Age Verification Feedback

Hey Team! Lately we are seeing more worlds add in "age checking" at the entrances of worlds (even with the option for AV only instances available). It would be very useful if world creators had access to call on AV through Udon to help groups run their lobbies a bit more smoothly and help provide them that extra level of security. Being able to access AV through Udon, lets world creators do some of the following as example: The option for groups to auto allow AV users into the world, while stopping non AV users at the door to manually check. You could provide AV users with an icon above their head. (With a toggle hopefully). Let AV users toggle on game modes that may be more targeted towards 18+ users. Restrict certain area's of a world. Restrict users from entering a world which main theme is adult/"NSFW"/ or not suitable for below -18. ( 'Age Gating' should cover this already, but at the moment you don't need to prove ID when making your VRChat account, so this would solidify it) Automated content adjustments for different age groups -18 & +18 instead of blocking younger users fully or non-verified, worlds could dynamically adjust gameplay, visuals & mechanics. Helpful in overall moderation tools for admins/groups. Enhanced trust for community worlds and create a more trustworthy environment. Improves the reputation of VRChat as a 'safer' social platform. I am sure there are many other examples/features that world creators can add that allows groups to run their lobbies more smoothly and safely, these were just a handful of ideas submitted by the community. Thanks!

It seems like that there is a heavy implication that age verification is only for instances only. I would like to see the option for group owners to additionally enforce age verification to join / retain membership for their group. Example scenario: I'm a group owner with five hundred members. At some point I would like to make my group require age verification in order for users to retain membership in the group. When requiring age verification, any member who has not verified their age on their VRChat account via Persona gets a notification stating that they have 7 days to verify, or else they will be automatically removed from the group.

Per the updated FAQ for the announcement of Age Verification, I would like to suggest a hard limit of at least 1 or at most 2 alts who are eligible for the same age verification. People may have alts for various reasons, some being that they may not want people who know their main VRC account name (especially if that name exists outside of VRC on other platforms) and may not want to engage with the more hardcore gated content (cough18+STUFFcough) for fear of other users maliciously looking them up and then harassing them on other platforms or even irl. I realize that may be an extreme example, but I can imagine I am not the only one who has their VRC name as their other socials and tries to keep it as professional as possible especially those that are creators. And while you could just say... "Well. Then just verify your alt account." ...and I could just do that, but what if in doing so I lock my main account off from my favorite worlds and or avatars should those world/avatar creators put their creations behind Age Verification gates. I apologize in advance if this was hard to follow, I'm not the best at articulating my words, so I hope this made some sense... I would just greatly appreciate being able to keep my main and an alt with the same amount of access and not feel like I have a baby gate in my way on one or the other despite being a fully grown adult. -_-

Other people have mostly been asking this, as of the other posts. When joining an instance, you sometimes have to say your age and date of birth, or they check your profile to see if your age verified. Instead of them going to your profile they can just open their menu and see 18+ underneath your name tag. I posted the example of what it should look like if it ever comes to the game. (this is a low chance that it will though.)

To be allowed access to the Creator Economy, you must be 18+ years old. Allowing instant age verification as another benefit for joining the program would be a super nice addition! This would allow for not needing to go through an age verification process again, minimizing concerns where your personal data is stored.

From the Beta launch (VRC+), we adopted an 18+ gated policy for our 24/7 instances and Parties to create a safe, dedicated environment for adult interactions. Although this move has led to a drop in overall traffic and user adoption, it sends a clear message about our commitment to proper moderation and user safety. In contrast, many groups in VRChat still operate non-gated 13+ instances, even while hosting adult activities, citing cost or fairness or not 'trusting' the system. This inconsistency is problematic. When spaces meant for adult interactions are not 18+ they should be scrutinised (by VRC moderation) to ensure that moderation is not merely user-driven. Our position is simple: if adult activities are taking place, they should do so in 18+ Gated instances that enforce strict standards for safety and moderation. This isn’t about sidestepping discussions by focusing on "against TOS", it’s about ensuring that instances, especially those open to younger users, are held to a higher standard to protect all participants. Will VRC be cracking down on adult content happening in non-gated instances specifically? If so, this (bans) could send a clear message that adult behaviour/content is not acceptable in non-gated (13+) instances.

