UPDATED! The Facebookening of Oculus: Taking a Look at the Updated Oculus Privacy Policy and the New Oculus Supplemental Data Policy (Part 3 of 3)

Housekeeping Notice: This is the third and final part of a three-part series. Part 1 can be found here, and Part 2 can be found here.

UPDATE Oct. 14th, 2020: Well, that didn’t take very long! The first reports of Facebook bricking Oculus VR headsets have already begun to come out, only on the second day of the Quest 2’s release. More details on these cases are at the very end of this blogpost.

This manipulated image of the new Facebook Reality Labs logo is courtesy of the insanely talented and creative LokiEliot; the eye is actually not part of the FRL logo pyramid, but as several commentators on Twitter have remarked, it may as well be there.

Today is the first day of shipping for the new Oculus Quest 2 standalone VR headset, which has received glowing reviews from many quarters. Scott Stein of C|Net reports:

There’s a pair of magic goggles I’ve gone back to again and again over the last two years, opening up worlds of games, theater, conversations, art and experiences that are tough to even describe. The Oculus Quest 2 is an improved, less expensive sequel to the Oculus Quest, a self-contained VR game console that was my absolute favorite thing in 2019. This year it’s already been my portable holodeck, my little magic fitness room, my escape space.

Over the last month, I’ve used the Quest 2 for hours, sometimes an hour straight or more at a time. It keeps impressing me, and the fit and comfort have actually improved. The more compact head strap feels like it’s broken in a bit, and the eye padding now feels less restrictive. I feel like I’ve found a sweet spot for adjusting it to my face. And the controllers still haven’t needed new batteries in over a month of use.

However, he adds:

The Quest 2 requires you to connect or merge with a Facebook account, even if you’re a long-standing Oculus user. Facebook’s policies for the Oculus VR have changed, requiring a Facebook login which wasn’t necessary before. Existing Oculus ID owners still have to merge accounts immediately when using the Quest 2. Facebook’s social media ambitions are clearly aligned where VR and AR are heading, and guess what? The Oculus Quest 2 is a Facebook product. This isn’t surprising to me, but it’s something to consider if you want a VR headset that’s more open and flexible, or doesn’t live under Facebook’s umbrella.

That’s concerning in the longer-range scope of how Facebook handles data on its VR headset, but in the short term it doesn’t affect much at all. The Quest 2 is a game console, for the most part, and it’s a fantastic one. It might even be my second-favorite game console right now next to the Nintendo Switch.

Today, in looking at the new Oculus Data Policy (which was updated on Oct. 11th, 2020), I will be relying heavily on the work done by Kent Bye, who used an automated version comparison tool to compare the old and new policy documents, and has outlined his thoughts and impressions in this series of tweets posted shortly after the update on Oct. 11th. Kent was also able to ask some follow-up questions of Facebook, and he shared a second series of those questions and their answers today, on Oct. 13th.

I want to thank Kent Bye for taking the time and effort to read through the fine print of multiple Facebook/Oculus policy documents, and running a comparison checker on them against previous versions, to highlight what was new. The overwhelming majority of people, of course, would not go to this length, but I wanted to highlight here some of the things he discovered.

Part 3: The Updated Oculus Privacy Policy, the Facebook Data Policy, and the Oculus Supplemental Data Policy

If you click on “Oculus Terms of Service” link in the email announcement I received a couple of weeks ago, you are taken to yet another Oculus page with the imposing heading of LEGAL DOCUMENTS:

This image has an empty alt attribute; its file name is Legal-Documents-2-1024x673.png

As I said up top, this document was updated only a couple of days before the first Oculus Quest 2 units started shipping to consumers.

If you are the owner of an existing Oculus VR device (Rift or Rift S, the original Quest, or Go), and choose to merge your Oculus and Facebook accounts, or if you purchase a Quest 2, you must abode by the Facebook Data Policy and the Oculus Supplemental Data Policy. If you choose to use an Oculus account (but not a Facebook account) to access Oculus Products, you will be covered by the Oculus Privacy Policy (also updated on Oct. 11th, 2020). Confusing? Yes it is. You have to visit multiple documents to figure out what’s happening here.

Under “How do we use this information?”, the Oculus Supplemental Data Policy states:

We use information we collect when you use Oculus Products for the purposes described in the Facebook Data Policy under “How do we use this information?”, including to provide, personalise and improve the Facebook Products (including seamless integration between the Facebook Products); to provide measurement, analytics and other business services (including ads); to promote safety, integrity and security; to communicate with you; and to research and innovate for social good.

Upon reading the phrase “innovate for social good”. I tweeted incredulously to Kent:

“Research and innovate for social good”?!?? From a company whose flagship product is a toxic dumpster fire of misinformation, disinformation, and conspiracy theories, and who strip-mines your personal data and sells it to corporations and campaigns (remember Cambridge Analytica?)

