Higher education institutions should mitigate risk when adopting new XR devices, platforms, and services by reviewing and updating their procurement policies and procedures. Conducting risk assessments ensures that vendors can effectively protect institutional data and demonstrate compliance with applicable international, federal, and state laws or that they are at least able to accurately document compliant and non-compliant product features.

Regarding data security and privacy concerns, most institutions should already be requiring their vendors to submit a Higher Education Community Vendor Assessment Toolkit (HECVAT) questionnaire (or similar assessment) as a starting point to assess the security practices and controls implemented by vendors, particularly cloud vendors. The EDUCAUSE HECVAT team has recently released an updated version 3.0 of the toolkit. While this new version includes many improvements, institutions should look at supplementing the HECVAT with additional questions specific to XR data processing, particularly for data relating to avatars, and biometric (e.g., iris scan, gaze, and gait) or bio-inferred data. HECVAT 3.0 does not, by itself, help institutions inventory the specific biometric and PII data being collected or determine how long that data should be retained.

When conducting a third-party risk assessment, institutions should adopt a "trust but verify" approach. Answers provided by vendors to the HECVAT questionnaire should be validated if at all possible by requesting audit reports, preferably a SOC 2 (System and Organization Controls type 2), conducted by a third-party auditor.

Institutions should also review, and, if necessary, update their data protection addendum (DPA) to include additional provisions to cover additional data acquired, stored, and processed by XR devices or platforms. The DPA should include requirements regarding timely notification in case of breach or accidental disclosure and when data collection, storing, and changes occur, such as when the vendor shares data with new third parties.

Procurement policies and practices should likewise be updated to account for the unique accessibility concerns that exist with XR technologies and experiences. Institutions may already be asking vendors to provide an Accessibility Conformance Report, which shares results from a Voluntary Accessibility Product Template (VPAT). (It should also be noted that HECVAT 3.0 now includes a set of questions dedicated to accessibility, developed with contributions from the EDUCAUSE IT Accessibility Community Group.) However, these tools, which largely rely on the World Wide Web Consortium's (W3C) Web Content Accessibility Guidelines (WCAG) may not directly address the vast range of interactions and unique controls and commands that are common to XR experiences. Adding XR-specific questions to these assessments can help institutions gain a better understanding of any accessibility issues that may exist and whether obstacles may be overcome through user controls, modifications, or accommodations. W3C's Accessible Platform Architectures Working Group published a series of recommendations in 2021 that can be integrated into accessibility evaluation procedures.

While most institutions have already developed comprehensive vendor security and compliance assessment processes or policies, enforcement of these processes or policies can remain a challenge—one that can become compounded as institutions now start to adopt XR technologies through iterative and organic processes. Many staff and faculty may not be aware of significant differences between consumer versus business XR devices (e.g., Meta Quest 2 consumer versus business edition), or the additional risk resulting from using freemium versions of XR applications or collaboration platforms not covered by a negotiated enterprise agreement. Contractual indemnification clauses should also be reviewed.

Finally, institutions should anticipate that the procurement of XR-related devices, technologies, and services will present challenges similar to the procurement of mobile devices, services, and apps:

• Procurement policies and processes should require XR-related requisitions to select enterprise-level devices and services instead of consumer ones, when available. This will be of higher importance to consider when initiatives are scaling up rather than during initial efforts.
• Enterprise-level devices and services typically represent additional costs that need to be factored into not only the acquisition but also the overall long-term costs. In particular, XR enterprise offerings from companies such as Magic Leap, Microsoft, or Meta (Facebook) result in yearly maintenance costs.
• Enterprise integration costs should also be considered up front. Integrating XR devices with the central authentication and authorization SSO platform may result in unanticipated costs. For example, the discontinued Meta (Oculus) for Business used the Facebook Workplace account management platform. However, the Workplace Single Sign-on functionality was available only in higher-tier versions.
• Most XR device ecosystems leverage an app store/walled-garden licensing and distribution model. Institutions should research mechanisms to purchase and distribute educational applications (depending on the licensing model used by the developers). We should note that these models continue to change but remain based on consumer rather than educational use. Purpose and use of the application should be also considered when making these decisions.

The increased adoption of online education tools (e.g., learning platforms and management systems) and the advent of MOOC providers have raised the big data privacy problem for student data. The availability of large amounts of detailed, fine-grained student data offers the promise of a data-driven education where students are provided with personalized and customized educational experiences, and ultimately better learning outcomes. Supported by progress in big data analytics and machine learning, many colleges and institutions have launched learning analytics initiatives.

These learning analytics initiatives present significant inherent challenges, such as documented privacy threats and potential algorithmic biases. One significant risk is how mining these large instructional data sets can deeply reveal private information about a student (e.g., sexual orientation, political leaning, emotional instability). In response, higher education institutions have developed data governance and data privacy programs1 (including creating chief data officer and chief privacy officer leadership positions), increased investments in technological safeguards, and developed policies regarding how data is shared with third parties (e.g., cloud providers).

The adoption of XR technologies, platforms, and services for instruction will generate another massive wave of fine-grain, very personal data that institutions will have to protect and decide how to use. The question whether all available data through this new technology should be collected will be the topic of many debates. Justin Reich, in his book Failure to Disrupt: Why Technology Alone Can't Transform Education, highlights the dilemma of data collection and experimentation presented by every new technology (see chapter Toxic Power of Data and Experiments). We believe that, more than ever, the principle of data minimization will have to be applied: what XR-generated data is truly necessary to provide students with the best educational outcomes? To the same extent, data purpose limitation should be defined early on to prevent situations where analytical studies could be conducted without having obtained sufficient end-user consent.

It is important for institutions to prepare themselves for this new data tsunami and develop an understanding of what kind of data can be collected in an XR setting. The temptation might be to initially focus on biometric data. Article 4(14) of General Data Protection Regulation (GDPR) defines biometric data as "personal data resulting from specific technical processing relating to the physical, physiological, or behavioral characteristics of a natural person, which allows or confirms the unique identification of that natural person, such as facial images or dactyloscopic data." However, another significant class of data might be easily missed: biometrically inferred data (BID). XRSI defines BID as a collection of datasets resulting from information inferred from behavioral, physical, and psychological biometric identification techniques, and other nonverbal communication methods.

XR devices enable the collection of previously unavailable data, such as where students are looking (eye gaze tracking), facial expressions, heart rate, mouth tracking, and gait. In particular, XR devices can record a large amount of BID. Body movement patterns recorded through accelerometers or inertial measurement unit (IMU) in XR devices can be used not only to identify users but also to gain insight about users' emotional states or reactions while accessing an XR environment.

Other data domains that should be identified, defined, and managed include those relating to the creation of campus/physical space digital twins, spatial anchors, and new 3D content. Managing these data domains early on will help institutions get ahead of data quality and intellectual property questions (as we will discuss later in this report).

