Age Verification Feedback

Please add the pre-existing support inside of Persona for IS 18013-5 mobile identification. This protocol allows for Users to submit data with minimal data sharing, only exposing the relevant parts of the identification to the service. I don't find Persona as an organization trustworthy with the image and text data that my ID contains. The municipality within which I reside has a robust mobile identification platform that already functions within most of the airports in my state for identification. Persona has a plugin advertised on their website for compatibility with this exact feature. It is by far the safest and most privacy conscious method of verifying age for the places that support it. I am not aware of whether or not this feature was supported by Persona when VRChat released the original age verification beta, but I would consider it to be the most important aspect of the Persona service to include if this program is to continue. https://withpersona.com/product/verifications/mobile-drivers-licenses https://www.iso.org/standard/69084.html

Hey Team! Lately we are seeing more worlds add in "age checking" at the entrances of worlds (even with the option for AV only instances available). It would be very useful if world creators had access to call on AV through Udon to help groups run their lobbies a bit more smoothly and help provide them that extra level of security. Being able to access AV through Udon, lets world creators do some of the following as example: The option for groups to auto allow AV users into the world, while stopping non AV users at the door to manually check. You could provide AV users with an icon above their head. (With a toggle hopefully). Let AV users toggle on game modes that may be more targeted towards 18+ users. Restrict certain area's of a world. Restrict users from entering a world which main theme is adult/"NSFW"/ or not suitable for below -18. ( 'Age Gating' should cover this already, but at the moment you don't need to prove ID when making your VRChat account, so this would solidify it) Automated content adjustments for different age groups -18 & +18 instead of blocking younger users fully or non-verified, worlds could dynamically adjust gameplay, visuals & mechanics. Helpful in overall moderation tools for admins/groups. Enhanced trust for community worlds and create a more trustworthy environment. Improves the reputation of VRChat as a 'safer' social platform. I am sure there are many other examples/features that world creators can add that allows groups to run their lobbies more smoothly and safely, these were just a handful of ideas submitted by the community. Thanks!

Accounts should be required to have the permanent +18 verification tag, regardless of the situation. The age verification tag needs to always be visible because it's precisely what serves to separate adults from children and it's what guarantees user safety. when having any type of interaction*.

This will make everything so much better. Its simple and very easy to bring in.

I would love the ability to add the age verification, maybe a symbol on my nameplate. So when entering 18+ instances. I can quickly show my verification. Or being able to quickly see someone is of age without digging through a menu.

In the FAQ ( https://ask.vrchat.com/t/age-verification-faq/28458 ) it is stated the purpose of storing an ID hash is to: --- Detect duplicate IDs: When someone submits a verification, we compare it against our existing hashes. If we find a match, we know that ID has been used before and can reject the verification. Enforce bans: We can check if an ID was previously associated with a banned account, preventing banned users from verifying new accounts with the same ID. Enable multiple accounts: We can allow users to have more than one verified account using the same ID. Previously, this would have required keeping your full ID data with Persona. While this is not planned for initial launch, we are considering the feedback that you have given us. --- This indicates that you will be storing some sort of mapping between the hashed data (which you have not clarified what data is being used in this hash, please do so) and a VRC account. This is bad. While hashing data with a salt is a one way action, it is brute force-able. With time and resources (the amount of which decreases as technology progresses) these hashes can be cracked. Salting makes this not viable on a wide scale (cracking every hash in a leak at once), but targeted cracking is still very possible. If this database of hashes leaks (assuming the pepper leaks along with it), anyone with a grudge can dedicate time to crack a specific hash for the user that they have a grudge against. Likewise, high profile users like creators/vtubers are at high risk due to simply being more known. There is also not a ton of actual information stored on the ID itself, and much of it is in predictable formats (ie: dates, names, address, etc). Not to mention that supporting every ID type likely means that only a subset of this information will actually be used for the hash. This lowers the entropy of the input to the hashing function making it easier to crack a specific hash. Storing more sensitive data to increase the entropy is a cyclical loop, in that it presents more risk in the event of the hash being cracked. Storing an association between the hashed data and a VRChat account is not required to do 2 of the 3 goals of storing the hash: --- Detect duplicate IDs: No association is required to do this, you simple store the hash itself, and check against all hashes for each new ID added. You would have to do this anyway. Enable Multiple Accounts: If you choose to do this, you can simply stop checking against your hash store, delete hashes you have, and stop storing new hashes. Alternatively, If you would like to limit the number of accounts that can be used under one ID, you can continue the same way, but also store a value with the hash that represents the number of times it has been used to verify. Enforce bans: This one does not have a solution. However, this relies on VRChat having already allowed users to verify multiple accounts with one ID. This also assumes that the person is verifying under their own identity to begin with, which is made less likely by the previous sentence. Abusers of this system would also likely rack up many verifications/accounts as they would have to keep verifying as they got banned over and over. If a limit is in place for how many accounts can be verified under one ID, it would be reached. If there is no limit, that number would still climb higher than a normal user of the platform, warranting further investigation. --- Overall, if any sensitive information is planned to be used to generate the hash, IE: Name, ID#, address. Then I personally think storing the hash with an association to a VRChat account is dangerous, and should not be done. It is not really required to do the main purpose of storing a hash in the first place, preventing ID reuse, and increases risk to users in the event that the hashes are leaked. If no link between a specific VRChat account and their hashed private information is stored, then no individual VRChat user is identifiable.

