Alternative Methods of Age Verification
Maken Tosch
The Chief Technical Officer and Co-Founder of Discord, Stanislav Vishnevskiy, posted a blog recently covering Age Verification and their roll-out plans.
In the 15th paragraph of the blog post, they talk about Persona and mention something very critical. Here is the direct quote from the blog:
"One of our core goals with age assurance is to give you options. As part of that, we’ve been evaluating multiple vendors to offer a range of verification options people are comfortable with. One of those evaluations was with Persona, a company used by platforms like Roblox and Reddit. In January, we ran a limited test with Persona in the UK only. After completing the test, we decided not to move forward with them, and consistent with our privacy policy, all data was deleted after completing verification. We’ve set a new bar for any partner offering facial age estimation, including that it must be performed entirely on-device, meaning your biometric data never leaves your phone. Persona did not meet that bar."
When I verified myself with Persona through VRChat early on since its implementation, I was informed that the biometric data of my face scan was never gonna leave my device. I trusted Persona on that when I used their website. I don't know if they changed since then. But now, after Discord's own CTO and Co-Founder revealed that Persona failed to keep that part of the promise, it's time for VRChat to consider other options.
Personally, I think BlueSky has a decent alternative method for users not willing to submit government documents. BlueSky allows users to verify their unique ownership of the account (to prevent or mitigate impersonators) via their own personal Domains and using those Domains as their BlueSky Handle instead. This is because registering a Domain requires using a real identity and being registered in the Domain Registrar in accordance with ICANN. Although domain regulations will vary from country to country. These rules are from the US. And maintaining that registration requires annual upkeep.
The Domain Registrar can also hide your name and address at your request and so no one but the Registrar knows who you are. Anyone who looks you up will just see the default name and address of the company with whom you registered your Domain (examples: GoDaddy, Hover, etc.) and your registration ID is redacted. This provides a layer of protection and I never submitted my government ID to them to register. Just your name, address, and credit card information.
I think this method might be more suitable for VRChat as it still offloads the cost and procedure of verification to another company while eliminating the need for submitting an ID altogether. The only downside with this is how this will affect ownership of the user's account should they lapse in their annual upkeep of their Domain in the Registrar (or their equivalent in other countries).
Thoughts?
Maken Tosch
After thinking about it for a while, I realized the fundamental flaw with my suggestion.
It turns age verification into a subscription. Something I'm not too friendly towards outside of a few exceptions. VRC+ at least offers age verification as a one-time deal. Once verified, always verified even when your VRC+ subscription lapses. Although, VRChat could possibly apply that same principle to my suggestion. Once verified through the domain registration, always verified.
Even then, it still does not address the legal problem presented of what happens when your Domain registration lapses. Does your VRC account now become property of someone else who manages to snatch your domain that you forgot to renew every year because your VRC account is still using the same domain as a personal handle or username?
All things considered, I'm taking back my suggestion. But the floor is still open for better ideas. I know there has to be a better idea out there somewhere.
Cheers,
Maken Tosch