The issues related to physical and emotional safety including cybersickness should be considered before an institution offers to bring anyone into an XR experience. When people are in a VR or head-mounted AR experience, they are often unaware of their surroundings and are susceptible to injure themselves or be subjected to unwanted touching or misconduct by bystanders. It will be important to address the physical and emotional safety of participants, the hygiene of devices, and the risk of cybersickness before opening an XR lab or making devices available for checkout.

Physical Safety

As noted in a previous section, institutions of higher education have a duty of care to provide a safe learning environment. During the fall 2021 EDUCAUSE Learning Lab on XR Safety, Security, and Privacy, certain group projects outlined the importance of providing end users with proper training, as well as publishing XR safety guidelines. Lab safety recommendations that surfaced as part of these group projects included the following:

• Create and post infographics as appropriate (e.g., in XR dedicated spaces).2 
• Hire and train dedicated XR safety lab assistants. Assistants to XR users should ask students their preferences for being notified of dangers (verbal, touch).
• Develop XR safety awareness/training courses that users would be required to complete before participating, particularly when no TA/lab assistant will be present during immersive XR-based instruction.
• Consult with legal counsel to create liability waivers that properly inform users of risks and limit institutions' liability in the event of an accident. Be sure to address harm to the user (psychological and physical), harm to others, and harm to property as part of these conversations and in any resulting release forms.
• Seek out information and resources outlining internal processes for addressing lab-based incidents, and work with leaders within the academic departments and central units to clarify any steps that may be unclear.

Hygiene

Cleaning safety protocols (e.g., using disposable masks, wipes, Cleanbox) for XR labs and devices is critical for the safety of all participants as well as extending the life of devices. Hygiene and safety are always important to consider when using VR headsets and controllers on multiple people. Areas that pose a high safety risk include the VR location-based entertainment industry, showcasing events, VR labs, education that uses VR, larger gatherings where headsets are swapped between people, and headsets that are used daily by multiple people (e.g., when training with headsets). During the COVID-19 pandemic, it became clear that current procedures would not be sufficient anymore. Therefore, updated information about best practices on how to safely use VR headsets is needed.

Cleanable and Disposable Face Pads

VR headsets usually have a face pad that is not waterproof. It is advisable to purchase waterproof face pads. Replacement with a waterproof one makes disinfecting the face pad safer and easier. Putting a cotton cover over the existing face pad will not be a safe option, as moisture can seep through. The same goes for disposable face pads. They will only protect against dirt-like makeup smudges. Make sure to replace the cotton cover after every user and wash it with hot water and detergent. And decontaminate underneath the disposable or cotton cover after every user.

UVC Light

UVC light seems like the safest and easiest way of decontaminating headsets and controllers. The DNA of microorganisms (e.g., bacteria and fungi) and viruses are destroyed when the UVC light hits them. UVC light decontaminates a headset when it hits the surface from a specific distance for a specific time with a specific wavelength. Cleanbox Technology is a well-known company that sells UVC light decontamination boxes especially for headsets (and more). Cleanbox staff found that exposure to a wavelength of 265 nm for 60 seconds from a certain distance worked best to kill off any bacteria, fungi, and viruses, including COVID-19. Other UVC boxes are available to buy online. Usually, they are made for different purposes and are not suitable for VR headsets because of their size, intended purpose, and use of the wrong wavelength.

Do not confuse UVA light (320­–420 nm) or UVB light (280–320 nm) with UVC light (100–280 nm), because they have different wavelengths and therefore different effects on your headset. UVA light and UVB light are the kind you get from the sun, and they will damage the displays in your headsets. However, UVC light will not damage your headset, although it is very damaging to your skin and eyes, so caution is needed when working with UVC light. Furthermore, a UVC light decontamination box can be a costly investment.

Take caution when creating a UVC decontamination box yourself. It needs to cast UVC light the right distance, for a specific amount of time, and at a specific wavelength. Shadows also cause problems, because every surface needs to be touched by the light to fully decontaminate the headset. And remember that UVC light is very harmful to skin and eyes.

Nanotechnology

Nanotechnology can be used to make your headset waterproof so (micro) droplets will not stick and makeup will not permanently stain it. Although hydrophobic nanotechnology is available to buy in a spray can, most of these coatings contain harmful PFAS chemicals, which can cause health and environmental problems, so make sure your spray is safe to use. Hydrophobic coatings differ based on the material on which they will be used. VR headsets are typically made of plastic and fabric. The coating is useful for the inside parts around the lenses of certain headsets, which are often made of fabric and can be difficult to disinfect. Follow the instructions of the spray when applying. Multiple layers might be required.

Furthermore, some sprays might damage the lenses, so consider covering them when applying the coating. Do not use tape to cover lenses; that might leave residue that is difficult to clean. Rather, use paper or plastic cutouts.

Cybersickness

Cybersickness, also called simulation sickness, is a real condition that can be caused by VR experiences. Cybersickness occurs when there is a disruption in the coordination between our visual input and our sense of balance or movement, as well as the syncing of our eye focus distance and our perception of depth. Symptoms include nausea, disorientation, headaches, sweating, and eye strain. As devices and processing power improve, these conditions are minimized. Design techniques can help alleviate the potential for cybersickness. They include ensuring there is an earth-fixed visual horizon for the participant, reducing the latency and increasing the frame rate for the VR headset, and allowing the option to narrow the field of view for the participant during scenes with a lot of motion. Cybersickness is less common in AR  because participants can still see the real world. Additionally, guidance should be provided to participants who are susceptible to motion sickness. Techniques like sitting down, closing eyes, and feeling external airflow from a fan can help reduce the potential for cybersickness. The following are other helpful techniques:

• Avoid exaggerating or scaling rotation of the user's perspective as this can create a conflict between what the user is sensing and seeing.
• Ensure movement in VR exactly matches the real-world movement of a user's head.
• Provide a stable visual reference with texture.

During the fall 2021 XR Learning Lab, some of the participants highlighted the use of possible preventive measures, such as adjusting the headset, making sure the room has plenty of air, starting out with very short sessions and include breaks in between, and being stationary. As part of XR training and awareness, students should learn how to detect the symptoms of cybersickness and pay attention to their breathing.

For additional information, we recommend the following resources:

• Jay David Bolter, Maria Engberg, and Blair MacIntyre, Reality Media: Cybersickness and the Negation of Presences (Cambridge: MIT Press, 2021).
• Joseph J. LaViola, "A Discussion of Cybersickness in Virtual Environments," ACM SIGCHI Bulletin 32, no. 1 (January 2000).
• Simon Davis, Keith Nesbitt, and Eugene Nalivaiko, "A Systematic Review of Cybersickness," in Proceedings of the 2014 Conference on Interactive Entertainment (Newcastle, NSW, Australia: ACM Press, 2014).
• Ben D. Lawson and Kay M. Stanney, "Cybersickness in Virtual Reality and Augmented Reality," Frontiers in Virtual Reality 2 (October 13, 2021).
• XR Association Developers Guide: An Industry-Wide Collaboration for Better XR (October 2018).

