cancel
Showing results for 
Search instead for 
Did you mean: 

Full Facebook & Messenger data accessible to friends/family using your Oculus 2...crazy.

terramex
Level 4
Full Facebook & Messenger data completely accessible via Oculus 2's browser or Messenger app -- think all of your (non-deleted) private conversations (text searchable), by anyone using your headset; all your likes, all your activity, all your groups, etc.

This is a crazy privacy / security concern; and there is no way to secure it or prevent it. I've only had an Oculus 2 for a day, and I'm fairly sure I'll be sending it back. Facebook is taking a step too far.


24 REPLIES 24

nalex66
Volunteer Moderator
Volunteer Moderator
In a couple weeks they're supposed to roll out the multi-user feature, which will mean that guest users can sign in with their own Facebook account rather than using your. Until then, maybe don't let other people use your Quest unsupervised, if you don't trust them?

i7 5820K @ 4.25GHz | EVGA GTX 1080 SC | Gigabyte GA-X99-UD4 | Corsair DDR4 3000 32GB | Corsair HX 750W
SSDs: Intel 660p M.2 2TB, 3x Samsung Evo 1TB | Startech PCIe 4x USB 3.0 | Startech PCIe 2x USB C 3.1 gen2

terramex
Level 4

nalex66 said:

In a couple weeks they're supposed to roll out the multi-user feature, which will mean that guest users can sign in with their own Facebook account rather than using your. Until then, maybe don't let other people use your Quest unsupervised, if you don't trust them?


Yeah, I am aware of this. However, it's still a massive blunder on Facebook's part. I bought a system for gaming knowing it would require my Facebook account to login; nowhere did it say the device would force an exposure of all of my Facebook activity and Messaging history and provide no way to prevent or block it. Nowhere did it say any user of the headset could sign in to any website as myself through my Facebook account. Insane.

Even after the update, I don't want people to have to log in and out in order to play a gaming device, just to secure some privacy. Where is the fun in that? Why would I pay for that? Privacy and basic cop-on should be the default here, not the opposite. I want to be able to allow a curious 12 year old (who is too young to have a Facebook account) use the headset without being able to read 15 years of my Messenger history. I want to be able to give my friends a go without them being able to see private conversations that could be about them! Etc., etc., etc.

What is Facebook thinking? I have a feeling this update is going to deliver an over-complicated solution, that will not solve the basic security problems.

If someone can pickup a gaming device, turn it on, and read private conversations of others, and there's no way to prevent it, something is seriously wrong. Sure, there's probably a way to secure it with a pincode, but unless that is at a Facebook account level (after the update), it's no good. Even if there is a per-account pincode solution, it's crap.

Couple this with the slow-as-hell phone app, I'm struggling to see why I shouldn't return this device today...

tampasonny
Level 2
After thinking about Facebook's decision to require a login I now stand in support of it.  Here's why:  this is a new vehicle of communication, not simply a gaming system.  Try to compare it to the emergence of cell phones ...smart phones today are very different from those in 1999.  Would you pass your cell phone to a friend or 12 yr old to play a game on it? Try this out on a buddy some time --- ask to play a game on their phone ..once you get it, close the game and open the picture album and see if your friend starts to sweat.  Same goes for sharing computers at home .. I assume your child cannot play under your microsoft or Google id used to log you in to the computer without exposing saved passwords to messenger and history of your browsing.

Facebook has invested a lot of money into this still emerging technology.  In 2016 I purchased a $3500 camera in order to make walkable home tours in 3d.  It was amazing then and that was having to use a phone attached to the headset that would overheat and Every scratch on your phone was magnified.

We have seen how facebook has been used by bad actors to carry out massive campaigns of misinformation along with the creation of hundreds of thousands of fake accounts used by bots.  The sole purpose of those bots was to plant themselves in the middle of conversations Americans were having and stir the pot ..in other words divide us by acting in outrageous ways that non anonymous people would not in order to encourage division in our democracy.  The number one way to harm a nation is not by use of weapons ...but manipulation into getting them to see each other as enemies and ultimately the government.  So....facebook has been held accountable and part of accountability is knowing who is actually on your platform.  Would you want 100s of Jeffrey Epstein's in anonymous profiles running around in virtual worlds that allow for real time interaction and a feeling of "presence" to be able to interact with your child? 

Before returning it, check out the non game activities like Venues...where in the lobby you can walk up to people and socialize.  There are many vr worlds being created and I'm sure some you can remain anonymous on.  But now the vr worlds are linking together, selling assets via cryptocurrency, building businesses using digital assets purchased with title held on blockchain (check out somniumspace) and much more.  In the case of VR and real life business, would you want to interact with 6 people who all had the name NickiMinaj1 in a shoe store? Or a doctor performing an operation on you named "bigdawg2".  By requiring logins using the newer vetted facebook requirements of first and last name etc, we can expect a safer experience in VR now and in the future.  You can Google some of the things that VR is used now for today other than games and this will only get bigger after 5g becomes the standard.  

