We've seen it time and time again. That little speaker you trusted with your daily questions and routines ends up transmitting your personal information for employees to listen to on a whim. That security camera turns out to be a little less secure than initially thought. So it might be a little disconcerting to think that the Oculus Quest or Oculus Rift S you just picked up has between 4 and 5 cameras on the headset itself, watching your every move any time the headset is turned on. To make things worse, Oculus is owned and run by Facebook, a company that's come under fire for more than a few abuses of privacy and trust.
But let's be real about how the Oculus Rift S and the Oculus Quest are used. They aren't IoT devices. They aren't always-on, and they aren't always watching or always listening. These are headsets that are only active when you turn them on, and they likely only see a small portion of your home during any one given play session. The hardware itself isn't scary, and the operation of it isn't either.
What might be more alarming for some folks is the way each unit saves a known play space for later use. Original generation consumer-level VR headsets, like the original Oculus Rift and the HTC Vive, utilize a set of external sensors that are usually physically mounted to the wall and never move. This requires no storage of any kind of visual data for the room and only saves a geometric virtual play space that's sized proportionately to your physical room.
The Oculus Rift S and Oculus Quest both use a relatively new tracking system known as inside-out tracking. This was first popularized on Windows Mixed Reality headsets and has matured significantly over the past two years. But it still stands to reason that the play space has to be mapped and saved somewhere, otherwise you would have to reconfigure it every time you put the headset on.
UploadVR received some correspondence from Facebook specifically about the usage of this data and where it's stored, and the response was mostly reassuring. In a nutshell, Facebook says "we don't collect and store images or 3D maps of your environment on our servers today". Both the Quest and the Rift S do store map data, but it's only locally accessible and, in the Rift S's case, can be deleted from the directory that's it's stored in on your computer.
There are a few ways this data can be shared though, but they're mostly in the form of bug reports. When reporting a bug, the option to share "pass-through data" will be made available when it pertains to the bug being reported. Users can also choose to livestream their pass-through data, but this is a different method of transmitting that mapped data since it's not any kind of digitally accessible map, rather it's just a visual reference on your livestream.
The only worrisome part of Facebook's statement at this time is the use of the word "today." This implies that there could be cases in the future where this data may be shared but, legally, Facebook will be required to update the terms of service before such a change can be made. Privacy advocates regularly site issues with the idea of a "terms of service (ToS)" agreement because they are generally too long, have too much legalese, and users typically do not read them in their entirety.
What's the best protection going forward? Make sure your privacy settings are right. They work just like Facebook's and can be found on the Oculus website. Also, be sure to pay attention when a ToS update appears, and ask questions if anything seemingly nefarious ever pops up as well. A vigilant community is the best defense in any privacy or security matter, and this one is no different.