Onboarding Activities

To ensure students and faculty are ready to safely use VR headsets and engage in virtual environments, developing an onboarding protocol is critical. While we have seen several headsets available on the consumer market, student and faculty experience with this technology is still limited, and a number of misconceptions exist. The XR field has also developed its own specific language that is helpful to review with both domestic and international students to ensure consistency and shared understanding.

Given the rapid pace of development for upgrades and new features, a general introduction session should be a required first step for both first-time and returning students using VR/AR headsets in the teaching and learning environment. For example, the protocols listed below have been developed and implemented at The New School XR Lab. During onboarding, students are guided into proper fitting of the headset and shown how to adjust the interpupillary Distance or IPD to guarantee an optimal visual experience. Understanding the use of the controllers setting the play area are important for students to safely and successfully participate in XR-based activities. During onboarding sessions, students and faculty should also be briefed on medical conditions, hygiene, data privacy, and ethical considerations when visiting virtual spaces as addressed in previous sections.

When students are asked to review immersive experiences as a group or individually, they should be provided with a description and understanding of the nature of the content they will encounter. Virtual experiences trigger emotional and physical responses in users, making this an excellent platform for learning. Immersive experiences have the potential to generate empathy by letting students step into the shoes of others and better understand their perspective. Immersive simulations can help students understand complex science phenomena and develop confidence in mastering certain skills. VR is frequently used as a component of exposure therapy as a way to alter behavior and help patients suffering from Post-Traumatic Stress Disorder (PTSD). Virtual experiences have the potential to contribute to new therapeutic treatment and awareness. At the same time, virtual experiences can be overwhelming because they are so lifelike. Experiences developed for learning or workforce training may include simulations of height or dangerous scenarios that can trigger unexpected responses in students. In social virtual worlds, participants may experience bullying and harassment that will feel no different from the way they experience them in the real world. Immersive experiences can have a lasting impact and influence behavior, not only in virtual spaces but also when participants remove the headset. Thus, it is important for institutions to develop and include proper onboarding activities as part of engaging students with immersive experiences.

When campuses are engaged with XR onboarding, sessions should be developed and made available for staff, faculty, and students. Onboarding activities may include individual or small groups in onsite sessions led by XR lab assistants or staff before students enter immersive experiences and can be complemented by additional synchronous sessions in XR in which students can participate. Some content can be made available through recordings and other media ahead of time. Onboarding sessions should include developing a better understanding of the technology as well as practice using the headset and controllers, and tips for navigating inside virtual experiences such as teleportation, hand gestures and other features. Lab assistants providing onboarding activities should be trained. Onboarding activities should also include information on data privacy, account management, and safety and ethics.

Institutions with mature XR initiatives managing a large number of headsets should focus on developing models for XR enterprise integration and management. XR devices owned by institutions should be treated as an endpoint, and existing endpoints or mobile device policies, standards, and procedures should be extended to this new class of devices. Ideally, the devices would be integrated into an enterprise-wide mobile device management (MDM) system, and any user accounts to access those devices would be managed through a single sign-on (SSO) solution with multi-factor authentication (MFA). It is important to note that these solutions are just starting to arrive in the education market. XR devices should be thought of as another mobile device that needs to be secured and managed. Institutions should strive to enact policies and procedures to manage mobile phones and tablets, and those processes and systems can be evaluated and updated to include XR devices. At the time of this writing, XR devices fall into two categories—enterprise devices such as the Magic Leap and Microsoft HoloLens models, and consumer-grade devices such as the Meta Quest models and others like the Vive Flow. When considering consumer-grade devices, the institution should consider using device accounts or centrally managed accounts to ensure that privacy and security settings are addressed.

One key consideration that should be researched when acquiring enterprise XR devices is integration with the institution enterprise architecture, starting with authentication and authorization. How will users be authenticated when accessing an XR device? What kind of authentication methods are supported (biometric-based authentication vs. password)? Another aspect is whether the XR devices will support multiple users, an important consideration when looking at lab-based usage scenarios.

User Authentication and Authorization

User authentication and authorization for XR devices are critical functions that need to be addressed from a policy as well as a technical standpoint. There is still much uncertainty about how the data on these devices is used by the device manufacturers and the platform vendors. Depending on the device and the manufacturer, a unique account may be required just to access the device. For consumer-grade devices like the Meta Quest 2, a unique user account is required to set up the device and access content on that device. If the institution has devices that will be used by students, it will need to consider whether students will be allowed to log in with their personal accounts or if they will need to use an institution-managed account. XR devices that allow enterprise SSO to be configured will be easier to manage, as will applications and student data. In the future, bring-your-own-device (BYOD) scenarios will create challenges for institutions on how they deliver educational content and balance FERPA regulations for those students as the device may allow personal and work/educational accounts on the same device.

In addition to device-level user accounts, applications will need to be authorized for individual users. Each application and each device has unique solutions for managing application acquisition and authorization. While many applications are free, they are required to be purchased or licensed by the device user account. Enterprise XR devices like the HoloLens 2 can be managed via an Azure Active Directory solution like Intune or VMware's Workspace One. Applications on those devices may require separate licenses that need to be managed at the enterprise level on the Microsoft 365 tenant. For example, Microsoft Dynamics 365 Remote Assist requires a separate license to access the application on the HoloLens 2. That license needs to be applied at the tenant level and requires users to have an Azure Active Directory account. Optionally, that application can be licensed on a per-device basis and will require separate management to support that.

SSO solutions are well understood only for Microsoft devices that have tight integration with Azure Active Directory. Other devices offered by Meta and Magic Leap have plans for enterprise SSO and management, but they are not available at the time of this writing. VMware offers solutions for VR headsets to provide a containerized experience for enterprise accounts. This could be a solution for institutions to evaluate, depending on their existing MDM and VMware solutions.

In creating policies and procedures to support user authentication and authorization, the institution needs to have clear use cases and personas regarding how the XR devices will be used. In many cases for teaching and learning, institutional or device accounts can meet most of the needs for a classroom setting when selecting free applications or applications that allow students to log in to the application with their own account. For institutions that will be using XR devices for research purposes, a separate strategy may be necessary to allow for individual faculty or labs to manage their own accounts but follow institutional policies regarding privacy and security.