Facebook is a social app that exploded in popularity for the reasons you prob use it today.  Transparency is not a bad thing ...it keeps those using these vehicles for communication accountable for their actions.  Experiment with the device and you may change your mind ...I don't work for Facebook ..but I've created business models and plans implementing this technology and understand the power that it has.  This technology is needed for a post-covid world and adds a lot of value compared to hundreds of zoom calls.

I totally understand your frustration but maybe this perspective helped! 

terramex
Level 4
I think you're missing the main gist of my point though. I don't specifically care about requiring a Facebook login, and I fully support the idea of not remaining anonymous in VR worlds (i.e., you're right, there's more to this than gaming and will be more so in the future). Even though Oculus is pitched as more of a gaming device, than pitched as an experience device, I accept your point.

But I do care about the simple fact that there is no way I can let some friends play Beat Saber, or hit a virtual ball around a virtual table tennis table, without also giving them access to 15+ years of my private Facebook data. Just think about that for a second. All I am expecting is the option -- at least when it comes to gaming -- and the option isn't there.


Howie_Doodat
Level 7
I use my headset almost daily (for almost half a year now) and didn’t even know I could go right into my Facebook via oculus. so unless your friend preplanned, did research, and is for some reason malicious, I don’t see how this would occur. 

terramex
Level 4
Well I only received the device yesterday and the Browser and Messenger app were pretty obvious to me. And with every update, you don't know what is going to change or where, and how it would be presented.

And my "friend" is fictitious and is used as an example. My point still stands. Security by obscurity is not security.

nalex66
Volunteer Moderator
Volunteer Moderator

terramex said:

I think you're missing the main gist of my point though. I don't specifically care about requiring a Facebook login, and I fully support the idea of not remaining anonymous in VR worlds (i.e., you're right, there's more to this than gaming and will be more so in the future). Even though Oculus is pitched as more of a gaming device, than pitched as an experience device, I accept your point.

But I do care about the simple fact that there is no way I can let some friends play Beat Saber, or hit a virtual ball around a virtual table tennis table, without also giving them access to 15+ years of my private Facebook data. Just think about that for a second. All I am expecting is the option -- at least when it comes to gaming -- and the option isn't there.


His phone analogy is right on target, though. Handing your personal VR headset to someone and letting them do whatever they want without supervision is akin to handing over your unlocked smartphone. Once they're in, they can probably get to your email, text messages, Facebook app, etc. without entering any passwords.

If you don't trust your guest user, you could screen-cast to your phone to keep an eye on what they're doing. If they exit the game and start nosing around in the browser, yank the headset off their head.

i7 5820K @ 4.25GHz | EVGA GTX 1080 SC | Gigabyte GA-X99-UD4 | Corsair DDR4 3000 32GB | Corsair HX 750W
SSDs: Intel 660p M.2 2TB, 3x Samsung Evo 1TB | Startech PCIe 4x USB 3.0 | Startech PCIe 2x USB C 3.1 gen2

terramex
Level 4
A phone has a number, unique to a person. It's more personal and they always have been. It's carried everywhere with them. It's also pretty obvious when buying a phone that, if someone else gets a hold of it, it's a privacy breach. Phones have a more serious function in someone's life.

This is an entertainment device. It isn't serious for the most part.

It isn't fair to compare a phone to the Oculus 2 as an excuse for Facebook's greed (let's face it, that's what it comes down to).

The Oculus 2 is a standalone device, that never leaves the house, running an operating system which until very recently didn't require a Facebook login. Now it does. And it exposes everything, with no option for security, or a pin code, or similar, to lock it down in way to prevent access to personal data, while still allowing other people to enjoy it. Even the Messenger app trickled in in an update, the other day, no option to not get it. Really?!

If I wanted to share a PC, I'd create a user for someone. Or log out of my browser. If I wanted to let someone in my house play Steam games, I'd give them my login. If I want to let someone play a PS4, they can. I don't need to worry that a private conversation pops up somewhere.

I'm not looking for half-solutions; that's missing the point. I know I can monitor people, or rely on chance and security by obscurity. I don't have anything to hide, but I should be able to have something to hide tomorrow, or in two years, and keep it hidden, if that's my choice. I should not have to worry about an entertainment device exposing private details. This is about the principal of it.

Richooal
Level 12
I haven't got a facebook log in, and never will, but from what I've read on here I was under the assumption that there was some kind of separation between facebook social media and OculusVR.
The way they've done it just makes no sense for the customers, it only assists facebook in data collection and it's use in revenue collection through advertising.

I've said all along that there should be an optional level of sign in.

Level 1 via an oculus device account which holds your purchased (or free) content that you can use without "social" access.

Level 2 via a facebook account allowing access to your content and access to the facebook "social" stuff.

If facebook make the "extras" good enough people will want to join.
I'm sure there would be enough sheep for them to make lots of money with an optional fb log in.
i5 6600k - GTX1060 - 8GB RAM - Rift CV1 + 3 Sensors - 1 minor problem
Dear Oculus, If it ain't broke, don't fix it, please.