#520: Oculus’ VR Privacy Policy Serves the Needs of Facebook, Not Users

nate-mitchellI had a chance to catch up with Oculus’ Nate Mitchell at GDC where I asked him about privacy in VR. Oculus has delegated the design and maintenance of their privacy policy to their parent company of Facebook so that Oculus can focus on providing the best VR experiences and growing the VR ecosystem. He acknowledges that there are “a lot of potential pitfalls over the future of VR and AR around user privacy” because VR has a “double-edged sword” of providing incredibly compelling immersive experiences, but that “used in the wrong way or in the wrong hands, you can be tracked probably more than you would normally expect to be.”

I learned more about the relationship dynamic between Oculus and Facebook in that Oculus isn’t thinking too much about how to use the data gathered from VR for advertising purposes, but the language in Oculus’ privacy policy is being shaped and directed by Facebook who is much more interested in using data gathered from virtual reality for advertising purposes. Mitchell claims that privacy is a top priority for Oculus, but a close reading of their privacy policy indicates it serves the needs of Facebook over consumers.

Mitchell and I also talked about Oculus’ announcement of lowering the price of the Rift + Touch by $200, their twelve new games premiering at GDC, as well as a number of important issues concerning the future of virtual reality. There are a lot of exciting new possibilities that could come from Oculus’ support for WebVR and the Khronos Group’s OpenXR initiative, but we also had a chance to talk about some of the challenges that Oculus has faced this year including some of their tracking regressions and some of the limitations of front-facing camera set ups when it comes to abstractions of embodiment.


There are a lot of complicated issues surrounding privacy in VR, and Oculus has delegated the design and maintenance of their privacy policy to their parent company of Facebook. In Oculus’ letter to Al Franken, they say, “We also take advantage of Facebook’s expertise in other areas, including its large team of privacy and security professionals to help design and maintain privacy and security in our products. These collaborations allow Oculus to focus on what we do best: delivering the absolute best VR products and experiences.”

When I asked Mitchell about Oculus’ stance on privacy in VR. He said, “We are committed to really protecting user privacy. That’s one of our #1 focuses, which is why we have a super detailed privacy policy. And it goes hand-in-hand with that we are committed to being really transparent with users about what generally is being collected, and anything we’re doing with that. So that’s part of the reason why I think we have such a rich privacy policy to begin with. Also being part of Facebook, obviously, helps with that. They have an incredible team dedicated to user privacy, and they’re on the bleeding edge of that. And so that’s been great for us.”

I have to disagree in Mitchell’s assessment that privacy has been one of Oculus’ top priorities. Oculus’ top priority has been to deliver amazing VR experiences, and having a “rich privacy policy” that specifies everything that can be captured and recorded just means that it reflects the values and interests of Facebook. Facebook wants to collect and store as much data as they can, and tie back to a singular identity so they can sell advertising. On January 11, I sent an email to privacy@oculus.com to “access data associated” with my account, but I never heard anything back from them after two and a half months. If it really was a top priority for Oculus, then I would have expected to have received a response, and that there would be more systems in place for the type of transparency and accountability that is promised within the “Data Access and Deletion” section of their privacy policy.

Oculus is mostly taking a passive approach to privacy in VR where they’re prioritizing the needs and concerns of Facebook, which is reflected in how much data sharing rights are being provided to Facebook. The following is a sampling of data that when combined together could allow Facebook to determine personal identifiable information about you including your IP address, certain device identifiers that may be unique to your device, your mobile “device’s precise location, which is derived from sources such as the device’s GPS signal and information about nearby WiFi networks and cell towers,” “information about your physical movements,” and “information about your interactions with our Services.” Facebook will know that it’s your VR headset, where you’re located, and different actions that you’re taking from capturing everything you’re doing in VR and correlating it with your identity even if you’re anonymously interacting within the context of a VR experience. Once eye tracking and other technologies that can determine facial expressions are added, then there will be even more biometric data that could be able definitively identify you or whomever is using your VR headset.

