Summary
Virtual reality (VR) is an emerging technology that enables new applications but also introduces privacy risks. In this paper, we focus on Oculus VR (OVR), the leading platform in the VR space, and we provide the first comprehensive analysis of personal data exposed by OVR apps and the platform itself, from a combined networking and privacy policy perspective. We experimented with the Quest 2 headset, and we tested the most popular VR apps available on the official Oculus and the SideQuest app stores. We developed OVRSeen, a methodology and system for collecting, analyzing, and comparing network traffic and privacy policies on OVR. On the networking side, we captured and decrypted network traffic of VR apps, which was previously not possible on OVR, and we extracted data flows (defined as 〈app, data type, destination〉). We found that the OVR ecosystem (compared to the mobile and other app ecosystems) is more centralized, and driven by tracking and analytics, rather than by third-party advertising. We show that the data types exposed by VR apps include personally identifiable information (PII), device information that can be used for fingerprinting, and VR-specific data types. By comparing the data flows found in the network traffic with statements made in the apps’ privacy policies, we discovered that approximately 70% of OVR data flows were not properly disclosed. Furthermore, we provided additional context for these data flows, including the purpose, which we extracted from the privacy policies, and observed that 69% were sent for purposes unrelated to the core functionality of apps.
Papers and Presentations
- R. Trimananda, H. Le, H. Cui, J. T. Ho, A. Shuba, A. Markopoulou, “Auditing Network Traffic and Privacy Policies in Oculus VR”, arXiv preprint arXiv:2106.05407, Technical Report (extended paper). June 2021.
- R. Trimananda, H. Le, H. Cui, J. T. Ho, A. Shuba, A. Markopoulou, “OVRSeen: Auditing Network Traffic and Privacy Policies in Oculus VR”, Proceedings of the 31st USENIX Conference on Security Symposium (SEC) 2022. August 2022, Boston, USA.
- R. Trimananda, A. Markopoulou, “OVRSeen: Auditing Network Traffic and Privacy Policies in Oculus VR (extended abstract)”, 4th Annual Symposium on Applications of Contextual Integrity (PrivaCI), 2022.
- A. Markopoulou, R. Trimananda, H. Cui, “A CI-based Auditing Framework for Data Collection Practices”, position paper presented at the 4th Annual Symposium on Applications of Contextual Integrity (PrivaCI), New York, Sept. 2022. (slides)
- R. Trimananda, “OVRSeen: Auditing Network Traffic and Privacy Policies in Oculus VR”, presentation at FTC PrivacyCon 2022. November 2022, Virtual Event.
[ Paper | USENIX page | Release Page | Datasets | GitHub | Artifact Appendix | arXiv (extended version) | Extended abstract for PrivaCI | Position paper for PrivaCI (slides) | FTC PrivacyCon 2022 ]
Press
- Facebook’s Meta, tracking code, and the student financial aid website [The Register]
- Feds eye virtual reality as the next privacy and security battleground [README_]
Team
- Rahmadi Trimananda (UC Irvine)
- Hieu Le (UC Irvine)
- Hao Cui (UC Irvine)
- Janice Tran Ho (UC Irvine)
- Anastasia Shuba (Independent Researcher)
- Athina Markopoulou (UC Irvine)
Software and Datasets
- Please visit OVRseen GitHub page here.
- Please visit OVRseen datasets release page here.
Contact
If you have any questions about the paper, software, or dataset, please email properdata@uci.edu.