Submitting a retainable record of your government ID is not an acceptable method of age verification.
cxtto
As your full government ID is retainable when sent as an image, this is not a safe method to age verify as seen by multiple leaks, as well as the leaks of source code from Persona which indicate their direct interfaces to send data to the US government and their potential retention of this data over a long period. Other services have had their databases leaked as well, for example IDMerit which has left an estimated billion people with their full name, address, face, and all other information on their ID now held by an unknown amount of strangers.
Access to an image of your full ID is as extensive as a doxx can get, and upon any failing to secure this data this information will not be removable from the public internet. When these are found by malicious actors, the data can be sold to any interested party en masse without disclosing it publicly, or even shared around interested parties. Keeping data like this quietly is not new, as long as company databases have been valuable, the information has been as well. Copies cannot be removed.
If the data is publicly released, archives will exist with data this valuable. It takes one person deciding they don't like you who knows the right place to look to try to find who you are in person. As with any ID verification company, Persona's internally stored data is a black box with no way of proving that they do not link the data back to your account, or any of the other data sources they use, as stated in the Privacy Policy:
"We may verify personal data about you for age assurance purposes with our network of trusted third-party data sources, including the following: publicly available sources (such as open government databases), government and national ID registries, consumer credit bureaus, utility companies, mobile network providers and postal address databases. The types of this “Additional Age Assurance Data” we obtain from these sources will vary depending on the verification checks available in the particular country. "
I also find it concerning due to the use of VRChat as a place to explore personal identity: multiple sources and definitions deem the current actions of the United States administration as a genocide against transgender people, linking this government ID with those exploring their gender identity is incredibly worrying to me as the actions of the United States administration are increasingly brazen. Matters of national security are free to have orders attached not to disclose that a company is cooperating for a specific purpose to the government, and the administration has already stated publicly their views of transgender activism as a threat to national security. The 2026 United States Counterterrorism Strategy specifically states that they will "prioritize the rapid identification and neutralization of violent secular political groups whose ideology is anti-American, radically pro-transgender, and anarchist." I am in Canada. With our degree of cooperation with the United States, I do not feel comfortable having a link between my current government ID and my behaviour online with the current United States administration's actions.
I do not feel safe sending such extensive personal data in a retainable form to any entity. I do not trust any entity with a potentially permanent record of such dangerous data to have. I oppose any link between my personal identity offline and online; should some form of ID be necessary, at MINIMUM significant redactions should be allowed if not mandatory in order to simply demonstrate that there exists someone somewhere who is the age shown.
I especially take issue with gating all content of a category behind such an egregious violation of privacy. If your system has significant risks for the user, it is not a system that can be an expectation to interact with certain content. Privacy matters, and such an expectation causes even further erosion than what we have already lost. Normalization and acceptance of this lost part of anonymization paves the road for further damage.
WubTheCaptain
I stopped reading after the misinformation in the first paragraph. Age assurance processors have several KYC solutions for different types of business customers (data controllers) and the data those tools can process is quite bog standard for a KYC solution for anyone who's worked in finance or another regulated environment for legal compliance with know your customer requirements. Or as Rick Song put it: "KYC/AML, online payments, account security, marketplace fraud, remote employee verification, age verification, digital health, gaming, online degrees, and more."
The second and third paragraphs essentially amount to proofless claims or fearmongering that VRChat Inc. would have configured their use of data retention policies in Persona's tools incorrectly. It also assumes (incorrectly) that the abuse of personal data would be Persona's business model (it isn't). OP's statements are contrary to what's been stated on VRChat Ask in Developer Update - 19 February 2026: https://ask.vrchat.com/t/developer-update-19-february-2026/47849/34
OP's post further on goes to confuse the reader about privacy policies of Persona, while omitting that Persona is a processor acting on behalf of VRChat and not the data controller for age assurance on VRChat. Being a data processor also means the processor is explicitly not allowed to use the data beyond what the processor's customer (data controller, VRChat) requests. Whatever is in the legal documents is to cover edge cases and different types of Persona's customers, and it doesn't allow a processor to do anything illegal (depending on your jurisdiction). Storing the ID data would be a liability, where the fines for abuse are too high, so the data is deleted immediately.
The fifth paragraph is also N/A, because Persona does not receive any information about you or your VRChat account (per strasz in the above mentioned Developer Update).
WubTheCaptain
This isn't a topic for discussion in a feature request format, but I have good news for you cxtto: You don't have to verify yourself (in Canada). Age assurance in VRChat is opt-in and optional, and you don't need to be age assured to use VRChat. Personal data from government IDs is also not retained.
Lastly, I'm personally glad age assurance providers exist nowadays because else in general we'd be sending photocopied government IDs or notarized physical documents to various support team agents on the Internet for different services to manually have them look at our IDs with far longer data retention policies by necessity.
Without government IDs and selfies, it's difficult to confirm ownership for ID verification. For age assurance, there's already a global move towards age estimation processes from photos/videos.
