[Trust & Safety] Digitally Sign & Encrypt Avatar Data
MisutaaAsriel
Introduction
As VRChat has grown, the community has come together to create a vibrant and creative collection of avatars with which to represent themselves, oft personal in nature. Likewise, a large creator economy has been built up around the platform, with many public avatars also being for sale for personal use and modification, many with their own distinctive licenses.
However, as with the growth of any platform, piracy too has grown. This in turn
has caused many creators to leave the platform
, and others to refrain from sharing or uploading further content, due to fears of their avatars being "ripped".I myself, have been the subject of "ripping" in fact, for avatars I custom modified from bases to an extreme degree, adding deeply personal touches and spending hours developing and troubleshooting.
Some of these avatars' bases are not licensed for public distribution
. and on all of them the changes I have made are deeply personal
.—
Suggestion
Implement
server-side encryption of avatar data and...
- Digitally signavatar dataserver-sidebased on the uploading account.
- Apply a checksum server sideto ensure the avatar data has not been tampered with.
And, make relevant adjustment to client to...
- Use common practices to verify the validity of the digital signature and ensure it matches the file's contents during each load.
- After signature validation, decrypt the avatar's contents __from storage__ into memory(notback into storage) for use whilst the avatar is displayed.
- Allow unsigned & unencrypted avatars if the avatar's creator ID matches the current user.
- Store the original, encrypted, signed, and checksummed filein cache, and decrypt "on the fly" as needed.
- Disable signature check in offline modes, to allow for local testing.
- Once complete encryption and signing of existing avatar data is complete,move to restricting use of unencrypted avatar data tooffline modes only, unless the creator's ID matches the current online user.
—
Goal
- By encrypting, signing, and applying a checksum to avatar data, VRChat could potentially slow or stop the piracy of avatar assets through conventional means, and any raw avatar data returned by VRChat's internal APIs will also be in an encrypted format.
- By handling encryption server-side, this can prevent tampering with the SDK to circumvent safety measures,and ensuresall historic avatar data is also encrypted, signed, and checksummed, not just new uploads.
- By restricting unencrypted/unsigned avatar use to avatars created by the current user, this allows legitimatetesting and use of local avatar data created by the SDK, whilst prohibiting illegitimate use cases.
—
Similar Feedback
- VRChat Cache Encryption
- Avatar Data Encryption
- Avatar Encryption
- Client & Server-side Encryption
- Now EAC is enabled. So, It's time to encrypt asset(avatars & worlds) data!
—
Why a new feedback post?
- The intent of this document is to propose a more detailed and thought out solution to the problem of avatar piracy. "Encryption" is the right answer, but there are many wrong ways to go about it, and every way to go about it will have its own tradeoffs.
Log In
ashe-to-dust
Okay, so... Then avatars will just get ripped from memory?
~Trixi~
ashe-to-dust: Which would trip EAC. A program whould have to hook into hook into vrchats memory. The only way to do this is with a custom dill witch will violate EAC. Honestly in my opinion the only reason why EAC should be in the kernel. 🙃
ashe-to-dust
~Trixi~: And then people will hook into VRChat regardless and just make new accounts. All of this is very trivial to get around.
~Trixi~
ashe-to-dust: Not trying to start a flame war but lets say they did managed to dump the memory before EAC was triped. First the avatar whould have to be actively rendering. You would then have to data mine. And know exactly what you're looking for. The format people's avatars will be for Unity to render and not in a cach file. And most likely split up and not in the same place. On top of that memory addresses are dynamic so it changes everytime. I guess it wouldn't be impossible for someone to rip your avatar it however would not be easy. If somebody really wants to do anything you can always find a way. The goal is to make things harder not impossible.
Yoyobuae
ashe-to-dust: See what VRC admins should do is only do detection at first. Gather evidence on the users that are doing the ripping. As much evidence as possible. Also gather all the other accounts they use from the same PC. Do all this
silently
Once VRC admins have a big list of all these users, then mass ban all of them at the same time. Then watch them panic as they no longer feel safe to do whatever they want without repercussion ;)