Age Verification Feedback

Share feedback about Age Verification. DO NOT POST YOUR ID OR INFORMATION HERE.
Persona requires too much sensitive data
The age verification service "Persona" requires an entirely unredacted government-issued identification to grant verified age status for VRChat. I find this unacceptable. In my case, in exchange for VRChat receiving verified age information, Persona receives my: Name, first and last, Address, Driver's License Number and class, Sex, Height, Weight, Eye colour, Hair colour, Signature, and barcodes that can be used to find the same or more information about me. All so VRChat can have the one data point on the card they care about: Date of Birth. I will make concessions for the use of Height, Weight, Eye colour, Hair colour, and the photo on the ID with an accompanying self photo for the sole purpose of verification. The balance of what is required versus what is ultimately used is egregiously skewed. And while VRChat's contract with Persona stipulates that any identification data obtained by Persona must be deleted upon completion, there is comparatively little risk to Persona keeping the wealth of information illegally. Should a breach occur, users that have had their personal data exposed would be left fighting for the rest of their lives against Identity theft and fraud, while Persona would likely only be served a monetary fine. The risk versus the reward is far too unbalanced against the user. As for how likely it may or may not be that Persona is holding such data illegally, I would like to make note that Persona is based in the United States of America, and you don't have to look very hard to find the state of professional accountability for wealthy companies backed by powerful people in that country. Suffice to say that I do not trust Persona with my identification information, and am upset that the age verified features will be unavailable to me due to this. I implore VRChat to consider other avenues of age verification that do not require such extreme overreach of personal data collection. Regards -Aranethon
0
Why is Persona deemed to be trustworthy?
VRChat has determined Persona can be trusted with a photo of your face and government ID. Persona is a VC-backed (arguably "tech bro") San Franciscan tech startup that's only existed since 2018. They operate out of a shared space behind a bar: https://maps.app.goo.gl/t5ebyhr9oTUhupMf9 Their privacy policy says (as I read it) that they explicitly have permission to take your personal information (selfie, photo of your government ID) and store it for years, and can and will send it to "vendors, agents...companies we've hired to provide customer service support..." and to "law enforcement [and] other government agencies." They say they'll use your personal information "to understand you and your preferences to enhance your experience and enjoyment" and for the purposes of "marketing, including to communicate with you about new services, offers, promotions, rewards, contests, upcoming events, and other information about our services and those of our selected partners..." and for "advertising, including display [sic] advertising to you..." Their privacy policy site also uses clickjacking to prevent you from copying the text of their privacy policy: https://withpersona.com/legal/privacy-policy These doesn't seem like the actions of a legitimate and trustworthy company, and there aren't enough guarantees that you won't be literally doxxing yourself. PII is extremely valuable and there's an entire industry of brokers that facilitate the sale and transfer of people's personal information--not to mention the risk of hacking, accidental disclosure, or a new and untrustworthy company being sloppy or reckless. These days AI can train off a photo of your face, and scams and identify fraud are extremely common. Personally, the only times I've had to provide a photo of myself holding an ID are for once-in-a-lifetime financial transactions. Never for a video game or social media. VRChat is willing to take the chance of making this de-facto-mandatory (i.e., the community normalizes it and it results in a greatly degraded experience if you don't comply)? The ask is a severe imposition and an invasion of privacy without adequate concern that the chosen data broker is trustworthy. Even the announcement incorrectly claimed your PII would be handled in accordance to the GDPR, but the company is actually based out of California, where regulations are far less strict, and fines far less burdensome.
36
This isn't age verification so much as it is identity verification
It will always be worth restating no matter how many times or in how many ways it's said. Privacy isn't just some word bad people hide behind. Trust and safety should apply to all users. I'm not going to presume VRChat's need to perform identity verification as part of their strategy. I'm just throwing my opinion in that the level of data sharing is excessive for the goal of age verification and creating a reasonably safe environment. Laws can change or be broken. Policies can be quietly ignored. People can be put at risk through no fault of their own. I'm of the opinion that platforms like VRChat have a responsibility to implement these systems in a way that maximizes and maintains privacy. VRChat are the ones that want to own the platform after all - rather than letting users self-host or federate. The level of trust that can be put into the 'trust me bro' assurance that PII or other personal data artifacts are handled appropriately is paper thin. VRChat's choice of partner has (rightfully) come into public view on multiple occasions for exactly the wrong reasons. VRChat has become an important social outlet for me. My group has taken to mostly use 18+ instances regardless. So now I become a burden if I'm to be included (not a great feeling). I can only speculate other groups are the same. Meaning verification is all but necessary to even participate and will probably get worse once content gating is in. Making the verification process a matter of coercion rather than purely of consent. I sincerely hope VRChat comes up with a more appropriate solution.
0
Persona and All Third-Party ID Age Verification Services Are a Huge Risk to Data Privacy and Cybersecurity
To put this plain and simple to start: The idea of verifying one's age to gain access to more secure and moderated groups and instances sounds like a good idea at first. However, your current method of age verification (Persona, and frankly any 3rd-party ID Verification service) is, and has already proven to be, an incredible risk to everyone's data privacy and cybersecurity. (Now onto the lengthy part) Persona has been recorded gathering more information other than Age such as: name, address, gender, marital status, and similar demographic details, Social Security Numbers, IP address, device type, your device’s operating system, browser, cookie and device identifiers, and other software including type, version, language, settings, and configuration, geolocation data such as city, state, and country, etc. Persona also has ties to the government data analytics company Palantir. Persona has also been caught building profiles on users and sharing said profiles with the US government and government organizations such as ICE, even having a flagging system to flag users that seemed suspicious. It was also discovered that 269 different checks were used for verification, including things like phone carrier queries and death record matching, and with their privacy policy hiding these checks under vague terms like "public government documents". So this all means that even though Persona says that all data is deleted within the first 3 days (or in some cases, up to 3 years), that data has already been passed off to third-party partners and the US government and does not get deleted. To further prove my point, Other age verification services have had multiple mass breaches of personal information, such as pictures of IDs, Biometric Face Scan data, and more. For example: Infutor, which had a massive data breach where 676,798,866 unique American citizens (including deceased persons) had their data exposed, including full names, date of birth, addresses, cities, state, ZIP codes, phone numbers, and social security numbers. IDMerit also had about 1 billion personal records leaked throughout the world. I am completely unwilling to put my personal data and cybersecurity at risk for a little logo that tells others that I'm over 18. But I believe that there are possible, safer alternatives for age verification My first thought for alternatives is, of course, manual age verification checks performed by VRChat's safety team. This is obviously never going to happen because this would take forever, hiring enough staff members to review all of these age verification requests would be too expensive, and this also comes with security risks. So my next Idea is credit card-based age verification. This is, in my opinion, the best of both worlds. The majority of countries across the world require you to be at least 18 years of age to get a credit card, and currently, you need to have an active VRC+ membership to age-verify. There could very well be a system where if the user pays for a VRC+ membership using a credit card, then they become automatically eligible for the age-verified status. This is personally how I would like to verify my age. I don't currently have a credit card, but I am willing to wait until both I have a credit card and until you get a system like this put in place. But until that day comes, I will never age-verify using Persona or any other ID Verification service. I hope you take everything that I have said into serious consideration moving forward.
1
Load More