Meta Quest 2

Warning: *Privacy Not Included with this product

Meta Quest 2

Meta
Wi-Fi Bluetooth

Review date: Nov. 9, 2022

|
|

Mozilla says

|
People voted: Very creepy

Meta's Quest 2 VR headset lets you play games inside the game or, as Mark Zuckerberg hopes you'll call it, the Metaverse. Immerse yourself in virtual reality as you climb tall mountains, battle bad guys, or have a lightsaber fight with Lord Vader. Just be careful to not get too carried away and break your walls or your neck. Be warned, Facebook still requires you to have a Facebook account to use the Meta Quest 2. And they can and probably will use that account to generate lots more data about you. That's just what Facebook does.

What could happen if something goes wrong?

Meta (you know, the company that used to be Facebook), has a very long history of betraying users' privacy and trust. They've faced record fines around the world for this and have been caught hiding data leaks from their users. In April 2021, it was reported the personal information of more than 500 million Facebook users was shared online in a massive data leak. Then there was the 2022 admission that over one million Facebook users’ login info may have been compromised due to malicious apps stealing data through the Facebook third-party login (hey, Meta/Facebook did announce this themselves, so, good for them). All this this coupled with with the Facebook whistleblower testimony in 2021 to the US Congress that outlined the harms Meta/Facebook causes and the dishonest way they approach dealing with these harms and Meta/Facebook appears to be one of most immoral companies we review in *Privacy Not Included.

This is the starting point for bringing a device that tracks the movement of your head and body and maps and collects a lot of data about you and your home environment. To use the device, you’re required to have a Meta account (Meta says they will no longer require a Facebook account to sign into this VR headset, but will require a Meta account, which is an account you can sign up for with your email address, or Facebook or Instagram account). It’s good that users are no longer required to have a Facebook account to use the Quest 2. Still, you’re gonna be sharing your data with a company with a horrible track record at protecting and respecting the data they do collect from this VR headset. And good luck figuring out which of the Meta/Facebook, Oculus, Supplemental Meta Platforms Technologies privacy policies applies to you when you use the Meta Quest 2. It’s pretty confusing trying to sort all that out. Which makes sense when you read that Meta/Facebook’s own engineers struggle to keep track of, control, and explain the use of all the data Meta/Facebook collects

So, the question comes down to, does Meta/Facebook have your best interests at heart when it collects all the data this device is capable of collecting? From Cambridge Analytica to where we are today, the answer to that question is a resounding NO. We're afraid these devices come with *Privacy Not Included.

One more note on Meta from a privacy researcher’s point of view. Trying to read through Meta's crazy network of privacy policies, privacy FAQs, privacy statements, privacy notices, and supplemental privacy documentation for their vast empire is a nightmare. There’s so many documents that link to other documents that link back even more documents that understanding and making sense of Meta's actual privacy practices feels almost impossible. We wonder if this is by design, to confuse us all so we just give up? Or, if maybe even Meta'’s own employees possibly don’t know and understand the vast network of privacy policies and documentation they have living all over the place? Regardless, this privacy researcher would love to see Meta do better when it comes to making their privacy policies accessible to the consumers they impact.

Tips to protect yourself

  • Connect your VR headset to a secure WiFi network
  • Set up an unlock pattern and secure your VR headset with an extra layer of security that you can use to prevent others from accessing your device or saved passwords.
  • Sign up with an email to create your Meta account rather than login in with your Facebook or Instagram account
  • Minimize the amount of data shared with your Facebook account
  • Do not sign up with third-party accounts. Better just log in with email and strong password.
  • Chose a strong password! You may use a password control tool like 1Password, KeePass etc
  • Use your device privacy controls to limit access to your personal information via app (do not give access to your camera, microphone, images, location unless neccessary)
  • Keep your app regularly updated
  • Limit ad tracking via your device (eg on iPhone go to Privacy -> Advertising -> Limit ad tracking) and biggest ad networks (for Google, go to Google account and turn off ad personalization)
  • Request your data be deleted once you stop using the app. Simply deleting an app from your device usually does not erase your personal data.
  • When starting a sign-up, do not agree to tracking of your data if possible.
  • Set up your Facebook account's privacy settings
  • mobile

Can it snoop on me? information

Camera

Device: Yes

App: No

Microphone

Device: Yes

App: No

Tracks location

Device: Yes

App: Yes

What can be used to sign up?

Meta or Oculus account required. Facebook or Instagram log-ins available.

What data does the company collect?

How does the company use this data?

We ding this product for combining data it has on users with data received from third-party advertisers and marketers.

Meta receives data on its users from "third parties incl. advertisers and third-party data providers who have the rights to provide us with your information", whether users have Facebook account or not:
"Advertisers, app developers, and publishers can send us information through Meta Business Tools they use, including our social plug-ins (such as the Like button), Facebook Login, our APIs and SDKs, or the Meta pixel. These partners provide information about your activities off of our Products—including information about your device, websites you visit, purchases you make, the ads you see, and how you use their services—whether or not you have an account or are logged into our Products. For example, a game developer could use our API to tell us what games you play, or a business could tell us about a purchase you made in its store. We also receive information about your online and offline actions and purchases from third-party data providers who have the rights to provide us with your information."

"We also receive information about you from partners and third parties, including:
Third-party apps
Developers
Other online content providers
Marketing partners

For example, in Meta Quest, we receive information from developers about your achievements in their app and about what features you can use in their app. To learn about how a third-party service processes or shares your information, please refer to their terms and privacy policies. "

Meta shares information with related companies. Meta/Facebook shares data with numerous third parties such as partners who use their analytics services, advertisers, measurement partners, partners offering goods and services in Facebook products, vendors and service providers, researchers and academics, law enforcement, and legal requests.

