VRC's awareness of Persona's problematic aspects.
BunnyHuggles
The intent is to ensure VRChat's dev/PR team sees this post and its info regarding Persona Identities, Inc., the private third-party Age Verification security company.
I've an active post in the Discord 'community support' channel posting about concerns and linking information on Persona and why I don't believe they should be trusted with PII (Personal Identifying Information):
Persona Identities has repeatedly demonstrated it needs the utmost scrutiny when going over their service. Something VRC's dev team is adamant they are doing.
I believe VRC when I say they demand no data be held longer than the confirmation process. What I don't believe is how faithful Persona itself is when carrying out that request.
They're already facing a lawsuit for misappropriating PII
(WASHINGTON v. PERSONA IDENTITIES INC (2024)):
They have a major investment from the Founders Fund, a project co-founded by Peter Thiel, who additionally co-founded PayPal and Palantir Technologies.
(Here's an in-depth video about why that is a concern, but keep in mind this vid focuses on Discord's potential partnership with Persona, not VRChat's):
archived link suggested by ArtemisFowl4465:
And most recently, an independent 'Security Researcher' (or hacker), Vmfunc, found a weakness in some of Persona's software testing methodology, in which they located source code in a publicly accessible location online. (Fair warning, the blog itself is very 'internet' themed):
At first this wasn't super credible on its own, a blog post and some social media posts by the same individual.
But then the Persona CEO, Rick Song, responded to Vmfunc publicly on Twitter, denying the suggested intention of the found source code, stating it was unimplemented and for testing purposes. Which unfortunately for Persona does confirm the blog's claims on WHAT was found, and the fact that it was not secured.
A few LinkedIn posts regarding the story:
with a final public follow-up from vmfunc to Rick on Twitter:
Journalist sites are picking up on the story but it's really only cybersecurity news sites at the moment, some more reputable than others:
Just to be clear with anyone, User/Mod/Dev, reading this; I am not an authority figure on cyber security, most of my relevant experience is working for financial software devs that had to comply with government regulations in order to offer services to banks and other financial institutions. So I get how much and how little an individual company can do in the face of gov regulations.
ALSO,
I want to note regarding potential alternatives or solutions to these concerns:
I DO understand that there are currently government regulations in multiple countries that require Gov ID or Biometrics for Age Verification, so I know private companies like VRC's devs aren't in a position to outright refuse compliance without being banned in, or legally pursued by, those countries with said regulations.
But it's a lose/lose situation because I've yet to see or hear about a trustworthy age verification service. Personally I'd like to see more public pushback against these gov regulations, and companies rolling out global systems in response to said countries, beyond what's already being done.
(But believe me, there's a LOT of things that currently need public resistance on right now, so I understand that it's not something that's gonna see a huge unified push overnight.)
I'm not against Age Verification, for MANY reasons I do support it.
But we don't get the luxury of living in a world where PII can just be sent over the net without it risking being abused by bad actors and authority figures alike.
So age verification without compromising personal information and privacy is the goal we all need to be pushing for in what ways we can.
『Gecko』
I personally have nothing against age verification - assures an environment which is applicable just for the age itself and the conversations, behavior and whatever sticks with and comes from the respected age. Just being among like-minded people is great, instead of having minors yeeting around and throwing slurs around themselves...
But the execution of the necessary verification process is just horrible. From an EU standard, exposing EVERYTHING on your ID and yourself for just an age verification is beyond good and evil, and on top, a private company "requiring" them to verify you is just beyond comprehensible, too. A simple "redact eyes, name, PLACE YOU LIVE, and other non-important stats", which usually is a standard practice, does not suffice for an AGE VERIFICATION PROCESS, says Persona... I wonder why - I actually never wondered, that is why I am still not verified.
There are safer options to actually verify yourself, e.g. "eID", without exposing any unnecessary data to any company. VRChat ignores that, furthermore. There were no reactions nor statements for or against eID. They rather stick to Persona, despite the history record and suspicious behavior, and probably will continue to hold onto them even after the exposed info.
I have been on VRC for 7+ years, and I still see no dedication of the VRChat Staff listening to the community, and that is miserably disappointing.