To which he in turn replied:

“Research & innovate for social good” is a clause allowing them to do academic research on a whole range of topics. It’s language that’s a carry-over from their Facebook Policy, which provides a bit more context. The social harms get into all of the many unintended consequences.

One thing that new Supplemental Oculus Terms of Service makes very clear is that you, the purchaser, are responsible for any breaches of the ToS by anybody who uses your headset. Kent says:

My take: You could lose your Facebook account if you let someone use your Oculus headset & they violate the ToS.

Kent asked Facebook, “Can I use multiple Facebook accounts on the same device?” and the answer back from Facebook was:

Not right now, but we plan to introduce the ability for multiple users to log into the same device using their own Facebook account, so that people can easily share their headset with friends and family while keeping their information separate.

To which I ask: Why the hell didn’t Facebook take care of this before shipping the Oculus Quest 2? The Quest 2 is being marketed as a single-user device tied to a single account on the Facebook social network, at a time when the majority of VR devices are shared between multiple people. Why did Facebook not take this into account? Were they in too much of a hurry to tackle this problem before launch?

I can think of numerous examples where different users (such as multiple children of different ages within the same family) will be using a single VR device. For example, I am donating my original Quest to my sister-in-law’s workplace, where she is part of a team of people who works with developmentally challenged adults. Even worse, if any one of those people breaks the Terms of Service, they could then lose access to their device and all the content purchased for it.

Another new thing in the Terms of Service is Facebook has “permission to use your name, profile picture, and information about your actions with ads and sponsored content.” When Kent asked Facebook what was meant by “your name”, the response was it could refer either to your Oculus username of your real name.

All updated versions of the Oculus Terms of Service will now use the Facebook Community Standards, the Oculus Conduct in VR policy, and the Oculus Platform Abuse Policy. A transgression in the Facebook social network will impact on your use of Oculus devices, and vice versa; all data is shared among all Facebook companies.

In the Supplemental Oculus Terms of Service, in a section titled Account Suspension, it states:

In addition to what is stated in Section 4.2 of the Facebook Terms of Service, your access to or use of Oculus Products may be suspended or disabled, and you may lose access to, or the use of part or all of, the services offered by Facebook or third parties through Oculus Products, if (acting reasonably): (1) we determine that you have violated or breached the Terms, Community Standards (also known as the Facebook Rules), Conduct in VR Policy, Oculus Platform Abuse Policy or other terms and policies that apply to your use of Oculus Products or Third-party Services; (2) we believe that your access to, or use of, Oculus Products creates a health and safety risk; or (3) Facebook suspends or disables your Facebook account. Furthermore, we may suspend or disable your access to or use of Oculus Products if you repeatedly infringe other people’s intellectual property rights or when we are required to do so for legal reasons. To the extent permitted by applicable law, Facebook and its affiliates assume no liability for such loss of access and use and will have no obligations related to such loss. If you delete or we disable your access to or use of Oculus Products, these Oculus Terms shall be terminated as an agreement between you and us…

The new ToS covers personal and non-commercial use of Oculus VR devices, referring commercial users to separate cosument, the Oculus for Business Enterprise Use Agreement:

Kent Bye reports that there is a LOT of data collection which Facebook will be collecting from Quest 2 users, and users who choose to merge their Oculus and Facebook accounts with older devices (Rift, Quest 1, and Go).

Users will have to examine both the Oculus Supplemental Data Policy under the heading “What kind of information do we collect?”, in addition to the Facebook Data Policy under the heading “What kinds of information do we collect?”.

The Facebook Data Policy states (yes, I know it’s long, but you should read the whole thing):

To provide the Facebook Products, we must process information about you. The type of information that we collect depends on how you use our Products. You can learn how to access and delete information that we collect by visiting the Facebook settings and Instagram settings.

Things that you and others do and provide:

Information and content you provide. We collect the content, communications and other information you provide when you use our Products, including when you sign up for an account, create or share content and message or communicate with others. This can include information in or about the content that you provide (e.g. metadata), such as the location of a photo or the date a file was created. It can also include what you see through features that we provide, such as our camera, so we can do things such as suggest masks and filters that you might like, or give you tips on using camera formats. Our systems automatically process content and communications that you and others provide to analyse context and what’s in them for the purposes described below. Learn more about how you can control who can see the things you share.

Networks and connections. We collect information about the people, Pages, accounts, hashtags and groups that you are connected to and how you interact with them across our Products, such as people you communicate with the most or groups that you are part of. We also collect contact information if you choose to upload, sync or import it from a device (such as an address book or call log or SMS log history), which we use for things such as helping you and others find people you may know and for the other purposes listed below.

