This section presents five hypothetical scenarios where XR is being used for instructional purposes along with commentary and specific risk mitigation recommendations. We encourage readers to attempt to identify issues as they review these scenarios and consider how the events described might unfold differently at their institutions and whether our recommendations should be modified to better reflect institutional differences.

A faculty member purchases a set of VR headsets and is interested in using them synchronously with students in their course weekly and on an ongoing basis. The faculty member has access and/or has developed a virtual space on a publicly available third-party platform to run weekly meetings. Students in the course are asked to create accounts to enter the virtual space outside of the campus single-sign-on. Some students use their institutional email while others sign in with their private accounts. Students are asked to create and embody a human avatar and are presented with an option to create it using a still image. Some students use their own images while others choose celebrities or fictional characters from movies and other media. As part of the virtual sessions, students will view/review assignments or materials assigned by the faculty member, speak and collaborate in small groups, and move throughout the virtual space. Most of the class will take place in VR.

Important Questions to Ask

1. Student VR device ownership or access to VR devices
   1. Will all students have access to a VR device?
   2. Has the faculty member acquired devices that can be on extended loan to students?
   3. Does the institution have a VR device loaner program for students?
   4. If students are expected to have their own VR device for this class, was this documented in the course catalog or syllabus before students registered for the class?
2. Student access
   1. Has the faculty member considered whether the third-party platform is available from non-VR devices such as mobile apps, a browser, or desktop apps?
   2. Is the third-party platform available from most headsets? (For example, the PlayStation VR headset is not supported by recent collaboration platforms.)
   3. Do any students require special accommodations?
3. Device/platform data collection
   1. In the case of the faculty member or the institution providing loaner VR devices to students, has there been a review of the data being collected by the headsets?
   2. Are students provided with a consent form before getting a faculty- or institution-provided device?
   3. Do students need to share faculty- or institution-provided loaner VR devices? If so, does the device support multiple users with reasonable controls to separate user-related data?
   4. Is there a procedure documenting how the devices will be reset and how end-user data will be purged at the end of the class (or if a student needs a replacement device)?
   5. Does the faculty member or institution use a device management platform for its loaner devices? If so, are students told what data might be collected by the platform and be accessible by the faculty member or others?
4. Third-party platform considerations
   1. Does the institution already have an agreement in place with the third-party platform? If so, has a security review been done? Have terms and conditions been negotiated by either the institution procurement or legal department? If not, has the faculty member engaged the cybersecurity unit to conduct a risk assessment (e.g., HECVAT review) ahead of the class? If not, has the faculty member read the end-user license agreement (EULA) of the platform?
   2. Does the third-party platform already have out-of-the-box integration with the institution's SSO services?
   3. Does the third-party platform support integration with consumer cloud applications such as Google Drive, Dropbox, or One Drive? If so, are the students provided with an appropriate EULA when linking their personal cloud storage solution to access materials such as assignments?
   4. Does the third-party platform support integration with the institution's SaaS applications, such as cloud storage solutions (Google Drive, Dropbox, or OneDrive)? If so, what kind of data or metadata is being captured by the third-party platform?
   5. Is the virtual space for the class restricted to only students enrolled in the specific course or section? Can guests (including those external to the institution) join the virtual space?
   6. Is a record of student participation created?
   7. What permissions are available for faculty or students to record virtual events on the platform? What type of elements can be captured?
   8. Can an avatar be duplicated or recreated? Has the faculty member considered the potential for someone impersonating a student?
   9. Are students required to display their actual names (for example, to enable the faculty to record attendance or contributions)?
5. Class considerations
   1. Has the faculty member or institution developed a code of conduct for 3D social environments? If it has, is the 3D environment code of conduct referenced in the syllabus? Are students taking part in a training session during class time?
   2. Are students asked to sign a FERPA consent form?

