VR Biometric Data is Not Personally Identifiable (Yet)

Some existing biometric identifiers can connect information gathered from your body to your identity. These include facial features, fingerprint, hand geometry, retina, iris, gait, signature, vein patterns, DNA, voice, and typing rhythm. Right now your gait, voice, retina, or iris as captured by an eye tracking camera could be biometric data that proves to be personally identifiable. It’s also likely that the combination of other factors like your body, hand, and head movements taken together may prove to create a unique kinematic fingerprint that could also personally identify you with the proper machine learning algorithm. This could mean that data being stored anonymously today could eventually be aggregated to personally identify you, which would make it a special class of PII that requires special legal protections.

OpenBCI co-founder Conor Russomanno told me that EEG brainwave data may turn out to have a unique fingerprint that cannot ever be fully anonymized and could potentially be tracked back to individuals. What are the implications of storing massive troves of physical data gathered from VR headsets and hand tracked controllers if it turns out to be personally identifiable? Downey suggests that the best answer from a privacy perspective is to not record and store the information in the first place.

VR Companies Are Not Being Proactive with Privacy

There’s a set of self-regulatory principles for online behavioral advertising that companies have collectively agreed to follow to help with the Federal Trade Commission’s oversight of companies protecting the privacy of individuals. But up to this point none of the major virtual reality companies has taken a proactive approach to educating users, being transparent, and providing consumer controls to opt out of what may be recorded and stored from a VR system.

Google has the most detailed privacy Dashboard for reviewing and controlling what they’ve recorded from your regular account (including interactive maps of location history and voice recordings of talking to Google Assistant), but they don’t have any specific information related to virtual reality yet. You can see which ad preference categories Facebook has selected for you, but their Privacy Policy explanation page shows very little of the raw data that they’ve collected. The HTC Vive links to HTC’s privacy policy, which hasn’t been updated since September 29, 2014 and predates the Vive, so there’s no specific VR information. And there’s no specific indication of VR data being captured or tracked in Valve’s or Samsung’s privacy policy.

Oculus’ Privacy Policy is the only one to call out any specific VR data being collected, which means that either other companies aren’t recording any head or hand tracked information yet, or they’re not properly disclosing the fact that they are.

Oculus’ Independence from Facebook is Fading

The site VRHeads did a great comparison of the different privacy policies of VR companies, pointing out some of the commonalities and differences. They also flagged Oculus’ privacy policy as concerning, saying, “The company states that all of that information is necessary to help make your game experience more immersive; they also use the data to make improvements on future games. But permanently storing that data, and then sharing it? That’s a bit invasive.”

Oculus made this statement about privacy in response to an UploadVR report from April 2016:

We want to create the absolute best VR experience for people, and to do that, we need to understand how our products are being used and we’re thinking about privacy every step of the way. The Oculus privacy policy was drafted so we could be very clear with the people who use our services about the ways we receive or collect information, and how we may use it. For example, one thing we may do is use information to improve our services and to make sure everything is working properly — such as checking device stability and addressing technical issues to improve the overall experience.

Lastly, Facebook owns Oculus and helps run some Oculus services, such as elements of our infrastructure, but we’re not sharing information with Facebook at this time. We don’t have advertising yet and Facebook is not using Oculus data for advertising – though these are things we may consider in the future.

Just because Oculus hasn’t shared information with Facebook as of early 2016, that doesn’t mean that they won’t or that they don’t plan to in the near or far future. In fact, it’s likely that they will; otherwise they wouldn’t have included the legal language to do so.

The boundaries of independence between Oculus and Facebook have been fading lately. Facebook has been taking more and more of an active part in running Oculus as shown by the Oculus logo including mention of Facebook, with CEO Brendan Iribe recently stepping down, and with Mark Zuckerberg giving a much more in-depth demo about the future of VR and Facebook at the recent Oculus Connect 3.

Any early comfort that Oculus would be run as an independent company from within Facebook is starting to fade, and the bottom line is that there’s nothing stopping Oculus from feeding as much intimate data about body movements into Facebook’s unified super profiles of personally identifiable users. It’s starting with physical movements, but it’s likely that future generations of VR technology will have deeper tracking technologies built in, like eye tracking and biometric sensors. Oculus’ privacy policy is laying down the legal framework to be able to capture and store everything you look at and interact with in virtual worlds; these policies will increasingly matter as VR becomes a more important part of our lives.