Device Management and Protection

At a high level, XR devices should be inventoried, managed, secured, regularly patched, and included in the institution's vulnerability management program. This can be accomplished in many ways, in part depending on the number of the devices and the device vendor ecosystem. Vendors such as Microsoft, Magic Leap, and Meta offer enterprise-level MDM solutions. With the increasing use of AR/VR hardware in educational institutions, a new breed of these MDM solutions is being created specifically for VR/AR hardware. Some are calling these solutions Virtual Reality Device Management (VRDM). An example from such an offering is the solution from ArborXR and HP ExtendXR. Long term, it is expected that MDM vendors will expand their offerings to this emerging class of devices.3 

Another key aspect of managing institution-owned XR devices is endpoint protection. Today, any institution's cybersecurity team already has in place an endpoint security program leveraging one or more Endpoint Protection Platform (EPP), Endpoint Detection and Response (EDR), or Extended Detection and Response (XDR) tools. Some of these tools may include support for mobile devices (Android or iOS) to address mobile threats, such as the ones identified by the MITRE ATT&CK for Mobile framework. As XR devices become adopted across multiple industries, one should expect the emergence of new XR class threats and attack vectors. Initially, some similarities will exist between XR and mobile devices in how to approach EPP/EDR/XDR. Still, the full risk posture is unclear at this point. While there might be a temptation to rely on the fact that most XR instructional experience will involve the use of approved and curated applications distributed through app stores, it is essential to remember the following:

• WebXR will play an integral role in creating XR instructional experiences. The possibility for a bad actor to hijack the XR-enabled browser of a headset for either stealing private data or implementing some malware is not well understood at this time.
• There will probably be instances, especially during the early adoption stages of XR in higher education, where users will want to load XR applications outside the official ecosystem app store. Such sideloading activities present additional risks where malicious applications can be loaded onto a device.
• XR instructional activities will leverage multiple types of platforms that present their own set of risks. World-type creation platforms (e.g., Altspace, RecRoom, VRChat) offer malicious actors new intrusion vectors not well understood. Emerging XR collaboration platforms (e.g., Spatial.io) could also be leveraged to exfiltrate data through credential hijacking and integration with other enterprise applications (e.g., Office365, Google Apps, Slack).

Application Distribution and Integration

Device and identity management are only part of the challenges faced when implementing XR technologies within your institution. The applications that run on those devices often have their own licensing, data collection, and distribution infrastructure, and they often are unique. Two of the largest platforms for distributing content to VR devices are Meta and Steam. They have developed ecosystems that allow developers to publish applications that can be distributed to users from a centralized location. Additionally, many other application vendors and third-party platforms allow you to distribute content to your devices, and they have their own accounts and licensing requirements.

When using the consumer platforms offered by Meta and Steam, the licensing of content is predicated on a per-user basis. This can cause issues with institutions that have devices that are being used in classes by students, faculty, or staff. The licensing agreement for many of the titles requires that the license is not shared. With few options available for enterprise XR device solutions, institutions are forced to manually manage individual accounts, application licenses, and distribution. While this is manageable on a scale of fewer than 20 devices, it quickly becomes burdensome as you scale over that. Institutions should consider how they want to manage applications that are paid differently from ones that are free. Free applications could be left to the users of the device to install as needed.

Another consideration should be made around setting some of these devices into developer mode to allow applications to be sideloaded or installed outside of one of the application stores. An application called SideQuest allows a user to install applications directly to a VR headset without going through a store. For Microsoft Hololens 2 devices, if the device has the developer portal enabled, a person with the proper development tools can install applications that are custom developed or not officially approved by the institution. This can be a good thing, but it can also present security risks. The institution should have clear policies and procedures on how it will manage developer access and sideloading of applications to the XR devices. Sideloading an application is the process in which an end user can install an application to the device once a developer mode is enabled on that device. There are emerging risks of malware and security attacks on devices that have developer mode enabled, and those should be considered as part of the risk management plan for implementation.

In enterprise device management solutions such as Microsoft Intune and VMware's Workspace One, institutions can set devices in kiosk mode and allow only authenticated users access to applications that are controlled by the platform. These solutions should be evaluated based on the use cases required as well as the types of applications that are able to be managed by those solutions. Some applications are not supported by those enterprise solutions and therefore will not be available for users. The enterprise solutions are evolving, and institutions should regularly review the options available as they scale up their programs.

As part of a plan for adopting XR technologies for instructional purposes, institutions should early on consider the fact that XR instructional experiences will be accessed from both institutional and personal XR devices. Institutions that will be implementing an XR device loaner program should ask the following questions:

• Will students be required to sign a liability waiver in case of loss or damage?
• How will the institution handle excessive wear and tear or loss of accessories?
• Will there be an acceptable use policy that covers the use of these devices off campus or on a non-institution network?
• What will the cleaning protocols be for checkout and check-in?
• Will there be contactless pickup with lockers or other card methods, and how will that be handled during off hours?
• Who will manage the inventory and process check-in to ensure all equipment is in place?
• Will the devices be set up for developer access, and can students install software on them?
• Will the devices be reset upon each check-in? Who will be responsible for that?
• How will charging and OS updates be handled?
• Does the institution have a separate SSID for devices that can be added by MAC address?

The potential for learners to use their personal XR devices raises several questions that will need to be addressed:

• Can all XR-based instructional experiences be accessed from a mixed combination of devices (personal vs. institution-owned)? What are the implications for compatibility, quality of instructional experience, and licensing?
• How will institutions revise their student device ownership or recommendation policies or documentation?
• What will be the ethical implications of expecting students to have their own personal XR devices—especially when the cost may drive students to choose price-subsidized devices in exchange for better access to personal data by the vendor?
• What policies will have to be created regarding the acceptable use of personal XR devices on campus? What level of responsibility will the learner accept?
• Historically, some institutions have provided some level of assistance/support to students with their personal devices. Institutions will have to decide whether to extend this type of service for XR devices, along with associated changes in terms of risk. While technicians may have guided students instead of working directly on devices, this approach may not be possible in the context of an XR headset (unless some form of casting/remote assistance will be possible).

While much discussion has concerned what learning will look like post-pandemic, this represents only the latest development in what has already been a paradigm shift over the last decade toward online learning/learning from anywhere. Therefore, any XR-based instructional scenario should assume that learners will access VR or AR instructional environments from the following places:

• Private/personal space such as an off-campus bedroom/living room, or on-campus dorm room
• Institution-owned instructional space (classroom, off-campus leased space)
• "Semi-public" spaces (outdoor/public space owned by the institution)
• Public space such as a park bench
• Geographically dispersed locations (e.g., students might access XR environments from different U.S. states or countries)

At first, this access-from-anywhere approach may appear no different from students' accessing asynchronous or synchronous learning environments from their laptops. However, it is important to remember that AR/VR devices have a lot more sensors (e.g., cameras) oriented toward the outside world. These sensors can capture not just regular 2D pictures (like any camera phone), but also 3D pictures (through either LIDAR or photogrammetry capture).