Their privacy policy contains an open-ended statement about recording communications that could potentially allow Facebook to record and store all VoIP conversations: “When you post, share or communicate with other Oculus users on our Services, we receive and store those communications and information associated with them, such as the date a post was created.” Oculus denies in their letter to Al Franken that they’re recording conversations by saying, “VoIP communications are not being recorded. We do not store the content of these communications beyond the temporary caching necessary to deliver these communications to people who could be in different parts of the world.” But it’s unclear as to whether or not the privacy policy as it’s written would prevent Facebook from starting to record conversations at any time.

There have been a number of previous denials from Oculus saying that they’re not sharing data with Facebook yet, but there is actually nothing in the privacy policy that prevents this sharing from happening. For example, in Oculus’ response to Al Franken’s question as to whether Oculus is sharing information with third parties including it’s related companies they said, “Oculus does not currently share location information with third parties or related companies.” Their privacy policy certainly allows this sharing to happen at any moment, and so Oculus is basically just saying that we’re not sharing this data yet.

In response to data collection privacy concerns last year Oculus said, “Facebook owns Oculus and helps run some Oculus services, such as elements of our infrastructure, but we’re not sharing information with Facebook at this time. We don’t have advertising yet and Facebook is not using Oculus data for advertising – though these are things we may consider in the future.” Again, Oculus is diverting attention from what their privacy policy already allows by emphasizing that they’re not exercising their rights yet.

It’s almost as if Oculus is using their perceived operational independence from Facebook as a compartmentalized buffer to divert any focus on what their privacy policy is already enabling. Making statements that access to VR data streams haven’t been turned on yet do not carry much legal weight when there’s absolutely nothing stopping them from being turned on at any moment.

For example, Oculus’ privacy policy says “When you post, share or communicate with other Oculus users on our Services, we receive and store those communications.” Oculus responded to Franken that “VoIP communications are not being recorded.” But the real question is does Oculus’ privacy policy enable Facebook to start recording VoIP at any moment? Does Facebook/Oculus mean “we’re not recording VoIP yet“? Or do they mean “we never intend on recording VoIP because we would never do that?” They did not make a strong statement that they would never record VoIP, and so I have to assume that any time that I communicate with anyone on Oculus’ services that this data could be captured, stored, transcribed, shared with Facebook, tied to my personal identity, combined with information from commercial third parties in order to create a Facebook’s super profile to sell me ads either on Facebook or eventually on Oculus’ services.

In a candid moment, Mitchell said to me, “There are a lot of potential pitfalls over the future of VR and AR around user privacy. There’s never been a technology that brings so much of you into the experience, which is sort of that double-edged sword that’s the power of VR. But yeah, used in the wrong way or in the wrong hands, you can be tracked probably more than you would normally expect to be. Right? And I think that that’s only going to become more and more important as we develop new technologies that bring even more of you into the experience. And users are going to want to know and understand what’s actually happening under the hood.”

The problem with Oculus’ privacy policy is that it already provides Facebook a lot of leverage to capture and track a lot of information about you “probably more than you would normally expect to be” from just these two provisions of “information about your physical movements” as well as “information about your interactions with our Services, like information about the games, content, apps or other experiences you interact with, and information collected in or through cookies, local storage, pixels, and similar technologies.” This could already include head gaze, what you’re looking at, what you’re interacting with, and what interests you. These data streams could already be recorded and be sent to Facebook.

Oculus says that they’re using 60-second averages of physical movement data to debug their tracking. Mitchell said, “Almost all any of the live tracking we’re doing, almost all of it, is all really diagnostics focused. So if there’s a problem with your hardware, like a batch of hardware for example, we want to know that so that we can deliver a high-quality experience, and make sure that if there’s an issue with your system and reach into support, you can send us logs. And we can say, “Hey, clearly there’s a problem the Rift sensor” or something like that.”

Oculus is clearly using this data to debug and improve their technology, but it’s unclear whether Facebook could use this “physical movements” provision in order to record all sorts of eye movements, facial movements, and potentially more biometric data in the future. It’s a vague enough provision to potentially allow Facebook to capture a whole range of biometric data including eye tracking, galvanic skin response, heart rate and heart rate variability with ECG, muscle tension & facial expressions with EMG, and brain waves with EEG. This type of biometric data is usually gathered within a medical context protected by HIPAA or a marketing research context with explicit consent and privacy protections.

