Warning: *privacy not included with this product
Meta Quest 2
Meta's Quest 2 VR headset lets you play games inside the game or, as Mark Zuckerberg hopes you'll call it, the Metaverse. Immerse yourself in virtual reality as you climb tall mountains, battle bad guys, or have a lightsaber fight with Lord Vader. Just be careful to not get too carried away and break your walls or your neck. Be warned, Facebook still requires you to have a Facebook account to use the Meta Quest 2. And they can and probably will use that account to generate lots more data about you. That's just what Facebook does.
What could happen if something goes wrong?
Meta (you know, the company that used to be Facebook), has a very long history of betraying users' privacy and trust. They've faced record fines around the world for this and have been caught hiding data leaks from their users. In April 2021, it was reported the personal information of more than 500 million Facebook users was shared online in a massive data leak. Then there was the 2022 admission that over one million Facebook users’ login info may have been compromised due to malicious apps stealing data through the Facebook third-party login (hey, Meta/Facebook did announce this themselves, so, good for them). All this this coupled with with the Facebook whistleblower testimony in 2021 to the US Congress that outlined the harms Meta/Facebook causes and the dishonest way they approach dealing with these harms and Meta/Facebook appears to be one of most immoral companies we review in *Privacy Not Included.
This is the starting point for bringing a device that tracks the movement of your head and body and maps and collects a lot of data about you and your home environment. To use the device, you’re required to have a Meta account (Meta says they will no longer require a Facebook account to sign into this VR headset, but will require a Meta account, which is an account you can sign up for with your email address, or Facebook or Instagram account). It’s good that users are no longer required to have a Facebook account to use the Quest 2. Still, you’re gonna be sharing your data with a company with a horrible track record at protecting and respecting the data they do collect from this VR headset. And good luck figuring out which of the Meta/Facebook, Oculus, Supplemental Meta Platforms Technologies privacy policies applies to you when you use the Meta Quest 2. It’s pretty confusing trying to sort all that out. Which makes sense when you read that Meta/Facebook’s own engineers struggle to keep track of, control, and explain the use of all the data Meta/Facebook collects
So, the question comes down to, does Meta/Facebook have your best interests at heart when it collects all the data this device is capable of collecting? From Cambridge Analytica to where we are today, the answer to that question is a resounding NO. We're afraid these devices come with *Privacy Not Included.
One more note on Meta from a privacy researcher’s point of view. Trying to read through Meta's crazy network of privacy policies, privacy FAQs, privacy statements, privacy notices, and supplemental privacy documentation for their vast empire is a nightmare. There’s so many documents that link to other documents that link back even more documents that understanding and making sense of Meta's actual privacy practices feels almost impossible. We wonder if this is by design, to confuse us all so we just give up? Or, if maybe even Meta'’s own employees possibly don’t know and understand the vast network of privacy policies and documentation they have living all over the place? Regardless, this privacy researcher would love to see Meta do better when it comes to making their privacy policies accessible to the consumers they impact.
Tips to protect yourself
- Connect your VR headset to a secure WiFi network
- Set up an unlock pattern and secure your VR headset with an extra layer of security that you can use to prevent others from accessing your device or saved passwords.
- Sign up with an email to create your Meta account rather than login in with your Facebook or Instagram account
- Minimize the amount of data shared with your Facebook account
- Do not sign up with third-party accounts. Better just log in with email and strong password.
- Chose a strong password! You may use a password control tool like 1Password, KeePass etc
- Use your device privacy controls to limit access to your personal information via app (do not give access to your camera, microphone, images, location unless neccessary)
- Keep your app regularly updated
- Limit ad tracking via your device (eg on iPhone go to Privacy -> Advertising -> Limit ad tracking) and biggest ad networks (for Google, go to Google account and turn off ad personalization)
- Request your data be deleted once you stop using the app. Simply deleting an app from your device usually does not erase your personal data.
- When starting a sign-up, do not agree to tracking of your data if possible.
- Set up your Facebook account's privacy settings
What can be used to sign up?
Meta or Oculus account required. Facebook or Instagram log-ins available.
What data does the company collect?
Name, email address, and phone number
Contacts (optional, when you share content)
How does the company use this data?
How can you control your data?
What is the company’s known track record of protecting users’ data?
In September 2022, Meta was fined $405M for treatment of childrens' data on Instagram.
In October 2022, Meta Pixel was a cause of a data breach of sensitive healthcare data that hit 3 million patients at Advocate Aurora Health (AAH), a 26-hospital healthcare system in Wisconsin and Illinois.
In October 2022, Meta notified around 1 million users of potential compromise through malicious apps.
In August 2022, private and personal information of over 1.5 billion Facebook users were allegedly being sold on a popular hacking-related forum.
In March 2022, Meta received a $18.6M fine from the Data Protection Commision. The DPC found that Meta Platforms failed to have in place appropriate technical and organisational measures which would enable it to readily demonstrate the security measures that it implemented in practice to protect EU users’ data, in the context of the twelve personal data breaches. The decision followed an inquiry by the DPC into a series of twelve data breach notifications it received in the six month period between 7 June 2018 and 4 December 2018.
In October 2021, Facebook's WhatsApp was fined nearly $270 million by Irish authorities for not being transparent about how it uses data collected from people on the service.
In April 2021, it was reported that there was a personal data leak of about 533 million Facebook users from 106 countries, including over 32 million records on users in the US, 11 million on users in the UK, and 6 million on users in India. It included their phone numbers, Facebook IDs, full names, locations, birthdates, bios, and, in some cases, email addresses.
In August 2019, Bloomberg reported that Facebook hired contractors to transcribe audio messages users sent through Messenger and Facebook confirmed the report.
Child Privacy Information
Can this product be used offline?
User-friendly privacy information?
Detailed Privacy FAQ & settings are provided, however, there are a confusing number of privacy policies to consider.
Links to privacy information
Does this product meet our Minimum Security Standards?
Is this AI untrustworthy?
What kind of decisions does the AI make about you or for you?
Oculus Insight computes an accurate and real-time position for the headset and controllers every millisecond in order to translate your precise movements into VR.
Is the company transparent about how the AI works?
Does the user have control over the AI features?
Meta’s VR Headset Harvests Personal Data Right Off Your FaceWired
Facebook Doesn’t Know What It Does With Your Data, Or Where It Goes: Leaked DocumentMotherboard: Tech by Vice
Meta warns 1 million Facebook users their login info may have been compromisedThe Washington Post
Meta Faces Another Lawsuit Over Health Data Privacy PracticesHealthITSecurity
VR Tracking Facial Expressions May Be the Next Privacy Nightmare—Here's WhyLifewire
Facebook hit with antitrust probe for tying Oculus use to Facebook accountsTechCrunch
Will the Oculus Quest still require a Facebook account? It’s complicatedThe Verge
Facebook’s Oculus Quest will soon be called the Meta QuestThe Verge
Facebook Just Gave 1 Million Oculus Users A Reason To QuitForbes
Facebook’s virtual reality push is about data, not gamingThe Conversation
Oculus will sell you a Quest 2 headset that doesn't need Facebook for an extra $500PC Gamer
Facebook VP of VR recommends checking your account is in 'good standing' before buying a Quest 2Fraser Brown
Should You Trust Facebook With Oculus Quest 2 Privacy?Johnathan Jaehnig
Everything We Know About Facebook's Massive Security BreachLouise Matsakis and Issie Lapowsky
Got a comment? Let us hear it.