Age Verification Feedback

https://kotaku.com/discord-palantir-peter-thiel-persona-age-verification-2000668951 Thiel is the majority owner of persona the age verification provider for vrchat and he has been seen in the epstien files. https://en.wikipedia.org/wiki/Peter_Thiel Not only that, he has a notorious history of privacy violations and is currently helping ICE agents with the capturing of families and american citizens. I implore the devs to seek a new verification provider as association with somone like that puts the trust users have in vr chat at risk.

VRChat has determined Persona can be trusted with a photo of your face and government ID. Persona is a VC-backed (arguably "tech bro") San Franciscan tech startup that's only existed since 2018. They operate out of a shared space behind a bar: https://maps.app.goo.gl/t5ebyhr9oTUhupMf9 Their privacy policy says (as I read it) that they explicitly have permission to take your personal information (selfie, photo of your government ID) and store it for years, and can and will send it to "vendors, agents...companies we've hired to provide customer service support..." and to "law enforcement [and] other government agencies." They say they'll use your personal information "to understand you and your preferences to enhance your experience and enjoyment" and for the purposes of "marketing, including to communicate with you about new services, offers, promotions, rewards, contests, upcoming events, and other information about our services and those of our selected partners..." and for "advertising, including display [sic] advertising to you..." Their privacy policy site also uses clickjacking to prevent you from copying the text of their privacy policy: https://withpersona.com/legal/privacy-policy These doesn't seem like the actions of a legitimate and trustworthy company, and there aren't enough guarantees that you won't be literally doxxing yourself. PII is extremely valuable and there's an entire industry of brokers that facilitate the sale and transfer of people's personal information--not to mention the risk of hacking, accidental disclosure, or a new and untrustworthy company being sloppy or reckless. These days AI can train off a photo of your face, and scams and identify fraud are extremely common. Personally, the only times I've had to provide a photo of myself holding an ID are for once-in-a-lifetime financial transactions. Never for a video game or social media. VRChat is willing to take the chance of making this de-facto-mandatory (i.e., the community normalizes it and it results in a greatly degraded experience if you don't comply)? The ask is a severe imposition and an invasion of privacy without adequate concern that the chosen data broker is trustworthy. Even the announcement incorrectly claimed your PII would be handled in accordance to the GDPR, but the company is actually based out of California, where regulations are far less strict, and fines far less burdensome.

The automated system Persona uses fails to identify any form of ID I provide. Despite using every form of ID that’s available to me and trying it under different lighting conditions I get the same result. This system seems to have no way of falling back on some other form of age verification. The extent of customer support I’ve gotten on this subject so far is being told to try again. Are there plans to provide alternative methods of age verification so that people don’t get unfairly excluded through no fault of their own?

They scan your ID against 250+ sources, not to mention keeping a record on you for years after you verify, while having your whole ID and SO many data breaches.

While age verification seems to be a requirement in the age of the modern internet, persona as a company has shown they cannot be trusted with user data, especially with a recent breach in privacy. This breach has even resulted in discord dropping it as vendor. Not only has persona had that breach, it has collected data and has been accessed by things LIKE openAI and puts people on a WATCH LIST. Please, vrchat, if you care about your userbase's safety and the longevity of your platform, it is genuinely in your best interest to find another means to age verification. This is an invasion of user privacy, and while I can respect wanting to maintain safety for adults and minors, there has to be an alternative to persona! sources: https://cybernews.com/privacy/persona-leak-exposes-global-surveillance-capabilities/ https://www.therage.co/persona-age-verification/

An idea that could potentially be an alternative for age verification or the Persona service, is having VRChat create a downloadable and printable form with minimal PII, which can be filled out, and taken to a notary public and have notarized. While this process is not instantaneous like Persona, it can offer more minimal and secure handling of identifiable information. (Please also offer these forms in different languages; thank you)

Please allow ID's where unneeded information can be blurred/redacted. Since I am from The Netherlands, this is even required by law. I see no problem in accepting redacted ID's, since they still provide more than enough proof of age, while maintaining the user's privacy against companies who abuse your data.