"When you use our voice services, we process:
- Audio recordings
- Transcripts
- Related data about your voice interactions such as the hardware version of your device and the length of the audio related to your interaction

We process this information to respond to your requests, provide the requested service to you, and depending on your settings, improve our voice services. Learn more.

Please note that third-party services may offer their own app voice experiences. When you use those services, information collected by these third-party services is subject to their own terms and privacy policies, not this policy. "

How can you control your data?

It is unclear if all users regardless of location can get their data be deleted.

"Under the GDPR, you have the right to access, rectify, port and erase your information, and object to or restrict certain processing of your information that we collect through Meta VR Products by visiting your Meta Quest Privacy Centre. You also have the right to object to and restrict certain processing of your data. This includes:

the right to object to our processing of your data for direct marketing; and

the right to object to our processing of your data where we are performing a task in the public interest or pursuing our legitimate interests or those of a third party. "

Meta's Quest VR headset stores data that identifies you until it is no longer necessary to provide MetaProducts or your Meta account is deleted, whichever comes first, unless retention of the data for a longer period is justified in order to comply with law or recordkeeping obligations, to respond to a legal request, prevent harm, or to improve Oculus safety, integrity and security features.

When you delete your account, Meta deletes things you have posted and information about apps and entitlements you have downloaded, and you will not be able to recover that information later. Information that others have shared about you is not part of your account and will not be deleted when you delete your account. To delete your account at any time, or to learn more about deleting your account, please visit the Privacy Center.

What is the company’s known track record of protecting users’ data?

Bad

In September 2022, Meta was fined $405M for treatment of childrens' data on Instagram.

In October 2022, Meta Pixel was a cause of a data breach of sensitive healthcare data that hit 3 million patients at Advocate Aurora Health (AAH), a 26-hospital healthcare system in Wisconsin and Illinois.

In October 2022, Meta notified around 1 million users of potential compromise through malicious apps.

In August 2022, private and personal information of over 1.5 billion Facebook users were allegedly being sold on a popular hacking-related forum.

In March 2022, Meta received a $18.6M fine from the Data Protection Commision. The DPC found that Meta Platforms failed to have in place appropriate technical and organisational measures which would enable it to readily demonstrate the security measures that it implemented in practice to protect EU users’ data, in the context of the twelve personal data breaches. The decision followed an inquiry by the DPC into a series of twelve data breach notifications it received in the six month period between 7 June 2018 and 4 December 2018.

In October 2021, Facebook's WhatsApp was fined nearly $270 million by Irish authorities for not being transparent about how it uses data collected from people on the service.

In April 2021, it was reported that there was a personal data leak of about 533 million Facebook users from 106 countries, including over 32 million records on users in the US, 11 million on users in the UK, and 6 million on users in India. It included their phone numbers, Facebook IDs, full names, locations, birthdates, bios, and, in some cases, email addresses.

In August 2019, Bloomberg reported that Facebook hired contractors to transcribe audio messages users sent through Messenger and Facebook confirmed the report.

Child Privacy Information

Facebook Child's Safety Centre provides an overview of Facebook Policies about children safety.

Can this product be used offline?

No

User-friendly privacy information?

No

Detailed Privacy FAQ & settings are provided, however, there are a confusing number of privacy policies to consider.

Links to privacy information

Does this product meet our Minimum Security Standards? information

Yes

Encryption

Yes

Strong password

Yes

Security updates

Yes

Manages vulnerabilities

Yes

Privacy policy

Yes

Does the product use AI? information

Yes

Is this AI untrustworthy?

Can’t Determine

What kind of decisions does the AI make about you or for you?

Oculus Insight computes an accurate and real-time position for the headset and controllers every millisecond in order to translate your precise movements into VR.

Is the company transparent about how the AI works?

Yes

Does the user have control over the AI features?

Yes

*Privacy Not Included

Dive Deeper

  • Meta’s VR Headset Harvests Personal Data Right Off Your Face
    Wired Link opens in a new tab
  • Facebook Doesn’t Know What It Does With Your Data, Or Where It Goes: Leaked Document
    Motherboard: Tech by Vice Link opens in a new tab
  • Meta warns 1 million Facebook users their login info may have been compromised
    The Washington Post Link opens in a new tab
  • Meta Faces Another Lawsuit Over Health Data Privacy Practices
    HealthITSecurity Link opens in a new tab
  • VR Tracking Facial Expressions May Be the Next Privacy Nightmare—Here's Why
    Lifewire Link opens in a new tab
  • Facebook hit with antitrust probe for tying Oculus use to Facebook accounts
    TechCrunch Link opens in a new tab
  • Will the Oculus Quest still require a Facebook account? It’s complicated
    The Verge Link opens in a new tab
  • Facebook’s Oculus Quest will soon be called the Meta Quest
    The Verge Link opens in a new tab
  • Facebook Just Gave 1 Million Oculus Users A Reason To Quit
    Forbes Link opens in a new tab
  • Facebook’s virtual reality push is about data, not gaming
    The Conversation Link opens in a new tab
  • Oculus will sell you a Quest 2 headset that doesn't need Facebook for an extra $500
    PC Gamer Link opens in a new tab
  • Facebook VP of VR recommends checking your account is in 'good standing' before buying a Quest 2
    Fraser Brown Link opens in a new tab
  • Should You Trust Facebook With Oculus Quest 2 Privacy?
    Johnathan Jaehnig Link opens in a new tab
  • Everything We Know About Facebook's Massive Security Breach
    Louise Matsakis and Issie Lapowsky Link opens in a new tab

Comments

Got a comment? Let us hear it.