Meta says eye tracking just makes VR work better, but their own executive admitted it could measure whether you look at ads. The companion app includes Meta's advertising toolkit. Your eye movements — what catches your attention, how long you look at things — could feed the same ad-targeting system as Facebook and Instagram. Meta markets the Quest 3 as privacy-focused, but they're currently under a $5 billion government penalty for lying about privacy — and got caught violating that agreement. When a company fined billions for privacy violations says their new product with cameras, microphones, and eye trackers is "built with privacy in mind," their history suggests otherwise.
What they claim: Meta's Supplemental Privacy Policy states eye tracking data is used to "improve image quality" and "help you interact with virtual content." The Eye Tracking Privacy Notice says raw image data of eyes "is not shared with apps." Meta positions these sensors as functional features for the VR experience.
What we found: The companion app (com.oculus.twilight) embeds Meta Audience Network — Meta's advertising SDK — alongside Facebook Analytics. Meta's head of global affairs Nick Clegg confirmed to the Financial Times that eye tracking data could be used "to understand whether people engage with an advertisement." The policy language "personalise your experiences and improve Meta Quest" is standard industry phrasing for ad targeting. Eye tracking reveals what captures attention, cognitive load, and emotional responses — precisely the data an advertising platform needs.
What they claim: Meta's Quest Pro Privacy blog post states the device is "built with privacy in mind" and that "eye tracking and Natural Facial Expressions are off by default." The Supplemental Privacy Policy frames data collection as necessary for device functionality.
What we found: Meta is operating under a $5 billion FTC consent decree (2020) for privacy violations. In 2023, the FTC found Meta failed to comply with the order, including misrepresenting data access given to app developers. A federal judge ruled the FTC can impose tougher restrictions. Separately, the PIRG Education Fund report found Quest headsets collect "far more data than traditional consumer electronics" and that room mapping can reveal socioeconomic information. Meta's track record directly contradicts their "built with privacy in mind" marketing.
What they claim: Meta's privacy settings page states "You cannot enable the eye tracking, fit adjustment or Natural Facial Expressions feature for your child's Meta account." Meta positions itself as protecting children on the platform.
What we found: Fairplay filed an FTC complaint (2025) alleging researchers heard voices of children under 13 in nearly every Horizon Worlds game and experience visited from July 2024 to April 2025. Children are using Quest headsets and being exposed to the full sensor suite (cameras, microphones, spatial mapping) without COPPA-compliant age verification or parental consent. The gap between "we disable eye tracking for child accounts" and "children under 13 are everywhere on the platform without child accounts" is a critical policy failure.
What they claim: The Meta Horizon companion app requests RECORD_AUDIO permission on the user's phone. The Quest 3 headset itself has built-in microphones for voice commands and spatial audio.
What we found: The Fairplay FTC complaint documented children under 13 using Horizon Worlds without proper accounts, meaning their voice data is captured by both the headset microphones and potentially the companion app's RECORD_AUDIO permission. Voice data from minors is among the most sensitive categories under COPPA. Combined with the headset's eye tracking and spatial mapping, Meta is collecting biometric data from children without COPPA-compliant parental consent — while operating under an FTC consent decree that specifically addresses data practices involving minors.
What they claim: The Quest 3 chipset (Snapdragon XR2 Gen 2) includes an NPU with 8x higher AI performance for on-device processing of sensor data. Meta's privacy blog states that eye tracking data is processed on-device and raw images aren't shared with apps.
What we found: CVE-2025-21479 is a critical vulnerability (CVSS 8.6) in the Adreno GPU driver affecting Quest 3 devices. It allows arbitrary kernel memory read/write and full privilege escalation from user-controlled buffers. CISA listed it as a Known Exploited Vulnerability with evidence of targeted exploitation in the wild. This means the "on-device processing" security boundary is compromised — an attacker exploiting this vulnerability could access all sensor data including raw eye tracking images, spatial maps, and microphone feeds that Meta claims are protected by on-device processing.
What they claim: Meta requires a Meta account (linked to Facebook/Instagram identity) to use the Quest 3. The Supplemental Privacy Policy covers data collection across Meta's "family of products."
What we found: The companion app includes Facebook Login, Facebook Analytics, Facebook Share, and Meta Audience Network trackers. The app requests GET_ACCOUNTS and AUTHENTICATE_ACCOUNTS permissions, confirming deep integration with Meta's identity system. This means VR sensor data (eye tracking, spatial mapping, body movement, voice) is linked to the same identity used across Facebook, Instagram, and WhatsApp — enabling cross-platform profiling that combines social media behaviour with biometric and environmental data from VR.
What they claim: The University of Chicago "Inception Attacks" research (March 2024) demonstrated that Meta Quest headsets are vulnerable to man-in-the-room attacks where all user interactions can be recorded and modified.
What we found: The Quest 3's sensor suite includes multiple RGB and IR cameras, eye trackers, depth sensors, microphones, and accelerometers/gyroscopes — all processing through the Snapdragon XR2 Gen 2 with its known GPU vulnerability (CVE-2025-21479). The Inception attack deceived 26 of 27 test participants. Combined with the GPU privilege escalation vulnerability, the Quest 3's comprehensive sensor array becomes a potential surveillance toolkit: room cameras capture your environment, eye trackers reveal your attention, microphones record conversations, and motion sensors track your body — all potentially accessible to attackers through documented exploit chains.
What they claim: Meta's privacy policy states data is processed to provide and improve VR services. The Eye Tracking Privacy Notice says eye tracking is for "image quality" and "avatar animation." The privacy settings page describes spatial data as needed for mixed reality features.
What we found: Firmware analysis reveals hardcoded endpoints including graph.facebook.com, mqtt-mini.facebook.com, edge-mqtt.facebook.com, and star.c10r.facebook.com — all Facebook social media infrastructure, not VR-specific services. The MQTT endpoints indicate persistent real-time messaging connections to Facebook's backend. The device also connects to analytics.oculus.com and crashlyticsreports-pa.googleapis.com. This network architecture routes VR sensor data through Facebook's social media and advertising infrastructure rather than isolated VR-only servers.
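One way to check the endpoint finding above on your own network is to group the headset's DNS lookups by parent domain. This is an added example, not code from the original report; it assumes a resolver that writes dnsmasq `log-queries` lines, and the log lines and the headset address 192.168.1.50 are constructed.

```python
import re
from collections import Counter, defaultdict

# Parent domains of the hostnames listed in the finding above.
SUFFIX_GROUPS = {
    "facebook.com": "facebook-infrastructure",
    "oculus.com": "oculus",
    "googleapis.com": "google",
}
# dnsmasq log-queries line: "... query[A] <host> from <client-ip>"
QUERY_RE = re.compile(r"query\[[A-Z0-9]+\]\s+(?P<host>\S+)\s+from\s+(?P<client>\S+)")

def classify(host):
    """Map a hostname to a group by matching whole DNS labels, not substrings."""
    host = host.rstrip(".").lower()
    for suffix, group in SUFFIX_GROUPS.items():
        if host == suffix or host.endswith("." + suffix):
            return group
    return "other"

def summarize(log_text, client_ip):
    """Count queries per group and hostname for one client (the headset)."""
    groups = defaultdict(Counter)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m or m.group("client") != client_ip:
            continue
        host = m.group("host").rstrip(".").lower()
        groups[classify(host)][host] += 1
    return {g: dict(c) for g, c in groups.items()}

def mqtt_hosts(summary):
    """Hostnames with 'mqtt' in a label, i.e. the persistent messaging endpoints."""
    return sorted(h for hosts in summary.values() for h in hosts
                  if any("mqtt" in label for label in h.split(".")))

# Constructed sample log; 192.168.1.50 is the assumed headset address.
SAMPLE_LOG = """\
Jan  5 10:00:01 dnsmasq[412]: query[A] graph.facebook.com from 192.168.1.50
Jan  5 10:00:01 dnsmasq[412]: query[AAAA] graph.facebook.com from 192.168.1.50
Jan  5 10:00:02 dnsmasq[412]: query[A] edge-mqtt.facebook.com from 192.168.1.50
Jan  5 10:00:04 dnsmasq[412]: query[A] analytics.oculus.com from 192.168.1.50
Jan  5 10:00:05 dnsmasq[412]: query[A] crashlyticsreports-pa.googleapis.com from 192.168.1.50
Jan  5 10:00:06 dnsmasq[412]: query[A] notfacebook.com from 192.168.1.50
Jan  5 10:00:07 dnsmasq[412]: query[A] graph.facebook.com from 192.168.1.77
"""
if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, "192.168.1.50"))
```

DNS logs show which hosts the headset resolves, not what it sends to them; confirming payload contents needs a separate traffic capture.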
What they claim: The Meta Quest 3 is marketed as a VR gaming and entertainment headset. Core functionality requires motion tracking, display rendering, and audio.
What we found: The companion app requests 25 permissions including ACCESS_FINE_LOCATION, ACCESS_COARSE_LOCATION, READ_CALENDAR, WRITE_CALENDAR, GET_ACCOUNTS, AUTHENTICATE_ACCOUNTS, and QUERY_ALL_PACKAGES. A VR headset companion app has no functional need to read or write calendar entries, query all installed packages on the phone, or access precise GPS location. The QUERY_ALL_PACKAGES permission reveals every app on the user's phone — a data point for profiling. Combined with the headset's own spatial mapping, Meta can build a profile spanning physical room layout, phone app usage, calendar schedule, and GPS location.
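The permission finding above can be reproduced from a decoded `AndroidManifest.xml` by listing what the app declares and grouping the permissions the text calls out by the kind of profile data they expose. This is an added example, not code from the original report; the manifest is constructed, uses the placeholder package `com.example.companion`, and contains only a subset of the permissions named above.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."

# Permissions the text above says a headset companion app has no functional
# need for, mapped to the profile dimension each one exposes (labels assumed).
NO_FUNCTIONAL_NEED = {
    "ACCESS_FINE_LOCATION": "gps-location",
    "READ_CALENDAR": "calendar-schedule",
    "WRITE_CALENDAR": "calendar-schedule",
    "QUERY_ALL_PACKAGES": "installed-apps",
}

def requested_permissions(manifest_xml):
    """Return the short names of all platform permissions a manifest declares."""
    root = ET.fromstring(manifest_xml)
    names = set()
    # uses-permission-sdk-23 declares a permission only on API 23 and later.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name", "")
            if name.startswith(PREFIX):
                names.add(name[len(PREFIX):])
    return names

def audit(manifest_xml):
    """Group the flagged permissions by the profile dimension they feed."""
    exposure = {}
    for perm in sorted(requested_permissions(manifest_xml)):
        dimension = NO_FUNCTIONAL_NEED.get(perm)
        if dimension:
            exposure.setdefault(dimension, []).append(perm)
    return exposure

# Constructed manifest for illustration; not the real app's manifest.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.companion">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CALENDAR"/>
  <uses-permission android:name="android.permission.WRITE_CALENDAR"/>
  <uses-permission-sdk-23 android:name="android.permission.QUERY_ALL_PACKAGES"/>
</manifest>
"""
if __name__ == "__main__":
    print(audit(SAMPLE_MANIFEST))
```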
What they claim: Meta's privacy policy describes spatial data as needed for mixed reality features and gives users controls to manage spatial data sharing with apps.
What we found: The PIRG report found that VR room mapping captures dimensions, furniture placement, and environmental details that can reveal socioeconomic information. A cited study showed just minutes of VR movement data allowed researchers to infer geolocation, age, fitness level, and physical/mental disabilities. Meta's policy frames spatial data as a feature toggle, but the data is collected by default for the headset's tracking to function. Users cannot use mixed reality — the Quest 3's primary selling point — without generating detailed 3D maps of their home that Meta stores.