowhere has Oculus committed to disclosing what specific information is ever shared with Facebook, or what type of data might prove useful for advertising. Even if Oculus isn’t currently sharing any data with Facebook, and even if they don’t have any near-term plans to do so, they have granted themselves this right in their privacy policy with no further obligation to disclose what data are being shared with other services.

UPDATE: It looks like Oculus’ blog post has a FAQ with the question and answer “Is my Oculus data used to target ads to me on Facebook? We don’t share data with Facebook that would allow third parties to target advertisements based on your use of the Oculus Platform.” So they’re saying that they’re not currently sharing data that would be used by third parties for advertising, but their privacy policy technically allows this to happen in the future. This is another example of how open-ended their policy is: a close reading of the policy would allow this to happen in the future, and there are no commitments in the privacy policy to disclose to users if this changes, or any transparency on what specific data (de-identified or identified) will ever be shared with Facebook. Also, does not sharing Oculus data directly with third-party advertisers mean that Facebook won’t be using data from Oculus to create more specific psychographic profiles? That could indirectly benefit advertisers. Again, Oculus has made no obligation anywhere to fully disclose what information might be shared between Oculus and Facebook.

The other biggest open question that I have for Oculus and Facebook is what their philosophical stance on recording biometric data is going to be. I was disappointed to hear that they are not taking any stance on biometric data yet, which means that they’re still leaving the door open to potentially capturing and recording biometric data in the future. Cohen said that there aren’t any Oculus platform technologies released yet that record biometric data, and so they’re currently having those discussions internally on the Privacy XFN team. Hall said that these questions about biometric data seem to be way off in the future, and that they are not prepared to make any statements on it yet. But just because Oculus hasn’t yet released any products that directly capture biometric data doesn’t mean that Oculus can’t have an opinion about biometric data and how they plan to treat it. Hall did say that they would likely update their privacy policy to account for biometric data, but it’s also possible that this privacy policy will be left unchanged once products that can capture biometric data are released in the near future.

All of the biometric data experts that I’ve talked with have raised concerns about biometric data privacy. Behavioral neuroscientist John Burkhardt warns that there’s an unknown ethical threshold between predicting and controlling behavior once a company has access to biometric data streams like eye tracking, facial tracking and emotional detection, galvanic skin response, EEG, EMG, and ECG.

Privacy advocate Sarah Downey warns that VR could turn out to be the most powerful surveillance technology ever created if companies start recording biometric data, or it could be the last bastion of privacy. She also points out that the more data companies record, the more Americans’ Fourth Amendment protections are weakened, which in turn can make people less likely to speak freely and exercise their First Amendment rights to free speech.

Jim Preston warns against the dangers of performance-based marketing companies like Facebook or Google having access to biometric data, and that doing so mortgages our right to privacy in exchange for free services. He says that privacy is a really complicated topic, and that it’s going to take the entire VR industry to be engaged in these discussions.

Advanced Brain Monitoring CEO Chris Berka says that some biometric data should be considered medical information protected by HIPAA regulations, and that commercial companies will have to navigate some sensitive issues in how they store and treat biometric data. Tobii’s VP of Products and Integrations Johan Hellqvist says that companies should ask for explicit consent before they consider recording eye tracking data.

So I’ve had many conversations with biometric data experts warning about how this data from your body reveals whole new levels of unconscious information about what you value, what you’re paying attention to, and perhaps even what you find interesting. Biometric data will be a gold mine for performance-based marketing companies like Google and Facebook, so it’s not incredibly surprising that Oculus is leaving the door open on how they will treat it. But it’s also quite disappointing that Oculus is not being more proactive in participating in a larger conversation about biometric data, while seemingly discounting it as a concern that is far off in the future, when I’m seeing mobile VR prototypes at GDC 2018 from Qualcomm that have Tobii eye tracking technology built in. I expect to see eye tracking and facial tracking technologies released in VR and AR hardware within the next 1-3 years, which is not so far off.

The fact that Oculus has said that they can record physical movements may already mean that they’ve created the legal framework to capture other types of biometric data. When I asked whether “physical movements” could be interpreted to include eye movements or facial movements, Hall wasn’t willing to provide a definitive answer and said that they currently had not been thinking about it in that way. But the way the current privacy policy is written is open-ended enough that it could already give Oculus the right to record eye tracking or facial movements, and to tie them to our identity if they chose to do so.

There may also be issues with recording this type of biometric data in what is presumed to be a de-identified form, because there could be unique biometric signatures in the data that de-anonymize it. OpenBCI’s Conor Russomanno warns that EEG data may turn out to carry unique biometric signatures, which would mean the data can never be fully anonymized.

