Age Verification Feedback

VRChat has determined Persona can be trusted with a photo of your face and government ID. Persona is a VC-backed (arguably "tech bro") San Franciscan tech startup that's only existed since 2018. They operate out of a shared space behind a bar: https://maps.app.goo.gl/t5ebyhr9oTUhupMf9 Their privacy policy says (as I read it) that they explicitly have permission to take your personal information (selfie, photo of your government ID) and store it for years, and can and will send it to "vendors, agents...companies we've hired to provide customer service support..." and to "law enforcement [and] other government agencies." They say they'll use your personal information "to understand you and your preferences to enhance your experience and enjoyment" and for the purposes of "marketing, including to communicate with you about new services, offers, promotions, rewards, contests, upcoming events, and other information about our services and those of our selected partners..." and for "advertising, including display [sic] advertising to you..." Their privacy policy site also uses clickjacking to prevent you from copying the text of their privacy policy: https://withpersona.com/legal/privacy-policy These doesn't seem like the actions of a legitimate and trustworthy company, and there aren't enough guarantees that you won't be literally doxxing yourself. PII is extremely valuable and there's an entire industry of brokers that facilitate the sale and transfer of people's personal information--not to mention the risk of hacking, accidental disclosure, or a new and untrustworthy company being sloppy or reckless. These days AI can train off a photo of your face, and scams and identify fraud are extremely common. Personally, the only times I've had to provide a photo of myself holding an ID are for once-in-a-lifetime financial transactions. Never for a video game or social media. VRChat is willing to take the chance of making this de-facto-mandatory (i.e., the community normalizes it and it results in a greatly degraded experience if you don't comply)? The ask is a severe imposition and an invasion of privacy without adequate concern that the chosen data broker is trustworthy. Even the announcement incorrectly claimed your PII would be handled in accordance to the GDPR, but the company is actually based out of California, where regulations are far less strict, and fines far less burdensome.

While age verification seems to be a requirement in the age of the modern internet, persona as a company has shown they cannot be trusted with user data, especially with a recent breach in privacy. This breach has even resulted in discord dropping it as vendor. Not only has persona had that breach, it has collected data and has been accessed by things LIKE openAI and puts people on a WATCH LIST. Please, vrchat, if you care about your userbase's safety and the longevity of your platform, it is genuinely in your best interest to find another means to age verification. This is an invasion of user privacy, and while I can respect wanting to maintain safety for adults and minors, there has to be an alternative to persona! sources: https://cybernews.com/privacy/persona-leak-exposes-global-surveillance-capabilities/ https://www.therage.co/persona-age-verification/

They scan your ID against 250+ sources, not to mention keeping a record on you for years after you verify, while having your whole ID and SO many data breaches.

https://kotaku.com/discord-palantir-peter-thiel-persona-age-verification-2000668951 Thiel is the majority owner of persona the age verification provider for vrchat and he has been seen in the epstien files. https://en.wikipedia.org/wiki/Peter_Thiel Not only that, he has a notorious history of privacy violations and is currently helping ICE agents with the capturing of families and american citizens. I implore the devs to seek a new verification provider as association with somone like that puts the trust users have in vr chat at risk.

The automated system Persona uses fails to identify any form of ID I provide. Despite using every form of ID that’s available to me and trying it under different lighting conditions I get the same result. This system seems to have no way of falling back on some other form of age verification. The extent of customer support I’ve gotten on this subject so far is being told to try again. Are there plans to provide alternative methods of age verification so that people don’t get unfairly excluded through no fault of their own?

The age verification service "Persona" requires an entirely unredacted government-issued identification to grant verified age status for VRChat. I find this unacceptable. In my case, in exchange for VRChat receiving verified age information, Persona receives my: Name, first and last, Address, Driver's License Number and class, Sex, Height, Weight, Eye colour, Hair colour, Signature, and barcodes that can be used to find the same or more information about me. All so VRChat can have the one data point on the card they care about: Date of Birth. I will make concessions for the use of Height, Weight, Eye colour, Hair colour, and the photo on the ID with an accompanying self photo for the sole purpose of verification. The balance of what is required versus what is ultimately used is egregiously skewed. And while VRChat's contract with Persona stipulates that any identification data obtained by Persona must be deleted upon completion, there is comparatively little risk to Persona keeping the wealth of information illegally. Should a breach occur, users that have had their personal data exposed would be left fighting for the rest of their lives against Identity theft and fraud, while Persona would likely only be served a monetary fine. The risk versus the reward is far too unbalanced against the user. As for how likely it may or may not be that Persona is holding such data illegally, I would like to make note that Persona is based in the United States of America, and you don't have to look very hard to find the state of professional accountability for wealthy companies backed by powerful people in that country. Suffice to say that I do not trust Persona with my identification information, and am upset that the age verified features will be unavailable to me due to this. I implore VRChat to consider other avenues of age verification that do not require such extreme overreach of personal data collection. Regards -Aranethon