The Metaverse as the Last Bastion of Privacy?

As these online profiles start to merge into our real world with augmented reality technologies, it could vastly reduce our sense of privacy. So Downey is optimistic that a virtual reality metaverse could become one of the last bastions of privacy that we have, if VR technologies are architected with privacy in mind.

Downey encourages VR application and hardware developers to minimize data collection and to maintain as little data as possible. She also suggests not personally identifying people, and using decentralized payment options like Bitcoin or other cryptocurrencies so as not to tie information back to a singular identity. Finally, she suggests avoiding social sign-ins so that people’s actions are not tied back to a persistent identity that’s permanently stored and shared forever.

Open Questions to VR Companies for Regulators

Virtual reality technologies are going to have increased scrutiny from public policy creators in 2017, and there has already been a Senate Commerce hearing about Augmented Reality in November of 2016.

Some of the open questions that should be asked of virtual reality hardware and software developers are:

• What information is being tracked, recorded, and permanently stored from VR technologies?
• Is this information being stored with the legal protections of personally identifiable information?
• What is the potential for some of this anonymized physical data to end up being personally identifiable using machine learning?
• Why haven’t Privacy Policies been updated to reflect what VR data is being tracked and stored? If nothing is being tracked, then are they willing to make explicit statements saying that certain information will not be tracked and stored?
• What controls will be made available for users to opt-out of being tracked?
• What will be the safeguards in place to prevent the use of eye tracking cameras to personally identify people with biometric retina or iris scans?
• Are any of our voice conversations being recorded for social VR interactions?
• Can VR companies ensure that there are any private contexts in virtual reality where we are not being tracked and recorded? Or is recording everything the default?
• What kind of safeguards can be imposed to limit the tying of our virtual actions to our actual identity in order to preserve our Fourth Amendment rights?
• How are VR application developers going to be educated and held accountable for their responsibilities regarding the types of sensitive personally identifiable information that could be recorded and stored within their experiences?


The technological trend over the last ten to twenty years has been that our behaviors with technology have been weakening our Fourth Amendment protections of a reasonable expectation of privacy. As we start to provide more and more intimate data that VR and AR companies are recording and storing, are we yielding more of our rights to a reasonable expectation of privacy? If we completely erode our right to privacy it will have serious implications on our First Amendment rights to free speech.

As virtual reality consumers, we should be demanding that VR companies do not record and store this information, in order to protect us from overreaching governments or hostile state actors who could capture this information and use it against us.

In order to have freedom of expression in an authentic way we need to have a container of privacy. Otherwise, we’ll be moving towards the dystopian futures envisioned by Black Mirror, where our digital footprint bleeds over into our real life and constrains all of our social and economic interactions.

Is VR going to be the most powerful surveillance technology ever created or the last bastion of privacy? It’s up to us to decide. We need to make these privacy challenges to VR companies now before they become ingrained in our expectations.

Music: Fatality & Summer Trip

  • Get Schwifty!

    “As of right now, none of the information gathered by a virtual reality technologies has been determined to be definitively classified as “personally identifiable information,” which enables VR hardware companies and application developers to capture and store whatever they like. But once there are eye tracking technologies with more sophisticated facial detection or one day brain-control interfaces, then VR technology will have the capability to capture and store really intimate data including facial expressions, eye movements, eye gaze, gait, hand & head movements, engagement, speech patterns, emotional states and, from EEG, brainwaves, attention, interest, intent, and potentially even eventually our thoughts.”

    In other words, all this information would naturally fall under Personally Identifiable Information, or PII regulation. As usual the government regulations for such things are behind the tech curve, but definition is needed to extend PII correctly but this only applies directly to U.S. companies, and those when operating here…

    I understand the author’s clear personal dislike for Facebook coming through, but what are we to make of HTC, a Taiwanese company that doesn’t even directly fall under U.S. laws regarding PII except when operating in the U.S. and then marginally so? No offense, but I have more doubts about what a foreign-to-US company outside of Canada or the EU is collecting data than I am Facebook at this stage. You’d have to be downright stupid to believe the force of law is equivalent outside the US, Canada and EU with respect to privacy laws…..

