What Colleges’ Contracts for ‘Metaversities’ Leave Out

This fall, hundreds of students across 10 colleges will join a small but growing cohort nationwide that is attending class in another dimension — the digital one.

What does that mean, exactly, for their data privacy?

To find out, The Chronicle analyzed university-vendor contracts, obtained under the Freedom of Information Act, from five of the institutions that plan to pilot “metaversities”: digital, immersive replicas of their campuses that dozens of their students will visit and even attend classes in, using virtual-reality headsets.

Our analysis unearthed inconsistencies in the provisions the contracts outlined for data privacy and security. It also found no mention of two third-party companies — one of which is Meta, Facebook’s parent company and a tech conglomerate not historically known for best practices in this realm — that will be collecting various pieces of student data during the two-year pilot.

The Oculus Quest 2 virtual-reality headsets that Meta is providing free, for example, require Facebook accounts, and are capable of collecting data such as location, information about a students’ physical features and movements, and, in some cases, recordings of their voices.

Legal experts and data-privacy advocates told The Chronicle they weren’t necessarily surprised by these findings. These are nascent partnerships that may be refined after the pilot, they said. The main contractor, VictoryXR, has also confirmed that it isn’t privy to students’ educational records.

Those experts do, however, worry that variances in the contracts indicate an increasingly common occurrence in higher ed: Colleges embarking on new ed-tech ventures with an incomplete understanding of what the technology can ultimately glean about their students, especially when numerous private entities are involved.

It’s not that institutions are “totally asleep at the switch,” said Jacob H. Rooksby, dean of the Gonzaga University School of Law. But it is possible that, in a case like this, “institutions aren’t thinking about these things … and that’s a problem.”

Privacy experts told The Chronicle that such an awareness is essential, both for students’ protection and to safeguard institutions’ reputations, before more widespread adoption of new ed tech like these metaversities. They said colleges also have a moral obligation; the onus should not fall solely on students to be their own data advocates.

Further Reading

Privacy “needs to be at the forefront of considerations as schools are embarking on new, exciting technology to educate their students,” said Cody Venzke, senior counsel for the Equity in Civic Technology Project at the Center for Democracy and Technology, which works to promote democratic values in tech policy. “Not something that is an afterthought, or that waits until after there’s a controversy.”

As public outcry against tools like online proctoring and Covid tracking has revealed, there’s a lot to gain from transparency and being proactive, advocates added.

“It might not be a fire right now,” said Jason Kelley, associate director of digital strategy at the Electronic Frontier Foundation, a nonprofit championing user privacy. “But there’s some embers smoldering.”

The Chronicle filed public-records requests for all contracts and data-privacy agreements pertaining to the metaversity pilot, which includes 10 colleges. Five of the colleges responded by the deadline, each providing a single document: A contract with VictoryXR, a VR educational-product company that is designing each institution’s digital replica with more than $500,000 in funding from Meta.

One provision Venzke was happy to see: All of the contracts “made very clear that the schools retain ultimate ownership” of any data generated from the partnership.

The contracts diverged from there. While legal experts agreed that the University of Maryland Global Campus and California State University-Dominguez Hills had fairly robust contracts — one technology lawyer noted that the CSU campus’s 16-page contract is, perhaps, even a bit over the top — the three others The Chronicle reviewed were comparatively vague.

For example, Southwestern Oregon Community College and West Virginia University’s contracts don’t explicitly mention any cybersecurity measures or instructions for reporting a data breach. The education sector was a top target for cyberattackers in 2021, with the average number of weekly attacks spiking 75 percent from 2020, according to research by Check Point Software Technologies.

The two also make no mention of applicable federal, state, or local privacy laws, such as the Family Educational Rights and Privacy Act. These laws apply regardless of whether they’re mentioned in a contract, lawyers noted; still, they said it’s good practice to mention them, as a way to set expectations and hold vendors accountable.

South Dakota State University, in its contract, also granted VictoryXR the unrestricted right to use any information produced as a result of VictoryXR’s services “in the normal course” of its business “for any lawful purpose” — language that lawyers said is common, but nonetheless “squishy” and open to interpretation.

The Chronicle asked Southwestern Oregon Community College, and South Dakota State and West Virginia Universities, for comment. South Dakota State wrote that “it complies with all laws and all policies on Ferpa, and other IT security policies apply.” West Virginia University similarly stated that it “follows federal, state and local laws”; the institution is also reportedly one of more than 150 colleges that uses the Higher Education Community Vendor Assessment Toolkit to measure vendor risk. Southern Oregon reiterated that students’ education records are not accessible to third-party providers in this case.

The differences across the contracts could be attributable to a host of factors, experts said: A college’s own data-governance policies, and relevant state laws (see the California Consumer Privacy Act of 2018). Resources, and the number of general-counsel staff on hand to review contracts. The presumed lower stakes of a pilot project, and a price tag that, in the contracts The Chronicle reviewed, falls between $12,000 and $40,000.

Broadly speaking, especially if a new, exciting venture is generating community buzz, colleges’ main priorities are likely to be “to get to ‘Yes,’” said Jeff Knight, an education lawyer at Bricker & Eckler LLP. “They’re trying not to be a blocking agent.”

Indeed, virtual reality and metaversities have begun piquing institutions’ interest as dynamic, immersive options for remote and hybrid learning; the website Cointelegraph reported just this week that Arizona State University had submitted trademark filings that suggest intentions to offer virtual classes in the metaverse. Students in the metaverse can do things like explore historical settings or perform a mock dissection, miles from their college’s campus.