Assumptions

• The faculty member purchased a few additional VR headsets to lend to students. However, due to cost concerns, the faculty member acquired the consumer version of the headset, which requires students to have and use a social media account to use the device.
• The faculty member included in the syllabus some information regarding the use of the third-party platform. However, students were not asked to sign a FERPA consent form.
• The faculty member continues to use the VR headsets to deliver most or all course activities.
• Some students decide to purchase or use their existing personal VR device to access the virtual space. Others have decided to use their laptop or mobile device to access the space since the third-party platform supports access from web/mobile devices.
• The institution's library department recently started a VR headset loaner program for students. The library department requires students to sign a loan agreement form.
• The faculty member selected a third-party platform based on the recommendation of a colleague at another institution. While the platform has a workgroup and enterprise paid offering, the faculty member elected to use the free tier, which is sufficient based on the size of the class.
• The platform lets students create a local account or use an existing Gmail or Office 365 account. However, when using their institution's email address, students are asked to log in using their institution-provided credential (based on the Gmail/Office 365 integration supported by the platform).
• The environment (virtual space) created by the faculty member is private. However, anyone with a link and an account on the third-party platform can access the space.
• Students are expected to present and discuss work, such as virtual posters. Students can create and leave 3D artifacts that remain persistent. Once invited to the virtual space, students can access the space outside of regular class sessions to meet as a group.
• Students can take pictures or record what is happening in the virtual space using the native recording capabilities of the VR devices.
• All students in the class are located in the United States. While most students are on campus, some students are off campus.

Review Section

First, it is important to remember that because an online environment creates a record of student activity, that record is subject to FERPA privacy rights. Similar to the use of any non-vetted 2D cloud-based solution for a class, a primary issue in this scenario is the fact that the faculty member is using a third-party solution that has not been vetted by the institution. Even though the faculty member elected to use the free tier, the third-party platform should have gone through a review process to ensure that:

• Necessary controls are in place to protect student information (HECVAT and SOC2 report review).
• The data steward for the student data domain (typically the registrar in this instance) had a chance to review the use of the third-party platform in an instructional setting.
• The institution retains sole ownership of the data.
• The institution will be notified in the event of a data breach.
• The institution has the right to reclaim its data.

Students enrolled in the class should have been allowed to sign a FERPA consent form. Students not willing to provide consent should be offered alternative options without academic penalty.

While the virtual environment created by the faculty member is private, the fact that anyone with a link can access the space is a problem. It is not hard to imagine one or more students sharing the link with friends, inviting them to check out the experience. Other students may also decide to record and share some of their group discussions on social media platforms.

The lack of strong access controls offers students and/or outside guests the possibility to disrupt the synchronous VR sessions in many ways. While the reader may already be familiar with different forms of Zoom bombing, a VR environment provides additional opportunities for pranksters or others with ill intent. Depending on the platform, it is not hard to imagine all students joining a session using the same avatar (and displaying the same avatar name). One could easily imagine a scenario where everyone changes their avatar to recreate the scene in which Agent Smith turns into a virus and replicates himself in the Matrix movie.

Students/faculty wish to create 360 interactive videos to publish/use within the institution's LMS or CMS. The institution has acquired a set of licenses for 360 video editing software and a sharing platform. Students and faculty use the institution's 360 video cameras to film around campus and town. Students interview faculty, administrators, peers, and residents. Some of the footage includes dorms and campus spaces. Students compose music to add to the 360 videos. The videos are published to the web and available to the public. As with other media projects, student final projects end up being stored on personal drives, a shared class drive, Google drives, the LMS, and student portfolio systems. Unlike other media, 360 video and LIDAR files include a range of visual and other data that flat video files do not include.

Important Questions to Ask

1. What challenges do LIDAR and 360 media present?
   1. Additional information and sources of data that can be repurposed for alternate media assets. For example, LIDAR data or a piece of 360 video of a specific location of the campus could be used for nefarious purposes, such as recreating a school shooting.
   2. Meticulous details will be featured in the content. Hence, a deeper inspection of copyrights should be included before releasing.
2. Are these interactive experiences graded assessments?
   1. Are devices made available for all students?
   2. Tutorials for the device and software used to fulfill the filming and editing should be adequately offered to students.
   3. Are students offered enough help to meet special requirements brought by the use of 360 cameras to finish the projects?
   4. Does students' access to the evaluation records abide by FERPA?
3. Who owns the content?
   1. Are students authorized to film particular areas of the school? Or are there other rules to follow, for instance, no commercial use?
   2. How much third-party content is used when creating the 360 videos? Further, what usage rights does the third-party content cover?
   3. While filming, are other people featured in the video? If so, do we have their consent to include them in the video or reproduce the part where we might violate others' image rights?
   4. Areas of the school might contain personal information, for instance, dorms, lectures, and offices. While filming, are provisions made to ensure that personal details are not exposed in the video?
   5. While releasing the video to different platforms, how are ownership rights managed? Also, to what extent are the usage rights shared?
   6. Are students and faculty who are featured in the videos aware of where the content is released? Are they credited in each channel?
4. Where is the content hosted?
   1. To what extent are the usage rights shared if the video is to be hosted by that platform?
   2. Is it worth it to host the content on that platform while weighing the effectiveness and rights given?
   3. If the need is to restrict the video's edit to students and faculty within the institution, are sign-in options, for instance, double-verification sign-in, covered?
5. What happens when it is downloaded?
   1. Is the video available for download?
   2. Before downloading, are the users informed what data is being tracked while navigating through the video?
   3. Are the users aware of the ownership of the rights in the content?
6. What metadata is collected in 360 video and LIDAR data?
   1. Does the collection of the metadata abide by the XRSI Privacy Framework?
   2. While users are accessing the content, are they aware of the collection of this personal metadata? Also, do they know who actually owns the metadata and how it is used?
   3. Are they aware of the potential risk of authorizing the data to the platform?
   4. If the video is of educational use, are there options to access the content while not collecting the metadata?
   5. Is there a reference document detailing the sources and use of data?
      
