"Oculus’ creation of an immersive virtual reality experience is an exciting development," Franken wrote in an open letter to Oculus CEO Brendan Iribe, "but it remains important to understand the extent to which Oculus may be collecting Americans’ personal information, including sensitive location data, and sharing that information with third parties."
The question is, what exactly is Oculus asking to collect—and how much worse is it compared to other online services' EULAs?
The short version is, Facebook can keep tabs on what software you're running through the Oculus Home hub, where you're using your Oculus, and the positional tracking of your headset—and then will likely share that data among other Facebook-owned companies.
"I believe Americans have a fundamental right to privacy, and that right includes an individual’s access to information about what data are being collected about them, how the data are being treated, and with whom the data are being shared," Franken said in a public statement.
However, Franken's statement didn't mention any other major online services, so this is a good opportunity to review whether Oculus is really breaking new, privacy-infringing ground.
Let's run through those cases one-by-one. For starters, "information about your interactions with our services" is a long-winded way of saying, "we're gonna study anonymized data about general Oculus use." The same goes for any connected entertainment network you've used in the past five years, including Xbox Live, PlayStation Network, Hulu, Amazon Video, and Netflix. Netflix was even shameless enough to admit that House of Cards came as a result of studying its customers' watching habits.
Facebook also isn't saying much interesting with its clause on tracking a user's "location information." For starters, your IP address is pretty telling, as is any shipping information you provided with your Oculus preorder (since that's the only way people can currently buy the hardware). In addition, GPS tracking in online-service privacy statements isn't exactly new, though that's usually because the service or device in question offers useful services once we give it permission to stalk us. That doesn't mean the Oculus Rift headset has a GPS sensor in it—rather, this is the same services statement that a Samsung GearVR user will see when using its Oculus-powered app.
We imagine Oculus's smartphone-powered systems will see more GPS-powered apps before long (especially if mobile-friendly, GPS-tracked games like Qonqor or Ingress ever take a VR leap), so Oculus has to admit that it will have access to that data, at the very least. And Facebook has already made clear that it's analyzing users' GPS activity "to tailor our services for you and others," so this isn't a major leap for a company in the same corporate umbrella.
The last part, which gathers "information about your physical movements and dimensions when you use a virtual reality headset," seems the most prying. In good news, at least, those movements aren't being captured as photographic images, as the Oculus Rift "Constellation" sensor only tracks infrared lights. Meaning, if you wanna wave your naked butt at your headset, go to town (so long as you don't cover your cheeks with infrared sensors, at any rate). That simply leaves positional tracking of the headset mid-game and the times when the headset is left unused on a desk.
While we can understand reasons to want to opt out of any of these data-donation pools, we imagine that VR users might want Oculus to have as much positional data as possible, as this is the stuff researchers will be mining as they work on the problems of VR nausea and discomfort. Anonymized data from thousands of retail headset wearers might answer questions that a smaller pool of dev-kit owners simply couldn't.
Conversely, the ability to gather data on, say, where we point our VR "gaze" to look at is a bit disconcerting. We imagine Oculus's app isn't recording such granular data though, because that would require a lot of recording and processing, which would eat into PC performance. Oculus probably wants users to hit a rock-solid 90fps visual refresh way more than they want to know how long you stare at the caterpillar in Lucky's Tale. (However, the amount of time you spend within each app, game, or visual experience? Every other streaming-video and online gaming service captures that information, as well.)
VR is a new frontier for user experiences, but not for privacy policies surrounding a data-gathering gold-rush. The one complaint we'd levy specifically at Oculus is that its privacy and legal policy pages weren't set in stone until February—a full month after the headset's preorder campaign began in earnest—so we certainly understand why some customers would have preferred having that information before making a purchase decision.
Otherwise, we hope Congressional leaders like Franken are mindful of the fact that what Oculus is doing here is incredibly typical—and if he wants to take legal action about privacy policies, and with whom a company shares its users' data, he's gonna need a bigger boat.