VRChat has determined Persona can be trusted with a photo of your face and government ID. Persona is a VC-backed (arguably "tech bro") San Franciscan tech startup that's only existed since 2018. They operate out of a shared space behind a bar: https://maps.app.goo.gl/t5ebyhr9oTUhupMf9 Their privacy policy says (as I read it) that they explicitly have permission to take your personal information (selfie, photo of your government ID) and store it for years, and can and will send it to "vendors, agents...companies we've hired to provide customer service support..." and to "law enforcement [and] other government agencies." They say they'll use your personal information "to understand you and your preferences to enhance your experience and enjoyment" and for the purposes of "marketing, including to communicate with you about new services, offers, promotions, rewards, contests, upcoming events, and other information about our services and those of our selected partners..." and for "advertising, including display [sic] advertising to you..." Their privacy policy site also uses clickjacking to prevent you from copying the text of their privacy policy: https://withpersona.com/legal/privacy-policy These doesn't seem like the actions of a legitimate and trustworthy company, and there aren't enough guarantees that you won't be literally doxxing yourself. PII is extremely valuable and there's an entire industry of brokers that facilitate the sale and transfer of people's personal information--not to mention the risk of hacking, accidental disclosure, or a new and untrustworthy company being sloppy or reckless. These days AI can train off a photo of your face, and scams and identify fraud are extremely common. Personally, the only times I've had to provide a photo of myself holding an ID are for once-in-a-lifetime financial transactions. Never for a video game or social media. VRChat is willing to take the chance of making this de-facto-mandatory (i.e., the community normalizes it and it results in a greatly degraded experience if you don't comply)? The ask is a severe imposition and an invasion of privacy without adequate concern that the chosen data broker is trustworthy. Even the announcement incorrectly claimed your PII would be handled in accordance to the GDPR, but the company is actually based out of California, where regulations are far less strict, and fines far less burdensome.

the current system of showing ENTIRE ID WITH FACE is totally unacceptable. I care about my anonymity much as I can. yes, companies already collecting all my data, government can and WILL find me if they want. but I'm not giving out by myself my names, city, photo and appearance. YOU CAN make it more anonymous by requesting nothing but DOB.

In the FAQ ( https://ask.vrchat.com/t/age-verification-faq/28458 ) it is stated the purpose of storing an ID hash is to: --- Detect duplicate IDs: When someone submits a verification, we compare it against our existing hashes. If we find a match, we know that ID has been used before and can reject the verification. Enforce bans: We can check if an ID was previously associated with a banned account, preventing banned users from verifying new accounts with the same ID. Enable multiple accounts: We can allow users to have more than one verified account using the same ID. Previously, this would have required keeping your full ID data with Persona. While this is not planned for initial launch, we are considering the feedback that you have given us. --- This indicates that you will be storing some sort of mapping between the hashed data (which you have not clarified what data is being used in this hash, please do so) and a VRC account. This is bad. While hashing data with a salt is a one way action, it is brute force-able. With time and resources (the amount of which decreases as technology progresses) these hashes can be cracked. Salting makes this not viable on a wide scale (cracking every hash in a leak at once), but targeted cracking is still very possible. If this database of hashes leaks (assuming the pepper leaks along with it), anyone with a grudge can dedicate time to crack a specific hash for the user that they have a grudge against. Likewise, high profile users like creators/vtubers are at high risk due to simply being more known. There is also not a ton of actual information stored on the ID itself, and much of it is in predictable formats (ie: dates, names, address, etc). Not to mention that supporting every ID type likely means that only a subset of this information will actually be used for the hash. This lowers the entropy of the input to the hashing function making it easier to crack a specific hash. Storing more sensitive data to increase the entropy is a cyclical loop, in that it presents more risk in the event of the hash being cracked. Storing an association between the hashed data and a VRChat account is not required to do 2 of the 3 goals of storing the hash: --- Detect duplicate IDs: No association is required to do this, you simple store the hash itself, and check against all hashes for each new ID added. You would have to do this anyway. Enable Multiple Accounts: If you choose to do this, you can simply stop checking against your hash store, delete hashes you have, and stop storing new hashes. Alternatively, If you would like to limit the number of accounts that can be used under one ID, you can continue the same way, but also store a value with the hash that represents the number of times it has been used to verify. Enforce bans: This one does not have a solution. However, this relies on VRChat having already allowed users to verify multiple accounts with one ID. This also assumes that the person is verifying under their own identity to begin with, which is made less likely by the previous sentence. Abusers of this system would also likely rack up many verifications/accounts as they would have to keep verifying as they got banned over and over. If a limit is in place for how many accounts can be verified under one ID, it would be reached. If there is no limit, that number would still climb higher than a normal user of the platform, warranting further investigation. --- Overall, if any sensitive information is planned to be used to generate the hash, IE: Name, ID#, address. Then I personally think storing the hash with an association to a VRChat account is dangerous, and should not be done. It is not really required to do the main purpose of storing a hash in the first place, preventing ID reuse, and increases risk to users in the event that the hashes are leaked. If no link between a specific VRChat account and their hashed private information is stored, then no individual VRChat user is identifiable.

I thought there was a canny for this already but I couldn't find it. I feel like the red for 18+ is a bit harsh and makes it feel a bit more scandalous than it actually is. I think changing it to purple or orange to mimic trust ranks would be a lot better and make it feel less like a marker you'd see on a sexually explicit website.