The broader educational value of virtual reality is still an open question, though officials at Morehouse College in Atlanta — which started its first metaversity iteration in 2021 — say they’ve seen promising results: Students in a spring-2021 VR world-history course, for example, had final grades 10 percentage points higher, on average, than peers taking the course face to face.

Steve Grubbs, founder and chief executive of VictoryXR, told The Chronicle that the privacy of students’ information is important to his company and its ethos. For this particular project, he said, VictoryXR has access to students’ email addresses, along with their names if they choose to provide them.

While that could change after the pilot, VictoryXR’s business model “does not make money from selling data,” Grubbs wrote in an email. “The collection of data only increases our liability risk trying to house it. There’s no value for us to take on that risk.”

So does that mean a simple contract that doesn’t emphasize data privacy is actually OK? From a purely legal standpoint, perhaps. But advocates say “legally sufficient” shouldn’t be the goal if a university wants to build community trust and enthusiasm for a new enterprise.

Students’ trust, after all, isn’t guaranteed when it comes to data use. In a 2020 Educause survey, fewer than half — 49 percent — said they trusted their college to use their personal data ethically and responsibly.

Their willing participation will be a critical part to these pilots’ success.

“Showing that, as a university, you’re being thoughtful about ed-tech data collection shows that you are doing more than, let’s say, the college next door to protect your students’ safety,” Kelley, of the Electronic Frontier Foundation, said.

Perhaps just as interesting as what the contracts don’t say about data is what they don’t say about the corporate entities connected to the pilot.

While VictoryXR is designing the digital replicas of the college campuses, two other companies’ names are peppered throughout the news releases about the new metaversities.

One is Engage XR, which is providing the underlying code that powers the platform on which VictoryXR is building the digital campuses. (Students participating in the metaversities will create accounts with Engage XR.)

The other is Meta, which is investing heavily in the future of virtual reality and the “metaverse” as user growth on its existing social platforms stagnates. Thanks to its funding to VictoryXR, participating colleges have to pay only for student and administrator licenses, which are in the ballpark of $135 and $330 per year, respectively. It’s also providing about 50 free Oculus Quest 2 headsets to most of the colleges.

Both entities have their own data policies that users read and agree to.

Despite making clearer in recent years what data it amasses and how users can manage their information, Meta is still mired in public distrust surrounding its collection and use of data (one Forbes contributor referred to it as “a data-hungry ad giant”). In 2021, the company paid $650 million to settle an Illinois lawsuit that alleged that it had harvested the facial-recognition data of tens of millions of state residents (it’s now facing a similar lawsuit in Texas). The tech-investigations nonprofit The Markup also reported in April that code embedded on the FAFSA website had been sending data to Facebook.

The reality is that people and their data “are the product,” Rooksby said. “That’s kind of lurking in the background of all of these contracts.”

Legal experts acknowledged that, practically speaking, institutions aren’t expected to hold separate contracts with every third-party vendor that touches a project, if those vendors are not providing the service in question and do not have access to institutional data, such as Ferpa-protected student educational records.

But, they added, it’s also not smart to overlook them, given their data-collection capabilities.

Engage XR requires a first and last name, email address, and password to create an account (from there, students can activate their VictoryXR-provided license). The company’s data policy notes that other data it may collect include a user’s IP address and purchases made on the platform. Grubbs noted that the company, which VictoryXR contracts with separately, follows the European Union’s General Data Protection Regulation, widely considered to be comprehensive privacy law.

According to Meta’s data policy and supplemental Oculus data policy, the company and its products gather, among other things:

• Information about “the people or accounts you interact with”
• “Location-related information”
• “Information about your environment, physical movements, and dimensions when you use an XR device”
• “Recordings and transcripts of your voice interactions” (users can opt out of this one)

Even if contracts with every third party aren’t deemed necessary, legal experts like Knight, the education lawyer, said colleges still need to research the “data flow” of all elements of a project before greenlighting it.

Rooksby said there’s “a duty,” too, for colleges “to educate their students about the ramifications” of using the social media platforms or technology they’re being asked to use.

Contracts in general, Rooksby added, should be explicit, with clear statements describing what the college has to gain through a given partnership, what could be at risk, and how it’s shielding against that risk.

These contracts should say, “We think this is educationally valuable — that’s why we signed it — but … we’re not going to be ignorant to the fact that, really, why” vendor partners “are interested in this is they’re interested in you, students. They’re interested in what you see, do, think, feel, say, etc.,” Rooksby said.

Students do have a few options if they don’t want to use Meta headsets, Grubbs said. VictoryXR’s products are compatible with other headsets, such as HTC Vive (it should be noted, though, that it is almost exclusively Quest 2 headsets that the participating institutions are receiving free). Students will also be able to access their metaversity via a web browser, though Grubbs acknowledged that “It’s definitely a better experience” using a VR headset.

He confirmed that VictoryXR has no side contract with Meta. “It was important to me … that they put no restrictions on what we did,” he said. “They just said, ‘We want you to use this grant to build the metaversity community in higher education in the United States’ — so we did. … It has been a very positive relationship thus far.”

At least in Morehouse College’s case, students up to this point “have not been overly concerned about using Facebook, primarily because that is not the social-media site of choice for their generation,” Muhsinah Morris, the college’s virtual-reality project director, wrote in an email. “They feel like it’s more of an educational tool versus a place where their private lives are displayed. “