      

Assumptions

• Students and faculty have equal access to and support for using cameras and software required to make the 360 videos.
• Students who require special accommodations are taken care of, including physically being there to film and use the software to edit the footage.
• A full investigation into the privacy settings and data sharing agreements is done before licensing the 360 video editing software so that students, faculty, and the footage are protected while using the software.
• The videos will be graded, but there are alternative assessment options offered.

Review Section

To finish the 360 videos, students will need to film the settings of the school's environment. For the project, students will apply parts of others' creations or belongings into their personal output. For instance, the video will feature buildings and passers-by. However, since the videos will be put on the institute's LMS and go public, we should consider potential conflicts to copyrights and privacy. We should look into the regulations relating to copyrights from the educational institution and the hosting platforms.

Institutions should also consider where the final video is hosted and which actions are enabled for end users. Many hosting platforms require a certain level of copyright if they are to host the digital content. Further, when the video is open to the public, the content is subject to being repurposed. Therefore, to protect the privacy of video contents and the rights of students, we need to be aware of the potential threats. Actions can include selecting the platform that is in students' best privacy and security interest and exploring agreements such as XRSI Privacy Framework and FERPA.

Another critical aspect of the project is to make sure that the 360 videos are created with end-user rights in mind. Before releasing the project to an LMS and hosting platforms, be sure to inform future users what data is collected while accessing the video. Further, since the video's goal is to educate, we should consider alternatives to this video as well. The rights of students with concerns about data collection and special accommodations should not be neglected.

As XR devices and content become more readily available, students will be given options to join both curricular and extracurricular activities in immersive environments. They will enter both third-party platforms and campus virtual environments. Students participating in classes remotely may consider using their personal Facebook accounts and VR headsets to access course content. Some students may already own headsets; others are able to check out headsets from the institution.

Additional Background: In the case of using the Meta Quest headsets, setting up the access allows students to opt in to set up a new account or to link to their existing social media account. In summer 2022, Meta released a set of new options for users to create and access applications on the Meta Quest headsets. Other device manufacturers like HP, Vive and Pico have opt-in options when it comes to data collection. Even when access to the device requires an account, a separate account is often required to join/enter third-party applications.

Account management and data collection will continue to evolve as more institutions and organizations adopt XR devices for teaching and learning. Tools for managing accounts at the enterprise level are not available, and access to headsets continues to require students to manage their accounts as they engage in teaching and learning. While we expect enterprise management tools to become available for XR devices, it is important to make sure students are fully aware of the account and device privacy settings.

Important Questions to Ask

1. What device are they using to access content?
   1. Is the content available on devices not offered by the school?
   2. Can technicians identify ways to incorporate the content on personal devices with low risks? If yes, are students provided with guidance and help to have the content work on their own devices?
   3. If the students are using their own devices, should their devices be connected to the institution's VRDM?
   4. While allowing the students to access the content through their own devices, are there possible copyright violations to the content?
2. What data is collected by the device?
   1. What data is directly or indirectly collected by the content itself or other collaborating platforms?
   2. Are there any settings regarding data collection on the school's device that students who are using their own devices need to know of?
   3. Can the technicians help students set up personal devices for their data protection?
   4. If the data is required for evaluation, how are the faculty accessing the data?
   5. While collecting data from students' devices, will additional personal data be inadvertently collected? If yes, are the students informed of the possible consequences?
   6. Will the data collection from devices not monitored by the institution violate the rights of other students or the rights of the content owners?
3. Have students signed a specialized waiver/agreement outlining the data that is collected?
   1. Did the waiver/agreement inform students of potential threats to their own rights by accessing the content through their own devices?
   2. What conditions do students need to abide by to use their own devices instead of the institution's devices?
   3. Is there any alternative or support if the students refuse to sign the waiver/agreement?
4. Who is liable in the case of data breaches/account hacking/data loss?
   1. Is using a student's personal social media account posing a potential threat of a data breach? Moreover, is it allowing a further threat to other student's data security?
   2. If the institution is not able to offer support in protecting students from cybersecurity threats while accessing the content through their own devices, are students informed of the possible cybersecurity threats?
   3. Are students offered support to access endpoint protection platforms (EPP) and endpoint detection and response (EDR) while accessing the content through their own devices?

