Oculus will be releasing a new Privacy Policy and Terms of Service tomorrow that will go into effect on May 20th, just five days before the EU’s General Data Protection Regulation (GDPR) privacy law enforcement deadline of May 25th. I had a chance to review the new privacy policy and terms of service as well as talk with the lead privacy policy architect Jenny Hall and a privacy cross-functional team member Max Cohen, who leads product for the Oculus platform.

LISTEN TO THIS EPISODE OF THE VOICES OF VR PODCAST

Generally, both the old and new Oculus privacy policies are written in an open-ended way that provides Oculus great leeway in being able to capture and record a lot of different types of data, and the new privacy policy actually adds a number of new passages that allows for new types of data to be collected. Hall & Cohen emphasize that Oculus is committed to transparency and building trust, and that they need this flexibility to account for future applications that haven’t even been imagined yet. But as the line between Oculus and Facebook continues to blur, there are still many open questions for what types of data or biometric information gathered from VR is going to prove to be useful for Facebook’s advertising bottom line.

In talking with Hall and Cohen, they were able to detail how Oculus is taking a much more conservative approach than a worst-case scenario interpretation of what the privacy policy affords, but up to this point their limited implementations have relied upon a ‘just trust us’ approach with not a lot of transparency on the full range of data that is actually being captured and how it is being stored. Oculus will soon be releasing more GDPR-inspired transparency tools so that users will be able to audit what personal data are being recorded so that users will be able to see for themselves, but these tools still will not reveal everything that Oculus is capturing and recording.

On May 20th, Oculus will be releasing a ‘My Privacy Center’ web interface that will allow users to download a copy of the personal data that Oculus has collected, view the information that Oculus collects when you use their platform, and set privacy settings around who can see your real name, real name search, sharing your Oculus apps & activity, as well as who can see your friends list. Hall and Cohen told me that Oculus is really committed to transparency, and these automated privacy tools will be a huge step in actually allowing users to audit what data are being collected.

The current privacy policy allows users to request to download and review your data, but I found their previous method to be both unreliable and non-responsive. Oculus did not respond to my previous email requests that I sent to privacy@oculus.com in January and March 2017, and so I’m happy to see that the GDPR obligations have catalyzed an automated web interface that will provide immediate access to the private data Oculus has captured. When asked if all of the GDPR obligations will be provided to all of the users around the world, an Oculus PR representative responded, “We are making sure everyone has the same settings, controls, and privacy protections no matter where they live, so not just Europe but globally. The GDPR’s penalties and notification policies are specific to EU law.”

Both the current and new privacy policies are more likely to grant Oculus permissions for what data they can collect than to detail the obligations for how Oculus plans on capturing and storing that data. Hall and Cohen described to me how Oculus takes a tiered approach to privacy where there are at least three major tiers of data that are collected: data that are collected and tied back to personal identity (which they try to limit), data that are de-identified and shared in aggregate (things like physical movements taken at a low sample frequency), and then personal information that is useful for VR and is only stored locally on your machine (like the height of the player).

However, Oculus does not disclose in the privacy policy which tier data will be captured at. For example, in the “Information Automatically Collected About You When You Use Our Services” section, Oculus only says that they collect “information about your environment, physical movements, and dimensions when you use an XR device.” Oculus doesn’t specify that their current recordings of physical movement data are not tied to your identity, that the sample frequencies are too low to fully reconstruct movements, and that it is only presented in aggregate form. This is the type of information that Hall and Cohen provided to me when I asked about it, but Oculus hasn’t disclosed this information in any other way.

The way the privacy policy is written implies that physical movements could indeed be tied to personal identity at as high of a sample frequency as they would want. It’s this level of vague open-ended language that would allow Oculus to capture data at a much high fidelity than they currently are. Because Oculus doesn’t commit to any specifics in the privacy policy, then this means that they don’t have to commit to notifying users if their implementation changes. Currently Oculus isn’t tying physical movements to identity, but that could change next month and there are not any notification obligations that are specified in the privacy policy. The privacy policy merely states that Oculus can record physical movements without being overly prescriptive for how Oculus decides to implement it.

It is worth pointing out that both Hall and Cohen emphasized over and over again that they’re really committed to transparency, and that most of their interpretations of the privacy policy are very conservative. They’re not trying to scare users, but rather build trust with them. Users will be able to have tools in May to be able to verify what data are actually being recorded, and if there is a mismatch of expectations of having way more data that’s captured than users were expecting, then that’ll cause users to lose trust with Oculus. It takes a lot of time to build trust, but it can be lost in a moment and Cohen emphasized that losing trust can be detrimental for Oculus. So I took this message to be on good faith that Oculus’ Privacy Policy needs to be flexible enough for them to be able to provide the services that they are providing, but the privacy policy still only provides limited obligations for what Oculus is committed to providing.

It is likely that this is because Oculus is trying to keep their privacy policy simple in response to GDPR obligations to have human-readable privacy policies that give concrete examples. Hall also said that they’re trying to prevent the policy from exploding into hundreds of pages long. Once downloadable access to what exact data are actually collected and tied to identity will also likely solve some of these problems of having open-ended and vague language in the privacy policy, but it won’t solve all of the transparency issues about what exactly is being recorded.