Age Verification Feedback

Share feedback about Age Verification. DO NOT POST YOUR ID OR INFORMATION HERE.
Why is Persona deemed to be trustworthy?
VRChat has determined Persona can be trusted with a photo of your face and government ID. Persona is a VC-backed (arguably "tech bro") San Franciscan tech startup that's only existed since 2018. They operate out of a shared space behind a bar: https://maps.app.goo.gl/t5ebyhr9oTUhupMf9

Their privacy policy says (as I read it) that they explicitly have permission to take your personal information (selfie, photo of your government ID) and store it for years, and can and will send it to "vendors, agents...companies we've hired to provide customer service support..." and to "law enforcement [and] other government agencies." They say they'll use your personal information "to understand you and your preferences to enhance your experience and enjoyment" and for the purposes of "marketing, including to communicate with you about new services, offers, promotions, rewards, contests, upcoming events, and other information about our services and those of our selected partners..." and for "advertising, including display [sic] advertising to you..." Their privacy policy site also uses clickjacking to prevent you from copying the text of their privacy policy: https://withpersona.com/legal/privacy-policy

These don't seem like the actions of a legitimate and trustworthy company, and there aren't enough guarantees that you won't be literally doxxing yourself. PII is extremely valuable and there's an entire industry of brokers that facilitate the sale and transfer of people's personal information--not to mention the risk of hacking, accidental disclosure, or a new and untrustworthy company being sloppy or reckless. These days AI can train off a photo of your face, and scams and identity fraud are extremely common. Personally, the only times I've had to provide a photo of myself holding an ID are for once-in-a-lifetime financial transactions. Never for a video game or social media.
VRChat is willing to take the chance of making this de facto mandatory (i.e., the community normalizes it and it results in a greatly degraded experience if you don't comply)? The ask is a severe imposition and an invasion of privacy without adequate concern that the chosen data broker is trustworthy. Even the announcement incorrectly claimed your PII would be handled in accordance with the GDPR, but the company is actually based out of California, where regulations are far less strict, and fines far less burdensome.
VRC's awareness of Persona's problematic aspects.
The intent is to ensure VRChat's dev/PR team sees this post and its info regarding Persona Identities, Inc., the private third-party Age Verification security company. I've an active post in the Discord 'community support' channel posting about concerns and linking information on Persona and why I don't believe they should be trusted with PII (Personal Identifying Information): https://discord.com/channels/189511567539306508/1461769866544545964/1461769866544545964

Persona Identities has repeatedly demonstrated it needs the utmost scrutiny when going over their service. Something VRC's dev team is adamant they are doing. I believe VRC when they say they demand no data be held longer than the confirmation process. What I don't believe is how faithful Persona itself is when carrying out that request.

They're already facing a lawsuit for misappropriating PII (WASHINGTON v. PERSONA IDENTITIES INC (2024)): https://caselaw.findlaw.com/court/il-court-of-appeals/116477461.html

They have a major investment from the Founders Fund, a project co-founded by Peter Thiel, who additionally co-founded PayPal and Palantir Technologies. (Here's an in-depth video about why that is a concern, but keep in mind this vid focuses on Discord's potential partnership with Persona, not VRChat's): https://www.youtube.com/watch?v=qhxsE8dvbs4 Archived link suggested by ArtemisFowl4465: https://preservetube.com/watch?v=qhxsE8dvbs

And most recently, an independent 'Security Researcher' (or hacker), Vmfunc, found a weakness in some of Persona's software testing methodology, in which they located source code in a publicly accessible location online. (Fair warning, the blog itself is very 'internet' themed): https://vmfunc.re/blog/persona At first this wasn't super credible on its own, a blog post and some social media posts by the same individual.
But then the Persona CEO, Rick Song, responded to Vmfunc publicly on Twitter, denying the suggested intention of the found source code, stating it was unimplemented and for testing purposes, which unfortunately for Persona does confirm the blog's claims on WHAT was found, and the fact that it was not secured. A few LinkedIn posts regarding the story: https://www.linkedin.com/feed/update/urn:li:activity:7429960436453666816/ https://www.linkedin.com/posts/alon-gal-utb_persona-ceo-rick-song-responds-to-watchlist-share-7430290736115236865-SaTa/ with a final public follow-up from Vmfunc to Rick on Twitter: https://twitter.com/vmfunc/status/2024433404683374921 Journalist sites are picking up on the story, but it's really only cybersecurity news sites at the moment, some more reputable than others: https://cybernews.com/privacy/persona-leak-exposes-global-surveillance-capabilities/

Just to be clear with anyone, User/Mod/Dev, reading this: I am not an authority figure on cyber security; most of my relevant experience is working for financial software devs that had to comply with government regulations in order to offer services to banks and other financial institutions. So I get how much and how little an individual company can do in the face of gov regulations.