What, then, should be the expectation of privacy for the following groups?

• Students (and faculty/teaching assistants) who are co-located and participating in the same instructional activity/XR environment (e.g., students/faculty located in the same classroom and using an anatomy-based AR/VR application)
• Other students who are located in the same physical location (e.g., a library or outdoor space) but are not registered for the same class
• Faculty, staff, or other campus constituents who happen to be within proximity of an XR device user
• Off-campus bystanders, such as members of the same household or people walking on the street or park

These are difficult questions that will have to be answered through community discussion, revision of institutional policies, future state or federal laws, or international laws. Institutions should consider the following points of discussion when reviewing their internal policies and guidelines:

• Will institutions need (or want) to create XR-friendly access spaces, or designate some campus spaces to be XR device-free zones (with some kind of technology-based exclusion zone in the future)?
• What kind of new on-campus policies, updates to existing policies, or student/faculty/staff handbook will be required? Will students have to sign consent forms before taking part in a class using co-present/group-based XR?
• What are the implications of letting students use institutional XR devices (XR loaner program) in private spaces? What will be the implications of letting students use their own XR devices on campus?
• How should institutions approach a geographically (including internationally) distributed population of learners accessing an XR environment?

Application Development

Developing an application requires not only effort but also support. In many cases, the development process starts and is managed within the context of a small team whose focus is dedicated to XR and well established on campus. These early efforts tend to develop as collaborations with faculty and XR teams. The organizational structures of large institutions can potentially undermine the process of seeking support as it tends to be hierarchical. While the development is confined within one department, the procedures one needs to go through depends on how meticulously the department is segmented. When working on more advanced projects, the development requires cross-department collaboration, and the administrative burden can be heightened as the conversation will require more stakeholders.

Challenges might also lie in maximizing accessibility. XR products sometimes require devices like head-mounted displays that entail more physical interactions that need testing and iterations. This means more physical or financial support is required, which will depend on more negotiations with the stakeholders. Further, before releasing the product to the public market, we also need to make sure that the application focuses only on institutional users.

The faculties should be mindful of related data-collecting policies while developing the application. The care should cover the data required for functioning and the data that third-party software uses. Further, while applying the application to courses, the faculties should list advice from alternative learning technologies, since the end users—in this case, the students—hold the right to decide whether to engage in the product. This might lead to the potential exploitation of students' right to learn.

More potential threats need to be considered as the product is prepared to be released to the market, for instance the Meta Quest store. The relevance of the application's core to the institutional vision might undergo careful examination. Though led by a department level, the application still represents the institution. Hence, the discussion can cover not only the application's intention but also the potential impact on the higher education institution. In addition, we need to calculate the possible threat to students' data safety. How much of the students' data will be shared with the platform if the app is listed needs to be clarified. Most important, adjustment to the application should be proposed to prevent harm to students.

Content Development Using XR platforms

As more instructors experiment with the use of XR for instructional purposes, adoption of XR-based collaboration or social platforms (e.g., Spatial.io, VRChat, RecRoom, AltspaceVR, and Mozilla Hub) has enabled the development of content. Institutions will have to decide what happens to created content once a class is over. Should XR content related to the class (including artifacts) be deleted or preserved? While these questions have probably been addressed by institutions in the context of 2D classes, they may need to be revisited in the case of a 3D setting—particularly within the context of institution-created content vs. student-created content as part of a class. What mechanisms should be offered to students to let them either export or maintain an exhibit of their 3D VR or AR creations, particularly from a life-long learner e-portfolio perspective?

Other challenges will have to be researched such as ensuring the integrity of 3D VR- or AR- created content in persistent virtual environments. After all, no one would want to see their 3D exhibition on a research topic altered or defaced within VRChat or RecRoom the night before a class presentation.

The rapid switch to remote learning due to the COVID-19 pandemic has brought renewed attention to the problem of how to conduct assessment in an online learning context. Institutions had to review their approach to online ID verification and proctoring tools. The question of XR's role in assessing learning outcomes and how to use the technology properly is outside the scope of this document. Our focus here is to discuss some of the potential challenges ahead, including some of the tools and capabilities that will probably be needed. We believe these capabilities include the following:

• Ability to control/lock both XR devices and environments. Today, most remote proctoring solutions rely in part on the ability to lock the end-user environment (e.g., browser lockdown) in combination with using learning management system (LMS) assessment capabilities. What kind of lockdown functionalities will be needed in AR/VR headsets to prevent the user from accessing other resources? In the case of a VR headset, will passthrough functionalities need to be disabled? We anticipate that device lockdown might be initially easier to implement on institution-owned devices, leveraging, for example, the use of XR device management capabilities. Allowing students to take the equivalent of a closed-book exam in XR using their personal headsets will require the online proctoring industry to work closely with the XR industry to develop new solutions (e.g., XR remote proctoring apps). How will XR labs and campus facilities support assessment activities?
• Purpose-built application or platform-based assessment capabilities. Online assessments tend to be delivered through the LMS licensed by an institution. How LMS will evolve to take advantage or connect to XR applications is unclear at this time. Nevertheless, we should anticipate that some purpose-built XR-based learning applications and simulations (e.g., anatomy/physiology/workforce skills development) will provide both LMS and assessment capabilities to some degree. Another question for consideration is how instructors might decide to use collaborative XR environments (e.g., Altspace or Spatial.io) to conduct some form of assessment.
• Need for continuous identity verification, anti-impersonation capabilities. Remote proctoring solutions typically leverage a webcam and require the student to present a valid form of identification at the beginning of the exam, and then monitor the student's actions (including eye gaze) through the use of AI to detect potential cheating. How will the initial user identity validation be conducted in an XR situation? The nature of XR headsets will require a different approach. Identity verification may require the continuous use of a headset's internal cameras/sensors (if available), combined with the use of biometrically inferred data (as described in the previous section). This latter point raises the question of how much data will be collected (and kept for how long) by an institution or a third-party service for the purpose of XR-based assessment?
• It is also important to note that in cases of programs like art, design, architecture, computer science, media, UX and others, students are put in the shoes of developers as they create content as part of their studies in the program. In that sense, institutions should consider how faculty, peer, and outside assessment will take place.

While XR technologies provide numerous benefits for people with certain disabilities, the use of XR for instruction also raises concerns regarding how institutions will address accessibility challenges and modification and accommodation requests.

First, many notable advancements for people with disabilities have been made possible through XR technologies, which can provide pathways for students to access or explore previously inaccessible content or engage with their classmates and instructors in unique ways. Institutions may wish to explore some of the following developments when considering service offerings for students with disabilities. In some cases, these could be helpful regardless of the instructional modality:

• Various audio description and captioning applications becoming available on mobile devices
• Live visual interpretation assistance through AR glasses (e.g., Aira)
• Haptic gloves to support visually impaired students in feeling virtual 3D objects
• Other haptic devices for navigating VR environments (e.g., the Canetroller)
• The use of 360 video with VR applications to bring real-world locations and environments to students with mobility difficulties in more immersive and engaging ways

Meanwhile, new accessibility barriers can be created in XR learning environments. As noted in a previous section, it is important to ensure compliance with federal and state disability anti-discrimination laws, such as the ADA, Section 504, and Section 508 (and state "mini 508s"), when offering XR learning experiences. However, as it relates to specific technical standards for digital accessibility (e.g., those in Section 508 and WCAG), the degree to which learning experiences must conform to these standards, which were initially contemplated more for websites and 2D software, may not be fully settled at this time.

XR accessibility challenges are not limited to students with visual impairment or neurological/motor impairments. The use of spatial audio to enhance XR experience (in particular VR) will put students with auditory impairments at a disadvantage. Potential eye discomfort, strain on neck, or simply XR devices capable of accommodating glasses wearers should also be taken in consideration when designing XR-based instructional activities.

In addition to the evolving legal risks, ethical considerations for creating accessible XR experiences should also drive development decisions, and there are emerging standards, best practices, and assistive technologies. For example, W3C, which updates WCAG guidelines that serve as standards for a variety of other electronic and information technologies, has released a unique set of recommendations for XR environments, and its Immersive Web Working Group has been developing more targeted and detailed guidelines in a number of sub-areas, including device API, gamepads, and augmented reality, with additional resources forthcoming. Another helpful source of accessibility resources can be found with XR Access's XR Accessibility Project, which features a continuously updated directory of XR accessibility developer resources, including specific guidelines and tutorials for common platforms such as Unity and Unreal Engine, as well as links to community groups that are active in this space.

Of course, many of the resources listed above involve the application of technical standards and recommendations for content developers, which may be of little help when shared with instructional faculty who may be teaching in XR environments but would not necessarily have a background in information technology or XR design. As is the case with in-person and 2D online learning, incorporating universal design principles and inclusive pedagogy, such as through applying the Universal Design for Learning framework (UDL), can help support digital accessibility efforts while also being more accessible to individual instructors who may be more familiar with instructional best practices than those used in web design, for example. The University of California, Berkeley has compiled several resources on XR from a UDL Perspective, and ideally we will begin to see more research and scholarship exploring both the benefits of XR for UDL and vice versa in the near future. While the above frameworks are a good starting point when addressing accessibility, it should be noted that the developers of immersive experiences and environments are also in the process of developing design principles unique to 3D spaces, which can inform practice.

Institutions should work to integrate XR-specific accessibility considerations into their curricula, electronic and information technologies (EIT) or digital accessibility policies, procurement practices, and support infrastructure. Often, institutions will have interdisciplinary working groups that focus on digital accessibility with representation from IT, disability service units, and various instructional or student support units that have a role in creating accessible materials or instructional support and resource development. If such a working group exists at your institution, representatives may have experience creating or implementing institution-wide accessibility objectives involving a wide range of learning technologies. This would be an appropriate starting point for XR-focused accessibility discussions. Alternatively, starting with a disability services office or an IT unit that conducts accessibility reviews for learning technologies may serve as a good starting point for these conversations.

However, regardless of existing accessibility infrastructure, institutions should strive to identify risks, challenges, and opportunities associated with XR and AR environments and work with accessibility experts, in addition to XR designers and program administrators or initiative leads, to develop new resources, assessment tools, and policies that address both accommodation opportunities and accessibility challenges. Aligning any updates with W3C's recommendations may prove particularly helpful given the prominent role of W3C in influencing technical as well as legal standards for digital accessibility more broadly. Finally, as best practices in accessible XR instruction and UDL in XR continue to be explored, units should support faculty seeking professional development opportunities in this emerging area as a means of mitigating risk in addition to offering pedagogical support.

The metaverse, also described as a network of interconnected immersive worlds, will change the way people learn, socialize, and run businesses in ways we cannot predict. But one thing is certain: it will have a significant impact on society and pose challenging questions in terms of its governance, access, and interoperability. Creating an accessible and inclusive metaverse will require addressing privacy, safety, and security for all members of the public. It will also require that we bring a greater fluency and awareness about the power of these technologies.

As defined by UNESCO in its 2020 policy paper Digital Citizenship as a Public Policy in Education in Latin America:

A digital citizen is able to understand the principles that govern the digital environment, to analyze the place of technologies in society, their impact on our daily lives, their role in building knowledge and their uses for social participation. A digital citizen is able to navigate the complex digital context and understand the social, economic, political, and educational implications. A digital citizen knows how to make a reflexive and creative use of the Internet, both for critical analysis and for democratic participation.

Digital Citizenship implies competences that allow people to access, understand, analyze, produce and use the digital environment in a critical, ethical and creative way.

Higher education will need to take action in developing these critical competencies in staff, faculty, and students. To navigate complex digital worlds, we need to be able to enter not just as consumers but as actively engaged citizens. As more students and faculty meet on immersive and digital platforms, it is fundamental that we ensure their privacy, security, and safety. This will require in-depth understanding, active participation, and engagements with both technology and policy stakeholders. It will also require developing a higher level of awareness within our institutions on these topics and possibly a new set of policies that will govern the institution engagement in virtual worlds and the metaverse. In these sections we have sought to provide a review of the current landscape and critical topics institutions should consider as they build their presence in the metaverse.

XR Collaboration and Social Spaces

Increased adoption of XR instructional technologies will result in an increased demand by students for collaborative virtual spaces. What kind of XR spaces should institutions provide so that students can meet and collaborate outside of class? What should be the policies, guidelines, and processes associated with use and provisioning? To what degree should these spaces be persistent—for the class duration only, or should the space and artifacts remain persistent to enable students to reference artifacts for their e-portfolios?

We should note that many student groups working on a class project will collaborate using non-institution-licensed/sanctioned tools (e.g., Slack/Group.me instead of Microsoft Teams). It is likely that this behavior will extend to XR, and students will use their preferred XR collaboration tool instead of those institutionally provided (e.g., students or faculty using the public instance of Mozilla Hub or the free version of Spatial.io).

