Oct 05 2023

Schools Can Protect Student Privacy in Augmented, Virtual and Extended Reality Tools

Before implementing these powerful learning technologies, schools should make it safer for students to use them.

In some modern K–12 classrooms, students can travel to Egypt to explore the pyramids or treat patients in hyper-realistic simulations of medical environments, all without leaving their classrooms.

Augmented, mixed, virtual or extended reality technologies make these scenarios possible. They use realistic 3D graphical interfaces that allow students to deeply immerse themselves in learning like never before. While these newer technologies serve as powerful learning tools, sometimes K–12 schools focus first on implementation without considering the security implications.

However, immersive technologies should be treated like any other application on a school’s network, and IT teams should have a plan in place for securing them. Here are some ways to ensure the safe enjoyment of these technologies.

Click the banner below to learn how to increase your ransomware recovery capability.

Safely Use Immersive Tech with Help from Security Tools

If schools are going to host these tools on their networks, they should treat them like any other technological device and vet them before giving them access. Bad actors can hijack immersive tools to backstep into a school’s network and gain access to private information that lives in places such as student information systems. 

Schools should consider installing endpoint detection and response software that can monitor and detect anomalies and then lock down any tools — including immersive tools — that pose a threat. Schools should also ensure that all of these devices are behind firewalls and that they are locking down ports and locking down access.

Secure Account Habits Protect Student Data in Case of Cyberattacks

Schools must set up student accounts in such a way that even if the accounts were infiltrated, students’ information would remain safe. That might mean not using students’ last names or sharing their addresses.

If educators are using a VR headset, for example, IT could configure the headset so that it locks every hour and forces new users to sign in to use it. This might seem a bit extreme. However, nefarious things can happen when schools allow unfettered access to any school-issued device; for example, unregistered users can go into someone else’s account and assume their identity for cyberbullying or engage with inappropriate materials. IT staff should also have a master list of passwords so they can access these devices and programs if needed.

RELATED: Learn about the four phases of a cybersecurity strategy that schools must implement.

Technology and Configuration Audits Can Ensure Device Security

Consistent technology audits are always a good idea. Once these tools get into the hands of our students, we may not always be aware of what programs they are using. Students are curious, and even if they are using learning components from National Geographic, they could also just as easily be using school technology to play a video game.

Periodic reviews can make IT and teachers aware of when a student is using a school device in an inappropriate manner and help them lock it down. Similarly, configuration audits can ensure that devices are properly secured and set proper user permission levels.

Such audits should also prompt schools to update their policies so that only administrators can download new programs onto school-owned devices.

Include Immersive Technology in All Incident Response Plans

Unfortunately for K–12 schools, a cybersecurity incident is not a matter of if, but when. In a recent Sophos global survey, 80 percent of K–12 respondents reported being victims of a ransomware attack in the past year.

With this information in mind, schools should update their incident response plans to reflect immersive technology use. Having a documented plan of how to prepare for an incident involving these types of technologies will mean IT can take quick action when needed.

WATCH: Here’s why schools should bring more people to the table for incident response planning.

Develop Student Data Privacy Policies Compliant with Federal Laws

Student information always needs to be protected first because it’s the last virgin information on the planet. If a student gets their information stolen or if someone uses a student’s identity, we probably won’t know about it until after they turn 18 and start collecting on their credit scores. So, keeping information private for their physical, emotional and financial safety is very important.

Under the Family Educational Rights and Privacy Act, schools are obligated to protect student data, which means they must limit the amount of data they share with third parties. As part of creating a safe learning environment, some schools have developed student data privacy policies that comply with FERPA for their IT vendors and other third parties.

Restrict Student Access to Immersive Tech to Responsible Users

Schools have a responsibility to keep children safe while they are at school. One way to do that is to reduce the likelihood of them unknowingly sharing sensitive information with outsiders. More schools are creating digital citizenship curricula that teach students how to safely navigate the internet.

Schools should also create an agreement that students and parents must sign before they start using these tools. The agreement should cover topics such as not sharing passwords, not cyberbullying and not using the device inappropriately, and should include consequences for breaking the agreement.

LEARN MORE: Here’s why schools should do a Google Workspace for Education audit.

Inform Parents of Their Right to Choose What to Share

In addition to signing a behavioral agreement for their student (s), parents should also be informed about how their child’s information could be used on these immersive technologies, especially when it comes to privacy.

According to research published in the International Journal of Computer-Supported Collaborative Learning, “[extended reality] technologies open up a range of learning affordances through their ability to immerse learners in digital worlds and to track learners’ body movements on digital displays.”

Knowing this, parents should be properly informed of what kind of information immersive tech might retain. Some parents may not be comfortable with their children being in the metaverse, for example, and using avatars that look like them. Others may be okay with sharing only their student’s first name and initial on these platforms.

Schedule a Small Test Before Giving Immersive Tech the Greenlight

Bringing immersive technologies safely into schools will be a learning experience for everyone, not just for teachers and students but also for IT teams. Some educators take extra precautions and download the programs onto headsets so students don’t use them live on the internet. Other schools might access immersive technology exclusively on laptops, and this may mean giving students live access to the internet.

However, the smartest approach for introducing any kind of technology, no matter the type, is to conduct a small test. Schools can have five to 10 students try out new immersive technologies for a month. This will allow IT to see what issues pop up and give them time to make corrections or adjust configurations. These tests shouldn’t end with a breaking-in period. Schools need to constantly learn from their technologies so they can be ready to face any security challenges.

This article is part of the ConnectIT: Bridging the Gap Between Education and Technology series. Please join the discussion on Twitter by using the #ConnectIT hashtag.

[title]Connect IT: Bridging the Gap Between Education and Technology

Stígur Már Karlsson /Heimsmyndir/Getty Images

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT