Sen. Al Franken (D-Minn.) wants to know how and with whom Oculus' virtual reality system Rift shares users' location data.
According to a copy of a letter to CEO Brendan Iribe dated Thursday (April 7), Franken calls immersive VR an exciting development, but what has him a bit exercised is "the extent to which Oculus may be collecting...sensitive location data" and other information.
Franken cites the company's privacy statement, which says that a user's physical movements and dimensions and location can be shared "with other companies that are within the family of related companies Oculus is a part of," and the statement's indication that de-identified data may be shared with others for any purpose, which clearly troubles Franken.
He says that while collecting and storing and sharing personal info may enhance the VR experience, he wants to make sure that information is protected.
He said he appreciated the specificity of the privacy statement, but said there were still questions about what it collects and who it shares it with for what purpose.
Franken, the ranking member of the Senate Privacy Committee has long been one of the Senate's loudest voices on privacy protection, including seeking info from Clear Channel earlier this year on info-collecting billboards, taking aim at so-called stalking apps, and seeking more info on the info-collection by Smart TVs.
Among the questions Franken wants answers to (by May 13) are:
1. "Oculus has stated that it automatically collects users' location information. Is this collection necessary for Oculus to provide services? Are there any other purposes for which Oculus collects this information? Does Oculus share this information with third parties, including its 'related companies,' for any other purpose than the provision of services?
2. "Oculus has indicated that it stores communications among Oculus users and any information associated with such communications. Is this retention necessary for the provision of services? And for how long will Oculus retain the data?
3. "Given that the data-sharing relationship between Oculus and its related companies is not readily apparent to Oculus' customers, in your view, which company is responsible for providing information about this relationship to consumers? Which company is responsible for providing security information to consumers?
4. "Oculus has indicated that it shares de-identified and aggregate data with others for any purpose. Does Oculus currently sell this information to third parties? Can you specify the purposes for which you’d share or sell such data
5. "Oculus s privacy statement provides the following with respect to information security: '[N]o data transmission or storage can be guaranteed to be 100% secure. As a result, while we strive to protect the information we maintain, we cannot guarantee or warrant the security of any information you disclose or transmit to our Services and cannot be responsible for the theft, destruction, or inadvertent disclosure of information.' What precautions does Oculus currently have in place to ensure the security of consumers' data?"