Age Verification FAQ

Will my data be sold to train AI? Do you at VrChat guarantee that this data will not be shared with other companies like OPEN AI?

So just to be sure im not doing an horrible life decision. Does VRChat take responsability of its user data being completly private and in the case of a leak, nothing will be recoverable and there will be no chance that my public ID and information will suddently leak because the data was not disposed correctly?

Just to inform you, even a bank was victim of leaks of this kind in Canada. With my respect, I have difficulty to think a gaming company can handle thoses even stricter if they don’t delete them.

Why is this feature optional instead of mandatory?

One big concern I have especially from being on other platforms that use Persona for Age Verification, is the process of reporting and the “T&S Team” follow-up to users reporting someone for suspicion of falsified ID. Will the team request resubmission of ID, and how will the reporting process happen? Will it be available via the In-Game report system, or will it be via a support ticket outside of the VRChat software?
Thank you for the update on the Age Verification addition, hope to see the system implemented well and the safer future of VRChat as a social platform.

So, Persona. A rather sketchy data scraper offshoot of LinkedIn that claims to be GDPR compliant. Yet I haven’t been able to find any audits, instead running into a lot of PII misuse cases. What a great outlook this grants.
Guess we should be thankful there hasn’t been a breach reported with them, not yet at least.

The legal mess they are aside, I’m a bit concerned with your explanations. Unfortunately, I’m not familiar with their workflow and data flow, so I’m going off of my experience with actual government-ran verification services.

1. Why is it that VRC is concerned with implementing PII hashing, and not Persona? Isn’t the whole idea behind using a trusted third party PII verification provider that you effectively get to shift all the blame for any data mishandling abstract all your needs and not have to handle any PII yourselves, just getting verified information?
2. Why does VRC need to know any specific data at all, when in the scope of this feature all you need is a binary state: is the person under or of legal age? I don’t want you to know anything specific. Why do you insist on storing DoB?
3. Given the flexibility of Persona’s integration, how are you going to prove you’re only collecting the information you’re saying you’re collecting? Who and when is going to audit your integration with Persona?
4. Given your involvement in processing PII, when are you going to be audited to verify your claims of PII removal? As much as I’d like to trust the pinky promise to delete all specific data after processing, I don’t, especially not one coming from a US-based company, even given your DPA–which we are yet to see.
5. What are you planning to do about age verifications by residents of countries not supported by Persona? If persona decides they aren’t quite human enough, how do these people get their verification done?
6. What are you planning to do about age verifications by residents of countries where IDs or passports provide an analogue of an SSN, who effectively would be committing a crime by abiding by Persona’s verification process?

How could you make sure that all users know the difference between the “Age Verified” and “Verified 18+” badges?
Since the “Age Verified” badge doesn’t mention being under 18 at all, I can see this causing misunderstandings if a user has not read this specific FAQ before, and this ambiguity could potentially be used maliciously (by underage users) or for plausible deniability (by of-age users). Could the user’s age be part of the “Age Verified” badge?

Would visitors be able to age verify or are you able to age verify once you reach a certain trust level?

The latest changes are a good step forward and shows that you are listening to most of the things said.

First something that’s not entirely clear to me, it’s good that the original data will be destroyed after verification and only a hash of the data is kept.
That is an significant improvement over the earlier idea.
However you say you keep the information to prevent ID reuse.
Does that mean as in if i have a Passport and Drivers License then these separate IDs can verify 2 different accounts?
Or is the data gathered from the ID and the resulting hash something that can be matched across two different issued IDs?

Also I do not think as currently explained that it entirely passes under Art 5. of GDPR, primarily 1.c. which is stated as:

Personal data shall be:
1.c. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

This means that Persona will have to specify what information is gathered from the ID provided and for what purpose.
As an example in the case of a drivers license; you should not have to provide information about which class of vehicles your are allowed to drive.
Arguably not sensitive information, but also not relevant for verifying the age.

The same can be said for any national identity number, this is also not relevant to be gathered at all for simply verifying your age.
Ergo you should be provided with what information is necessary, for which purpose it’s actually used and which information you can cover up.

Another question is why you have not chosen a provider that is able verify using eIDAS for European users?

One suggestion could be going into discussions with someone like Criipto.
They have an age verification solution that would be entirely GDPR compliant.

This specific one is focused on age verification in Dennmark, but Criipto do work with other eID providers in Europe for authentication.
Meaning it’s not impossible to approach them about making an age verification solution for VRChat that passes GDPR.
For them a wider age verification solution for games and social media is definitively a marketable product, so there could be interest there if you approach first.

