Age Verification Feedback

VRChat has determined Persona can be trusted with a photo of your face and government ID. Persona is a VC-backed (arguably "tech bro") San Franciscan tech startup that's only existed since 2018. They operate out of a shared space behind a bar: https://maps.app.goo.gl/t5ebyhr9oTUhupMf9 Their privacy policy says (as I read it) that they explicitly have permission to take your personal information (selfie, photo of your government ID) and store it for years, and can and will send it to "vendors, agents...companies we've hired to provide customer service support..." and to "law enforcement [and] other government agencies." They say they'll use your personal information "to understand you and your preferences to enhance your experience and enjoyment" and for the purposes of "marketing, including to communicate with you about new services, offers, promotions, rewards, contests, upcoming events, and other information about our services and those of our selected partners..." and for "advertising, including display [sic] advertising to you..." Their privacy policy site also uses clickjacking to prevent you from copying the text of their privacy policy: https://withpersona.com/legal/privacy-policy These doesn't seem like the actions of a legitimate and trustworthy company, and there aren't enough guarantees that you won't be literally doxxing yourself. PII is extremely valuable and there's an entire industry of brokers that facilitate the sale and transfer of people's personal information--not to mention the risk of hacking, accidental disclosure, or a new and untrustworthy company being sloppy or reckless. These days AI can train off a photo of your face, and scams and identify fraud are extremely common. Personally, the only times I've had to provide a photo of myself holding an ID are for once-in-a-lifetime financial transactions. Never for a video game or social media. VRChat is willing to take the chance of making this de-facto-mandatory (i.e., the community normalizes it and it results in a greatly degraded experience if you don't comply)? The ask is a severe imposition and an invasion of privacy without adequate concern that the chosen data broker is trustworthy. Even the announcement incorrectly claimed your PII would be handled in accordance to the GDPR, but the company is actually based out of California, where regulations are far less strict, and fines far less burdensome.

While age verification seems to be a requirement in the age of the modern internet, persona as a company has shown they cannot be trusted with user data, especially with a recent breach in privacy. This breach has even resulted in discord dropping it as vendor. Not only has persona had that breach, it has collected data and has been accessed by things LIKE openAI and puts people on a WATCH LIST. Please, vrchat, if you care about your userbase's safety and the longevity of your platform, it is genuinely in your best interest to find another means to age verification. This is an invasion of user privacy, and while I can respect wanting to maintain safety for adults and minors, there has to be an alternative to persona! sources: https://cybernews.com/privacy/persona-leak-exposes-global-surveillance-capabilities/ https://www.therage.co/persona-age-verification/

Hey Team! Lately we are seeing more worlds add in "age checking" at the entrances of worlds (even with the option for AV only instances available). It would be very useful if world creators had access to call on AV through Udon to help groups run their lobbies a bit more smoothly and help provide them that extra level of security. Being able to access AV through Udon, lets world creators do some of the following as example: The option for groups to auto allow AV users into the world, while stopping non AV users at the door to manually check. You could provide AV users with an icon above their head. (With a toggle hopefully). Let AV users toggle on game modes that may be more targeted towards 18+ users. Restrict certain area's of a world. Restrict users from entering a world which main theme is adult/"NSFW"/ or not suitable for below -18. ( 'Age Gating' should cover this already, but at the moment you don't need to prove ID when making your VRChat account, so this would solidify it) Automated content adjustments for different age groups -18 & +18 instead of blocking younger users fully or non-verified, worlds could dynamically adjust gameplay, visuals & mechanics. Helpful in overall moderation tools for admins/groups. Enhanced trust for community worlds and create a more trustworthy environment. Improves the reputation of VRChat as a 'safer' social platform. I am sure there are many other examples/features that world creators can add that allows groups to run their lobbies more smoothly and safely, these were just a handful of ideas submitted by the community. Thanks!

add an option to create groups only visible to age verified accounts. As well as those group instances not being visible to the public without age verification.

