None of the de-identified data that’s captured is going to show up in the new My Privacy Center, which means that there is currently no way for users to audit what types of de-identified data are being captured. There’s also no mechanism for users to see if the sample frequency of the recording of physical movements increases, and there’s no disclosure obligation by Oculus to let users know if they do increase the frequency or start capturing new types of physical movements. If Oculus is truly committed to full transparency, then they should provide a master list of all of the different types of data that are being collected in a table format with details about the different tiers of how that data are being stored, and what information is being shared with other Facebook-family services.

The new GDPR law also says that “it must be as easy to withdraw consent as it is to give it,” but there is not any indication that Oculus is going to be providing ways to opt out of having any types of data being captured and recorded as this granularity of control was not shown in initial screenshots of the new My Privacy Center.

One of the most concerning new passages in the new privacy policy is this statement: “We collect information about the people, content, and experiences you connect to and how you interact with them across our Services.” This could potentially open the door for Oculus to start correlating what content you’re specifically looking at within a VR experience, and then feed that data to Facebook for advertising purposes. One of the passages in the “How do we use information?” section says that the information that they gather is used “To market to you. We use the information we collect to send you promotional messages and content and otherwise market to you on and off our Services.” When I asked Hall about reading these two passages together, she said that the marketing passage currently means sending promotional emails about VR experiences that you might like, and that Oculus doesn’t have any current plans to do any more sophisticated advertising.

But both the old and new privacy policies say that all data collected by Oculus can also be shared with Facebook. “Sharing Within Related Companies. Depending on which services you use, we share information within the family of related companies that are legally part of the same group of companies that Oculus is part of, or that become part of that group, such as Facebook.” It also says that they can use information to “market to you on and off our Services,” which may have been intended to mean e-mail, but it can also be read to mean that Oculus data can be used to advertise to you on Facebook.

So even if Oculus doesn’t have any plans to do any advertising, they have set up the legal framework to be able to send data over to Facebook where it can be used for advertising purposes. There is nowhere that Oculus has committed to disclosing what specific information is ever shared with Facebook, or what type of data might prove to be useful for advertising purposes. Even if Oculus isn’t currently sharing any data with Facebook, and even if they don’t have any near-term plans to do so, they have granted themselves this right in their privacy policy with no further obligations for disclosing what data are being shared to other services.

Update (4/19/18): It looks like Oculus’ newly published blog post has a FAQ with the question and answer of “Is my Oculus data used to target ads to me on Facebook? We don’t share data with Facebook that would allow third parties to target advertisements based on your use of the Oculus Platform.” So they’re saying that they’re not currently sharing data that would be used by third parties for advertising, but their privacy policy technically allows this to happen in the future. This is another example of how open-ended their policy is where a close reading of the policy would allow this to happen in the future, and there are not any commitments made in the privacy policy to disclose to users if this changes in the future or any transparency on what specific data (de-identified or identified data) is going to ever be shared with Facebook. Also, does not sharing Oculus data directly to third party advertisers mean that Facebook won’t be using data from Oculus to create more specific psychographic profiles? This could indirectly benefit advertisers. Again, there is no obligation that Oculus has made anywhere to fully disclose what information might be shared between Oculus and Facebook.

The other biggest open question that I have for Oculus and Facebook is what their philosophical stance on recording biometric data is going to be. I was disappointed to hear that they are not taking any stance on biometric data yet, which means that they’re still leaving the door open to potentially capturing and recording biometric data in the future. Cohen said that there aren’t any Oculus platform technologies released yet that are recording biometric data, and so they’re currently having those discussions internally on the Privacy XFN team. Hall said that these questions about biometric data seem to be way off in the future, and that they are not prepared to make any statements on it yet. Just because Oculus hasn’t released any products yet to directly capture biometric data or that it is still in the future doesn’t mean that Oculus can’t have an opinion about biometric data and how they plan on treating it. Hall did say that they would likely update their privacy policy to account for biometric data, but it’s also possible that this privacy policy will be unchanged once products that can capture biometric data are released here in the near future.

All of the biometric data experts that I’ve talked with have warned about the concerns about biometric data privacy. Behavioral neuroscientist John Burkhardt warns that there’s an unknown ethical threshold between predicting and controlling behavior with access to biometric data streams like eye tracking, facial tracking & emotional detection, galvanic skin response, EEG, EMG, and ECG.

Privacy advocate Sarah Downey warns that VR could turn out to be the most powerful surveillance technology ever created if companies start recording biometric data, or it could be the last bastion of privacy if architected correctly. She also points out that the more data that companies record, the more that weakens America’s Fourth Amendment protections, which can make it less likely that people will speak freely into their First Amendment rights to free speech.