The intent is to ensure VRChat's dev/PR team see's this post and its info regarding Persona Identities, inc. The private third party Age Verification security company. I've an active post in the discord 'community support' channel posting about concerns and linking information on persona and why I don't believe they should be trusted with PII (Personal Identifying Information): https://discord.com/channels/189511567539306508/1461769866544545964/1461769866544545964 Persona Identities has repeatedly demonstrated it needs the upmost scrutiny when going over their service. Something VRC's dev team is adamant they are doing. I believe VRC when I say they demand no data be held longer than the confirmation process. What I don't believe is how faithful Persona itself is when carrying out that request. They're already facing a lawsuit for misappropriating PII (WASHINGTON v. PERSONA IDENTITIES INC (2024)): https://caselaw.findlaw.com/court/il-court-of-appeals/116477461.html They have a major investment from the Founder's Fund, a project co-founded by Peter Thiel, who additionally co-founded PayPal and Palentir Technologies. (Here's an in depth video about what that is a concern, but keep in mind this vid focuses on Discord's potential partnership with Persona, not VRChat's): https://www.youtube.com/watch?v=qhxsE8dvbs4 archived link suggested by ArtemisFowl4465: https://preservetube.com/watch?v=qhxsE8dvbs And most recently, an independent 'Security Researcher' (or hacker), Vmfunc, found a weakness in some of Persona's software testing methodology, in which they located source code in a publicly accessible location online. (Fair warning, the blog itself is very 'internet' themed): https://vmfunc.re/blog/persona At first this wasn't super credible on its own, a blog post and some social media posts by the same individual. But then the Persona CEO, Rick Song, responded to Vmfunc publicly on twitter, denying the suggested intention of the found source code, stating it was unimplemented and for testing purposes. Which unfortunately for persona does confirm the blog's claims on WHAT was found, and the fact that it was not secured. A few LinkedIn posts regarding the story: https://www.linkedin.com/feed/update/urn:li:activity:7429960436453666816/ https://www.linkedin.com/posts/alon-gal-utb_persona-ceo-rick-song-responds-to-watchlist-share-7430290736115236865-SaTa/ with a final public follow up from vmfunc to Rick on twitter: https://twitter.com/vmfunc/status/2024433404683374921 Journalist sites are picking up on the story but its really only cybersecurity news sites at the moment, some more reputable than others: https://cybernews.com/privacy/persona-leak-exposes-global-surveillance-capabilities/ Just to be clear with anyone, User/Mod/Dev, reading this; I am not an authority figure on cyber security, most of my relevant experience is working for financial software devs that had to comply with government regulations in order to offer services to banks and other financial institutions. So I get how much and how little an individual company can do in the face of gov regulations. ALSO, I want to note regarding potential alternatives or solutions to these concerns: I DO understand that there are currently government regulations in multiple countries that require Gov ID or Biometrics for Age Verification, so I know private companies like VRC's devs aren't in a position to outright refuse compliance without being banned in, or legally pursued by, those countries with said regulations. But it's a lose/lose situation because I've yet to see or hear about a trustworthy age verification service. Personally I'd like to see more public push back against these gov regulations, and companies rolling out global systems in response to said countries, beyond what's already being done. (But believe me, there's a LOT of things that currently need public resistance on right now, so I understand that it's not something that's gonna see a huge unified push overnight.) I'm not against Age Verification, for MANY reasons I do support it. But we don't get the luxury of living in a world where PII can just be sent over the net without it risking being abused by bad actors and authority figures alike. So age verification without compromising personal information and privacy is the goal we all need to be pushing for in what ways we can.

In the Netherlands, organisations are only allowed to ask for a full, unobscured ID when their situation is specifically permitted by law. Otherwise, either the user or organisation has to block out the BSN and passport photo. Does the process abide by these rules by blocking out said information before further processing or allowing the user to upload an image processed by KopieID? Or is there some sort of exception, making it that these rules don't apply for this use case? I'm looking forward to getting access to this feature, but don't want to run into issues because non-compliance causes stuff to be blocked or whatever. (See: https://www.autoriteitpersoonsgegevens.nl/en/themes/identification/passport-and-identity-card/copy-of-your-id-what-can-you-do#copy-id-without-statutory-obligation ) Watermarking is also recommended to minimise risk, unless a clean copy is required by law, but this is not mandatory, so that does not worry me that much.

Per the updated FAQ for the announcement of Age Verification, I would like to suggest a hard limit of at least 1 or at most 2 alts who are eligible for the same age verification. People may have alts for various reasons, some being that they may not want people who know their main VRC account name (especially if that name exists outside of VRC on other platforms) and may not want to engage with the more hardcore gated content (cough18+STUFFcough) for fear of other users maliciously looking them up and then harassing them on other platforms or even irl. I realize that may be an extreme example, but I can imagine I am not the only one who has their VRC name as their other socials and tries to keep it as professional as possible especially those that are creators. And while you could just say... "Well. Then just verify your alt account." ...and I could just do that, but what if in doing so I lock my main account off from my favorite worlds and or avatars should those world/avatar creators put their creations behind Age Verification gates. I apologize in advance if this was hard to follow, I'm not the best at articulating my words, so I hope this made some sense... I would just greatly appreciate being able to keep my main and an alt with the same amount of access and not feel like I have a baby gate in my way on one or the other despite being a fully grown adult. -_-