Assumptions

• All students are able to secure a device and a school-issued account needed to access the content from the institution.
• Access to VR devices is also ensured for remote students so they are not pressured to need to use their own devices to access the content.
• The institution's devices are preset to protect students' data security. In addition, the building of the content is following the same guidelines.
• School-managed accounts can be effective in protecting students from the exploitation of data collecting.

Review Section

The first question can be as fundamental as how to let students access the content through their personal devices. While releasing the content to students' own devices, it is also essential to ensure the actions will not infringe the content creator's right. Further, more discussions should take place between technology and policy teams. The faculty and technicians should establish the relationship between students' accounts on the institution's devices and students' devices on the VRDM.

For devices offered by the school, environments are preset so that students can access the content. However, when students are using their personal devices and accounts, possible contradictions might occur. Therefore, it is essential to inform students of the issue and support them to avoid harm. Additionally, cybersecurity in XR is still a relatively obscure area, with unseen threats emerging. Institutions need to consider how to help students evade those perils. All these possibilities should be clearly communicated to students through waivers/agreements, and alternative solutions should be offered if students do not agree with the waiver/agreement.

Finally, the security of the institution and other students should also be taken into consideration. Without guidance and restriction, students are more likely to violate content rights and endanger network security while navigating through the content on their personal accounts and devices. While the waivers and agreements can inform students what to do or not to do, we should still actively protect all stakeholders, students, and creators, by building a guarded environment through technology and policy.

A decision has been made to build an XR lab space open to students and faculty. VR and MR headsets are procured and set up in lab space for the community to use. The computer stations and VR headsets use a set of institutional accounts dedicated for the XR lab use. VR content is purchased and made available under these accounts. Some of the VR experiences are available free, some are locally developed, while others are professional packs to serve specific discipline needs. Students are invited to visit the lab and access the XR experiences.

Important Questions to Ask

1. Procurement process
   1. What type of equipment will the lab contain?
   2. If Meta Quest devices are procured, what type of accounts will you create and who will manage them?
   3. What is the data protection agreement with the hardware and software vendors?
   4. Where will the lab be located on campus and what physical buildouts are needed?
2. Waivers/agreements
   1. What type of agreement about accessing content and data collection will students sign?
   2. Who will manage the lab and what will their responsibilities be for student support?
3. Licensing of content
   1. Who will purchase the content?
   2. What accounts will it be linked to?
   3. How will the list of content be organized and maintained?
   4. Who will be able to purchase content and what decision-making process will be in place?
4. Who will manage devices and use of content?
   1. Who will ensure devices and content are updated regularly?
5. Who will onboard students and provide information where relevant to privacy and data collection?
   1. Are students accessing content/simulations as part of a course requirement? Do they need to have a record of completion?
   2. Are students asked to review content that may contain triggers?
   3. What options are made available to students with specific needs who may not be able to view content via the headsets?

Assumptions

• The institution will purchase the devices and maintain them.
• The institution will manage software updates and cybersecurity for any PCs, servers, or XR devices that are accessible in the lab.
• The institution will have policies in place to govern acceptable use of the equipment for students, faculty, and staff.
• Students will be responsible for any accounts, content, and their behavior in accessing hardware and software in the XR lab.
• The XR lab will have proper controls for monitoring access to the room and equipment.
  
  

Review Section

Many risks can be associated with running an XR lab at an Institution, and we have highlighted the most critical ones below.

One of the largest risks to students is the protection of their data in using XR experiences, and students need to understand the terms of service for using any accounts with major platforms such as Steam, Meta (Oculus), and Pico.

It is important to establish policies or protocols for lab use. Students violate acceptable use policies by creating or accessing content that is deemed inappropriate. Students need to be trained in acceptable and unacceptable use of the devices in the lab. For example, it is unacceptable to harass or discriminate against other students or users of XR experiences or hardware.

Lab staff must check that (1) devices are returned not damaged or broken and (2) devices and equipment are properly sanitized between uses.

When the equipment is no longer supported by the vendors or software providers, the Institution will need to consider upgrading or replacing.

