Virtual reality (VR) is an emerging technology that enables new applications but also introduces privacy risks. In this paper, we focus on Oculus VR (OVR), the leading platform in the VR space and we provide the first comprehensive analysis of personal data exposed by OVR apps and the platform itself, from a combined networking and privacy policy perspective. We experimented with the Quest 2 headset and tested the most popular VR apps available on the official Oculus and the SideQuest app stores. We developed OVRseen, a methodology and system for collecting, analyzing, and comparing network traffic and privacy policies on OVR. On the networking side, we captured and decrypted network traffic of VR apps, which was previously not possible on OVR, and we extracted data flows, defined as <app, data type, destination>. Compared to the mobile and other app ecosystems, we found OVR to be more centralized and driven by tracking and analytics, rather than by third-party advertising. We show that the data types exposed by VR apps include personally identifiable information (PII), device information that can be used for fingerprinting, and VR-specific data types. By comparing the data flows found in the network traffic with statements made in the apps' privacy policies, we found that approximately 70% of OVR data flows were not properly disclosed. Furthermore, we extracted additional context from the privacy policies, and we observed that 69% of the data flows were used for purposes unrelated to the core functionality of apps.

翻译：虚拟现实( VR) 是允许新应用的新兴技术, 但也引入了隐私风险。 在本文中, 我们侧重于 VR 空间的主要平台 Oculus VR (OVR), 我们从网络和隐私政策的角度, 首次全面分析VVR 应用程序和平台本身暴露的个人数据。 我们实验了 Quest 2 headet 并测试了官方 Oculus 和 SideQuest 应用程序中最受欢迎的 VR 应用程序。 我们开发了 OVR Seeen, 这是收集、分析、比较OVR 网络流量和隐私政策的一种方法和系统。 在网络方面, 我们捕获和解密了VR 应用程序的网络流量, 而以前在OVR 应用程序和平台本身的网络流量是不可能的。 与移动和其他应用程序生态系统相比, 我们发现 OVR 更加集中和驱动, 而不是通过第三方的广告。 我们显示 VR 应用程序所披露的数据类型类型和网络流中的数据类型类型包括了我们所使用的70种数据流( PII ) 。