I’m unaware of any marketplace listing cheaper than 100 credits. You’re essentially leaving users with 99 credits that can’t be spent on anything.
We could do 500 credits too! we’d accept that xD
1 Like
It was probably easier for that group to post non-event days if they did a lot of weekly events but hopefully this repeating events feature changes that for them
here, I got one for Soba-chan - Hey, you’re looking soba-utiful today~ X3~
i was told this would be a good place to hold this discussion so here we go.
recently persona has been in the news again for its potential usage by discord and ties to peter thiel/US surveillance, and yesterday it was revealed that biometrics are deleted after 3 years by default (in openai’s case) not instantly as we’ve been told up until now. i’ve been getting told that persona deletes this instantly with nothing to back it up except “it would be a bad business decision” essentially.
i dont think this should even be debated, it should be a kneejerk reaction to drop this company immediately and deal with the blowback while you find a better solution. we’re not in a position where companies are actors independent of whats going on in the world. having this data available in any capacity is incredibly dangerous to your users and it shouldnt matter one bit how much your trust them by word or even by contract.
1 Like
I agree — the Featured Event section is completely useless to me, as it suggests random events from groups I don’t even belong to or have any interest in.
Please vote on canny: [1744] Hide featured in Live now tab | Voters | VRChat
VRChat already responded to this on the subreddit:
tl;dr Persona pinky promises to not give out the data
I’m curious how much will be accounted for with custom rules. One group I’m in for example hosts a monthly event every second-to-last Saturday.
Soba?
I was told this was the place to ask.
From my understanding of the leak, the code leak is the same pipeline used by OpenAI’s age verification system (KYC + Age) but hosted on a FedRAMP server. It seems improbable that they would write entirely different apps per customer (they used to do this when they first started but migrated away from this practice after a year or two according to the CEO on a spotify podcast).
Please understand, I am not trying to force anyone in a corner, but leak has been more transparent than anything Persona has said over the years. All I am looking for is clarity and transparency.
-
Is there a way we can get confirmation in Persona data deletion? Part of the source code that was leaked shows that that any verification that fails or any face scan that is suspicious (even if passed) keeps the face to be trained on.
There is an extremely heavy implication that faces are kept for ~3yrs otherwise to make sure you don’t submit a duplicate.
-
The architecture flow diagram on the disclosure report seems to claim that the more invasive background check endpoints are hit (via identify.withpersona) regardless of the source of the docs/company the data is for.
-
The method of implementation that VRC uses is referred to as “KYC + Age” in the docs. KYC paths in Persona work like a background check. Part of this verification can scan watchlists and other dbs, some of what we saw in the leak.
- Can you speak upon the usage and depth of Persona’s KYC products used by VRChat?
- Is there a reason the KYC method was chosen over the age estimation verification product Persona has?
-
Persona’s code reportedly does not delete IDs. They are “retained permanently” (paraphrased from website). This seems to check out with a press release they released awhile back where they showed forgeries using the famous McLovin ID.
- Building upon this, is this how VRC knows if you try to verify twice?
-
Persona will periodically rescan all your info that it has, how can they do that when it’s deleted? Does VRC have this feature on (which is the default option, apparently??)
I know this is a hell of a lot but I’d greatly appreciate answers, I think it would put a lot of people at ease.
3 Likes
That reminds me, is the chat box still wonky?
I read that page and vrchat has something at least slightly different, as that page declines people under 18.
I kinda wonder about persona’s smaller customers, as those would be the people who the documentation is written for. Like, I can see seller’s on the vrchat economy needing to do the “know your client” stuffs.
This was so annoying than God it’s fixed.
I’m going to do my best to respond to the Age Verification/Persona questions. I’m not going to be responding line-by-line to every question, as I don’t think that would necessarily be helpful. Instead, I’m going to try to get at the heart of the matter.
First: I get why there’s so much anxiety around this.
To say that we’re in a tense moment of time would be an understatement. Given that VRChat is a platform where a lot of people go to be themselves – whatever that happens to mean for them – a certain degree of privacy is necessary.
Second: A lot of what I’m about to say is me reiterating stuff from our Age Verification FAQ. Some time has passed though, and it’s possible not everyone has read through all of it. So here we go!
Persona is a company that provides many services to many different clients, all with varying needs.
Take a peek at their website and look at the “Solutions” tab.
Persona provides out-of-the-box tools that are relatively easy to use and integrate for their clients. This is because, for example, a lot of customers looking for a “KYC” (Know Your Customer) solution all generally want the same sort of solution, that maintains compliance in a certain way (for whatever industry they are in).
Persona also provides its clients with a lot of customization, as well as powerful tools to make sure that what they want to happen is happening. They offer a lot of flexibility – more than most providers. You can take an off-the-shelf solution from them, yes, or you can be very specific about what you’re looking for.
One of the engineers who setup our integration was graciously enough to take some time out of his day to explain what this looked like to me.