Consider employing and training full-time staff to manage the lab and training student assistants who can help run the lab.

As part of the course, students are asked to complete a set of VR simulations. Each simulation concludes with an assessment module. Students might be required to repeat some simulations multiple times to ensure competency. While the simulation might track student attempts, this may or may not be of interest to the faculty. Students are required to answer a set of questions, similar to taking a quiz, at the end of the simulation experience and are provided with immediate feedback on their responses. The score is also available to the faculty. Faculty use a variety of other assessment methods in the course. While faculty consider the final quiz and/or performance score as the only relevant data point for the purpose of the course, the institution is interested in a variety of additional data points to better understand the use of VR simulations. Further, the maker of the simulations and the headset manufacturer receive and have access to a variety of data.

Important Questions to Ask

1. Student VR device ownership or access to VR devices
   1. Will all students have access to a VR device?
   2. Has the faculty member acquired devices that can be lent to students in this class?
   3. Does the institution have a VR device loaner program for students?
   4. If students are expected to have their own VR device for this class, was this documented in the course catalog or syllabus before students registered for the class?
2. Student access
   1. Has the faculty member considered whether the third-party platform is available from non-VR devices such as mobile apps, a browser, or desktop app?
   2. Is the third-party platform available from most headsets? (For example, the PlayStation VR headset is not supported by recent collaboration platforms.)
   3. Do any students require special accommodations?
3. Device/platform data collection
   1. In the case of the faculty member or the institution providing loaner VR devices to the student, has there been a review of the data being collected by the headsets?
   2. Are students provided with a consent form before getting a faculty- or institution-provided device?
   3. Do students need to share faculty- or institution-provided loaner VR devices? If so, does the device support multiple users with reasonable controls to separate user-related data?
   4. Is there a procedure documenting how the devices will be reset and end-user data purged at the end of the class (or whether a replacement device needs to be provided to a student)?
   5. Does the faculty member or the institution use a device management platform for loaner devices? If so, are students told what data might be collected by the platform and be accessible by faculty or others?
4. Third-party platform consideration
   1. Does the institution already have an agreement with the third-party platform? If so, has a security review been done? Have terms and conditions been negotiated by the institution's procurement office or legal department? If not, have the faculty engaged the cybersecurity unit to conduct a risk assessment (e.g., HECVAT review) ahead of the class? If not, have the faculty read the EULA of the platform?
   2. Does the third-party platform already have out-of-the-box integration with the institution's SSO services?
   3. Does the third-party platform support integration with consumer cloud applications such as Google Drive, Dropbox, or One Drive? If so, are the students provided with some kind of EULA when linking their personal cloud storage solution to access materials such as assignments?
   4. Does the third-party platform support integration with the institution's SaaS applications, such as cloud storage solutions (Google Drive, Dropbox, or OneDrive)? If so, what kind of data or metadata is the third-party platform capturing?
   5. Is the virtual space for the class restricted to only students enrolled in the specific course or section? Can guests (including those external to the institution) join the virtual space?
   6. Is a record of student participation created?
   7. What permissions are available for faculty or students to record virtual events on the platform? What type of elements can be captured?
   8. Can an avatar be duplicated or recreated? Has the faculty member considered the potential for someone impersonating a student?
   9. Are students required to display their actual names (for example, to enable the faculty to record attendance)?
      
      

Assumptions

• Students have lab or check-out access to the VR devices and content.
• Students are required to complete the simulation/XR experience in order to master a skill or develop a higher-level awareness.
• Some assessment is available within the simulation, and some may be performed after the simulation.
• Training is provided for the student to establish a level playing field.
• If a third-party platform or experience is used, it tracks only data agreed upon by all parties.
• Student privacy is ensured during and after completing the simulations and relevant assessment.
• If export of data is required from the platform, it is managed by people with the right level of responsibility and access.
• Faculty have full access to all data.

Review Section

Integrating XR simulations and other content within curricular activities requires careful planning and support. It is important to involve faculty, instructional designers and XR staff members in evaluating the content and its use. It is important to evaluate how students will access the simulation and what personal information and identifiers will be collected. Third-party agreements should be carefully considered and negotiated when necessary to ensure compliance with all institutional policies.

It is important to develop a consistent method for collecting students' completion rates and/or scores when appropriate. It is important to establish how faculty will review performance and if necessary what data will be collected and how it will be used and stored.

Students should be provided with training and practice sessions to ensure their performance is not affected by technology or other factors. Alternative methods for completing the work need to be developed for students who might not be able to use headsets.