Policies, guidelines, and ownership of XR spaces and content will have to be addressed as well, including licensing and distribution rights associated with the digital twins of campus spaces and artifacts. Below is a list of questions that institutions should start to consider as more students and instructors create XR digital content (whether in VR or AR settings) or digitize existing spaces or artifacts:

• Will institutions need to establish policies or guidelines on how instructional XR spaces are created?
• Will instructors have relative freedom in creating these digital spaces? Who will have ownership? The instructor or the institution?
• Will institutions have a library of predefined instructional digital spaces that instructors can choose from or be required to use?
• What kind of ethical, safety, and accessibility considerations should be taken into account?
• Will some form of monitoring or moderation be required (e.g., based on models similar to those being implemented by Facebook for its Horizon platform)?

Institutions should create preliminary guidelines (potentially specific to individual courses, as part of the course syllabus). Eventually, the student handbook and code of conduct will have to be updated. Institutions should consider persistence, backup (snapshots), and export capabilities for spatially created content by students. Digital rights might have to be discussed (for example in the context of architecture instruction when a student uses campus spatial content as a base). As institutions start to adopt XR and create digital replicas of part of their campus (similarly to previous attempts in platforms such as Second Life), they should consider how free speech/respect for the First Amendment will extend to these accurate digital twins, metaversities, or fully reimagined virtual campuses. While not an area of immediate concern, institutions should consider how they might approach the need to create a safe digital public forum area. One specific consideration is how such areas will be accessible to the public (similar to how the public might request access today to an institution's public forum area). It is unclear which policies and guidelines will have to be established to ensure the safe use of this space.

Avatar/Representation

Avatars represent our digital identities in virtual worlds as we play, learn and work in the connected network of virtual environments that we envision as the metaverse. Avatars are undergoing rapid development from simple cartoon characters that float in air to the most recent iterations where some platforms are beginning to incorporate custom features in addition to a set of default options. Increasingly, companies are developing and supporting human likeness avatars that can mirror facial expressions and body movements in virtual worlds. Avatars are critical to fully developed immersive experiences, as our virtual worlds feel empty without the presence of others. Companies like Meta, Nvidia and Unreal Engine are exploring developing human and meta-human avatars driven by AI engines that will not only represent us as our digital twins but also be able to engage with us in powerful ways.

Institutions are faced with multiple questions as they enter the metaverse. Questions to consider: Should institutions have approved features for avatars, including clothing or even a school uniform? Should we assign or provide avatars for our students? Questions have also emerged in terms of representation and the ability to match skin color, hair color, gender, cultural dress, or other important markers that are critical to our identities. Should students be able to choose avatars other than their known gender and ethnicity? Most of today's platforms lack the capacity to fully address many of these characteristics, but companies are working on offering new solutions to address these demands. Should students be allowed to participate in virtual classes or events in any form and garb, or should this be governed by institutional policies? Students enter college to pursue their education and career opportunities, but they often find higher education campuses to be a safe space where they can explore questions about their identity. They do in real life, with the clothing and accessories they wear, and most institutions allow a broad range of freedom. But even on our physical campuses there are situations where policies come into play, such as when a student wears a symbol offensive to others. By its very nature as a digital space, virtual worlds will offer significantly greater freedoms in terms of students representing themselves as avatars. As institutions, we pledge to celebrate diversity and inclusion in our student journeys. In the boundaryless world of the virtual, the questions around avatar representation may be far more challenging from a policy standpoint.

The ability to create a deeply realistic avatar requires advanced technology and expertise. This will continue to change as companies like NVIDIA and Meta heavily invest in making available tools to create virtual avatars and digital humans accessible by most users. This is further complicated by the fact that some avatars in virtual worlds will represent us while others will power virtual assistants, mentors, coaches, and ultimately instructors and administrators. Some of them will represent staff that students can meet both in person and in the virtual world, but others may be meta-humans, NPCs, or AI-driven avatars that will be able to answer questions and provide services. What we see today with AI chatbots on institutional webpages will become a routine performed by AI-driven avatars in the meta university. These nonhuman virtual characters—perhaps as digital twins of actual faculty and staff—have the potential to vastly expand the services an institution can offer. They will also present challenging ethical and philosophical questions. What if a student takes out their frustrations by harassing or assaulting a university NPC avatar? What happens if they react to an authentic avatar in this fashion, having mistaken it for an AI-driven avatar? Many of these questions are beyond the scope of this report, but as a community, higher education needs to actively discuss them. As we move into virtual worlds with realistic avatars that mirror real-life experience, we will face critical issues in our collective future.

Harassment, Discrimination

Preventing and addressing harassment, including student-to-student harassment that may be considered severe or pervasive (or persistent), should be considered a critical priority for institutions regardless of the instructional modality for the educational activity involved. Institution-supported events, social spaces, and communication platforms must likewise be included as part of these efforts.

Social spaces in VR are becoming increasingly popular as more users are able to join synchronously to attend events, explore, hang out, and engage within the virtual space. Unfortunately, reports for examples of harassment have been documented in a variety of platforms, including VRChat, Altspace, Meta Horizons, and games like EchoVR.

On December 1, 2021, Meta shared that a beta tester had posted that she had been groped by a stranger on Horizon Worlds. Upon review, Meta announced that the beta tester should have used a feature called "Safe Zone" that's part of a suite of safety features built into Horizon Worlds. Safe Zone is a protective bubble users can activate when they navigate virtual worlds or feel threatened. The Safe Zone ensures that no one can touch them, talk to them, or interact in any way. It is a feature users can selectively enable.

Harassment refers to a broad spectrum of abusive behaviors of participants in online or virtual environments. In virtual social environments, experiences of harassment can be enabled by features such as synchronous voice chat, feelings of presence and embodiment, and violations of personal space. These are exacerbated by the synchronous nature of social interaction in the virtual world as avatars stand next to each other and voice intensifies verbal harassment.

In the article "Harassment in Social VR: Implications for Design," harassment experiences in social VR falls into three categories: verbal harassment, such as personal insults or hateful slurs; physical harassment, such as unwanted touching or throwing objects; and spatial harassment, such as displaying graphic content on a shared screen.

Following several harassment reports in February 2022, Microsoft shut down the areas in AltspaceVR where users could freely congregate and talk to one another—including Campfire, News, and the Entertainment Commons social space. While events, classes and community group pages continue to exist, there are no longer common spaces for users to simply hang out.

Microsoft also made a small but significant change to its Safety Bubble feature. It is now turned on by default for all users. Participants are automatically muted when they first join an event. In addition, the company has promised to increase moderation and improve event content ratings to supplement those changes. Microsoft now requires users to use a Microsoft account to access AltspaceVR, which lessens the possibility of harassing or antisocial behavior since participants are linked to their real-life identities. As a result of that requirement, parents will now be able to use the company's Family Safety feature and manage how much time their children can spend within the app.

