Facebook To Slurp Oculus Rift Users’ Every Move

The web is abuzz with the news that the Facebook-owned Oculus Rift has buried in its terms of service a clause allowing the social media giant access to the “physical movements and dimensions” of its users. This is likely to be used for the purposes of directing advertising to those users and, most importantly for the advertisers, measuring the degree of interaction between user and advert. It’s a dream come true for the advertising business: instead of relying on eye-tracking or other engagement studies on limited subsets of users, they can take these metrics from their entire user base and hone their offering on an even more targeted basis for peak interaction to maximize their revenue.

Hardly a surprise you might say, given that Facebook is no stranger to criticism on privacy matters. It does however represent a hitherto unseen level of intrusion into a user’s personal space, even to guess the nature of their activities from their movements, and this opens up fresh potential for nefarious uses of the data.

Fortunately for us there is a choice, even if our community doesn’t circumvent the data-slurping powers of their headsets; a rash of other virtual reality products are in the offing at the moment from Samsung, HTC, and Sony among others, and of course there is Google’s budget offering. Sadly, though, it is likely that privacy concerns will not touch the non-tech-savvy end-user, so competition alone will not stop the relentless desire of big business to get this close to you. Instead vigilance is the key: to spot such attempts when they make their way into the small print, and to shine a light on them even when the organisations in question would prefer that they remained incognito.

Oculus Rift development kit 2 image: By Ats Kurvet – Own work, CC BY-SA 4.0, via Wikimedia Commons.

70 thoughts on “Facebook To Slurp Oculus Rift Users’ Every Move”

  1. Before everybody loses their minds over this, the data packets have been analyzed over on /r/oculus.
    It’s a small (1-5Kb) packet every 5 seconds or so. Hardly enough for anything terribly nefarious. Most likely, a simple, “Hey, I’m alive” heartbeat type of packet.

    It’s also important to note that Steam, iTunes, and most other popular consumer software have equally invasive EULA terms. There’s nothing new or evil going on here, no matter how much the media wants to sensationalize it.

    1. you mean, it’s JUST as evil as all the other companies and products you listed?

      does not make them saints. the fact that they act as evil as others does not give them validity or an excuse!

      glad I know about this; I will steer clear of the whole mess and never give it a 2nd look.

      1. Actually it’s okay because other companies have been shown not to do it. EULAs are boilerplate written by lawyers who cover every possible avenue. If companies did half the things they entitle themselves to in the EULAs then society as a whole would have crumbled by now.

    2. I’m inclined to agree. If Facebook hadn’t purchased them, the TOS would probably be the same, and nobody would care, because it’s similar to XBL, PSN, Steam, et al. For example, I just googled “PSN TOS” and found this bit:

      “Automatic Information Collection

      We may also automatically or passively collect information about your use of the SIENA Network
      In addition, the SIENA Network may use a variety of other hardware or software specific technologies that automatically collect information.”

      Source https://www.playstationnetwork.com/privacy-policy/

    3. 1-5 kB every 5 seconds is 17 – 86 MB per day, sent in the background of course.

      “Hey, I’m alive” packets containing encrypted “hot” data from local disk – no problem.
      What else could be inside those packets?

        1. Every *5 seconds*?? Once an hour is more than plenty for updates. They’d better have some good servers to handle all those mega-pings. Still doesn’t seem right though.

          Imagine the DDOS you could implement, re-routing a few of those “pings”.

          1. You don’t think Facebook, a company that handles 1.04 billion users per day doing wonderful things like loading pictures, watching videos, and sending messages way larger than 1kb in size can handle a few VR headsets sending data every 5 seconds?

            Also you have a very 1990s view of what pings are needed to take down a site. Back of the envelope calculation shows my home server with my home cable modem could handle some 114000 of these devices, assuming they are always on for 24 hours. I think you’ll find Facebook has more resources than I do.

    4. That is enough to biometrically identify the user. It should be a fantastic law enforcement tool that allows the locations of people to be determined the moment they interact with a VR device. Cross referencing the data with movement data extracted from surveillance video should allow an AI system to match individuals to devices, locations and, through the rest of the data facebook has, to networks of association.

      My inner fascist megalomaniac is totally ecstatic!

      (Oh boy I hope you guys appreciate irony…)

      1. Most people are not aware of the decade or so of modern research put into identifying individuals based on ‘side channel’ data.

        Try explaining it to a layperson and they quickly conclude you are insane.

        1. Here’s a good argument against those telling you you’re a conspiracy theorist because of being concerned about something very unlikely and unusual but still possible: “that is the same response I would get if I overheard one of the terrorists about 9/11 one day before the attacks and was going to tell everyone”.

    5. ‘It’s important to point out that lots of places have prisons, so there’s nothing sinister about CIA black sites…’

      Thanks for your input facebook representative.

  2. Ever since this article surfaced, lawyers have come out and said that terms like these are pretty much required nowadays to operate a social platform without being sued out of existence by your users. Go copyright laws. Just uploading a profile picture that can be viewed by people in your friends list means that they need a license to redistribute derivative works (they might have compressed or resized the image).