The Chief Technical Officer and Co-Founder of Discord, Stanislav Vishnevskiy, posted a blog recently covering Age Verification and their roll-out plans. https://discord.com/blog/getting-global-age-assurance-right-what-we-got-wrong-and-whats-changing On the 15th Paragraph of the blog post, they talk about Persona and mentioned something very critical. Here is the direct quote from the blog: "One of our core goals with age assurance is to give you options. As part of that, we’ve been evaluating multiple vendors to offer a range of verification options people are comfortable with. One of those evaluations was with Persona, a company used by platforms like Roblox and Reddit. In January, we ran a limited test with Persona in the UK only. After completing the test, we decided not to move forward with them, and consistent with our privacy policy, all data was deleted after completing verification. We’ve set a new bar for any partner offering facial age estimation, including that it must be performed entirely on-device, meaning your biometric data never leaves your phone. Persona did not meet that bar." When I verified myself with Persona through VRChat early on since its implementation, I was informed that the biometric data of my face scan was never gonna leave my device. I trusted Persona on that when I used their website. I don't know if they changed since then. But now, after Discord's own CTO and Co-Founder revealed that Persona failed to keep that part of the promise, it's time for VRChat to consider other options. Personally, I think BlueSky has a decent alternative method for users not willing to submit government documents. BlueSky allows users to verify their unique ownership of the account (to prevent or mitigate impersonators) via their own personal Domains and using those Domains as their BlueSky Handle instead. This is because registering a Domain requires using a real identity and be registered in the Domain Registrar in accordance with ICANN. Although domain regulations will very from country to country. These rules are from the US. And maintaining that registration requires annual upkeep. The Domain Registrar can also hide your name and address at your request and so no one but the Registrar knows who you are. Anyone who looks you up will just see the default name and address of the company with whom you registered your Domain with (examples: GoDaddy, Hover, etc.) and your registration ID is redacted. This provides a layer of protection and I never submitted my government ID to them to register. Just your name, address, and credit card information. I think this method might be more suitable for VRChat as it still offloads the cost and procedure of verification to another company while eliminating the need for submitting an ID altogether. The only downside with this is how this will affect ownership of the user's account should they lapse in their annual upkeep of their Domain in the Registrar (or their equivalent in other countries). Thoughts?

Replace Trust Shield icon on the nameplate with a rank colored "(18+)" or something to that effect to make the proper verified status viewable at a glance.

I'm unsure whether this is something that depends on the plan VRChat has with Persona or something else, but after some digging it appears that Persona supports more methods of verification than VRChat lets on. To make an example of my personal situation here in Denmark, I would like to verify my age but I simply cannot. Why not? Because when I go to verify my age, I get 3 options for providing an ID that must be physical: Driver's license (this is not a priority for me, and costs upwards of 1.5k EUR to acquire) Passport (also not a priority for me as I don't travel, and costs 300 EUR to acquire) Residency permit card (only given to immigrants, which I am not one) Normally, our identification is all done digitally with an app. We don't have a standardised national physical ID card that is just an ID card. We do have municipal ID cards which are cheap to acquire, but these aren't standardised and, as far as I can tell, not supported by Persona. With database verification we could leverage digital ID, but VRChat doesn't have this option despite it being supported by Persona: https://help.withpersona.com/articles/63nOZwnvR8lmhzIWEkWSm0/ I'm sure Denmark isn't the only country in this situation with Persona and that I'm not the only person who would like to verify but cannot for similar reasons. If the plan is to lock certain content tags behind age verification, then the most common identification method in any given country should be able to be used for age verification.

To be allowed access to the Creator Economy, you must be 18+ years old. Allowing instant age verification as another benefit for joining the program would be a super nice addition! This would allow for not needing to go through an age verification process again, minimizing concerns where your personal data is stored.