I’m composing this in an attempt to course-correct the mess that is the Age Verification update.
The very disheartening and concerning disregard for any questions and issues of substance by the head of community relations, @tupper, leaves us at a rather nasty spot. We have, in fact, seen a similar clusterfuck of an update before, with EAC update rollout. This time it’s worse, and it also seems to be rushed in the same manner.
Let's do a little recap of everything happening thus far
Three weeks ago VRC announces “Age Verification” update, lying about their chosen provider’s origin. Persona is, in fact, a US-based company.
For these three weeks a ruckus ensues, where people find out that Persona is involved in a couple of PII (personally identifiable information) mishandling cases. This is brought up many, many times.
A backlash happens, as it is revealed that, in fact, “Age Verification” is used for a more nefarious purpose: Identity Verification. This is, naturally, not mentioned in the teasers–or anywhere, for that matter. Said Identity Verification is planned to only allow for one account per person.
Nine days ago VRC publishes a teaser for AV “improvements”, revealing that, in fact, data would have been stored with Persona. Now they’re planning to implement full PII hashing.
This brings even more questions about the planned implementation, as the beta test is rushed to mainline.
Concerns and issues brought up to this day get dismissed with hand-wavy responses, often never elaborating on the questions actually asked.
And we’re here now. So, what are the issues, then?
They’re in it for the money
Persona is a US-based company that makes income by verifying PII details. Persona is interested in extracting dosh out of this process.
Need I elaborate on how this does not mesh with sensitive information?
Misrepresenting identity verification under a lesser issue
“Age” verification is really an Identity verification in this context. I am personally very concerned with how VRC keeps effectively lying about this.
Playing devil’s advocate one could claim that VRC is truly only interested in obtaining DoB details. However, they get to handle raw PII, and plan on associating said information with your account. This is, by definition, Identity Verification.
Not to mention the initial plans on restricting verification to one account. Priorities here are obvious.
Employing dubious service to handle sensitive data
Persona is not trustworthy, and their verification methodology involves violating many a law, especially in EU. The claims of being GDPR-compliant under the context of two [1][2] PII mishandling cases.
What Persona wants to see has nothing to do with verification
Persona’s document verification process is laughable from the security standpoint, as one can manufacture a visually valid ID and verify with it using their methods. Persona does not validate the document’s authenticity, aside from attempting to read an NFC message.
There is no signature check involved.
Yet Persona wants to collect all the data, uncensored.
VRC also handles all your data
VRChat getting to handle raw data is very much a no-no. Not only does this subject VRC to PII handling requirements, we’re also supposed to take VRC’s word on deleting PII.
VRC does not need to handle any of this. Claims of not disclosing the inner workings of the system for security reasons are bollocks, for the issues discussed have nothing to do with the internal workings of the system; we are talking about you needing too much, not how you go about it.
Trusting a company barely capable of adding server-side checks for user input to keep your data safe? Hard pass.
Data staying on ramdisk is resident data, no matter if it’s stored to hard drive or not.
Not from favoured countries? Too bad, chucko
Persona is incredibly limited. Country/document coverage is limited to the “first-world” countries and some extras, with no alternatives in sight for everyone else.
This creates a significant segregation issue, as well as potentially locking out players from accessing content beyond their control when age check is implemented against content gating.
Happen to be Brazilian, Chinese, Russian, East Slavic, from the Middle East, or from any African country? Sucks to suck, bud, you’re not human. 180 supported countries is a lie.
Persona wants you to commit a felony
Yeah. For many of the residents of the EU, it is illegal to submit a full, unedited image of your documents, as it contains incredibly sensitive data, i.e. Burgerservicenummer. Since one can’t censor anything in those images, one exposes oneself to a significant identity theft risk, as well as commits a crime.
The speed at which VRC aggressively disregards criticisms, as well as pushes this clearly poorly implemented “feature” is concerning, as well as perceived hostility to these criticisms.
This set of issues creates a friction spot, where recently introduced (and very vaguely defined) content gating flags and age-limited instances are going to be useless in the near future, for people wishing to remain on the platform who are not able or willing to subject themselves to said verification process are not going to follow through with them.
Stop working on this, put it back into the designing stage, and implement a much less invasive, limiting, and felony-enabling solution. For a company that monitors and adheres to legal requirements of various countries Persona is doing a piss-poor job. Your DPA means jack shit when neither of the parties involved are trustworthy.
Start using signed documents and receipts, at least. Pretty much every government signs their documents, you can actually validate their response that way.
Considering that “only one account is verifiable per ID”, yeah, this is more than just age verification. If they really deleted all the information other than your age, then one could verify an unlimited number of accounts.
This is debatable as of the follow-up, at least according to the statement @tupper made:
Key part being
Knowing their management, it “will” be launched “later” the same way physbones and contact systems “will” launch for worlds. Granted, this lives in the same promised land as his hint at connecting content gating to this system, but still.
I still don’t understand how a hash of any PII is going to prevent an end user from verifying multiple accounts with the same data, given that every single verification is stateless–and why it should even be prevented.
The data sent back from Persona–hashed or not–is contextual to the current user, not globally to all users. There is no reason to check for duplicates using the same PII, other than to prevent verification.
How one can overcomplicate a very simple model update driven by a REST API call is hard to understand and reason. Unless we’re talking about incompetence or malice.
Either way, in the state this feature’s in, it should just be rebuilt by an actual team, not a nodejs intern and a sleepy manager introducing wacky limitations.
You’re very wrong on it being a felony or crime in the EU… your driver’s license is something that cannot be used for fraud or any other malicious activity. It does not contain sensitive info. And pretty much every shop or anything you go to IRL that requires an age of 18 requires you to show an ID. The only thing you’re doing here is misinforming people and leading them astray. And since Persona follows GDPR and so does VRChat… if they do something that would breach this, a massive fine would go both ways. Oh, and also all data is encrypted. And just so you know, just being online exposes you to a lot more shady things than this imo. Just being on Twitter, Bsky, LinkedIn etc., all of them can be used against you. And being against age verification also makes you look rather suspicious.
A driver’s license is a document that one may not possess. While it typically doesn’t have sensitive PII–and thus can be presented freely–it is the only option that won’t break the law.
Not exactly a seamless option to verify yourself if you don’t have one. Moreover, in certain countries it does contain medical information absolutely not necessary to share.
By their own word, which isn’t backed by anything. Considering the lawsuits they’re involved in, and no independent audits of GDPR compliance, I’ll default to them not being GDPR-compliant.
I.e. I can claim to be Santa Claus. Am I Santa Claus just from claiming so?
All information from Persona’s verifications (e.g. the verification results, verification checks, documents, reports, etc) can be retrieved via API.
Thus said encryption is pointless. Their wording also implies that the data in question is encrypted with the same, single private key, for all of it, though this may just be a poor wording choice.
Just sending TCP/UDP packets does not expose any of your PII. If you publish your PII somewhere, this is entirely on you.
Once again, while all these services collect data on you indirectly, none of it can be used to identify you unless you yourself give your PII up. Besides, fingerprinting can be circumvented in various ways, should you choose to.
For the record, I never stated I’m against age verification. I am, however, against identity verification on an F2P US-based platform.
But go ahead and elaborate on why not disclosing one’s age makes one look suspicious.
While on this age subject: moderators of VRC rooms don’t need to be asking for people’s date of birth. When asked for proof of age, all they’re supposed to ask for is age. If you go into VRC rooms like House Party/Sunset Bar/The Midnight Bar and a lot of other VRChat rooms, the admins of the groups of these rooms are asking for age and date of birth. If you stupid fuoks are gonna ask people for their age, your dumb a@@es should at least know the year of birth. It’s really stupid to play bouncer and ask for a person’s age but count the year they were born; you can’t do that in real life, so why in VR? And god forbid if you’re 40 and over and a male, you just get labeled as a straight-out pedo. VRChat is an open world game. Most of you group admins need to get off your high horse, coming into VR worlds making you feel like somebody important.
As someone deeply involved in the bar and club scene within VRChat, I’ve frequently taken part in addressing safety concerns and working to remove groups that fail to uphold proper standards in their instances. It’s evident that simply verifying someone by their age or date of birth isn’t enough. That’s why I’m genuinely encouraged by VRChat’s decision to roll out updates for age verification locks on 18+ instances.
Once this system is fully implemented, I strongly believe that 18+ bars and similar spaces should require verified age authentication for entry. This step is crucial to fostering a safer and more secure environment for all users.
Additionally, I want to emphasize the gravity of allegations against individuals in these spaces. Unfortunately, I’ve had to deal with situations where such allegations escalated to extreme levels. These matters require a thoughtful, measured approach to handle appropriately while ensuring fairness for all parties involved.
In popular venues like the Sunset Bar and other club hangouts, there is often an exaggerated emphasis on the “bouncer” role, which sometimes distracts from addressing real issues. The real concern lies with groups that engage in harassment or fail to uphold basic safety protocols. Over the past three months alone, I’ve been involved in helping shut down 48 groups that engaged in such behavior.
I am committed to raising awareness of these issues within the VRChat community and hope that they draw the attention of the platform’s team. While I am not employed by VRChat, I will continue to do my best to make a difference within the capacity I have and to highlight the importance of these safety measures.
If you come across behavior or instances that appear to violate VRChat’s guidelines or terms, I strongly encourage you to contact VRChat Moderation or file a report against the specific group on the VRChat website. This ensures that such violations are thoroughly reviewed and addressed in line with VRChat’s policies and procedures.
Again. If you’re so against it, just don’t opt in for it. But you will also be unable to join a lot of worlds once it goes live, as the majority most likely will enable the 18+ only instance.
And in regards to driver’s licenses: yes, some countries have some PII you shouldn’t reveal, but the majority don’t. And if that is the case, use some other ID that does not contain sensitive PII.
And in regards to why not being verified makes you look rather suspicious, here is a list of whys.
Not verifying your age in games can make you seem suspicious because of the following reasons:
Compliance with Age-Restricted Content Laws: Many games include content (like violence, gambling, or chat features) that is legally restricted to specific age groups. If you don’t verify your age, it raises concerns that you might be underage and trying to access inappropriate content.
Preventing Liability for Game Developers: Game developers are required to comply with laws such as the Children’s Online Privacy Protection Act (COPPA) or General Data Protection Regulation (GDPR-K) in the EU, which protect children online. If you refuse to verify your age, developers may treat you as underage to avoid legal issues.
Preventing Fraud or Abuse: Age verification is often part of broader security measures to prevent fraudulent activities like creating fake accounts, evading bans, or engaging in prohibited behavior. Not verifying could make you seem like someone trying to bypass these protections.
Ensuring a Safe Community: Many games and online platforms aim to create age-appropriate communities. If you don’t verify your age, other users or moderators might view you as someone who could disrupt the environment or fail to adhere to rules designed for specific age groups.
Bot or Account Farming Prevention: Some game systems use age verification as part of a method to ensure users are real people and not bots or account farmers. Not complying might flag you as suspicious or not genuine.
Obviously refusing it doesn’t mean you’re bad. It just means there are going to be a lot of people who would suspect you otherwise.
At this point I don’t know if you’re being this dense naturally or intentionally. Read everything through again.
Which, again, circles back to being the problem at hand. Your presented solution is not really a solution then, is it?
Every document Persona allows you to use contains PII. Not using one is not an option, even if one’s government has the tools to censor sensitive information.
Currently Persona basically does everything to lead you to committing a felony. I’m sure that’s not their intention, but that’s how it ends up being.
This depends on your country’s laws. I don’t have to disclose my age to access questionable content like this.
COPPA is an opt-in system in reality, and it only covers US. GDPR-K falls into the same category, just for EU. I am subject to none, hence why I haven’t explicitly opted in to either.
This has nothing to do with age verification. This is just identity verification used to prevent account creation, which is the problem at hand.
Got a single point correctly there. Here’s the thing: this is entirely dependent on the kinds of themes and demographics the community in question is running. If I’m not participating in adult-only activities, there is no reason for me to disclose my age.
So, why is it suspicious to not disclose my age, again?
Repeating #3. It has nothing to do with disclosing one’s age.
Yet you keep implying the opposite. You still haven’t reasoned your point, though.
This just seems paranoid. I haven’t read about Persona’s process, but I can’t imagine an age verification process that doesn’t require first finding out if you are a real human being. If the age verification process was just to check whether or not a picture of a driver’s license looks “real” and then get the age off it, it becomes super easy to just make pictures of fake driver’s licenses.
You don’t know how the hashing of data works. I’ll try to give you an example, since this is something I know a lot about. But let’s make this a full example.
You give some verification provider a picture of your driver’s license and a proof of life picture to prove that it is indeed your driver’s license.
The verification provider checks with its official channels to see if your driver’s license is real and valid. I assume they ask the government agency or something, but the exact details don’t matter for this example.
The verification provider now knows that your driver’s license is REAL and the information on it is true. They have the proof of life picture to confirm that you didn’t just take someone else’s driver’s license.
The verification provider now creates a quick (and hopefully temporary) profile with your information, filling in your name, date of birth, and maybe a few other things like country of residency. For example: Name: John Doe, DoB: 2024-01-01, Con: US
The verification provider makes a hash out of this information. Let’s use an MD5 hash as an example because it is simple and short, but there are better hashing algorithms. The MD5 hash of John Doe+2024-01-01+US is f111829ab487303f52892214a275af51. There is no way to find out what was used to make the hash; that is the point of a hash.
The verification provider now sends the date of birth and the hash to VRChat, and deletes it from their system. If they happen to use this data for anything else before deleting it, they are breaking the agreement they have with VRChat, as we have been told.
VRChat saves the date of birth and the hash to your account.
Now, say you then try to verify your alt account with your passport. Let’s skip some of the points here.
You give the verification provider a picture of your passport and they verify it.
The quick profile they make is again: Name: John Doe, DoB: 2024-01-01, Con: US and the hash will again be f111829ab487303f52892214a275af51, because it was made using the exact same information.
The verification provider sends date of birth and hash to VRChat.
VRChat sees that the hash matches another hash in their system, so they discard it as a duplicate and deny the verification of the alt account.
That is why VRChat needs the hash, and that is what the hash is. VRChat does not get your real name, or anything other than your date of birth.
Why can’t you verify multiple accounts?
Most likely because it prevents one person from verifying all their friends (which might be underage). I am sure VRChat will have fun trying to prevent this otherwise, and I am curious to see what solution they come up with if they want to allow it.
If you think you have a solution, share it, I’ll be interested in seeing it.
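The duplicate-check flow described in the post above, written out as an added example that is not code from the post's author, from VRChat, or from Persona. It uses the post's own sample profile (John Doe, 2024-01-01, US; constructed, not a real person) and its MD5-of-profile scheme, and adds two things the post does not describe, both assumptions for illustration: a normalisation step before hashing (a driver's license and a passport may print the same name with different casing or spacing, and without normalisation the two digests would not match and the duplicate would slip through), and a keyed variant using HMAC-SHA-256, since an unkeyed digest of a name/DoB/country tuple can be recomputed by anyone who can guess the tuple, whereas a keyed one cannot be recomputed without the provider's key. The `PlatformRegistry`, `provider_verify` and `run_scenario` names are made up for the example.

```python
import hashlib
import hmac
import re
from typing import Dict, Optional, Tuple

# Constructed sample documents, as in the post's worked example (not real people).
DRIVERS_LICENSE = {"name": "John Doe", "dob": "2024-01-01", "country": "US"}
# Same person, second document: the passport prints the name differently.
PASSPORT = {"name": "JOHN  DOE", "dob": "2024-01-01", "country": "us"}
OTHER_PERSON = {"name": "Jane Roe", "dob": "1990-05-17", "country": "US"}


def canonical_profile(name: str, dob: str, country: str) -> str:
    """Normalise the fields so one person yields one string whichever document they present.

    Assumed step, not described in the post: collapse whitespace, casefold the name,
    upper-case the country code, then join with '+' as the post does.
    """
    name = re.sub(r"\s+", " ", name.strip()).casefold()
    return f"{name}+{dob.strip()}+{country.strip().upper()}"


def profile_hash_md5(profile: str) -> str:
    """Unkeyed MD5 of the canonical profile: the scheme the post describes."""
    return hashlib.md5(profile.encode("utf-8")).hexdigest()


def profile_hash_keyed(profile: str, key: bytes) -> str:
    """Keyed alternative (HMAC-SHA-256), an assumed hardening not in the post.

    The provider holds the key; the platform receives only digests and cannot
    turn them back into profiles, and neither can anyone who guesses a tuple
    but lacks the key.
    """
    return hmac.new(key, profile.encode("utf-8"), hashlib.sha256).hexdigest()


class PlatformRegistry:
    """What the platform stores per the post: date of birth plus the digest, per account."""

    def __init__(self) -> None:
        self._owner_by_digest: Dict[str, str] = {}  # digest -> account id
        self._dob_by_account: Dict[str, str] = {}  # account id -> date of birth

    def submit(self, account: str, dob: str, digest: str) -> str:
        """Accept a (dob, digest) pair for an account; reject if the digest already belongs to another account."""
        owner = self._owner_by_digest.get(digest)
        if owner is not None and owner != account:
            return "duplicate"  # same person already verified a different account
        self._owner_by_digest[digest] = account
        self._dob_by_account[account] = dob
        return "verified"


def provider_verify(document: dict, key: Optional[bytes] = None) -> Tuple[str, str]:
    """Simulate the provider step: document already validated (assumed), build the
    profile, hash it, hand back (dob, digest) and retain nothing else."""
    profile = canonical_profile(document["name"], document["dob"], document["country"])
    digest = profile_hash_keyed(profile, key) if key else profile_hash_md5(profile)
    return document["dob"], digest


def run_scenario(key: Optional[bytes] = None) -> Dict[str, str]:
    """Main account verifies with a license, the alt with a passport, a second person
    verifies normally, and the main account re-submits its own document."""
    registry = PlatformRegistry()
    return {
        "main": registry.submit("main_account", *provider_verify(DRIVERS_LICENSE, key)),
        "alt": registry.submit("alt_account", *provider_verify(PASSPORT, key)),
        "other": registry.submit("jane_account", *provider_verify(OTHER_PERSON, key)),
        "main_again": registry.submit("main_account", *provider_verify(DRIVERS_LICENSE, key)),
    }


if __name__ == "__main__":
    print("unkeyed MD5:", run_scenario())
    print("keyed HMAC: ", run_scenario(key=b"provider-secret-key"))
```

Running it prints `{'main': 'verified', 'alt': 'duplicate', 'other': 'verified', 'main_again': 'verified'}` for both variants: the alt is caught only because the two documents normalise to the same profile, and re-submitting the same document for the same account is not treated as a duplicate. Swapping the key changes every digest, which is why the keyed variant only works if the same provider (and the same key) sits in front of every verification the platform accepts.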