Your usage. We collect information about how you use our Products, such as the types of content that you view or engage with, the features you use, the actions you take, the people or accounts you interact with and the time, frequency and duration of your activities. For example, we log when you’re using and have last used our Products, and what posts, videos and other content you view on our Products. We also collect information about how you use features such as our camera.

– Information about transactions made on our Products. If you use our Products for purchases or other financial transactions (such as when you make a purchase in a game or make a donation), we collect information about the purchase or transaction. This includes payment information, such as your credit or debit card number and other card information, other account and authentication information, and billing, delivery and contact details.

Things others do and information they provide about you. We also receive and analyse content, communications and information that other people provide when they use our Products. This can include information about you, such as when others share or comment on a photo of you, send a message to you or upload, sync or import your contact information.

Device information:

– As described below, we collect information from and about the computers, phones, connected TVs and other web-connected devices you use that integrate with our Products, and we combine this information across different devices that you use. For example, we use information collected about your use of our Products on your phone to better personalise the content (including ads) or features that you see when you use our Products on another device, such as your laptop or tablet, or to measure whether you took an action in response to an ad that we showed you on your phone on a different device.

Information that we obtain from these devices includes:

Device attributes: information such as the operating system, hardware and software versions, battery level, signal strength, available storage space, browser type, app and file names and types, and plugins.

Device operations: information about operations and behaviours performed on the device, such as whether a window is in the foreground or background, or mouse movements (which can help distinguish humans from bots).

Identifiers: unique identifiers, device IDs and other identifiers, such as from games, apps or accounts that you use, and Family Device IDs (or other identifiers unique to Facebook Company Products associated with the same device or account).

Device signals: Bluetooth signals, information about nearby Wi-Fi access points, beacons and mobile phone masts.

Data from device settings: information you allow us to receive through device settings that you turn on, such as access to your GPS location, camera or photos.

Network and connections: information such as the name of your mobile operator or ISP, language, time zone, mobile phone number, IP address, connection speed and, in some cases, information about other devices that are nearby or on your network, so we can do things such as help you stream a video from your phone to your TV.

Cookie data: data from cookies stored on your device, including cookie IDs and settings. Learn more about how we use cookies in the Facebook Cookies Policy and Instagram Cookies Policy.

Information from partners:

Advertisers, app developers and publishers can send us information through Facebook Business Tools that they use, including our social plugins (such as the Like button), Facebook Login, our APIs and SDKs, or the Facebook pixel. These partners provide information about your activities off Facebook – including information about your device, websites you visit, purchases you make, the ads you see and how you use their services – whether or not you have a Facebook account or are logged in to Facebook. For example, a game developer could use our API to tell us what games you play, or a business could tell us about a purchase you made in its shop. We also receive information about your online and offline actions and purchases from third-party data providers who have the rights to provide us with your information.

Partners receive your data when you visit or use their services, or through third parties that they work with. We require each of these partners to have lawful rights to collect, use and share your data before providing us with any data. Learn more about the types of partners we receive data from.

To learn more about how we use cookies in connection with Facebook Business Tools, review the Facebook Cookie Policy and Instagram Cookie Policy.

And the Oculus Supplemental Data Policy covers even more kinds of data which Facebook collects about you when you use your Oculus device, including a few things that you might not have thought about, for example, “your physical features and dimensions, such as your estimated hand size” and “information about your environment, physical movements and dimensions when you use an XR device“:

In addition to the information described in the Facebook Data Policy under “What kinds of information do we collect?”, we collect the following categories of information when you use Oculus Products:

Physical Features: We collect information about your physical features and dimensions, such as your estimated hand size when you enable hand tracking.

Content: We collect content you create using Oculus Products, such as your avatar, a picture you post, an object you sculpt or audio content you create, and information about this content, such as the date and time you created the content.

Cookies and Similar Technologies: We receive information collected in or through various technologies on Oculus Products, including cookies, pixels, local storage and similar technologies. Learn more about how we use these technologies on our websites and mobiles apps in the Oculus Cookies Policy.

Interactions: We collect information about the features you interact with on our Oculus Products. For example, we receive information about your Oculus Browser usage, such as interactions with recommended pages, which browser features you use, crash reporting data and other statistics related to your Oculus Browser. When you use our voice services, we process your voice interactions to respond to your request, provide the requested service to you and improve our voice services on Oculus. You can learn more about how we collect and use information from other features you interact with on the Oculus Products in our Oculus Privacy FAQ.

