OVRseen: Auditing Network Traffic and Privacy Policies in Oculus VR

Summary

Virtual reality (VR) is an emerging technology that enables new applications but also introduces privacy risks. In this paper, we focus on Oculus VR (OVR), the leading platform in the VR space, and we provide the first comprehensive analysis of personal data exposed by OVR apps and the platform itself, from a combined networking and privacy policy perspective. We experimented with the Quest 2 headset, and we tested the most popular VR apps available on the official Oculus and the SideQuest app stores. We developed OVRSeen, a methodology and system for collecting, analyzing, and comparing network traffic and privacy policies on OVR. On the networking side, we captured and decrypted network traffic of VR apps, which was previously not possible on OVR, and we extracted data flows (defined as ⟨app, data type, destination⟩). We found that the OVR ecosystem (compared to the mobile and other app ecosystems) is more centralized, and driven by tracking and analytics, rather than by third-party advertising. We show that the data types exposed by VR apps include personally identifiable information (PII), device information that can be used for fingerprinting, and VR-specific data types. By comparing the data flows found in the network traffic with statements made in the apps’ privacy policies, we discovered that approximately 70% of OVR data flows were not properly disclosed. Furthermore, we provided additional context for these data flows, including the purpose, which we extracted from the privacy policies, and observed that 69% were sent for purposes unrelated to the core functionality of apps.

Papers and Presentations

  • R. Trimananda, H. Le, H. Cui, J. T. Ho, A. Shuba, A. Markopoulou, “Auditing Network Traffic and Privacy Policies in Oculus VR”, arXiv preprint arXiv:2106.05407, Technical Report (extended paper). June 2021.
  • R. Trimananda, H. Le, H. Cui, J. T. Ho, A. Shuba, A. Markopoulou, “OVRSeen: Auditing Network Traffic and Privacy Policies in Oculus VR”, Proceedings of the 31st USENIX Conference on Security Symposium (SEC) 2022. August 2022, Boston, USA.
  • R. Trimananda, A. Markopoulou, “OVRSeen: Auditing Network Traffic and Privacy Policies in Oculus VR (extended abstract)”, 4th Annual Symposium on Applications of Contextual Integrity (PrivaCI), 2022.
  • A. Markopoulou, R. Trimananda, H. Cui, “A CI-based Auditing Framework for Data Collection Practices”, position paper presented at the 4th Annual Symposium on Applications of Contextual Integrity (PrivaCI), New York, Sept. 2022. (slides)
  • R. Trimananda, “OVRSeen: Auditing Network Traffic and Privacy Policies in Oculus VR”, presentation at FTC PrivacyCon 2022, November 2022, Virtual Event.

[ Paper | USENIX page | Release Page | Datasets | Github | Artifact Appendix | ArXiv (extended version) | Extended abstract for PrivaCI | Position paper for PrivaCI (slides) | FTC PrivacyCon 2022 ]

Contact

If you have any questions about the paper, software, or dataset, please email properdata@uci.edu.