There is no actionable feedback or suggestions to improve the process in this topic. This is my only reply to this topic on VRChat Feedback (Canny), discuss this on reddit, Discord, VRChat Ask, in VRChat, or somewhere.
cxtto
WubTheCaptain
[1/3]
Hello, thank you for the response. I've taken a look at the links you've sent.
I want to start with your statement for age assurance providers.
Government ID is used for in person services regularly, and when allowed to be sent would often allow redactions. Showing someone ID in person is the standard as it does not create a retainable record. Sending it directly as an image with all information available may be standard in other spaces I am not aware of, however, tying a government ID to what is supposed to be an anonymous online social service is new. This is not a standard already established, it is one being pushed for recently and VRChat's open support of it is not adopting the industry standard, but instead accelerating the proliferation of a standard that erodes your privacy and creates a risk of a dangerous amount of your data being exposed.
For the first paragraph, here is the blog regarding the source code.
(setting aside seriousness for a moment, this website is adorable and i love it, hackers make great websites; take a look just for the little cat that chases your mouse cursor around.
back to the issue...)
The source code shows multiple functions for reporting a person to FinCEN and FINTRAC; rereading and reflecting on this, I can see this being a requirement of working with financial institutions while not allowing the institutions to have certain data. However, as an entity existing in the United States it remains vulnerable to subpoenas, which the administration has already used before. Having any link to people's physical identity exist is incredibly worrying to me.
As for data retention, even assuming goodwill, any error from the systems Persona employs or their partners employ can cause the data to remain somewhere. I concede that this is speculative and assumes there are errors, however we've already seen repeatedly with technology that there is nearly always a hole somewhere. This data existing in a form that can be retained at any point is an issue, and the larger the system is the more space there is for a hole to be hidden.
cxtto
[2/3]
As for IDMERIT, here's a link to an article reporting on it where someone goes through a sample of the data, redacted of course. In it they also state that despite the database being on an unsecured exposed endpoint, IDMERIT states that there's no evidence that anyone has accessed the database. There is no way to know how many copies of this data exist.
As for the second paragraph, I do not mean to implicate VRChat as misconfiguring; I mean to state that I do not trust Persona.
Persona's CEO, Rick Song, can say anything and it remains impossible to prove nor disprove as their entire system is opaque.
Again, even assuming goodwill of Persona, I need to extend that assumption to all other entities they may work with and every developer - and then I have to assume they have built their system perfectly to not send or accidentally keep unneeded data along any step of the process anywhere. This is not a novel concern, in a sufficiently large system immediately is just not possible. The data exists somewhere for a time, however in this case the data is a photo with all of the data on your government issued ID. An ID does not change easily; even if you somehow change every set of numbers on it, it is still a full name, face, and address.
Here I want to move towards a personal anonymity stance. The risks of an ID being obtained are known and the transmission of an image of it at any point is a massive risk. I feel it is very unlikely that Persona is selling data, but the data they collect does link anything they do have to an actual person.
I will also concede VRChat directly sending any account data is unlikely, however Persona states that they may cross check the ID verification with device identifiers and other parties such as credit card bureaus, mobile network providers, ID registries, and postal address databases.
The verification sends an excessive amount of data that is not required just to prove that a person that is the age needed exists. The data sent and the partners create a link to who you are as tracked by all of these services.
cxtto
[3/3]
I could full well be disproven if we could see a more technical breakdown of what data is sent, how the custom ID is generated, what data is deemed relevant to the verification that VRChat receives, how many of the 269 checks Persona has are used, and what data is contained on an ID that is extraneous to the process. However, even then unless we are free to redact this extraneous data it remains a moot point that all of this is sent somewhere.
I again want to thank you for your response, and I am happy about the lack of its requirement for now in Canada. However, this is not an acceptable state for me due to the fact that VRChat shows intent to expand this feature over time and for the fact that many people are pressured into the transmission of exceedingly sensitive data by VRChat's current and increasing adoption of this method. It isn't coming for me personally yet isn't a reason to let it come for others as I believe it is a risk for anyone.
I stand by my initial conclusion:
I do not feel safe sending a potentially permanent record of this much personally identifying information to any entity. I feel it is irresponsible to solicit people to do so because of the risk of this information being obtained by malicious actors. I oppose any link between my physical identity and who I am online. If some form of ID is absolutely necessary, at MINIMUM significant redactions should be required to reduce the verification information from enough to be traceable to one specific person to simply showing that a person somewhere exists who is above the allotted age.
Allowing this to be a standard here is another step down the path of normalizing it for all other services adjacent.
cxtto
Rereading the latter half of this response, some of the issues regarding personally identifying information seem to stem from VRChat trying to link to the IDs as a ban enforcement measure. The requirement to prove a person is unique by tracing them to every service they are required to use is a ridiculously excessive measure for an online social space. Let the users redact the ID to simply give the information that someone somewhere exists who is the age needed instead, and deal with ban evasion the same way it always has been. Should someone continue to be a nuisance, VRChat has an array of options for personally moderating someone while waiting for a report to go through.