Jim Preston warns against the dangers of performance-based marketing companies like Facebook or Google having access to biometric data, and that it’s mortgaging our rights to privacy in exchange for free services. He says that privacy is a really complicated topic, and that it’s going to take the entire VR industry to be engaged in these discussions.

Advanced Brain Monitoring CEO Chris Berka says that some biometric data should be considered medical information protected by HIPAA regulations, and that commercial companies will have to be navigating some sensitive issues for how they store and treat biometric data. Tobii’s VP of Products and integrations Johan Hellqvist says that companies should be asking for explicit consent before they consider recording eye tracking data.

So I’ve had many conversations with biometric data experts warning about how this data from your body reveals whole new levels of unconscious information about what you value, what you’re paying attention to, and perhaps even what you find interesting. Biometric data will be a gold mine for performance-based marketing companies like Google and Facebook, and so it’s not incredibly surprising that Oculus is leaving the door open for how they will treat it. But it’s also quite disappointing that Oculus is not being more proactive in participating in a larger conversation about biometric data while also seemingly discounting it as a concern that is really far off in the future when we’re already seeing prototype VR devices that have eye tracking technology built in, like Qualcomm’s reference design with Tobii eye tracking. I expect to see eye tracking and facial tracking technologies released in VR and AR hardware within the next 1-3 years, which is not so off into the future.

The fact that Oculus has said that they can record physical movements could already mean that they’ve created the legal framework to capture other types of biometric data. When I asked whether or not “physical movements” could be interpreted to be eye movements or facial movements, Hall wasn’t willing to provide a definitive answer and said that they currently had not been thinking about it in that way. But the way that the current privacy policy is written is open-ended enough that it could already give Oculus the right to record eye tracking movements or facial movements, and tie it to our identity if they chose to do so.

There may also be issues with recording this type of biometric data in a form that is presumed to be de-identified, since there could be unique biometric signatures that de-anonymize it. Open BCI’s Conor Russomanno warns that EEG data may actually end up having unique biometric signatures, which would mean that the data may not be able to be fully anonymized.

This has implications for what may presumably be de-identified biometric data, since there may be a unique biometric key that unlocks the identity information. Oculus assures us that they use state of the art security practices, but data can never be completely guaranteed to be safe and secure. Oculus is actually removing the Security disclaimer in their privacy policy that used to read, “Please note that no data transmission or storage can be guaranteed to be 100% secure. As a result, while we strive to protect the information we maintain, we cannot guarantee or warrant the security of any information you disclose or transmit to our Services and cannot be responsible for the theft, destruction, or inadvertent disclosure of information.”

When I asked why they removed this security section, Hall said that they’re not trying to make a claim that data is 100% secure, but they also didn’t see that this passage was necessary. It also happened to scare people. I don’t think it should have been removed because I think it’s actually honest about the reality of how any data that’s collected actually isn’t 100% secure and that it can never be guaranteed to be 100% secure. People should be scared because we should be trying to limit what data are being captured and recorded.

  • jj

    Yupp and this is a huge cripple for Oculus for those paying attention to privacy right now. Oculus=facebook=Zuckerberg who was just on trial for breach of millions of users’ data in this exact situation of user terms and agreements over data usage. His view was “well you signed up for it”. So it cannot be a surprise to any of you when we realize the rift has been gathering more data than you realized it had been. It just sickens me that fb is going through all these court procedures over privacy yet on the other end of their business they’re still trying to cover their ass and pull in data, regardless of how it’s being used.

    • jj

      ‘One of the passages in the “How do we use information?” section says that the information that they gather is used “To market to you. We use the information we collect to send you promotional messages and content and otherwise market to you on and off our Services.” ‘ quoted from the article that quote from their new terms….

  • Zucculus

    Who’s to say that their transparency tools will show everything they collect? They can’t even be clear about the kind of data they capture in their privacy policy. If anything they are just releasing the tools to calm the media down about their recent privacy fiasco. Nothing has changed. People will just eat it up because they did something. Most won’t even bother using the tools. You can bet that facebook knows this too well.

    • JJ

      yeah notice how it’s a tool to view all the data they collect and not a tool to delete that data

  • oompah

    FACEBOOK == FBI And CIA Ebook on ur life

  • Nick Dauchot

    Talk is cheap

  • I don’t see a positive ending. Oculus is Facebook and Facebook is a company that lives by getting our data. So…