It’s also problematic that Oculus’ privacy policy is recording all of this data, tying it back to your personal identity, and storing it forever. The third-party doctrine is a legal theory that says that any data that you give to a third party “does not have any reasonable expectation of privacy.” This means that the government can request access to any data that you provide to any third party without a search warrant or probably cause. So the more biometric data that Facebook is collecting on us and storing forever, the less likely it is that we can have any Fourth Amendment privacy protections over any of this data. Facebook will know what you’re looking at and how you’re emotionally reacting to it, and there’s nothing stopping an abusive government from getting access to this same level of intimate data.

There are huge privacy implications that are coming with the technological roadmap of VR, and Facebook is sort of using Oculus as a technological shield to be able to develop this technology independent of the deeper advertising implications of the data that is going to be made available. When I asked Mitchell if the business models need to evolve beyond this type of privatized surveillance, he said that these types of new models are not something that Oculus is thinking extensively about right now. They’re mostly focusing on getting as many people in VR as possible. Oculus is working on the low-level implementation of VR while Facebook can think about what they’ll be able to do with all of this data.

In wrapping up his thoughts on privacy, Mitchell said, “So in summary: Very committed to user privacy. It’s something we take very seriously. It’s something we’re really focused on. We’re committed to taking care of user’s privacy. And you’re asking the right questions, keep asking them. I think right now, everything is in a good place across the industry. But that could change, and that’s something for folks like you to keep chatting about.”

Indeed this is something that the entire VR community needs to keep talking about, and it will change towards a direction that’s not a good place unless some of the deeper open questions listed down below are addressed. I’d also recommend listening to these interviews below about privacy in VR for more in-depth discussions.

Overall, in my assessment, Oculus has delegated privacy considerations to Facebook and it is clearly not a priority for them, despite Mitchell’s claims. If you have any questions regarding Oculus’ privacy policy, then I’d encourage you to follow up with Oculus via the email privacy@oculus.com. I haven’t personally received a response yet, but it’s a way to provide some direct feedback to Oculus. Hopefully they can start to implement more processes for transparency and accountability, as well as engage in deeper and more involved questions about the future of what will and will not be recorded when you’re within VR.

Other recommended interviews about Privacy in VR:

Here are some of the open questions that should be asked of virtual reality hardware and software developers:

  • What information is being tracked, recorded, and permanently stored from VR technologies?
  • How will Privacy Policies be updated to account for Biometric Data?
  • Do we need to evolve the business models in order to sustain VR content creation in the long-term?
  • If not then what are the tradeoffs of privacy in using the existing ad-based revenue streams that are based upon a system of privatized surveillance that we’ve consented to over time?
  • Should biometric data should be classified as medical information and protected under HIPAA protections?
  • What is a conceptual framework for what data should be private and what should be public?
  • What type of transparency and controls should users expect from companies?
  • Should companies be getting explicit consent for the type of biometric data that they to capture, store, and tie back to our personal identities?
  • If companies are able to diagnose medical conditions from these new biometric indicators, then what is their ethical responsibility of reporting this users?
  • What is the potential for some of anonymized physical data to end up being personally identifiable using machine learning?
  • What controls will be made available for users to opt-out of being tracked?
  • What will be the safeguards in place to prevent the use of eye tracking cameras to personally identify people with biometric retina or iris scans?
  • Are any of our voice conversations are being recorded for social VR interactions?
  • Can VR companies ensure that there any private contexts in virtual reality where we are not being tracked and recorded? Or is recording everything the default?
  • What kind of safeguards can be imposed to limit the tying our virtual actions to our actual identity in order to preserve our Fourth Amendment rights?
  • How are VR application developers going to be educated and held accountable for their responsibilities of the types of sensitive personally identifiable information that could be recorded and stored within their experiences?

Subscribe on iTunes

Donate to the Voices of VR Podcast Patreon

Music: Fatality & Summer Trip