Blog

You are here: Home » Blog » Uncategorised » Thoughts on Facebook/Oculus Accounts
23rd September 2020
23 Sep 2020

Thoughts on Facebook/Oculus Accounts

I turned this into a post because it covers many discussions I’ve had in different forums.

 

So Facebook Oculus have a new policy about use of Facebook accounts to enable new devices or for new users after October. Its new Quest 2 devices will need a Facebook account. We have lots of Quests in the lab and have used them extensively for teaching over the past year. They are really great devices with impressive capabilities packed into a very usable package.

 

Facebook urgently needs a better solution for researchers and educators going forward. 

 

I can’t see that we can make significant use of Quest 2 in our labs in the future. Yes, we will buy devices. Yes we will probably do lots of demos of them. But we will not be able to use them as the default device in teaching. It also seems that we can no longer run some of our experiments on them because we can’t guarantee to satisfy GDPR requirements.

Further, their timing of changes is absolutely awful as teaching and research programmes are set months in advance. Christmas may be coming, the Quest 2 may have to go out with Facebook accounts, but now I have to rethink the coursework for my VR module that I was going to start in 3 weeks. I expect a lot of my colleagues are also having to rethink what they were going to do.

The issues in increasing order of difficulty:

 

1) Content and history

 

We have lots of Oculus devices from DK1 onwards. We have bought lots of content. This is spread around various “lab” oculus accounts, because, you know, they weren’t always owned by Facebook. These oculus accounts now need to be given to “people” so the content can be migrated. It’s a minor issue but the idea that there is one person for one device, is really not a good match to how a lab or teaching facility works. Who should get the content? (Are there tax implications?)

Further questions:

  • Can I log into multiple devices with the same account and run content on both? I can do this now, but it surely doesn’t fit with the personal profile model.
  • If I log into multiple devices, what does the logging do?
  • Will I be able to transfer content between accounts, because what happens if someone leaves or we lose access to their Facebook account?

Perhaps we should have bought corporate devices, but they haven’t always been around, the programme has requirements that I don’t think the university can match, it is really expensive for a university and there is no store, so we can’t buy Rez Infinite. Whoever does their sales in the UK hasn’t been keen to talk to me in the past.

Apparently our old devices will keep working for a couple more years, but we can’t demo content we already own on new devices without facing this issue. This is a shame because one of the main things our lab has done over the years (20+ years) is act as a place people in the university and in the broader community can come to experience current VR technologies. We have demonstrated to 1000s of people.

 

2) Facebook identities

Why don’t I just link my oculus account to my Facebook account? (Can I link more than one?) I do have a Facebook account, but like many people I don’t use it for work at all, just family and friends from outside work (sorry to those colleagues I have been ignoring for >10 years). I personally don’t want to connect my Facebook and Oculus identities. 

That is not the big issue though: I probably can’t require students to have Facebook identities in order to work in the labs.

Perhaps legally I might be able to do this. I am not sure, and that is the main problem: I don’t have the time to ask and find out in 3 weeks. My university  has bigger problems to deal with, such as how to make sure that our online teaching functions. Earlier in the year we were advised to not use teaching tools that use external sign-ups. For example, there were a few discussions about whether we could use Zoom before we got a university-wide account.

The problems are:

  • Students might have Facebook accounts, but rightly don’t want to share their details with anyone at the university. I can probably do coursework without having to know their identities, but we are going to do our VR coursework “networked-first”, so we need some thought there. When it gets into supporting the students, TAs might have to find their identities, etc.
  • Students might not want or be able to create Facebook accounts. There are various reasons here, but the obvious one is that they are Chinese students and are currently based in China because of Covid-19 travel restrictions.
  • Students might just be concerned about data gathering.
  • Students might have accounts in a name that they can’t validate if challenged. E.G. they use a nickname or alternate identity. We don’t want to trigger anything that might cause a validation or query (see below the recent change about needing telephone number or credit card for developer access)
  • Facebook maintains the accounts. What if Facebook decides to suspend an account just before a deadline? We have no power here to intervene.

 

3) Security

I have a whole bunch of questions about security on shared devices. Here is just one to get started:

  • What if a student or staff member forgets to log out of a device?

There isn’t much security on Quests right now. I use an Oculus not a Facebook account, but presumably there are interactions that I can push through apps into the wider Facebook system if I had logged in with my Facebook account.

Perhaps someone’s account is going to get polluted with lots of irrelevant and non-characteristic information from multiple people that we show demos to. There is a minor risk to that, obfuscated by the fact that we don’t keep records of who does demos which leads to the elephant in the room, GDPR.

4)  General Data Protection Regulation (GDPR)

Once you start touching upon the issues in GDPR you enter a world of complexity that even UCL (which is sophisticated in these matters) hasn’t quite resolved:

  • Can I have a participant do an experiment in the lab on an Oculus Quest 2 logged into someone else’s Facebook account? The person with the Facebook account signed up to some data privacy agreement. The participant signed up with us and we only collect data that is allowed under a data protection agreement agreed with the college prior to getting ethics permission. What data is Facebook actually going to collect? 
  • How can we run certain types of distributed experiments out of the lab?

In our lab, this isn’t really an issue as we commonly don’t use Quests for experiments. However, we are trying to run more experiments out of the lab both because of current Covid-19 conditions, but also to gather more representative samples and increase the number of participants in our studies (join the Distributed-VR3DUI Slack to discuss)

In the lab, we should note that the risks are extremely small. It is standard practice for us not to have devices online during experiments just in case they decide to background download or even install something. But if we were online, e.g. we wanted to do something multi-user, Facebook might also gather data and that might not be allowed under GDPR. To some extent we have ignored some of the implications of this; indeed much of the HCI field has, as the same concerns would apply over, say, experiments run on smartphones. Again, the risks are tiny as we usually don’t keep any personally identifiable information for our experiments and the data would be properly anonymous, but we’ve got to that through years of experience in running experiments and refining our data collection process to minimize risks. 

Hence, Facebook really needs to support researchers by having devices, or policies that ensure we can use the devices without risks or ambiguities. Especially in an EU context. 

For example, a really simple mitigation would be confirming that developer accounts can be created that aren’t associated with specific people. Perhaps there would need to be a process to apply for these? There is a separate issue about the move to having all developers confirm a telephone or credit card, but I haven’t thought that through other than I can see that it may make someone more reluctant as it ties more information to their Facebook account.

Maybe I should just get a corporate account, but I expect that even if I had the money, it could take weeks or months to get the legalities sorted as I would need central contracts support from the university – I am not an authorised purchaser of software and licenses for the university. 

 

Overall, for this term I am not too worried. We have enough Quests that I can give each student group a Quest logged in with one of our lab oculus accounts. My experience is that some students will buy their own Quest 2s anyway having considered the Facebook account issue. We also have a lot of Vives and other systems and laptops to lend out. However, for future iterations an alternative standalone VR platform or a better solution from Facebook would be highly desirable.

 

in Uncategorised /by /#permalink