This has implications for data that are presumed to be de-identified biometric data but that may contain a unique biometric key that unlocks the identity information. Oculus assures us that they use state-of-the-art security practices, but data can never be completely guaranteed to be safe and secure. Oculus is actually removing the Security disclaimer in their privacy policy that used to read, “Please note that no data transmission or storage can be guaranteed to be 100% secure. As a result, while we strive to protect the information we maintain, we cannot guarantee or warrant the security of any information you disclose or transmit to our Services and cannot be responsible for the theft, destruction, or inadvertent disclosure of information.”

When I asked why they removed this security section, Hall said that they’re not trying to claim that data is 100% secure, but they also didn’t see the passage as necessary. It also happened to scare people. I don’t think it should have been removed, because it is honest about the reality that any data that’s collected isn’t 100% secure and can never be guaranteed to be. People should be scared, because we should be trying to limit what data are captured and recorded in the first place.

Any data handed to a third party should be assumed to be at risk of being breached and leaking out onto the dark web. So when I expressed concern to Cohen that de-identified data being collected could be unlocked with the right biometric key, his response was that you’d need access to the full data set, and that this data is stored securely on their private servers. But that information could still be breached and leaked, and there could be a lot of unintended consequences of allowing biometric data to be captured and recorded in what is presumed to be a safe vault that then turns out to get hacked, leaked, and into the wrong hands.

So Cohen’s response to my concern implies that data are completely safe in their hands, and that we shouldn’t worry about this scenario. Perhaps it’s low probability, but I’d argue that we should be thinking about the real risk that decades’ worth of biometric data could eventually leak onto the dark web and be unlocked with biometric signatures, and about what could happen if a bad actor wanted to manipulate us with access to the most intimate data about our unconscious behaviors, values, and beliefs. Engineering the future involves all sorts of risks and tradeoffs, and it may turn out that some of these dystopian worst-case scenarios are so low risk as to not be worth worrying about. But perhaps we should be imagining these worst-case scenarios in order to think deeply about the risks of what data are being collected, and about whether biometric data can ever be fully de-identified.

So overall, the impression that I got from Hall and Cohen is that Oculus is earnestly trying to be on the right side of transparency, and that they’re trying to build trust with users in order to grow the VR and AR ecosystem. The problem that I have is that there is still a lack of full transparency and communication about the types of data that are collected and how they are stored, and also about what types of data may prove interesting and valuable for Facebook to use for advertising purposes.

The line between Oculus and Facebook continues to blur, so I can’t help but read the privacy policy through the lens of the worst-case scenario of how Facebook might want to gather biometric data about people to feed into its advertising systems. Oculus provided a lot of transparency about the data that are being collected, and hopefully My Privacy Center will help with that. But there are entire classes of data, and the specifics of how the data are captured and stored, that remain completely opaque. On top of that, there are no notification or disclosure obligations written into the privacy policy, so whatever is happening today is no guarantee of what will be true tomorrow.

Even though Oculus isn’t using the full extent of what their privacy policy affords, it’s written open-ended enough for them to grow into it and create new products that weren’t even imagined or implemented at the time of the writing. This gives them flexibility, but it also means that many passages in their privacy policy are written in such an open-ended and vague way that they could be interpreted to mean a lot of scary things. Hall claimed that the new privacy policy isn’t trying to gain new rights, but the passage “We collect information about the people, content, and experiences you connect to and how you interact with them across our Services” could open the door for Oculus to more precisely track how you interact with specific content within a VR experience.

Both Hall and Cohen emphasized that they’re taking the most conservative interpretations of these types of passages, that they’re trying to build trust with users, and that their new privacy tools will provide new levels of transparency and accountability. A lot of these tools seem to have been implemented because the new GDPR rules compelled them, and an open question is whether it will take laws like these to get Oculus to keep implementing privacy best practices, or whether they’ll go above and beyond what the law requires and start to provide even more detail on what exactly is being recorded and tied to identity, what’s being recorded as de-identified information, and what’s stored locally on your computer.

I’m also happy to start a deeper dialogue with people directly on the Privacy XFN team at Facebook/Oculus who are starting to think about these deeper issues of privacy in VR and AR, and about the privacy challenges that come with biometric data. It’s been difficult to have an embodied conversation with privacy experts at Facebook or Google, and I’m glad that the cultural conversation has changed to the point where I’m able to have an in-depth conversation about these topics. Hopefully this marks a change in how Oculus is engaging with the press after not taking any press interviews at either Oculus Connect 4 or GDC 2018.

I was happy to hear in this conversation how much consideration is going into how this data are collected, and I hope that Oculus finds better ways to share this type of information in a more comprehensive and up-to-date fashion. The GDPR catalyzed a lot of great progress here, and I hope that Oculus doesn’t wait for more laws and regulations before continuing to improve and update their privacy practices.

This is a listener-supported podcast through the Voices of VR Patreon.

Music: Fatality & Summer Trip