    1. What a psychopathic perspective.

      Could they also reasonably argue that they have to identify and drive certain users to suicide to prevent being sued?

      What does “prevent being sued” mean? Does it mean getting away with something that is wrong? Or does it mean preventing people from having access to justice?

      I see a lot of the “prevention of access to justice” nowadays. It doesn’t matter if you love or hate the court systems, the fact remains that they provide a civilized means to resolve differences. In the absence of access to justice via the courts, people just find alternate means to resolve their differences and most often these are NOT civilized means.

          1. So is it normal to check every 5 minutes for an update, couldn’t you check every time you fire up your Oculus or I don’t know? Checking every 5 minutes seems really too much. And for what? It’s a gaming device and you don’t want to get disturbed by an update in the middle of a game.

            Or it could be a way to test the public reaction to the constant report of data. Once it is accepted, they will slightly change this “ping” to be more informative for them ;)

        1. Thanks to the US. Where written things claim victory over common sense. And thus you create a need to cover your ass in every way possible. Or else some asshole might sue you over the fact that your website resized your uploaded photo and win millions.

    1. Would you say the same about the PS4, Xbone or iPhone hardware? “I’m not forced to use their software” 99.999% of the people who buy the hardware will use the software provided. And if the hardware is locked down with enough cryptography most will have no option to use their own software.

  3. “Based on your porn viewing habits, preferred body types, age ranges and likes here are two females that would be good friends and mating partners and match your sex drive and personality. We’ve simulated a picture for you to consider.”

    “FINALLY Facebook isn’t an utter piece of sh1t.” Yeah, fuq off Facebook.

        1. “We at Facebook and the executive staff that have paid off ALL their taxes…cater to many demographics and want to ensure we can cater to any interests. Stephanie Meyers here is a product to help you for you! Those twin vampire waif bois aren’t going to handle themselves! In the meantime we have identified you’ll love Subway’s NEW 2 foot long Italian Sausage and Mega Meatball Sandwich!”

  4. It is my opinion that when something like this is legal, it’s not an indicator of the validity of the subject, but rather a question on the legal system and its methods to determine just and unjust. I find it rather disturbing that we even have to tell Facebook not to do something like this; it should be implied from the fact that they are human that this is not an acceptable use of hardware.

    1. Facebook isn’t human. It’s a corporation. Nothing matters but the almighty dollar, and you can bet that the revenue they get from advertisers for harvesting this data will outweigh any feelings of remorse the executives feel.

      Those bonus cheques are probably pretty large.

      1. It is made up of people that (presumably) have a conscience, and even if they don’t, the government should make that practice illegal. Though, you’re right, people serve their own short-term interests on most levels of the government and corporation.

  5. Most people though don’t really give a rat about privacy – hell they willingly divulge everything in their life on faecesbook so what’s a bit of extra data collection.

          1. Yup, I see three animated GIFs. Might be they needed a while for somebody to check the links were OK, so you didn’t see them when you posted.

      1. Okay, I took off the https:// (no, changing it to http:// above did not work either). Now you get the URL but it is neither embedded nor clickable. Are there some formatting tags I need to use? If so, where are they documented? Anyway, that URL is worth a copy/paste into your web browser address bar…

  6. what about the OSVR headset, that is “open-source” and very hackable? the quality is better than the DK2 and no spying occurs with their open-source multiplatform software stack that lets you plug any peripheral you can imagine?

  7. If I ever get a VR headset, it will be firewalled from the net to hell and back. It doesn’t need to access the internet to show me 3D renderings. And if it does, I’m not buying it. Simples (and non-negotiable).

  8. I am surprised that people are harping on the Facebook telemetry so much (even though it is important that it gets exposed). I suspect that most of the data being transmitted is related to the Oculus store and the “social” functionality – checking for notifications, friends requests and such.

    However, did you read the Oculus privacy policy? It contains this gem (after prompting you to put in your credit card during install):

    6. Security
    Please note that no data transmission or storage can be guaranteed to be
    100% secure. As a result, while we strive to protect the information we
    maintain, we cannot guarantee or warrant the security of any
    information you disclose or transmit to our Services and cannot be
    responsible for the theft, destruction, or inadvertent disclosure of

    In other words, if we get hacked because of our incompetence or negligence and your data get stolen and abused, too bad for you. Someone didn’t learn from the backlash Vtech got recently when they tried to disclaim responsibility in a similar way in their EULA – after getting hacked and having data on 6 million kids stolen …

    1. That’s the biggest shame. They force us to accept anything but they don’t want to be responsible if their data get stolen. They usually just apologize when this happens. I say they should give money: our information is sold to advertising companies so if the data used to make this money is stolen, we should at least have one symbolic dollar as an apology.

  9. Having not read up on most of the stuff, what is to stop you from just throwing a line in your hosts file or DNS like ‘::1 occystats.facebook.com’ or wherever it sends its data?

  10. A thing to consider. How many Hackaday readers would this affect. Honestly who here isn’t going to hack, root, jailbreak, etc. (whatever the new term will be for it) this thing a few minutes or days after purchase?
