Facebook’s Oculus Quest 2 Has Some Serious Privacy Issues

A VR veteran weighs in on the problems with connecting your headset to Facebook

Photo: Minh Pham/Unsplash

The leaks are true.

Oculus, which is owned by Facebook, just announced the Oculus Quest 2, a very decent low-end VR head-mounted display (HMD) for under $300. This has been the company’s own internal quest for many years: to most cheaply solve the most common frustrations users have with VR. The theory is, with everyone now cooped up at home, and with the drop in price, the Zoom-fatigued and occasionally unwashed masses will now jump into VR’s new immersive social experiences by the millions.

At least, that’s what Facebook hopes will happen.

The company must have bought millions of components in advance to get costs so low, which means that Facebook has probably invested at least $10 billion into Extended Reality (XR) at this point, possibly double that. Still, I assume they will easily make at least that much off their users in a few years.

But there are serious privacy concerns that are preventing many people, including me, from buying these devices. I recently ran a [not-very-scientific] poll on Twitter where the majority of respondents said they won’t buy any Facebook products at all. Second place was an option to treat the upcoming election like carbon credits: buying the Quest 2, but also pledging to vote for candidates who will regulate Facebook.

When Oculus founder Palmer Luckey announced that he sold his company to Facebook, he promised that you wouldn’t need to sign into Oculus with your Facebook account, giving users some hope that they could beat their VR sabers and simulate jobs in peace. Yet Facebook will require everyone who buys the new hardware to have a Facebook account, and that means consumers will have to use their real identity or risk a permanent ban from the platform. (You have some time to convert if you remain on the older hardware.) This is not at all surprising, given Facebook’s business model, but some folks still feel betrayed.

Facebook revised their XR privacy policies recently. This was the company’s best opportunity, in my view, to correct some of its most egregious abuses of trust, where it could clearly state its users’ rights and clarify any promises Facebook would make to protect those rights.

The new policies popped up late on a Friday night, which should tell you something about how user-friendly they really are. I haven’t fully digested them, and I am not a lawyer. But the gist seems to be that Facebook owns your information if you use their systems, and you have the right to opt out — by deleting your account. Perhaps it’s clearer now what they collect, but it’s not any better for you, the user.

So what’s wrong with Facebook’s Quest 2 and associated apps collecting your private information, if this pays for a valuable free service and probably makes the device cheaper?

A lot.

Facebook is subsidizing these devices with its ad business, and that ad business is primed to collect a lot more data about you, the user. And there’s no way to opt out now.

The Cambridge Analytica scandal wasn’t that long ago, but many have forgotten how the company used private Facebook user data to catalog and then push the emotional buttons of many voters and thus impact elections.

I’ve never met Andrew “Boz” Bosworth, who leads Facebook’s AR/VR hardware and FRL. But I’m old enough to remember that, back when the scandal broke, he took to Twitter to correct media reports that Facebook had any kind of data breach.

I’m not sure which version of the story was worse, honestly, but the whole situation was so mishandled that Facebook would really just like us to forget it. And like your drunken college photos popping up on Facebook, the internet never forgets.

Profiling and trolling are apparently still going on for the 2020 election, under new names. Twitter wisely stopped accepting political ads to stem some abuse. Facebook says they can’t discern reasonable advocacy from the outright lies and trolls, but they won’t stop accepting political ads until one week before the election.

Manipulation is the real danger here, even if no one has an explicit “mind control ray,” as Cory Doctorow recently wrote and, I believe, trivialized. Consider a better analogy: A fraudster with loaded dice can win more games over time without specifically directing each throw. This cheating may go unnoticed unless you analyze the statistics. Most of us are blissfully unaware when we’re being emotionally manipulated, but all of us are susceptible. And Cory is right that we can and should reduce the power of the big platforms as they seep into more and more aspects of our lives.

With virtual reality and augmented reality devices, the dangers are exponentially higher than we saw with modern 2D social networking. I’ve written about what happens when head-mounted devices can see what you’re looking at and record how you react; how they can understand and, if needed, change your environment in real time to elicit responses. There are proactive steps we should be taking now to address it, such as declaring biometric data as health data, legislating more consumer protections, and making privacy choices simpler and better informed (for example, “nutrition label” analogs). But more pressing issues in 2020, like Covid-19 and latent fascism, take precedence.

The dangers of ad-driven business models in XR are real. And I don’t see anyone higher up at Facebook taking that very seriously, likely because ads are what pay their salaries and grow their stock options. What does it mean that so much of the leadership in Facebook’s XR program (including “Boz”) comes from their ad business?

This corrosive business model encourages more effective, more persuasive, and even manipulative ads to grow the business. There is no pro-consumer force to offset that I can see, except perhaps for future government regulation. This concern is primarily what I see holding people back from buying into the Facebook ecosystem.

You could buy a Quest 2 and create fake accounts to avoid the buildup of any accurate profiles, or at least keep these separate from existing social accounts. I’ve written a guide on how to do that. [TL;DR: it’s not worth risking a ban. It would be more effective for most customers to spend their time telling Facebook that they want them to change.]

Perhaps the most interesting and unreported aspect of an ad-subsidized hardware model is the question of how Facebook will prevent clever hackers from turning this powerful little device into an open-source tool, free of its Menlo Park masters. Facebook must have considered this, right?

With the immense volume and low cost of these devices and with so much public pressure against the company, it seems inevitable that this goes the way of Linux PCs — cheap, open, and crowd-supported. How long that takes is a function of how hard Facebook made it to hack.

The same kinds of hardware components that can deter casual hacking can also improve privacy. So-called hardware “data vaults” can more safely store things like biometric signatures and encryption keys that should never be uploaded to any cloud. Private user data should be forgotten immediately, unless it is absolutely necessary. But to the extent that your data must be retained, it should be encrypted only on your local device such that only you can decrypt it, not Facebook or any scope-creeping government. It’s not clear yet whether Facebook included such hardware protections for Quest 2 or opted instead for more cloud storage of your information. I suspect the latter based on history.

I don’t know if any of this convinces you to buy or not buy a Quest 2. Despite my concerns, I may still buy one anonymously, just to play around, without linking it to a real Facebook account, and risk a ban. Then again, I don’t have a real Facebook account to lose.

Schools looking to buy cheap devices should also think carefully about student privacy. Would it be okay to buy ad-subsidized laptops that used the webcams to record students in order to profile and advertise to them? I doubt it. (Academic Chromebooks seem to be more about building up future monetizable users.)

For businesses getting into XR, Oculus has a slightly different set of policies that claim extra security and charge a higher price per unit. But it’s not clear what information flows beyond any company’s internal firewall. Will companies risk their confidential information leaking in the form of cloud-stored images and audio captured by XR devices?

Overall, I’d much rather see some progress from Facebook on supporting the rights of all users before government regulation forces it to do so. Let’s actually put people first.

Disclosure: Avi Bar-Zeev has been working in Spatial Computing for nearly 30 years. He has prototyped and helped guide prospective products from Microsoft, Amazon, and Apple. He consults for leading companies in the XR space under NDA. He may publicly discuss their competitors or competing products in this space. His views are entirely his own and do not represent those of any employer or client.

Design and Technology Leader (fmr. HoloLens, Apple, Google Earth, Second Life, Disney VR) Profile photo is from generated.photos (read “Who owns YOU?” for why)
