Why is Persona deemed to be trustworthy?
Foxipso
VRChat has determined Persona can be trusted with a photo of your face and government ID. Persona is a VC-backed (arguably "tech bro") San Franciscan tech startup that's only existed since 2018. They operate out of a shared space behind a bar: https://maps.app.goo.gl/t5ebyhr9oTUhupMf9
Their privacy policy says (as I read it) that they explicitly have permission to take your personal information (selfie, photo of your government ID) and store it for years, and can and will send it to "vendors, agents...companies we've hired to provide customer service support..." and to "law enforcement [and] other government agencies."
They say they'll use your personal information "to understand you and your preferences to enhance your experience and enjoyment" and for the purposes of "marketing, including to communicate with you about new services, offers, promotions, rewards, contests, upcoming events, and other information about our services and those of our selected partners..." and for "advertising, including display [sic] advertising to you..."
Their privacy policy site also uses clickjacking to prevent you from copying the text of their privacy policy: https://withpersona.com/legal/privacy-policy
These doesn't seem like the actions of a legitimate and trustworthy company, and there aren't enough guarantees that you won't be literally doxxing yourself. PII is extremely valuable and there's an entire industry of brokers that facilitate the sale and transfer of people's personal information--not to mention the risk of hacking, accidental disclosure, or a new and untrustworthy company being sloppy or reckless. These days AI can train off a photo of your face, and scams and identify fraud are extremely common.
Personally, the only times I've had to provide a photo of myself holding an ID are for once-in-a-lifetime financial transactions. Never for a video game or social media. VRChat is willing to take the chance of making this de-facto-mandatory (i.e., the community normalizes it and it results in a greatly degraded experience if you don't comply)? The ask is a severe imposition and an invasion of privacy without adequate concern that the chosen data broker is trustworthy. Even the announcement incorrectly claimed your PII would be handled in accordance to the GDPR, but the company is actually based out of California, where regulations are far less strict, and fines far less burdensome.
Log In
SaphiGoat
This is serious data we have to give to persona to get age verified.
This Data can be used for identity fraud. Means someone can inpersonate you, do contracts in your name, or do crimes.
This will get you into more trouble then just leaked payment information. This can get very serious.
Tsukare
Nobody has mentioned yet that Persona is also currently the subject of a class action lawsuit for illegally misusing PII.
Arctic Tortie
I am also curious about their choice in Persona. This company is very opaque about what it does with your data other than a lot of "whatever we want".
Did they choose because Persona is low cost? VRC managers know them personally/professionally? It is clear they did not pick privacy and security as core pillars of this rollout. To me, people appear to be wanting this kind of verification and VRC decided this was a convenient way to give that while also collecting even more data on their users.
This is a massive loss for consumer protections and data rights. Another win for surveillance capitalism.
ᴋᴀᴡᴀ
I agree.
First of all, even "orange youtube" and similar sites, Elon's X with tons of роrn bots and other socials with NSFW content doesn't require ID. Common assumption that it is parents' fault if they can't control their kids and kid's fault if they pretending to be adult. Not someone was fooled. This is interesting precedent that shifts responsibility from families towards strangers online.
Second, it is still not clear for me why Persona needs to hold that pretty valuable private information, and why it cannot be deleted automatically right after verification for everyone's peace of mind.
Betty The Bat
Now that i think about it... They already taking a lot of data about us. Why more?
TsoLit
I'm more concerned with Persona's partner company Paravision. I'm not really happy the FAQ didn't mention it at all.
Foxipso
TsoLit I'm unfamiliar with that too. What's Paravision?
lackofbindings
TsoLit Well that immediately explains why they want to hold onto your data so badly lol. They are almost certainly using the data collected from persona to help train the paravision algorithms. Spooky.
Squi๋shy
TsoLit They do list exactly who and for what reason they share facial scan data at least, and paravision is not on there. Where did you find that they share any customer data with them?
patrizl001
Foxipso Paravision used to be a company called Everalbum which released a cloud storage app called Ever. The FTC went after them because turns out they were secretly using the photos stored to train facial recognition algorithms and then sold these to other companies. This facial recognition was something they advertised as opt-in only, but then they enabled it by default and didn't let people turn it off. Also, despite telling people that they would delete all photos and videos stored at user request, the FTC found they didn't delete anything and would just keep it all. After all the controversy they shut down the app and rebranded to Paravision to distance themselves from it. If you look up Everalbum online, you can pretty easily find all of this.
I hope you can understand how people might have privacy concerns with Persona when they're literally partnered with a company that has a history of not respecting privacy - and the VRChat team is not mentioning any of this.