In a candid moment, Mitchell told me:
“There are a lot of potential pitfalls over the future of VR and AR around user privacy. There’s never been a technology that brings so much of you into the experience, which is sort of that double-edged sword that’s the power of VR. But yeah, used in the wrong way or in the wrong hands, you can be tracked probably more than you would normally expect to be. Right? And I think that that’s only going to become more and more important as we develop new technologies that bring even more of you into the experience. And users are going to want to know and understand what’s actually happening under the hood.”
Oculus says that they’re using 60-second averages of physical movement data to debug their tracking. Mitchell said, “Almost any of the live tracking we’re doing, almost all of it, is all really diagnostics focused. So if there’s a problem with your hardware, like a batch of hardware for example, we want to know that so that we can deliver a high-quality experience, and make sure that if there’s an issue with your system and reach into support, you can send us logs. And we can say, “Hey, clearly there’s a problem the Rift sensor” or something like that.”
Oculus is clearly using this data to debug and improve their technology, but it’s unclear whether Facebook could use this “physical movements” provision in order to record all sorts of eye movements, facial movements, and potentially more biometric data in the future. It’s a vague enough provision to potentially allow Facebook to capture a whole range of biometric data including eye tracking, galvanic skin response, heart rate and heart rate variability with ECG, muscle tension & facial expressions with EMG, and brain waves with EEG. This type of biometric data is usually gathered within a medical context protected by HIPAA or a marketing research context with explicit consent and privacy protections.