LISTEN TO THIS EPISODE OF THE VOICES OF VR PODCAST
On May 20th, Oculus will be releasing a “My Privacy Center” web interface that will allow users to download a copy of the personal data that Oculus has collected, view the information that Oculus collects when you use their platform, and set privacy controls for who can see your real name, whether you can be found via real-name search, whether your Oculus apps & activity are shared, and who can see your friends list. Hall and Cohen told me that Oculus is really committed to transparency, and these automated privacy tools will be a huge step toward actually allowing users to audit what data are being collected.
Both the current and new privacy policies are more likely to grant Oculus permissions for what data they can collect than to detail the obligations for how Oculus plans on capturing and storing that data. Hall and Cohen described to me how Oculus takes a tiered approach to privacy where there are at least three major tiers of data that are collected: data that are collected and tied back to personal identity (which they try to limit), data that are de-identified and shared in aggregate (things like physical movements taken at a low sample frequency), and then personal information that is useful for VR and is only stored locally on your machine (like the height of the player).
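To make the tiered model Hall and Cohen described concrete, here is a rough sketch of how such a classification might look. The tier names and example fields below are my own illustration based on the examples they gave in this interview, not Oculus’s actual schema:

```python
from enum import Enum

class Tier(Enum):
    IDENTIFIED = "tied to personal identity (which they try to limit)"
    DEIDENTIFIED = "de-identified and shared in aggregate"
    LOCAL_ONLY = "stored only on the user's machine"

# Hypothetical mapping of data types to tiers, illustrating the
# examples mentioned in the interview (movement data sampled at a
# low frequency, play space sizes, player height).
DATA_TIERS = {
    "email_address": Tier.IDENTIFIED,
    "friends_list": Tier.IDENTIFIED,
    "movement_samples_low_freq": Tier.DEIDENTIFIED,
    "play_space_dimensions": Tier.DEIDENTIFIED,
    "player_height": Tier.LOCAL_ONLY,
}

def auditable_in_privacy_center():
    """Only identity-tied data surfaces in My Privacy Center;
    de-identified and local-only data cannot be audited there."""
    return [k for k, v in DATA_TIERS.items() if v is Tier.IDENTIFIED]
```

Framed this way, the gap discussed below is visible: everything in the de-identified tier falls outside what a user can inspect.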
None of the de-identified data that’s captured is going to show up in the new My Privacy Center, which means that there is currently no way for users to audit what types of de-identified data are being captured. There’s also no mechanism for users to see if the sample frequency of the recording of physical movements increases, and there’s no disclosure obligation by Oculus to let users know if they do increase the frequency or start capturing new types of physical movements. If Oculus is truly committed to full transparency, then they should provide a master list of all of the different types of data that are being collected in a table format with details about the different tiers of how that data are being stored, and what information is being shared with other Facebook-family services.
The new GDPR law also says that “it must be as easy to withdraw consent as it is to give it,” but there is no indication that Oculus will provide ways to opt out of having specific types of data captured and recorded; this granularity of control was not shown in the initial screenshots of the new My Privacy Center.
But both the old and new privacy policies say that all data collected by Oculus can also be shared with Facebook. “Sharing Within Related Companies. Depending on which services you use, we share information within the family of related companies that are legally part of the same group of companies that Oculus is part of, or that become part of that group, such as Facebook.” It also says that they can use information to “market to you on and off our Services,” which may have been intended to mean e-mail, but it can also be read to mean that Oculus data can be used to advertise to you on Facebook.
All of the biometric data experts that I’ve talked with have warned about the concerns about biometric data privacy. Behavioral neuroscientist John Burkhardt warns that there’s an unknown ethical threshold between predicting and controlling behavior with access to biometric data streams like eye tracking, facial tracking & emotional detection, galvanic skin response, EEG, EMG, and ECG.
Privacy advocate Sarah Downey warns that VR could turn out to be the most powerful surveillance technology ever created if companies start recording biometric data, or it could be the last bastion of privacy. She also points out that the more data companies record, the weaker Americans’ Fourth Amendment protections become, which can make people less likely to speak freely and exercise their First Amendment rights to free speech.
Jim Preston warns against the dangers of performance-based marketing companies like Facebook or Google having access to biometric data, and that it’s mortgaging our rights to privacy in exchange for free services. He says that privacy is a really complicated topic, and that it’s going to take the entire VR industry to be engaged in these discussions.
Advanced Brain Monitoring CEO Chris Berka says that some biometric data should be considered medical information protected by HIPAA regulations, and that commercial companies will have to be navigating some sensitive issues for how they store and treat biometric data. Tobii’s VP of Products and integrations Johan Hellqvist says that companies should be asking for explicit consent before they consider recording eye tracking data.
So I’ve had many conversations with biometric data experts warning about how this data from your body reveals whole new levels of unconscious information about what you value, what you’re paying attention to, and perhaps even what you find interesting. Biometric data will be a gold mine for performance-based marketing companies like Google and Facebook, and so it’s not incredibly surprising that Oculus is leaving the door open for how they will treat it. But it’s also quite disappointing that Oculus is not being more proactive in participating in a larger conversation about biometric data, while seemingly discounting it as a concern that’s really far off in the future. I’m already seeing mobile VR prototypes at GDC 2018 from Qualcomm that have Tobii eye tracking technology built in, and I expect to see eye tracking and facial tracking technologies released in VR and AR hardware within the next 1-3 years, which is not so far off into the future.
There may also be issues with recording this type of biometric data in what is presumed to be a de-identified form, since there could be unique biometric signatures that de-anonymize it. OpenBCI’s Conor Russomanno warns that EEG data may turn out to have unique biometric signatures, which means the data may never be able to be fully anonymized.
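As a toy illustration of the risk Russomanno describes (with entirely made-up numbers; real gait or EEG re-identification is far more involved), a simple nearest-neighbor match can link an “anonymous” session back to a known user’s movement signature:

```python
import math

# Hypothetical per-user movement "signatures": say, mean stride
# interval (seconds) and head-bob amplitude (cm) extracted from
# previously collected tracking data.
known_users = {
    "alice": (0.52, 3.1),
    "bob":   (0.67, 1.8),
}

def reidentify(anonymous_signature, profiles):
    """Link a de-identified sample to the closest known profile
    by Euclidean distance in feature space."""
    return min(
        profiles,
        key=lambda name: math.dist(profiles[name], anonymous_signature),
    )

# A "de-identified" session whose signature happens to sit close
# to Alice's known profile is trivially linked back to her:
session = (0.53, 3.0)
print(reidentify(session, known_users))  # → alice
```

The point is not that two features suffice in practice, but that any stable, distinctive pattern in recorded body data can serve as a linking key, which is exactly what makes “de-identified” biometric streams hard to guarantee anonymous.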
When I asked why they removed this security section, Hall said that they’re not trying to claim that data is 100% secure, but they also didn’t see the passage as necessary; it also happened to scare people. I don’t think it should have been removed, because it’s honest about the reality that any data that’s collected isn’t 100% secure and can never be guaranteed to be. People should be scared, because we should be trying to limit what data are being captured and recorded.
Any data provided to third parties should be assumed to be hackable, with the potential to leak out onto the dark web. So when I expressed concern to Cohen that the de-identified data being collected could be unlocked with the right biometric key, his response was that you’d need access to the full set of data, and that this data is stored securely on their private servers. But that information could still be hacked and leaked, and there could be a lot of unintended consequences of allowing biometric data to be captured and recorded in what is presumed to be a safe vault that turns out to get hacked, leaked, and into the wrong hands.
So Cohen’s response to my concern implies that data are completely safe in their hands, and that we shouldn’t worry about this scenario. Perhaps it’s low probability, but I’d argue that we should be thinking about the real risk that decades’ worth of biometric data could eventually be leaked out onto the dark web and unlocked with biometric signatures, and about what could happen if a bad actor wanted to manipulate us with access to the most intimate data about our unconscious behaviors, values, and beliefs. Engineering the future involves all sorts of risks and tradeoffs, and it may turn out that some of these dystopian worst-case scenarios are so low-risk as not to be worth worrying about. But perhaps we should be imagining these worst-case scenarios in order to think deeply about the risks of what data are being collected, and whether or not biometric data will ever be fully de-identifiable.
So overall, the impression that I got from Hall and Cohen is that Oculus is earnestly trying to be on the right side of transparency, and they’re really trying to build trust with users in order to grow the VR and AR ecosystem. The problem I have is that there is still a lack of full transparency and communication about the types of data that are collected and how they’re stored, as well as about what types of data may prove interesting and valuable for Facebook to use for advertising purposes.
Both Hall & Cohen emphasized that they’re taking the most conservative interpretations of these types of passages, that they’re trying to build trust with users, and that their new privacy tools will provide new levels of transparency and accountability. A lot of these tools seem to have been implemented because the new GDPR laws compelled them, and an open question is whether it will take more laws like these to push Oculus to keep implementing privacy best practices, or whether they’ll go above and beyond what these policies require and start providing even more details on what exactly is being recorded and tied to identity, what’s being recorded as de-identified information, and what’s stored locally on your computer.
I’m also happy to start a deeper dialogue with people who are directly on the Privacy XFN team at Facebook/Oculus, who are starting to think about these deeper issues of privacy in VR and AR and some of the privacy challenges that come with biometric data. It’s been difficult to have an embodied conversation with privacy experts at Facebook or Google, and I’m glad that the cultural conversation has changed to the point where I’m able to have an in-depth conversation about these topics. Hopefully this marks a change in how Oculus engages with the press, after not taking any press interviews at either Oculus Connect 4 or GDC 2018.
From this conversation, I was happy to hear how much consideration is being given to how this data are being collected, and I hope that Oculus finds better ways to share this type of information in a more comprehensive and up-to-date fashion. The GDPR catalyzed a lot of great progress here, and I hope that Oculus doesn’t wait for more laws and regulations to keep on improving and updating their privacy practices.
This is a listener-supported podcast through the Voices of VR Patreon.
Support Voices of VR
[00:04:37.389] Jenny Hall: Great. Thanks, Kent. My name's Jenny Hall. I'm on the Oculus legal team. I head up our privacy programs on the legal side here in the US.
[00:04:47.331] Max Cohen: And I'm Max Cohen. I lead product for Oculus platform.
[00:04:52.152] Jenny Hall: And I'll take you through a little bit of an intro, and then we can go right into Q&A to discuss the topics that are important to you.
[00:04:58.434] Kent Bye: OK.
[00:07:37.353] Max Cohen: Great. Thanks, Jenny. Yeah, I'll just build briefly off of what Jenny said and talk a little bit about how we think about either new software or new hardware and where privacy fits in. So there's really two core principles that we think about that drive our product development process. The first one is that we only want to collect data that is necessary for a good VR experience. And the second principle is that we have to involve privacy thinking right at the outset. It can't be an afterthought. It has to be something that we're talking about even when we're at the initial PRD phase, where we're thinking about what are the actual requirements that are going to go into the product that we're building. So in terms of that first principle, there's going to be some data elements that we have to collect just to make VR function. A good example of this is movement data. So if you turn your head in a headset or if you're using your touch controllers, we need to know the position in space of those devices so that VR can function. And this is analogous, in my mind, to mouse or keyboard input. If you're in VR, that movement data is the actual input. But there's also an element of what data the developers need. So in order for a VR ecosystem to thrive, developers are going to have to know specific things like what kind of hardware people have, the average size of their play spaces, and so on. We're never going to share individual data about this, but we do aggregate and de-identify this data and make it available to developers and the public alike as part of our Oculus Platform Stats hardware survey. There are also developer dashboards where devs can see how their apps are doing. What kind of revenue are they making? How is their app performing? How many installs are they getting? But again, that's always at the aggregated and anonymized level.
In terms of that second principle, we've taken a step of explicitly creating what we call a Privacy XFN team that brings together people from policy, legal, program management, product, and if appropriate, security, and they get involved right at the beginning of the product development process. So as we think about new products like inside-out tracking that's on our Santa Cruz prototype, we're going to be faced with new privacy challenges, and we want to make sure that we stay true to those principles right from the start. And we're going to be open and transparent about the data that we collect and make sure that people know and are able to access that data wherever possible. So with that, Kent, we're happy to engage on any questions you have.
[00:09:43.302] Kent Bye: Great. Yeah, I've got a number of questions here. The first question is, I think there's a difference between using information ephemerally and then recording it in the long term. So why is it that you need to record physical movements and store them and tie them to identity?
[00:10:00.032] Max Cohen: Yeah, so one good example is how we can generate data on the play space. By knowing how far people generally range from one side to the other, we can give developers the ability to know that people who use that application or that experience might be in a space that's three feet by five feet or eight feet by eight feet, or that people are generally staying seated and not going too far, and that helps them add new updates to those particular applications. It also helps us know things like how often the product is dropped, and it can help inform even the hardware process and give us insights as we develop future iterations of the hardware.
[00:10:39.587] Jenny Hall: And just to build off that a little bit, I wanted to clarify that we actually don't tie this information to your personal identity. When this information is transmitted to our servers, we divorce that from any kind of identifying information. So we may know that like 500 people have a certain play space, but we don't know that Max Cohen's play space is two and
[00:11:07.437] Kent Bye: So I guess one thing that is already possible with physical movement is something like gait detection. Even though you're saying that you're de-identifying it, I think it's already possible to identify people as they move through a space. I can identify my partner as she's walking across the hallway. Just the same, in these different VR experiences, you can start to identify people just by the way they move. And with AI algorithms on top of that, I think the risk with any information that's recorded is that it may turn out there are biometric data markers in it. And so what is being treated as de-identified data may actually turn out to be personally identifiable. I think that's the tricky thing here with any physical movements. I guess the question is, what happens if this information does have a unique biometric identifier, and what has been decided to be de-identified now actually turns out to be personally identifiable within the next two to five to ten years with AI training algorithms?
[00:12:09.145] Max Cohen: I think there's two pieces of that. The first piece is that we're not recording the entirety of the data. We're just taking samples that get us what we need, which is to generate those averages in the play spaces. So I think that when you're talking about gait detection, that is actually looking at video, or your own eyes watching someone walk and move. That is not what we are recording. We're recording a small fraction of the amount of movement data, which enables us to generate some of these averages. The second piece of that is around information security. So the aggregated, de-identified information is stored on our Oculus servers. And without physical access to that data, you wouldn't be able to run any AI algorithms or anything like that. So that comes back to also, we take security extremely seriously here. We do get to leverage a lot of the best practices that the industry knows. And so that is a separate component. I think that's almost outside the privacy side, to make sure that we are treating your data responsibly.
[00:13:30.900] Jenny Hall: So we are not planning to do anything crazy with anybody's data here. Our interests are aligned with yours. Users are paying attention and users care about this stuff. If we do something that people aren't going to like, if we do something that is scary and we don't inform people about it adequately, they're not going to want to use our services anymore. That's why we're trying to be super transparent in these policies and make sure that people understand what our services entail.
[00:14:04.886] Max Cohen: We know that trust is continuously earned, but it can be lost in a moment. And so one mistake, where users feel like they were not appropriately disclosed to or where we did something that wasn't above board, would be incredibly damaging to our business.
[00:18:54.354] Max Cohen: So as we design products that may include some of those technologies, those are the questions that the Privacy XFN team will have to wrestle with. I don't have answers to those yet because we don't have products that are shipping with any technologies like that. But these are the types of things that we are chatting about internally. I can say one thing. There's a piece of data, which is your height. I can tell you kind of how we handle that right now, which might be illustrative of how we think about these types of problems. So for the Rift to operate properly, we need to have a good sense of how tall you are so that everything is rendered correctly on screen. We actually just store that data on the person's computer. It's on the client side. It's not transmitted back to our servers. Because by doing that, we're able to make the system function, but we are not storing every individual's height. So that's one example, as we think about this type of information, of the way Oculus has treated this in the past and how we intend to think about these types of things in the future.
[00:19:49.915] Kent Bye: Well, I think the concern is with the third party doctrine. And maybe, Jenny, you can speak a little bit to this specifically in terms of how that third party doctrine is related. My understanding of the third party doctrine is that any time an individual lets a third party, say, Facebook or Oculus, record data, then there's no reasonable expectation of that data to remain private, which means that if the government comes to Facebook and says, hey, we want all of this eye tracking data, we want the emotional data, we want the facial movements of this individual, then as long as there's the legal jurisdiction, there's no reasonable expectation for that information to remain private. So there's kind of this relationship that I see: the more that we have these opportunities to record and track and store this biometric data, then in the long term, the third party doctrine says there's no reasonable expectation of that to remain private, and that reduces our Fourth Amendment protections to privacy.
[00:20:45.592] Jenny Hall: So we're totally with you on this one. Oculus and Facebook are about connecting people and fostering authentic communication. We certainly do not want to be the impetus for any sort of chilling effect that would hamper those kinds of authentic communications. So we think about this on the front end and the back end. On the front end, we think about this through some of the privacy protections that we have talked about previously. Do we need to collect this information? If we collect it, do we need to store it in an identifiable format? And then on the back end, we have just a really amazing team of lawyers that makes sure that we are cooperating with law enforcement, but we are fighting hard against overbroad warrants and requests that are not authorized. So on the front end and the back end, we're staying consistent with, I think, the sentiment that you feel, which is: we don't want to hamper authentic communications by, you know, reducing people's reasonable expectations of privacy.
[00:21:47.791] Kent Bye: Well, I guess the question for you, Jenny, is: legally, is the movement of the eyes or the movement of the face, like facial movement, considered physical movement?
[00:24:56.697] Max Cohen: And that's part of the Privacy XFN process. One of the tools is the ability to update the policy. But as Jenny said, we don't have to be reliant on that. So we can provide disclosures right in the UI, in companion apps. And so we're going to use everything at our disposal to be as transparent so people don't get surprised.
[00:25:15.427] Kent Bye: Cool. There's at least two very important questions that I want to get in here before we run out of time. One is that there seems to be a new passage in here. It says, "We collect information about the people, content, and experiences you connect to and how you interact with them across our Services." This is the first time that I've seen you basically saying, OK, whatever you're doing and looking at within these VR experiences, we're going to now pay attention to what you're looking at and how you're interacting with different aspects of an experience, which as written is pretty broad in terms of, you know, what I'm looking at and what I'm paying attention to. So maybe you could unpack that a little bit in terms of what your intention was to be able to correlate what people are doing and how they're interacting with experiences, and then what you're doing with that data.
[00:26:03.117] Jenny Hall: Absolutely. So I think the first example here is with our social experiences, right? So if Max and I are connected, if we're friends on Oculus, then we, Oculus, store data in order to make that connection and allow us to have that connection across different experiences. So, for example, if Max and I are in a party, Oculus has that data. And if we say, oh, we want to launch into Antar Wars together, Oculus can take that data and the information about the connection between Max and myself and launch us into that application. Another example here is content, right? We have thousands of applications in our store and it's oftentimes difficult for people to find apps that they connect with and that resonate with them. So we can do things like understand the types of applications you're typically interacting with. So if you're somebody who's interacting with sports games, we can surface those to you as a priority and not maybe a first person shooter that might not be interesting to you. We also have opportunities for you to designate interests for yourself that can work in the same way.
[00:27:50.628] Jenny Hall: So this already happens today. My understanding, and Max may be able to provide more color on this, is that people can record things on existing technology that's not provided by Oculus, and they send us videos of abuse happening in VR. And we want to be really thoughtful about how we enforce upon abuse reports. If we don't have evidence of abuse, then abuse reports become a way to abuse and troll people in their own right: I could submit a bunch of abuse reports against Max if I don't like Max and hopefully get him banned from the service.
[00:28:24.781] Max Cohen: I did have friends that got me kicked off the stage on Turntable.fm every time I got up, because they kept on doing that. So this is actually a real-life thing that happened to me.
[00:28:32.827] Jenny Hall: I mean, you probably deserved it. The music wasn't very good. But so that's the type of experience that we're talking about there. We think it's really important. I'm sure, you know, you're a VR aficionado. You've been watching the news and you've seen reports of women having bad experiences in VR. And if that continues to happen, we're not going to be able to create a thriving VR community where people feel welcome. So that's what we're talking about there.
[00:29:00.681] Max Cohen: This isn't surreptitious, persistent video recording that Oculus is doing and using to enforce. This is user-generated abuse prevention reports that then go to a team that can review them, so that we can accurately be an arbiter of whether or not abuse happened. And the reality is that we want to be very responsive to this and do it in a way where we take these reports seriously. And by having video and audio recordings of the abuse, if it took place, that is really helpful for us to quickly take action and make sure that VR is safe for as many people as possible.
[00:29:34.386] Kent Bye: I see. So it's self-recording. And then how do you prevent someone from fabricating a false report? Because, you know, in this day and age, you can create basically anything you want in a video that's submitted. So I guess you're not doing anything on your end, but this is all up to people to record on their end. And then they could potentially edit it if they wanted to.
[00:29:52.750] Max Cohen: So this allows us to generate tools that people can use, that we run, that will capture that video. So, again, it would still be initiated as part of the abuse prevention process. But this isn't always video submitted by someone else where it's just being sent in through a contact form. This is something where we do have an interest in developing tools right in the user interface that people can use to capture this, which makes it much less subject to the type of editing that you're talking about.
[00:30:21.498] Kent Bye: Okay, and it sounds like on May 20th these new tools are being launched. Will all of the data that you record and store be in there? Because at this point, it's been a little bit of not knowing what's been recorded, and so it's a bit of assuming the worst until we actually see what's recorded. So I'm guessing everything, from the physical movements and everything else? Or is that de-identified from identity? So there are things that you're recording of me, but they aren't tied to my identity? So I guess everything that is tied to my identity, I'm going to have access to with these privacy tools. Is that correct?
[00:32:43.531] Jenny Hall: So we provide a variety of tools that allow developers to get data in order to make the product function. So we have APIs. Of course, developers need to understand information about where you're positioned in order to deliver you the content. And then we have some social APIs that provide developers with information in order to make social experiences on their end as well. And we have a robust system of protections in place surrounding the information that we provide to developers. On the front end, we have an app review process where our team scans apps to make sure there are no security vulnerabilities that could impact user privacy. We've rejected a number of apps from the Oculus Store because we thought that they would create these security vulnerabilities. We also have contractual protections in place with our developers to make sure they're using data appropriately. We surface developer privacy policies in our Oculus Store so users have the opportunity to review those privacy policies and make informed decisions about whether they want to interact with the content. And then after third-party apps are in distribution, we also periodically audit our APIs to make sure we're not seeing any evidence of nefarious behavior.
[00:34:08.216] Max Cohen: And two more things worth flagging. We don't actually provide the email addresses of people who have that application, which is something that is different from a lot of other stores and platforms out there, because we don't want to make it so that developers can market based off email address. That's information that we protect. We are also auditing the permissions requested by applications. And so when apps are being submitted to us, we will push back at times if we feel like there is a permission being requested on a mobile device that we don't think is actually necessary for that app to run.
[00:34:41.811] Kent Bye: Great. And finally, I'd be curious to hear from each of you what you think the ultimate potential of virtual reality is.
[00:34:51.576] Max Cohen: Sure, I'll start. One of the reasons I came to Oculus and got involved is that I had just had a newborn son at the time. And I was thinking about the way I learned when I was growing up, and how in education there's always new studies that are coming out, but the fundamentals haven't really changed that much. And I was just thinking about how inefficient it is to read a textbook or to have to look at a static webpage to understand how the pyramids were built in Egypt, or to understand ancient Rome, or to understand what's going on in the world today, where it's hard to build that empathetic connection. And so I would love for my son, when he's in high school, to be using VR as a primary interface in order to educate himself about culture, about history, and about subjects like languages and math much more efficiently. And so the passion that I followed by coming here was creating this enabling technology that allows developers to try to figure out a lot of these things. And I will say that my expectations have been surpassed in all of the new and innovative ways that people have been using VR, such that if you look 5, 10, 15 years in the future, I do think that VR, while not yet an inevitability, is going to be something that all of us will be using all the time.
[00:36:10.372] Jenny Hall: And I will say my example here is not one that I had initially when I started at Oculus, but it has evolved over time. I have an 18-year-old son who recently unforgivably left me to go off to college. They always do. I know, it's so rude. But I love the potential for VR to enable us to have meaningful connections, even though I'm in California and he's in Colorado.
[00:36:39.505] Kent Bye: Hmm. Great. Yeah. And, you know, there are lots more little nuggets here that change the nuances. I'm going to be talking about, you know, things I noticed that were taken out, like that security is not 100% safe, and, you know, other things that I'll be unpacking in the takeaway. But I just want to see if there's anything else that's left unsaid that you guys would like to say.
[00:36:58.755] Jenny Hall: Is there anything else that you want to dive into? I don't want to leave your questions.
[00:37:05.651] Kent Bye: No, I think that, well, the other, I guess the thing that I saw was that there was a passage in the original thing that said security is not 100% safe. There's no guarantee that we can protect your information. And that was taken out. I still think that's true. I don't think that anything that can be online can be 100% secure. And I'm just wondering why that sort of caution about this data can never be 100% safe was taken out.
[00:37:29.477] Jenny Hall: So we're not representing that data is 100% safe. We are absolutely with you on that one. We do have state-of-the-art security systems here that make every attempt to keep data safe. The reason that we took that out was just because it seemed unnecessary. It seemed like it was scaring people.
[00:39:11.394] Jenny Hall: So we're not currently doing any advertising on the Oculus platform. And we don't have any plans to in the near future. So I don't think we have thought through that.
[00:40:13.252] Max Cohen: There's a live stream of the Marshmallow, but you're also allowed to opt out of that, and so you can choose to turn that off if you want.
[00:40:19.057] Jenny Hall: And our in-product notifications features, we also have very granular opt-outs that allow you to opt out of getting notifications from specific apps or services.
[00:40:30.142] Kent Bye: Yeah, I guess if you combine that with collecting information about the people, content, and experiences, how you're interacting with these experiences, that's basically saying we're going to look at how you're interacting with any experience, so what you're paying attention to and what you interact with, and that That's basically opening up the door to be able to take what I'm paying attention to and what I'm interacting with. Um, so I guess that's the thing that I, and, and having that in combination to the marketing sort of implies all now, all of a sudden that Facebook can have access to anything I'm looking at in a VR experience. If you're correlating and collecting information about how people are in content and experiences, how you connect and how you interact with them, that means that you're looking at what I'm looking at in VR and you're able to make that correlation to be able to tie that into potentially a profile about me to be able to advertise to me.