Environmental, Dimensions and Movement Data: We collect information about your environment, physical movements and dimensions when you use an XR device. For example, when you set up the Oculus Guardian system to alert you when you approach a boundary, we receive information about the playing area that you have defined; and when you enable the hand tracking feature, we collect technical information such as your estimated hand size and hand movement data to enable this feature.

Information From Third Parties: We receive information about you from third parties, including third-party apps, developers, other online content providers and marketing partners. For example, we receive information from developers about your achievements in their app and share this information with your friends on Oculus. We also collect content and information that other people provide when they use Oculus Products. This can include information about you, such as when they send us an abuse report that refers to or contains a video of you.

– Technical System Information: We collect technical system information such as crash logs which may contain your user ID, your device ID, your IP address, the local computer file path, the feature quality, the amount of time it takes to load a feature and whether you use a certain feature.

There is much, much more that Kent Bye uncovered, which I do not have the time or space to address here. Please refer to Kent’s twitter threads here (Oct. 11th) and his follow-up questions and answers here (Oct. 13th) to get the complete story.

Will any of this make any difference to the success of the Quest 2? Probably not. Most people (many of whom probably already have a Facebook account) will see a cheaper, better version of the original Quest and buy one, tacitly signing off on all these policies without reading them or understanding them. The people who know about the potential dangers and warn about them (such as Kent Bye and myself) are but a vocal minority. Most people don’t know the issues and don’t care. As one of the members of the RyanSchultz.com Discord said recently:

Facebook wants to own the Metaverse…

The question is whether you are willing to sell your data to get a cheaper VR headset. The mainstream market cares about the price more than privacy.

The Oculus Quest 2: Are you willing to let Facebook strip-mine your data for a
cheaper VR headset? Most consumers will probably say yes.

UPDATE Oct. 14th, 2020: The following was posted today to the Oculus Quest subReddit community, along with screenshots:

Got my Quest 2 today and created a new Facebook account with my real name (never had one previously) and merged my 4 year old Oculus account with it. Promptly got banned 10 minutes later and now cannot access my account or use my device.

Sent drivers license photo ID as requested by Facebook and my account now says “We have already reviewed this decision and it can’t be reversed.” upon trying to login so it looks like I’ve lost all my previous Oculus purchases and now have a new white paperweight.

Fuck Facebook & Fuck Oculus. Be warned folks.

This user’s Facebook initial signup email, the ban page they received on Facebook, and resulting Oculus support email can all be found here:

And this is not the first such report, just one that has been well documented. A commenter on this Reddit post stated:

I swear I had the exact same thing happen today.. Except I didn’t use a phone number, so 10 minutes later I was disabled, but they wanted to verify phone number, which I did.. Then they wanted a selfie video of me… Now it’s pending REVIEW!! WTF I just created an account with all 100% real info. THIS IS ILLEGAL! Buy something you can’t use!! You can buy PlayStation, Xbox, Nintendo and never create an account but you can buy a game, put it in, and play it!!!! SERIOUSLY FACEBOOK IS THE MAFIA!

We can expect to see many more incidents as Facebook’s faulty automated checking systems falsely flag and ban accounts which it assumes are false. As word gets out, and the news media begin to report on these problems, it could put a small dent in Quest 2 sales (although I still predict that Facebook is going to sell a lot of Quests, regardless).

UPDATE Oct. 15th, 2020: Upload VR has reported on this problem. And the reports of users being locked out of their Oculus devices have grown so numerous that people are beginning to track them, and discuss ways of organizing in response. Rainwolf, a member of the RyanSchultz.com Discord, posted the following image, which indicates that a great many Japanese people are encountering the same problems:

This is actually happening a LOT to my Japanses VR fanatic friends, right now, who are buying the Quest 2 to get involved in VRChat, Cluster, and VirtualCast. If you check the Twitter hashtags, it’s rampant… In Japan, Facebook is used like LinkedIN, it’s there for business and networking with business. THey don’t use it for personal stuff. That’s reserved for Line and Twitter. Japan’s mobile phones have automated filters to blur the faces of people in the background of images, even.

Japan takes identity and privacy online to the next level, and many of them have multiple personas online that are used for various groups or associations, so this is hitting them really hard…Many of them are making an Oculus account (creating a Facebook account) for the first time, putting a picture of their avatar or their artwork up, and making private everything else as you would expect them to. Then they go to use their headset and are immediately locked out.

To steal a line from I Love Lucy, Facebook has some ‘splaining to do…

Liked it? Then please consider supporting Ryan Schultz on Patreon! Even as little as US$1 a month unlocks exclusive patron benefits. Thank you!

2 thoughts on “UPDATED! The Facebookening of Oculus: Taking a Look at the Updated Oculus Privacy Policy and the New Oculus Supplemental Data Policy (Part 3 of 3)”

Comments are closed.