I read the reason why VRC put age verification behind VRC+. They said age verification is expensive. I call BS on that. Maybe it is expensive, maybe it isn't, I honestly don't know. But you can't tell us you're unable to process that information without being paid. "We can't trust your government issued ID is real unless you give us your credit card info and pay us a monthly fee" is the absolute worst Looney Tunes logic I've ever heard. Remove age verification from payment requirement. Period. Because this isn't about cost, it's about greed

The Chief Technical Officer and Co-Founder of Discord, Stanislav Vishnevskiy, posted a blog recently covering Age Verification and their roll-out plans. https://discord.com/blog/getting-global-age-assurance-right-what-we-got-wrong-and-whats-changing On the 15th Paragraph of the blog post, they talk about Persona and mentioned something very critical. Here is the direct quote from the blog: "One of our core goals with age assurance is to give you options. As part of that, we’ve been evaluating multiple vendors to offer a range of verification options people are comfortable with. One of those evaluations was with Persona, a company used by platforms like Roblox and Reddit. In January, we ran a limited test with Persona in the UK only. After completing the test, we decided not to move forward with them, and consistent with our privacy policy, all data was deleted after completing verification. We’ve set a new bar for any partner offering facial age estimation, including that it must be performed entirely on-device, meaning your biometric data never leaves your phone. Persona did not meet that bar." When I verified myself with Persona through VRChat early on since its implementation, I was informed that the biometric data of my face scan was never gonna leave my device. I trusted Persona on that when I used their website. I don't know if they changed since then. But now, after Discord's own CTO and Co-Founder revealed that Persona failed to keep that part of the promise, it's time for VRChat to consider other options. Personally, I think BlueSky has a decent alternative method for users not willing to submit government documents. BlueSky allows users to verify their unique ownership of the account (to prevent or mitigate impersonators) via their own personal Domains and using those Domains as their BlueSky Handle instead. This is because registering a Domain requires using a real identity and be registered in the Domain Registrar in accordance with ICANN. Although domain regulations will very from country to country. These rules are from the US. And maintaining that registration requires annual upkeep. The Domain Registrar can also hide your name and address at your request and so no one but the Registrar knows who you are. Anyone who looks you up will just see the default name and address of the company with whom you registered your Domain with (examples: GoDaddy, Hover, etc.) and your registration ID is redacted. This provides a layer of protection and I never submitted my government ID to them to register. Just your name, address, and credit card information. I think this method might be more suitable for VRChat as it still offloads the cost and procedure of verification to another company while eliminating the need for submitting an ID altogether. The only downside with this is how this will affect ownership of the user's account should they lapse in their annual upkeep of their Domain in the Registrar (or their equivalent in other countries). Thoughts?

It seems like that there is a heavy implication that age verification is only for instances only. I would like to see the option for group owners to additionally enforce age verification to join / retain membership for their group. Example scenario: I'm a group owner with five hundred members. At some point I would like to make my group require age verification in order for users to retain membership in the group. When requiring age verification, any member who has not verified their age on their VRChat account via Persona gets a notification stating that they have 7 days to verify, or else they will be automatically removed from the group.

I try several time to get my ID recognized, it's the old french format of id, the green one, it's not expired, all four corner were seen, no glazed, no out of focus, everything was good and it's the only thing i have to prove that im 18+, but it's not geting recognized and now i can't even try again, it tell me to contact support, which i did two time, so please help me because i literally paid for vrc+ yesterday.

You said it was secure. You lied just as horribly as Persona has been lying through their asses. Personally Identifiable Information IS NOT SECURE!!! FIND A NEW ALTERNATIVE THAT ACTUALLY CARES ABOUT USER TRUST AND SAFETY AND DOESN'T FORCIBLY INVADE PRIVACY OF USERS!!!

They scan your ID against 250+ sources, not to mention keeping a record on you for years after you verify, while having your whole ID and SO many data breaches.