What is it: Allow for players to request for manual approval to join instances with authentication requirements. This will allow the hosts or groups to manually filter applicants and allow for guests to join for the session or permanent approval for future group sessions. Why: VRChat is a social game: Excluding people who are just starting out and prevent SHARP loss in player retention from the Government ID requirement to participate in events or go to public spaces with other adults. New players will NOT understand what it is for and WILL feel uncomfortable, as even Facebook does not need government IDs on signup as it is a death spiral to ease of onboarding. Linkedin is the only company did it moderately okay but they are a requirement if you want to get a job and not die. VRChat does not have the same sway How: Allow players to request to join authenticated sessions and allow the hosts to approve them. The host can change their mind at any time and kick the player and add a reason for kick. This is exactly how the invite system already works.

I thought there was a canny for this already but I couldn't find it. I feel like the red for 18+ is a bit harsh and makes it feel a bit more scandalous than it actually is. I think changing it to purple or orange to mimic trust ranks would be a lot better and make it feel less like a marker you'd see on a sexually explicit website.

There has been a VERY alarming change recently that Exposes users for their Verification status on the open beta. Explaination of problem: Once the user completes ID Verification, 18+ or <18, Their profile will now earn a Tiny checkmark next to the shield on their rank, informing other users of that users completion in ID Verification, Currently this is NOT able to be disabled This came almost completly unannounced, Only users within the community leaders discord (maybe others, im Unaware) were aware before it happened (Even tho we advised that this shouldn't be an option at all Users are still able to hide and show their badge, Now this can create a multitude of problems. 1: Accidental harassment: A Friend I've known for a week was hiding their badge, Which got me Hyper alerted to when I saw they had a checkmark, I knew they were over the age, but I saw the checkmark and I freaked out on them getting way to in their face because of my expressive concern of what their Real age was due to the checkmark (In the open beta, Age verified is removed, Only none and 18+ are applicable options now.) 2: Age verification was released to help seperate adults from minors, Now VRChat appear to be potentially marking it as a "Safety" feature. Problems: This checkmark allows users to identify people who have ID Verified and expose potentially them by calling the user out for hiding their own age (badge) to hangout with younger audiences to chill or potentially worse adult faking their age for any reason of personal gain, which is Extremely Alarming behaviour. VRChat patch notes for the open beta: "The Trust Shield icon on user profiles and nameplates will now show a checkmark for all users who have undergone age verification." ALL users are now subject to this change/checkmark. Now I personally Do not understand the reasons for Minors to beable to age verify at all, One thought that comes to mind are minor content creators (tiktok), The checkmark aids that, Yes that is the real xyz content creator to help users see that its not some imposter, This should NOT be marketed as the same system as Age verification for Adult/Minor seperation My biggest conflict In asking people about this topic, Why was this change made, It doesn't make sence when the feature was released as a Offering to adults to help improve communitys and build apon a Much stronger security from minors (Granted ID verification is not perfect, NO system is non-bypassable, errors happen). Lots of feedback I got from asking randoms in publics and friends, is that Users Should NOT be allowed to hide their verification badge Regardless of status if this checkmark were to stay for the future of VRChat, It can let anyone easily Identify someone who is either underage, or potentially hiding their age (leading to much worse). If users wish to hide their badge, I don't believe VRChat should restrict that (my personal believe) as it is a choice of freedom, VRChat has excelled in giving users the freedom to do and enjoy this game as they want. (Please don't change that for us, we all love you at heart) A direct quote from Tupper also mentioning this same topic within the Community leaders discord when directly asked about this topic (quote shortened): "The ability to control what information about you is shown to others might be considered a core value of VRChat in our "psuedonymity" value." A large slice of the users I got feedback from would like the 18+ badge to be forcfully enabled as this isn't a "feature" this is a SAFETY feature which is MASSIVLY more important then having freedom of choice, We all want safety from minors when enjoying the things we love most. My personal view: I DO NOT Regardless of personal believe believe ANY user should be allowed to hide their badge to hidden or changed status, If VRChat would like to remain giving users this option , Make the checkmark status Match that of the badge's status. Do NOT Split the system up as it was founded from ID Verification, Not as a way to improve trust, If VRChat has ideas in the future to change or add more ways to verify, Do it with more push towards the community before commiting. This open beta is beta for a reason, to test features and help VRChat expand and improve, This change from the community side looks Really weird and very unexpected, With all respect of my heart and others, This change shouldn't be implemented at any cause, Maybe in the future, another open beta when ID Verification is MUCH more set in stone, Right now this is a very alarming change and should not be finalized at any cost for the protection of minors and users alone. If at any point during this post I repeated myself, I do apologize, I wrote this under Very heavy mental stress and hope my points have come across clear and valid wording for everyone to understand

I don't think its a great idea for adding age verification as a part of VRC+. Because why would someone pay to verify their age. either way paying for age verification would not be a great idea when i comes to me giving you money for me to verify.