Here’s what he had to say:
We are not using Persona’s default settings, so if anything you have heard about their default functionality contradicts what we’ve said, it’s because we’ve set it up to work differently.
I have set up our implementation to explicitly remove all verification data after a verification inquiry succeeds, fails, or expires. I’ve also verified on their dashboard that the verification data is being removed.
This actually causes problems for us sometime, which some of our users have noticed. For example, because this data is deleted, when a user has a problem with verification (say, a certain sort of ID), it’s almost impossible to troubleshoot, as we don’t actually know what type of ID they were using. Persona, also, can’t help… as they can’t see it either, as it is deleted immediately even if verification fails.
It’s also worth noting that Persona receives no information from us about you or your VRChat account.
We generate a custom ID for the sake of verification, which tracks the progress of the verification process. Once Persona sends us the relevant information attached to that ID, it’s hashed, we complete the process, then all verification data is deleted.
This process ensures two big things: we don’t store any data related to your verification (nor do we receive any images of IDs or face scans) and Persona doesn’t know who you are in VRChat.
Finally, Persona handles data according to terms they agree on with their customers (including us!). What folks have seen “in the wild” are numbers that often equate to the maximum length that they are comfortable holding data, not the additional limits their customers might have with them.
This is also why we said this in the blog post, where we announced Age Verification:
Persona is obligated to only use your data to provide identity verification services for VRChat and is expressly prohibited from selling it, sharing it, or using it for another purpose.
Finally, I’d just like to say that, when something does happen that’s big news in the tech space, we’re always taking a look, too. We’re always keeping tabs on things. We, after all, are as plugged in as you are, and want to make sure that we’re providing the best product for our users.
To some extent, I hope that the fact that we’re verified is us showing our money is where our mouth is. We trust the system enough that we use it. We’re a step beyond dogfooding at VRChat. 
8 Likes
Thank you for the rational response. There’s a lot of irrational discussion, even false or misleading statements on Canny relating to Persona: Find an Age Verification Provider Not Linked to Palantir
1 Like
This is playing politics and doing damage control rather than materially addressing the matter at hand: your org is doing business with a company poisoned by Thiel’s blood money, when there are alternatives that are not. The fact that our ids cannot be easily traced to our particular accounts, assuming the security engineers did their due diligence under the supervision of cryptographic auth experts, is immaterial given the vulnerable demographics that make up a large portion of VRChat’s player base. Simply knowing we are on VRChat is enough to cross reference with other data to paint a picture of each of us. A picture with a target on it.
trust in VRChat is rightfully limited given how the EAC rollout was handled, soft-banning hard of hearing users. Do better.
4 Likes
While I do understand you guys are trying to keep the community safe, I do feel given recent revelations surrounding Persona, you should at the very least do research for alternative vendors, especially if in game events like Furality are going to require age verification to attend. I have already had several people do not plan to attend this year due to the controversy and that should be a signal the community does not want to be associated with such a company. I hope you will that this into consideration, and maybe make a more public announcement to address this issue so people can see and give their feedback.
4 Likes
Goodness I’m not the only one with concerns, which is reassuring to me, though i know that means more headaches for the dev team.
That one comment explicitly from the backend engineer is reassuring, hearing that they have a way of confirming data is deleted on Persona’s side.
I just wish that the age verification process didn’t require that initial sending of PII with un-censored irrelevant information.
If i could just like, cover everything on my ID aside from the birthdate and most of my face, and maybe one other data point to confirm legitimacy.
Because at the end of the day, we still have to trust the word of Persona that the data isn’t being misused, or exposed at any point. And all we have is their word and VRC’s word.
I know VRC devs have a reputation among their user base, but I don’t believe them to be malicious (that’s my choice to believe).
If they say their setup with persona is trustworthy, i believe they believe that.
But I can’t bring myself to believe Persona themselves.
I need some means of protecting myself from them before agreeing to send them any kind of data whatsoever.
Masking the ID physically in the photo is one. And biometric face scans are just a non-starter for me.
Airports even let you refuse them if you want.
So long as the tech industry just keeps the “go fast and break things” mentality, I am unwilling to trust them with things I can barely trust my own government with.
We don’t get the luxury of living in a world where private companies are genuinely bound by law, not if they have enough money. And the times we live in right now explicitly, an individual can’t afford to risk their privacy in such a way. I know there are pleanty of folk who are well off enough and/or insulated enough to not need to worry about sending PII to private companies for the purpose of recreation. But I’m not gonna pretend that a data security company with investment ties to Palentir is not a concern that can be ignored, not in today’s climate. I don’t have any intention of believing other’s comments that either downplay or deny it as a concern, either.
3 Likes
I hope recent news regarding persona will lead to a different provider being chosen, or ideally a system locally run on vrchat servers. I’m not sure we can trust that persona are deleting what they claim to after this.
2 Likes
In addition I wish to know how to exercise my privacy rights eg. delete my data from Persona.
1 Like