ALSO, I want to note regarding potential alternatives or solutions to these concerns: I DO understand that there are currently government regulations in multiple countries that require Gov ID or Biometrics for Age Verification, so I know private companies like VRC's devs aren't in a position to outright refuse compliance without being banned in, or legally pursued by, those countries with said regulations. But it's a lose/lose situation because I've yet to see or hear about a trustworthy age verification service. Personally I'd like to see more public pushback against these gov regulations, and companies rolling out global systems in response to said countries, beyond what's already being done.
(But believe me, there's a LOT of things that currently need public resistance on right now, so I understand that it's not something that's gonna see a huge unified push overnight.) I'm not against Age Verification, for MANY reasons I do support it. But we don't get the luxury of living in a world where PII can just be sent over the net without it risking being abused by bad actors and authority figures alike. So age verification without compromising personal information and privacy is the goal we all need to be pushing for in what ways we can.
Persona requires too much sensitive data
The age verification service "Persona" requires an entirely unredacted government-issued identification to grant verified age status for VRChat. I find this unacceptable. In my case, in exchange for VRChat receiving verified age information, Persona receives my name (first and last), address, driver's license number and class, sex, height, weight, eye colour, hair colour, signature, and barcodes that can be used to find the same or more information about me. All so VRChat can have the one data point on the card they care about: date of birth. I will make concessions for the use of height, weight, eye colour, hair colour, and the photo on the ID with an accompanying self photo for the sole purpose of verification. The balance of what is required versus what is ultimately used is egregiously skewed.

And while VRChat's contract with Persona stipulates that any identification data obtained by Persona must be deleted upon completion, there is comparatively little risk to Persona keeping the wealth of information illegally. Should a breach occur, users that have had their personal data exposed would be left fighting for the rest of their lives against identity theft and fraud, while Persona would likely only be served a monetary fine. The risk versus the reward is far too unbalanced against the user. As for how likely it may or may not be that Persona is holding such data illegally, I would like to make note that Persona is based in the United States of America, and you don't have to look very hard to find the state of professional accountability for wealthy companies backed by powerful people in that country.

Suffice to say that I do not trust Persona with my identification information, and am upset that the age verified features will be unavailable to me due to this. I implore VRChat to consider other avenues of age verification that do not require such extreme overreach of personal data collection.

Regards,
-Aranethon
Alternative Methods of Age Verification
The Chief Technical Officer and Co-Founder of Discord, Stanislav Vishnevskiy, posted a blog recently covering Age Verification and their roll-out plans: https://discord.com/blog/getting-global-age-assurance-right-what-we-got-wrong-and-whats-changing In the 15th paragraph of the blog post, they talk about Persona and mention something very critical. Here is the direct quote from the blog:

"One of our core goals with age assurance is to give you options. As part of that, we've been evaluating multiple vendors to offer a range of verification options people are comfortable with. One of those evaluations was with Persona, a company used by platforms like Roblox and Reddit. In January, we ran a limited test with Persona in the UK only. After completing the test, we decided not to move forward with them, and consistent with our privacy policy, all data was deleted after completing verification. We've set a new bar for any partner offering facial age estimation, including that it must be performed entirely on-device, meaning your biometric data never leaves your phone. Persona did not meet that bar."

When I verified myself with Persona through VRChat early on since its implementation, I was informed that the biometric data of my face scan was never gonna leave my device. I trusted Persona on that when I used their website. I don't know if they changed since then. But now, after Discord's own CTO and Co-Founder revealed that Persona failed to keep that part of the promise, it's time for VRChat to consider other options.

Personally, I think BlueSky has a decent alternative method for users not willing to submit government documents. BlueSky allows users to verify their unique ownership of the account (to prevent or mitigate impersonators) via their own personal Domains and using those Domains as their BlueSky Handle instead. This is because registering a Domain requires using a real identity and being registered with the Domain Registrar in accordance with ICANN.
Although domain regulations will vary from country to country. These rules are from the US. And maintaining that registration requires annual upkeep. The Domain Registrar can also hide your name and address at your request, so no one but the Registrar knows who you are. Anyone who looks you up will just see the default name and address of the company with whom you registered your Domain (examples: GoDaddy, Hover, etc.), and your registration ID is redacted. This provides a layer of protection, and I never submitted my government ID to them to register. Just your name, address, and credit card information. I think this method might be more suitable for VRChat as it still offloads the cost and procedure of verification to another company while eliminating the need for submitting an ID altogether. The only downside with this is how this will affect ownership of the user's account should they lapse in their annual upkeep of their Domain in the Registrar (or their equivalent in other countries). Thoughts?