Current politics and past history makes it continuously harder for us Europeans to trust American companies with our personal information unfortunately.
I think a large part of the userbase would prefer the company providing age verification to be in a country with much stronger privacy rules and much more stable political climate (and relatively more functional legal system too), myself included.

Edit:
Adding on another provider which has a significant amount of customers would be Signicat.
They even have a specific example of Age verification which would return if verification passed and the age as an integrer.

Or their “ReuseID” product which has a specific example of usecase for gaming too.

why deleted? I even understand from the hash vulnerability but there is no need to simply delete everything I said, there are many important things that I wrote
such as data processing, using AI or Bot to verify people’s identities and passports and many other things, as well as the gray area that exists regarding this data processing.

I don’t even know if it was right or wrong or if they deleted it thinking it wasn’t a question, I just asked these questions about how vulnerable the system is, the fact that there is a lot of unnecessary information to just validate the age, and the fact that it is obvious that Persona is a company and obviously needs profit above all else for it to exist.

There will always be loopholes, whether it’s the first case they talked about here or the case I talked about this morning.

VRCHAT is a company and all companies have their help system, there is nothing wrong with me asking if my data is violated and my rights are violated (at least in this part of the IDs), and what VRCHAT company will do something about it, roblox has already had this type of leak

As previously posted several times, all posts in this thread that are not a question will be deleted. Discussions, attempts to answer, opinions, or feedback will be removed.

Please direct all feedback (change requests, feature additions) to our feedback boards.

So I’m going to do it this way…

Will VRCHAT be responsible for all the data in case of a leak?
Has VRCHAT already looked for other alternatives for age verification or other things?

Am I required to show completely unnecessary information from my document such as parents’ names, place of birth, type of document, etc.? Will my data be analyzed indiscriminately regardless of what is written?

Which data verification system will VRChat choose?
Is the verification location and where the data will be temporarily stored subject to any local regulations regarding data privacy?
Where are the documents on how my data will be processed by PERSONA companies, where can I be sure that there is some type of security?

Have you ever thought about using a safer, more reliable, more complete system with more privacy? Have you ever looked for non-governmental organizations or non-profit organizations to use this data? Although it does not store the IDs themselves, but rather the HASHes created from these IDs, do you at VRChat guarantee that there is no way for these Hashes to be used by other military or scientific organizations (or other type of criminal organization)? Do you guarantee that there are no security holes in this system today?

Regulation regarding data abuse and misuse of data is a gray area as it is still being discussed and regulated worldwide. What will VRCHAT do if the laws change, whether for or against the use of this data? Is there a right to anonymity, as in Germany, will it be obeyed or simply ignored?

Will they be real people who will verify identities or programmed bots? And if they are bots, do they comply with the copyright and privacy laws of all countries in the world?

Does the verification let people see your specific age / birthday? Is this planned to be an option?

I’m curious about what might happen if I get banned because someone is making up lies to stop me from being able to get back into VRChat

I fully back this but,
*can someone maybe type up how this age verification process *
works I know you have to go on Persona But I’m asking for the whole run down and method for those that have accessibility issues such as hearing issues and sight issues, my point is things in the video just needed to be made a lot clearer for some users hope there’s an understanding here…

Thanks

What instance types will people be able to create as Verified 18+ only?

Will there be a group permission specifically for “Create Verified 18+ instance”?

Although it states government-issued photo ID is required, would a UK citizencard be eligible, as this is a form of photo ID with name, date of birth and such. It is a government-backed scheme for adults to hold a proof-of-age card. Proof of Age Standards Scheme - Wikipedia

The Age Verification Closed Beta has commenced, with a limited number of groups invited to test this system.

This test is expected to last a short period of time, but the holidays may impede our ability to progress past the beta until later. This depends greatly on the feedback and performance we observe during the testing period.

We’re evaluating when it will be best for us to expand, and do not have a time estimate right now.

You may see people with Age Verified badges in VRChat, and you may see instances that you are unable to join unless you are Age Verified 18+.

How do we verify if one of our groups got into the beta? Im not the group owner, but a member of the group

Answering my own question here. I was given an opportunity to verify early through a group that was given access to the test drive, and UK PASS-logo ID cards seem to work without issues.

How would I go about verification for a group that was accepted into the beta?
They released a announcement saying that they were accepted into the beta for age verification but with no instructions on how to go about it.