Facebook is currently facing hard questions about how it handles user information, but most of the discussion has focused on the social network itself. Facebook owns plenty of other apps and services — including the Oculus virtual reality platform, which (like all VR platforms) collects incredibly detailed information about where users are looking and how they’re moving. VR headsets have a clear potential for surveillance and data harvesting, and Facebook has a bad track record regarding protecting privacy. So what exactly is the link between Oculus and Facebook as far as user privacy is concerned?

A VR platform like Oculus offers lots of data points that could be turned into a detailed user profile. Facebook already records a “heatmap” of viewer data for 360-degree videos, for instance, flagging which parts of a video people find most interesting. If it decided to track VR users at a more detailed level, it could do something like track overall movement patterns with hand controllers, then guess whether someone is sick or tired on a particular day. Oculus imagines people using its headsets the way they use phones and computers today, which would let it track all kinds of private communications.

The Oculus privacy policy has a blanket clause that lets it share and receive information from Facebook and Facebook-owned services. So far, the company claims that it exercises this option in very limited ways, and none of them involve giving data to Facebook advertisers. “Oculus does not share people’s data with Facebook for third-party advertising,” a spokesperson tells The Verge.

Oculus says Facebook isn’t using its data for advertising

Oculus says there are some types of data it either doesn’t share or doesn’t retain at all. The platform collects physical information like height to calibrate VR experiences, but apparently, it doesn’t share any of it with Facebook. It stores posts that are made on the Oculus forums, but not voice communications between users in VR, although it may retain records of connections between them.

The company also offers a few examples of when it would share data with Facebook or vice versa. Most obviously, if you’re using a Facebook-created VR app like Spaces, Facebook gets information about what you’re doing there, much in the same way that any third-party app developer would.

You can optionally link your Facebook account to your Oculus ID, in which case, Oculus will use your Facebook interests to suggest specific apps or games. If you’ve linked the accounts, any friend you add on Facebook will also become your friend on Oculus, if they’re on the platform. The reverse won’t be true, however, so you can friend someone on Oculus without adding them on Facebook. (You can also de-link accounts, as explained on a support page.)

Behind the scenes, Oculus apparently shares data between the two services to fight certain kinds of banned activity. “If we find someone using their account to send spam on one service, we can disable all of their accounts,” the spokesperson says. Similarly, if there’s “strange activity” on a specific Oculus account, they can share the IP address it’s coming from with Facebook.

Oculus hasn’t had any high-profile privacy blowups the way that Facebook has, but concerned VR users have been raising red flags about it for years. Former Minnesota senator Al Franken questioned Oculus about its data collection policies in 2016, for instance; the company responded with answers similar to the ones I’ve described above.

The biggest problem is that there’s nothing stopping Facebook and Oculus from choosing to share more data in the future. VR journalist Kent Bye raised this concern in a report last year, quoting Oculus product VP Nate Mitchell admitting that “used in the wrong way or in the wrong hands, you can be tracked probably more than you would normally expect to be” in VR.

A lot of VR data mining isn’t that different from existing methods

As intimate as VR surveillance seems, it’s still (as far as we know) not nearly as invasive or all-encompassing as Facebook’s app and web surveillance. Some of the things that Oculus collects, like location data and IP address, are already being collected by Facebook apps and pages. VR headsets can tell where you’re looking, but an ordinary webpage can achieve a similar effect by tracking where you’re moving your mouse or clicking.

But if mixed reality technology advances, this is going to become a much more important issue. Writer and game developer Chet Faliszek points out that augmented reality glasses would collect far more data than present-day VR goggles, if you’re wearing them for long periods of time in everyday life. (I’ve written a bit already about AR’s huge privacy implications.) Facebook sees AR glasses as the future, and any precedent Oculus sets today could affect Facebook’s mixed reality privacy policies down the road.

Right now, Oculus’ privacy stance is ambiguous: it’s supposedly sharing relatively little user information with Facebook but leaving its options open. If you’re worried about VR’s long-term privacy implications, this isn’t encouraging. But in the short term, most VR users will still be giving Facebook more data with old-fashioned clicks and shares.