Course-correcting the mess that is Age Verification update

“I don’t know how it works but you’re clearly wrong!”
You really need to work on your scene entry, mate.

Any data verification processes backed by a trusted provider are sufficient enough to only implement age verification without the need for obtaining end user’s PII. These services are typically run by government entities, and are subject to much stricter security measures as well as requirements to access said data in the first place.

Persona is not a government entity, not even a government-backed one. They act as a layer between the consumer (VRC) and the user’s PII, providing pseudo-verification. As a matter of fact, Persona does not validate the authenticity of the documents users provide, at all. They are, however, very adamant on forcing the user to go through their “liveness check”, which is a good reason for concern, given their involvement with stated lawsuits. Mind you, this “liveness check” does not involve demonstrating the document used in the first step.

But sure, disregard all that because I’m “paranoid”.

Golly-gee, that’s news to me. I must be unqualified to be principal backend engineer then.

On a more serious note, let’s break down the bollocks you’ve posted:

We’ve already gone over how authenticity is not verified. The documents collected are put through basic canvas alignment, internal type matcher, and then OCR. About the same process as what we do to digitise old newspaper releases. Extracted data is then stored.

It is not temporary. As per Persona’s own documentation linked above, your “profile” is indeed created for further accessing by the consumer. VRC claims this process is supposed to be replaced with Persona bringing them all the data instead, and then waiting on VRC to submit a hash for Persona to store in place of your data.

Typically this would be true and desirable, and the end consumer would not be receiving any PII outside of the information needed. This is not how VRC describes this process:

So, no. Both entities operate on PII, needlessly. Steps 6 and 7 therefore are entirely off the course, as per VRC’s words: they hash the PII and send that hash back to Persona to… store it in place of your PII? To do something. This is where they employ STO practices that make this shadier than it needs to be.

This literally goes the opposite to what VRC have stated, linked above. Please read their statements in question first before claiming anything. This tends to be the best practice.

No, it is not. Again, like it was stated, they rushed this, and after a sufficient enough backlash they caved in and set up a hashing system to be able to identify the same PII given to not run it through Persona’s OCR and extractors over again, thus to not have to pay the processing fee.

Why exactly this is a technical limitation in either implementation is unclear. Why it is a limitation in concept is very clear: age verification is just identity verification in disguise.

I assume you’re asking for a solution to multiple accounts being verified with the same identity.

Well, it’s simple: just receive and update. A user can have multiple accounts by definition.

This situation is basically identical to adding a unique index onto the password hash field. Except this time it’s PII hash.
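
The closing point of the post (a unique index on the PII hash versus "receive and update"), as an added example that is not part of the original post and is not VRChat's or Persona's code. The table and column names, the HMAC key and the sample document values are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import sqlite3

DEMO_KEY = b"constructed-demo-key"  # assumption: a server-side secret for the keyed hash

def pii_hash(doc_number: str, dob: str) -> str:
    """Keyed hash of normalised document fields (hypothetical field choice)."""
    msg = f"{doc_number.strip().upper()}|{dob}".encode()
    return hmac.new(DEMO_KEY, msg, hashlib.sha256).hexdigest()

def open_db(unique_identity: bool) -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE verification (
                      account_id TEXT PRIMARY KEY,
                      pii_hash   TEXT NOT NULL,
                      is_adult   INTEGER NOT NULL)""")
    if unique_identity:
        # The design the post objects to: one identity may back only one account.
        db.execute("CREATE UNIQUE INDEX one_identity ON verification(pii_hash)")
    return db

def record(db, account_id, digest, is_adult) -> bool:
    """'Receive and update': upsert the verification result for this account."""
    try:
        db.execute("""INSERT INTO verification VALUES (?, ?, ?)
                      ON CONFLICT(account_id) DO UPDATE SET
                          pii_hash = excluded.pii_hash,
                          is_adult = excluded.is_adult""",
                   (account_id, digest, int(is_adult)))
        return True
    except sqlite3.IntegrityError:
        return False  # another account already holds this pii_hash

def linked_accounts(db, digest):
    """Accounts whose stored hash matches, i.e. accounts tied to one identity."""
    rows = db.execute("SELECT account_id FROM verification "
                      "WHERE pii_hash = ? ORDER BY account_id", (digest,))
    return [r[0] for r in rows]

if __name__ == "__main__":
    h = pii_hash(" ab1234567 ", "1990-01-01")  # constructed sample values
    for unique in (True, False):
        db = open_db(unique)
        print(unique, [record(db, a, h, True) for a in ("acct_a", "acct_b")],
              linked_accounts(db, h))
```

With the unique index the second account is rejected; without it both accounts verify, and in either schema the stored hash remains a stable identifier that ties accounts to one document.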