> "Certain data" about hand, body, and eye tracking
> Fitness-related information
> "Information about your physical environment and its dimensions"
> "Voice interactions"
That kind of data can 100% be matched back to a Facebook profile. There should be a legal definition of "anonymous data" so that companies like Facebook cannot have the opportunity to pretend they care about their users' privacy.
Considering that the legal definitions of "PII" exclude quite a lot of actual PII, I don't have any faith that a legal definition of "anonymous data" would be any more accurate.
Probably goes without saying, but Quest users are obliged to have a Facebook account. So that can't even be qualified with "if they have a Facebook account", the vast majority of users do.
As far as I know, the original workaround of using a developer registered account now requires an invite and it's hard to see that not quietly being dropped at some point and all users requiring a "real" account.
It's a shame looking in from the outside at how good the price point is for the hardware, but can't bring myself to get involved with Meta. Just about the only aspect of a user (they aren't even 'just a user' if they've spent hundreds on Quest and apps, they're a fully blown customer) they aren't collecting data on is their DNA.
From ~late 2022 onwards, Quest users were no longer obliged to have a Facebook account, but rather a (non social-media) 'Meta account'.
Not defending them. Merely anecdoting that, as one of that small minority who never cultivated a Facebook account, getting and using a Quest unit had no special or far-reaching implications for me or my private information.
Recital 26 of the GDPR has a quite good definition:
> To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.
Which of course relies on threat modelling as technology doesn’t stand still. However, it’s quite clear that if you can link the data in any way to an individual, it’s not anonymous.
I work in privacy and I’d even argue that collecting anonymous data is likely not possible unless using something like differential privacy. It’s more likely they are collecting personal data (because even your IP would link this data to you) and then anonymise it afterwards (i.e. store it without your IP address).
> I’d even argue that collecting anonymous data is likely not possible unless using something like differential privacy.
I think this is undeniably true.
Aside from differential privacy (which is pretty weak sauce itself), the only way there can be "anonymous data" about people is if that data is aggregated and only the aggregation is kept. The collected raw data must be deleted.
The problem with that is that there's no way to know if a company is actually doing that. All we have to go by is what they say, and I think a strong argument can be made that we shouldn't believe what companies say just because they say it. Especially if those companies are the likes of Facebook.
So, as things currently stand, "anonymous data collection" is a misnomer and any time I see a company asserting they're doing such a thing, I think that company is lying. Or, maybe worse, deluding themselves.
It's nuts how much these devices will be able to learn about us. User privacy will have to change if they can spatially map out your bedroom, your body and your movements.
Apparently people using old Oculus accounts are exempt. The strange thing here is the apparent lack of ability to opt out. It's pretty standard practice among data collection devices to at least have an option to turn it off, and since most people don't do so, it doesn't seem to have a large impact on analytics, but omitting an opt-out except if using an account type that can no longer be created seems like a great way to alienate power users.
I commented here just recently that I found the privacy options on the Quest to be fine as they were implemented, and here they go and immediately change the terms just at the moment when Apple came in and made the Quest look like a great value for people who want to get into XR but don't want to pay $4k.
I'm not certain that Ars is right here about there being no opt-out, and even they don't seem to be sure, but I hope they're mistaken.
In previous versions, the features that were disabled had to do mostly with disabling multiplayer coordination if you choose not to share precise location information, in other words, just the things that would need that data to function. My Quest is currently updating, so I'll see soon if there's really no opt-out, but I wouldn't expect any change in function for removing analytics if their past is any indication.
I don't see much difference in the current version, and the anonymized data that you can't opt out of seems mostly to do with crash reports. It's laid out in this article, and although I'd prefer a full off option, it's not any worse than Windows and does respect choices after updates.
Everyone basically went with that line and called it "good" when I still thought it "a disaster" and the only response that typically comes after that is "well then just don't use it!" when there's no real good other alternatives on the market.
1. Sell product without invasive feature
2. Wait for people to buy many of said product
3. Implement invasive feature
4. Force captive users to comply since they have no real choice but stop using the expensive product otherwise