I am sorry, but this is a massive issue. I hope more people express similar concerns, but I am really uneasy about this.
For one, the vendor, Persona, appears to be very shady in its data privacy, retention, and security. For a company wanting to know so much about you, they do not give you the same courtesy. This is a company that appears to be doing everything to get into the market quickly, which tends to be at the expense of real security and real robust systems. LinkedIn users have been complaining about the reliability of their verification service for months now. If this company seems to not even prioritize the reliability of their verification service, how much worse do you think everything else is?
For two, this puts users at risk. This should be point one, but it appears to be less important to the community at present. To get to the point, this platform has many members of the queer community. It is awful timing that VRC is rolling this out in the wake of a recent US election in which LGBTQ+ human rights are under threat. One data breach of Persona that leaks any data about LGBT members can be life-threatening. Once it is out there, it is out there. Persona seems to be OK with this due to their massive data collection, and so does VRC based on the disinterest in alternative solutions. Data breaches happen, especially to easy, lucrative targets like an insecure data harvesting company burning VC money. It is never a matter of if, but when a breach will happen. The only things cybersecurity can do are mitigate the damage and make it harder to acquire the target, which Persona does not care to consider or implement due to the lack of US-based regulations forcing them to, putting profits above human decency.
For three, this age verification system is way too broad in what it collects. If we were to entertain that a photo and government ID are needed for the community's desired age verification, the system should only be looking at confirming A. the ID is the user’s and B. the birthdate is over 18 years ago. After that, everything should be deleted. An ID is a big deal, and despite the US’s lack of privacy regulation, should be considered a “hot potato” to handle. A company should be very afraid when working with this data, as a screw-up could cost the company majorly. I do not understand why VRC goes one step in the right direction by only storing birth date on their end, but agreed to let Persona collect as much data as it wants from your ID, picture, and everything else they can get their hands on in the process.
This feels wrong. Something feels fishy and I am afraid of a future headline that will read “Persona suffers massive data breach and now you all are screwed...again, and after the other major data breach of SSNs and addresses.” The fact I see many users on VRC are willing to fork over so much information to “avoid kids” in a 13+ game in the process is disheartening. This is just a slow boil of increasing data harvesting that will continue to isolate and put pressure on the ones of us who will hold out and reject giving this data out so that we relent on our values in order to participate in what few communities exist for us.
We don't need this system to gather together and share experiences, content, and joy. We can demand more, and reject this authoritarian, surveillance-capitalist company.