Why is Persona deemed to be trustworthy?
Foxipso
VRChat has determined Persona can be trusted with a photo of your face and government ID. Persona is a VC-backed (arguably "tech bro") San Franciscan tech startup that's only existed since 2018. They operate out of a shared space behind a bar: https://maps.app.goo.gl/t5ebyhr9oTUhupMf9
Their privacy policy says (as I read it) that they explicitly have permission to take your personal information (selfie, photo of your government ID) and store it for years, and can and will send it to "vendors, agents...companies we've hired to provide customer service support..." and to "law enforcement [and] other government agencies."
They say they'll use your personal information "to understand you and your preferences to enhance your experience and enjoyment" and for the purposes of "marketing, including to communicate with you about new services, offers, promotions, rewards, contests, upcoming events, and other information about our services and those of our selected partners..." and for "advertising, including display [sic] advertising to you..."
Their privacy policy site also uses clickjacking to prevent you from copying the text of their privacy policy: https://withpersona.com/legal/privacy-policy
These don't seem like the actions of a legitimate and trustworthy company, and there aren't enough guarantees that you won't be literally doxxing yourself. PII is extremely valuable and there's an entire industry of brokers that facilitate the sale and transfer of people's personal information--not to mention the risk of hacking, accidental disclosure, or a new and untrustworthy company being sloppy or reckless. These days AI can train off a photo of your face, and scams and identity fraud are extremely common.
Personally, the only times I've had to provide a photo of myself holding an ID are for once-in-a-lifetime financial transactions. Never for a video game or social media. VRChat is willing to take the chance of making this de-facto-mandatory (i.e., the community normalizes it and it results in a greatly degraded experience if you don't comply)? The ask is a severe imposition and an invasion of privacy without adequate concern that the chosen data broker is trustworthy. Even the announcement incorrectly claimed your PII would be handled in accordance with the GDPR, but the company is actually based out of California, where regulations are far less strict, and fines far less burdensome.
°sky
this has been a concern of mine since the announcement - i would not mind verifying my id if a company was located and operated within the eu with some form of europa agency watching over it.
ideally, vrchat would work with government agencies to use the tools provided by said governments to verify rather than use private for profit companies.
Geckσ
Yea, definitely not gonna use this service, especially the fact that "posting a selfie + gov ID UNEDITED" is ringing my alarm bells, hell, I don't want to display my name and other sensitive information, while it's all about the age exclusively, on top of that to a company located in the US, which has already class action lawsuits (data abuse) against it, being in charge of this service.
Couldn't VRC find any better company, which is ONLY in the business for verifications without the cluster duck of storing and selling (/ abusing) data for their own profit? Like wth?
Geckσ
As long as VRC and Persona are not verifying the deletion of the data right away after verifying the user's data for the +18 badge, this will hinder lots of users from using that service. I don't want my sensitive data to be stored by a company with an already existing bad reputation.
Anmheda
Indeed, well stated! Now I am even more concerned about the forthcoming mandatory age verification.
Personally, I would approach this differently. I would award all current VRC+ subscribers a new badge, labeled not as an "age badge" but as a "Verified User" badge. If users desire more controlled environments, they could create "verified only" instances, which would be exclusive to VRC+ supporters. This way any adult could easily get "verified" by purchasing a VRC+ subscription with their card, avoiding the submission of your entire identification document, and adding a layer of verification while also supporting VRChat. This seems like a preferable alternative to submitting personal identification. To obtain the verified badge, an active subscription is required; merely receiving a gifted VRC+ would be insufficient.
Geckσ
Anmheda Not going to work. You can buy charged gift-cards for Steam, and use those to buy yourself VRC+. That is not a proper way to verify yourself as an adult in any way.
Anmheda
Geckσ Read my text again.
Geckσ
Anmheda Doesn't change what I replied to what you said. Verifying will not work through this kind of steps, my point is valid. And why the hell are you liking your own comments? lol ... a bit of entitlement here, ain't it?
Anmheda
Geckσ My point is just as valid as yours. I said in my original text that VRC+ gifts would not be enough. And speaking of entitlement, I do not view VRChat as seriously as a bank or financial institution; it's a game. It's entirely up to the VRChat team how they want to implement a verification system when users desire more controlled environments, whether it be VRC+ subscription or Persona. The decision is solely in the hands of the developers.
Geckσ
Anmheda Talking about entitlement and still liking your own comments. Go figure. Your "point" is literally "verify by purchasing a subscription", which is not a valid point to prove that you are 18+ or anything near it. You can run this kind of service through someone else's bank account (or even by your own, like Netflix, Disney+ and Co. allowing you for a sub by your own, even if you are not 18+) and even can financially lift that up by using gift-cards, which are NOT gifted VRC+ elements by others (telling me to re-read your thing, while you are not reading mine), to charge your account with a sufficient amount of money and run the sub on it.
Those are ALL not a valid point of validation. This is not how you do a verification in any country.
Your point is merely an idea, not a proof of concept nor something which is legally suitable.
Anmheda
Geckσ You still don't understand, I just disagree with you, simple. In my eyes, my point is just as valid as yours. It's a game/a social platform. They don't "need" to verify age by IDs and Selfies via Persona, they can choose whatever they want as a way of "verifying". Not one single social platform I know of (FB, X, etc) uses government IDs and Selfies to verify you as a user, only my bank does that. I think it's overkill verifying ages in VRC (a game) sending over sensitive IDs and selfies, so I think VRC+ would be enough, or something else that doesn't involve handing over sensitive documents. If you do not agree, then let's agree to disagree.
lackofbindings
Perhaps they should have used Stripe Identity. Personally I’d find them way more trustworthy. I suspect they didn’t because their services are more expensive though.
-Skay-
So this is panning out almost exactly how I thought it would then
Is there REALLY no-one better who can be trusted with such data?
Corbent
When they said verification had a cost, I somehow thought that THEY were going to pony up the money, like showing they were so committed to this or something. But the player that is being forced into it has to pay for it. I wouldn't be surprised if VRC gets a cut of this whole deal for bringing customers to Persona. That would explain a lot.
tsumonik
I struggle to understand why a game with a massive queer community is going to have a US based company handling IDs, even without all of the other scumbaggery that Persona is involved with.
Their choice of company, the likelihood that us users will have to pay for it, and the fact they're going to put content-gate tagged worlds and avatars behind it leaves me baffled as to why any other users thought this was a good idea, and even more baffled as to how there are still people cheering this on.
SaphiGoat
This is serious data we have to give to persona to get age verified.
This data can be used for identity fraud. Means someone can impersonate you, do contracts in your name, or do crimes.
This will get you into more trouble than just leaked payment information. This can get very serious.
Tsukare
Nobody has mentioned yet that Persona is also currently the subject of a class action lawsuit for illegally misusing PII.
Arctic Tortie
I am also curious about their choice in Persona. This company is very opaque about what it does with your data other than a lot of "whatever we want".
Did they choose because Persona is low cost? VRC managers know them personally/professionally? It is clear they did not pick privacy and security as core pillars of this rollout. To me, people appear to be wanting this kind of verification and VRC decided this was a convenient way to give that while also collecting even more data on their users.
This is a massive loss for consumer protections and data rights. Another win for surveillance capitalism.