This is wrong
complete
Arctic Tortie
I am sorry, but this is a massive issue. I hope more people express similar concerns, but I am really uneasy about this.
For one, the Vendor, Persona, appears to be very shady in its data privacy, retention, and security. For a company wanting to know so much about you, they do not give you the same courtesy. This is a company that appears to be doing everything to get into the market quick, which tends to be at the expense of real security and real robust systems. LinkedIn users have been complaining about the reliability of their verification service for months now. If this company seems to not even prioritize the reliability of their verification service, how much worse do you think everything else is?
For two, this puts users at risk. This should be point one, but it appears to be less important to the community at present. To get to the point, this platform has many members of the queer community. It is awful timing that VRC is rolling this out in the wake of a recent US election in which LGBTQ+ human rights are under threat. One data breach of Persona which leaks any data about LGBT members can be life-threatening. Once it is out there, it is out there. Persona seems to be OK with this due to their massive data collection, and so does VRC based on the disinterest in alternative solutions. Data breaches happen, especially to easy, lucrative targets like an insecure data harvesting company burning VC money. It is never a matter of if, but when a breach will happen. The only things cybersecurity can do are mitigate the damage and make it harder to acquire the target, which Persona does not care to consider or implement due to the lack of US-based regulations forcing them to, putting profits above human decency.
For three, this age verification system is way too broad in what it collects. If we were to entertain that a photo and government ID are needed for the community's desired age verification, the system should only be looking at confirming A. the ID is the user’s and B. the birthdate is over 18 years ago. After that, everything should be deleted. An ID is a big deal, and despite the US’s lack of privacy regulation, should be considered a “hot potato” to handle. A company should be very afraid when working with this data as a screw up could cost the company majorly. I do not understand why VRC goes one step in the right direction by only storing birth date on their end, but agreed to let Persona collect as much data as it wants from your ID, picture, and everything else they can get their hands on in the process.
This feels wrong. Something feels fishy and I am afraid of a future headline that will read “Persona suffers massive data breach and now you all are screwed...again, and after the other major data breach of SSNs and addresses.” The fact I see many users on VRC are willing to fork over so much information to “avoid kids” in a 13+ game in the process is disheartening. This is just a slow boil of increasing data harvesting that will continue to isolate and put pressure on the ones of us who will hold out and reject giving this data out so that we relent on our values in order to participate in what few communities exist for us.
We don't need this system to gather together and share experiences, content, and joy. We can demand more, and reject this authoritarian, surveillance-capitalist company.
MidnightWolfFox
It has been proven that Persona keeps your face info and license to sell for years without deleting the data unless you personally send them a letter to remove it.
Tupper - VRChat Head of Community marked this post as complete
In line with this request:
> the system should only be looking at confirming A. the ID is the user’s and B. the birthdate is over 18 years ago.
Our recent changes illustrated in this video demonstrate how the system works.
We validate that the ID belongs to the user, create a non-reversible hash to ensure the validity of the ID, and then save the user's birth date and the hash. All other data is deleted. Please see our FAQ thread for more details.
Keeping your birth date is necessitated by our regulatory requirement to adhere to COPPA, as well as allowing us to update Verification state when users reach their 18th birthday. VRChat has always collected the user birth date upon their first-time agreement with our Terms of Service.
Since these updates address the core feedback of this post, I'm marking it as completed.
SaphiGoat
Tupper - VRChat Head of Community it is still possible to get the data stolen. You still have to give Persona a full ID, with unblurred data (which is against GDPR Art. 5).
The ID photo should only contain the photo and date of birth.
kawashirov
> non-reversible
That's not the full truth.
The result of the hash function is the same for the same data, that's the whole purpose. So, it's possible to reverse the hash.
It's hard to reverse a hash for changeable data with high entropy, like XTt~SH<2(:&`_]3$E>qkVD passwords.
But with real paper data like names, birthdays, issue numbers, etc., which have low entropy, it's more than possible.
If the DB and hash function are leaked, then with the help of leaked databases, it's solvable/reversible in minutes.
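The point in the comment above, worked through as an added example that is not part of the thread and not VRChat's or Persona's code: an unkeyed hash over low-entropy ID fields can be matched by recomputing every candidate, while a keyed HMAC cannot be recomputed without a key stored outside the database. The field layout, the 3-digit document number, the demo key and all sample values are constructed assumptions; the page does not say which fields or which hash function are used.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Constructed sample values; the field layout is an assumption, not Persona's or VRChat's.
SAMPLE_BIRTH, SAMPLE_DOC = date(1990, 3, 15), "427"

def record(birth, doc_no):
    """Hypothetical canonical form of the ID fields that get hashed."""
    return f"{birth.isoformat()}|{doc_no}".encode()

def plain_hash(birth, doc_no):
    """Unkeyed digest: anyone who knows the function can recompute it."""
    return hashlib.sha256(record(birth, doc_no)).hexdigest()

def keyed_hash(key, birth, doc_no):
    """HMAC digest: recomputing it also requires the secret key."""
    return hmac.new(key, record(birth, doc_no), hashlib.sha256).hexdigest()

def candidates(year, digits):
    """Every (birth date, document number) pair for one birth year."""
    day = date(year, 1, 1)
    while day.year == year:
        for n in range(10 ** digits):
            yield day, f"{n:0{digits}d}"
        day += timedelta(days=1)

def enumerate_match(target, hash_fn, year, digits):
    """Return (birth, doc_no, tries) if target falls in the space, else None."""
    for tries, (birth, doc_no) in enumerate(candidates(year, digits), 1):
        if hmac.compare_digest(hash_fn(birth, doc_no), target):
            return birth, doc_no, tries
    return None

if __name__ == "__main__":
    # Unkeyed: the stored value is recovered by walking the small input space.
    leaked = plain_hash(SAMPLE_BIRTH, SAMPLE_DOC)
    print(enumerate_match(leaked, plain_hash, 1990, 3))
    # Keyed: the same walk finds nothing without the key held outside the DB.
    key = b"constructed-demo-key-kept-outside-the-database"
    stored = keyed_hash(key, SAMPLE_BIRTH, SAMPLE_DOC)
    print(enumerate_match(stored, plain_hash, 1990, 3))
```

The keyed form only helps while the key stays out of the leaked data set; if the key leaks together with the database, the stored values are as enumerable as the unkeyed ones.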
Chosen Lottus
I have to agree
ByteByte-Baxi
Sadly VRChat's official platforms are edging on cults at this point. Don't even try to speak against this on the Discord, for instance. I did, pointing out the same things you just did and others did, only to be banned for no reason other than "enough" and "toxic behavior toxic person" after I asked the mods if speaking against the AV is a bannable offence and they refused to answer straight. Meanwhile the people who spammed my DMs calling me a child groomer and child rapist for being against the AV are talking in the Discord right now.
Gordonmorbzolla
ByteByte-Baxi I quite literally mentioned in a four line, quick wording on a VRChat server in the general section, how I won't be able to join the meet and greet because I don't feel safe giving away my ID like that.
The moderator then deleted it for RANTING, (Literally four short sentences at most with zero exaggerating, 70% explaining 30% frustration), which they then told me that I'm allowed to want my privacy but others are allowed to know who they are interacting with, and then I told them I have zero issue or problem with anyone here and I'm okay and understand people wanting to be safe to interact with adults and am just angry with how VRChat is handling it, and then they said "I wasn't implying that please stop" (????), and, DESPITE how ridiculous that was, I kept it cool and said "Oh ok good to know, I wasn't sure and wanted to make sure that was understood" (something like that can't remember now), and then when I responded to the 'please stop', asking "Hey, why are you texting like this is tense? I'm just trying to communicate" (something pretty darn close to that pretty sure), I was just banned on the spot for noncompliance (somehow).
I had no idea how bad it was, and now I realize why this is so sensitive. SHEEYEESH!
ByteByte-Baxi
Gordonmorbzolla ahhh your timing is really funny. Ironically I forgot I was banned, tried to join the Discord again and was met with "no you can't accept the invite." Was like huh? Then I noticed this reply in my inbox when I was checking if my email was correct, and I'm like OHHHHH RIGHT the cult banned me two years ago lol, so yeah I'm still banned from the Discord for this. Now I remember why.
MidnightWolfFox
A lot of my friends and I are going to be giving ChilloutVR and Resonite a spin in the near future. ChilloutVR does the 18+ DLC in a brilliant way: linking it to your Steam account. No ID required.
It's sad that it is easier now to buy/play an M-rated game, watch an R-rated movie, or even access porn than it will be to play VRChat. The whole system sounds like a pain.
Gordonmorbzolla
MidnightWolfFox Hey, could you help me do that 18+ verification with Steam linking? Does that apply 18+ to my whole account? Or just for the event? I'd be really grateful if you could assist!
Gordonmorbzolla
Nevermind, I heard that was sadly removed and "patched"
Corbent
Here's a tweet showing off a couple of lawsuits involving them...
"one for using your data for training AI" LOL
Pepperpop
Perpetually storing even just enough of your ID to reliably determine that it's been used before is ludicrous, and I have no doubt that they will store more than that. I once had my SSN leaked by a third party address service to my healthcare provider that had no business even receiving my SSN from them, because companies with data are appealing targets. People seem to have no idea how dangerous this kind of data is and it should be the #1 concern they have.
Gordonmorbzolla
Pepperpop Or they know and are just choosing to profit..
MidnightWolfFox
Pepperpop VRChat and Persona are making $$$ selling your info...