Instances of harassment and discrimination across social VR platforms are well-documented,4 and Microsoft's mix of technical and nontechnical solutions may be a model to consider. Other platforms have increased their moderation activities and/or created safe personal spaces in the form of a bubble around each avatar that users can activate. The spread of harassment in social environments has also prompted users to consider avatars that are less likely to fully reveal their gender or cultural identity. For example, it is well known that avatars of women and people of color tend to encounter greater harassment. Institutions will need to ensure that their virtual worlds are safe places for students and that victims of harassment have ways to report antisocial behavior and seek redress.

Finally, as immersive and embodied experiences continue to grow in popularity and realism, we are likely to see new forms of harassment being invented and tested by users. Developing policy, following proper training protocols for students and faculty, and being proactive and engaged with both the corporate and policy worlds is critical in ensuring safe spaces for students and faculty as we continue to move our campuses and teaching and learning activities to the metaverse.

Need for New Cultural Norms, Policies, and Values

Institutions should start to think about potential issues that will accompany the increased use of digital avatars in virtual worlds:

• How will cultural norms further complicate interactions between students in XR-based environments? Will it be more difficult for students from different cultural backgrounds to understand societal norms, acceptable behavior, and personal boundaries in an immersive VR environment without ever having been on a U.S campus? Should institutions require XR etiquette training as part of courses for XR-only virtual students?
• Will students be permitted to have multiple avatars? Will they be required to have an official avatar they must use when attending XR instructional activities? Will there be an expectation that their official avatar will match their physical appearance versus their desired appearance? (Should I be able to have my avatar looking like an imaginary animal or anime character? What if I use a wheelchair? Should my avatar also use a wheelchair?)
• Alternative policies to a mandatory avatar representation could consider approaches such as limiting the possibility for a student to switch his/her avatar for the duration of a course or at least limiting substantial changes to what would be considered "primary" avatar attributes (e.g., attributes that are deemed necessary to reasonably recognize the student). The latter approach would provide students the ability to change items such as their digital outfit, hairstyle/color. Other approaches may consider limiting the number of avatar changes a student might make during a semester.

Institutions should consider establishing preliminary guidelines regarding the acceptable use of avatars in XR environments used for ongoing instructional purposes. These guidelines should be established in concert with multiple groups, including the Office of Legal Affairs, faculty representatives, and student government bodies. Avatars should also be considered from the data governance perspective, including the potential creation of a specific data domain. Avatar principles and policies should also be established for faculty and instructors, including part-time lecturers.

XR is often associated with the terms "spatial computing" and "spatial web" and related concepts that imagine a future convergence of the physical and digital worlds. This convergence, as noted above, might lead to the partial or full digitization of physical campuses (also known as digital twinning). If so, what are the intellectual property implications for these expansions into virtual worlds? And who owns the rights to a physical institution's digital twin?

XR-digitized data is primarily the result of two situations:

• The creation of point clouds by XR devices when running functionalities such as safety (e.g., to prevent VR users from bumping into obstacles) or when anchoring/positioning a digital object in a physical space. These point clouds are typically created whenever the XR device is in a new space.
• The creation of a 3D digital replica by end users themselves, either using an XR device, a 360 video, or increasingly more commonly, a phone via a photogrammetry or LIDAR-based application.

While point clouds and 3D digital replicas can stay local to a device, they are often uploaded to a cloud for different purposes. One purpose is the creation of a larger digital twin of space to support the anchoring of digital objects in the real work in AR applications. Another common purpose is sharing (and sometimes monetizing) 3D replicas via sharing platforms such as Sketchfab.

It should be noted that some companies (e.g., Niantic) are taking a gamification approach to accelerate AR mapping activities. Incentivization models raise the prospect of students creating 3D accurate digital replicas of inside or outside campus spaces that might become the property of, or grant a lifetime usage license to, a third-party company.

Amid the rapid evolution of digitization technologies and platforms that facilitate and accelerate the creation, sharing, and usage of XR data such as 3D assets, institutions will soon need to think about how to address the intellectual property and copyright considerations under various scenarios:

• Digitization of physical spaces (either public or private) or assets. Examples include (1) digitizing (e.g., creation of a point cloud/digital mesh) campus public spaces, private research labs, or research equipment; and (2) creating 360 videos.
• Creation or use of original digital 3D content in VR spaces or AR-based applications.
• Defacing/degrading property in virtual worlds or in physical spaces through AR (e.g., location-based AR where digital graffiti can be superimposed on a physical space that is invisible without using an AR application or device).
• Defacing or alteration by a third party of a student AR/VR class assignment or project.
• Portability or content persistence of AR/VR assets or content created by students. For example, how can AR/VR content created by students be integrated into a lifetime e-portfolio?

We should note that in some instances these intellectual property considerations intersect with physical safety and the potential need to control or prevent the creation and distribution of digital replicas. For example, what are the safety implications resulting from a student or employee creating a detailed 3D replica of a building using his/her personal device and making it publicly available? Data management and security of digitized assets should be considered as well.

These are difficult questions that some institutions or interest groups have started to explore. Recently, a working group from the Association of College and Research Libraries has started to research "Copyright and Legal Issues Surrounding 3D Data."

Institutions that already have a mature data governance program in place should consider defining data domain(s) and identify data stewards responsible for digital twins and newly created XR digital content. In some instances, they will need to discuss whether to create new data domains or extend the scope of existing ones. For example, the data steward responsible for 2D campus plans or building information modeling (BIM) data could become responsible for any 3D building representation in the metaverse. These discussions will need to involve different stakeholder groups, including Enterprise Risk Management and Office of Legal Affairs, to discuss access and control mechanisms regarding the dissemination of campus digital replicas. In addition, institutions should look at leveraging and extending their existing filming and photography policy.

These intellectual property questions do not limit themselves to 3D assets related to spaces or physical objects. They extend to our own digital representations or identities in the metaverse. New tools or platforms are emerging to let us create, manage, and use our avatars across multiple metaverse ecosystems. However, do we truly control and own these digital representations of ourselves? Consider the avatar platform Ready Player Me. A review of the end-user agreement, and in particular Section 13 on "Intellectual Property," highlights the fact that an end user does not own the avatar created. Rather, use of this identity by the individual is provided only as part of a non-exclusive license:

13. INTELLECTUAL PROPERTY

13.1. The intellectual property rights to the Services, data, methods and processes based on which the Services are produced, including the Avatar itself, shall vest in and remain the sole and exclusive property of Wolf3D, unless expressly stated otherwise in these Terms.

13.2. Hereby we grant you a non-exclusive, non-transferable, non-sublicensable worldwide license as per the term of the agreement entered into by you and us under the Terms to use the Platform, including the right to customize the Avatar.

13.3. Hereby we also grant you a non-exclusive, non-transferable, non-sublicensable worldwide license for the full period permitted by law to use any Avatar(s) created by you on the Platform. The use of the Avatar(s) is subject to the conditions of clause 7 of the Terms.