    If people get blinded to focusing on Facebook as a U.S. company and not wondering what Sony and HTC for example are really doing outside the U.S. with their information they are going to be in for a big surprise…

    “HTC counts Facebook developers as an affiliate organization” – taken from the link quoted in the article.

    • NooYawker

      This is a really good point, I actually chose HTC because I worried about FB’s data mining. Also because of the full room scale mostly though. But who knows what HTC does since it’s based outside the US. But the Vive goes through SteamVR. Does Steam control what data is passing through or does the hardware circumvent the software and send data on its own? Who knows, it’s very possible. We definitely know Facebook collects data, that’s its sole purpose. So who do we trust? What can we do?
      That really sucks but is it wrong right now my real concern is when are we going to get some AAA VR games? Kind of willfully ignorance is bliss at this point since there’s nothing we can do without being fully informed.

      • Get Schwifty!

        Yeah – my philosophy is you’re probably not going to avoid being recorded… just take comfort in the fact your neighbor’s porn habits are also being recorded LOL.

        Great handle btw-

  • MikeVR

    The Oculus anti-privacy narrative continues… :S
    “doesn’t mean that they won’t and they don’t plan to in the near or far future. In fact, it’s likely…” “…there’s nothing stopping Oculus from feeding as much intimate data … into Facebook”.

    • Mike Handles

      And why not? Facebook is evil. Not alone in being evil, but what kind of excuse would that be anyway?

      • Get Schwifty!

        You do realize they all are “evil” right? It’s an interesting phenomenon that people I guess have evolved to want to try to boil everything down to a black-white status. If you are more trusting of any large company you will find out quickly they all are pretty cold at heart. The only ethical mandates with HTC, Sony, Facebook/Oculus and any others is self-interest to make money and keeping the shareholders happy. I can assure you HTC is not making the Vive because they see some grand vision of enlightenment and democratization of the planet with VR, they just want to make a lot of money. Period.

        • Mike Handles

          I say again “Not alone in being evil, but what kind of excuse would that be anyway?”

          I mean, just look at this stupid article:

          Just a few quick google searches will quickly find more Facebook related articles showing their underhanded, information prying, low down snake in the grass ways.

          I wasn’t trying to make a Vive vs Rift comment by the way, just doing some light hating on Facebook. But just for shits and grins I tried looking for some articles outlining HTCs shady practices and could find none. The Facebook ones came to light pretty damn easily. So maybe instead of speculating we should go with what we know. And what we know is; Facebook is evil.

          Choosing the lesser of two evils should always be attempted when possible. And my research has led me to find Facebook is among the worst. So I will avoid them like the plague. I urge everyone to do the same.

    • Get Schwifty!

      Of course, that statement is at the point we go from “journalism” to “OP-ED” piece… the fact is they have a clear policy, if you don’t choose to read it and are bothered by the information sharing shame on you to a large extent. What I dislike about “Drive-Bye” Kent’s pieces they always sum up to a point where they transition to opinion, fear mongering and supposition. You cannot say something is “likely”, it either is or it is not if you are truly just reporting the facts. I would argue it’s just as likely HTC or Sony or any other VR player is just as likely if not more so due to being in regions with lackluster privacy laws to be just as bad if not worse but that is left out of the discussion. Facebook’s real fault is just openly testing the line if you think about it, the others quite likely just collect and sell your information on the side quietly.

      Not talking about you specifically, but with a generation that can’t see the problem with getting its “news” from sources like the Daily Show I am not surprised most people don’t see the problem with this style of “journalism”.

  • OgreTactics

    Code is law. The ENEMY, not the problem, but an ENEMY of human society is platforms like Facebook. If there’s any grave political or geopolitical society that occurs in the coming years you can be sure some people at Facebook will go straight to jail for what they’ve done.

    This debate is way more subtle than general matrices or capabilities of companies and technology. It’s how we code the platform and orient the algorithm. Facebook has vastly ruined society, education, information, freedom and expression, and it’ll take a few years to realise that this is not exaggeration but a new kind of crime against societies…