December 14th, 2024

I Don't Trust VRChat's Age Verification

If it’s not using Verifiable Credentials, I cannot trust it and I will not be verifying my age with them…

But before I get into why, let’s talk a bit about VRChat’s Age Verification update.

Age Verification in VRChat

Recently VRChat announced that they will be implementing Age Verification via Persona. This process involves sending your driver’s license or some other form of government ID to Persona (a US-based company) which allows them to verify that you are who you say you are. They’ll also need a picture of you so they know that you’re not a child who just swiped their parent’s ID card. Once your identity has been verified, Persona will send your birthday to VRChat, who will then use that info to give you access to the age verified and 18+ (assuming you qualify) labels in-game. More details about this can be found in VRChat’s update video:

Not Everyone Likes That Solution

Sounds great, right? Well, not for a lot of users, myself included. Zekk revealed that Persona (by default) will keep and hold on to that information indefinitely. Holding on to the data is something that members of the EU cannot tolerate. That’s why they created GDPR, after all.

When companies store a person’s data, Foxipso points out a fact that I’ve known for a very long time. Companies always promise to protect user data. They always talk about how they are “securely storing your data”. But the fact is? Companies tend to use 3rd party services. They tend to not be as secure as they let on. All of this “security” talk is mostly just marketing buzzwords and, as soon as they are breached, their customers’ data gets leaked to the internet. However, when it isn’t just “marketing buzz” and they do have good security practices, who’s to say that they don’t work with another business that doesn’t have strong security practices?

But how bad could it be if the data is leaked? Gabby suggests that it’s not too bad. Just some bot calls that people can block.

Unfortunately, I can speak from personal experience as to “how bad can this be?”. With enough information (such as all of the information on a driver’s license), it is possible to commit Identity Theft and Identity Fraud. “It’s not that baa–” YES IT IS! When I was younger, a family member’s sibling used their name and info to get out of a speeding ticket in another state. Because of the whole ordeal, the family member was at risk of having their driver’s license revoked, which they use to drive to work every day. If I remember correctly, during the court case their license got suspended and they had to prove to the judge in the other state that they weren’t the one who got pulled over and that they were never in the state to begin with. Not only did they have to fight the other state to get their license reinstated, but they had to prove to the local state that they were innocent. Then, in my own case not too long ago, I got a phone call from the Identity Theft protection service Norton Lifelock, stating that my information had been used to file for state tax returns. I hadn’t filed my taxes yet and someone was trying to get my tax returns from the state by falsifying tax records. I had to call up the state and have them cancel the tax return, otherwise that would’ve put me at risk of an IRS audit AND I wouldn’t have received money that was overpaid to the government.

Ever since that incident, I continually get emails informing me that someone’s used my information to apply for a loan at a bank. I’ve locked my credit down so that it’s not possible for them to do so (which also makes it more of a hassle for me to do so as well), but it keeps happening! This is the kind of thing that happens when your personal details are leaked on the internet.

Multiple emails in a row from Norton Lifelock, indicating that short-term loan applications have been filed in my name, with one of them being denied. These loans are known as "payday" loans as it gives the person filing for the loan a payday. This is made possible through identity theft.

So, you know… “How bad could it be? It couldn’t be as bad as your future getting ruined, could it? Noooooo, impossible!”

VRChat Addressing Concerns

Due to all of the backlash, VRChat has made some changes to their integration with Persona. They are doing their best to address users’ concerns and they released an announcement in an attempt to be transparent with the community, which you can watch here:

It’s Still Not Enough for Me to Trust

While I am happy that VRChat is doing their best to address everyone’s concerns, for me, it’s still not enough. I may have a bit of a bias since I’m professionally a Software Engineer who’s been working with identity systems for the past 11 years now. The past four of which have been related to Verifiable Credentials. And no, by “Verifiable Credentials”, I don’t mean driver’s licenses and other forms of government issued ID. I mean the new standards of identification that are beginning to be rolled out to the world as we speak.

What Exactly Are Verifiable Credentials?

As mentioned, Verifiable Credentials do not refer to somebody’s physical State-issued ID. They are a digital representation of physical IDs that can be sent over the internet securely all the while protecting as much of a person’s identity and privacy as possible. This isn’t something that just appeared out of the blue and it’s not something that’s just created by VC startups. The people working on this technology include (but are not limited to) Google, Apple, The government of British Columbia, Germany, Finland, Australia, Japan, Kansas State, the European Union, the Internet Engineering Task Force (IETF), the World Wide Web Consortium (W3C), and so many more people. Protecting someone’s online identity is a BIG problem with many different caveats. Especially when it comes to protecting someone’s privacy!

Verifiable Credentials

Verifiable Credentials are an industry leading standard for making sure that your identity can be transferred safely and securely while maintaining your privacy in a world where your data and identity are traded and sold between companies and organizations. For those that don’t know, the W3C and the IETF are both groups that set the standards for how the web works today. You’re reading this post thanks to the specifications defined at both of these organizations. In regards to Verifiable Credentials, the W3C’s Spec describes them as:

A verifiable credential can represent all the same information that a physical credential represents. Adding technologies such as digital signatures can make verifiable credentials more tamper-evident and trustworthy than their physical counterparts.

Source: W3C Verifiable Credential Data Model v2.0

One of the key factors in many implementations of Verifiable Credentials is that they don’t reside on a centralized server. The credentials are stored on your own personal devices instead. By storing them on your own device (such as a mobile phone), this does a few things when it comes to security:

  1. Instead of hackers breaking into a single server to gain access to millions of PII Records (Personally Identifying Information), they now have to break into millions of phones instead. This is much harder to do and regarded as impossible in comparison.
  2. In order for someone to pretend to be you, they must have your verifiable credential. Credential forgery or modifications are noticed immediately and rejected. If they have all your driver’s license information, they’re still unable to pretend to be you without your Credentials.
  3. Verifiable Credentials are locked behind biometrics using encrypted local storage and must be unlocked each time you want to share information with someone.
  4. Depending on the type of credential, you get to choose what data to share. Not some company that says “trust me bro”, and you can decline to send your credentials when the company is asking for too much data.

When it comes to Verifiable Credentials, there are multiple different format standards out there. Each one has its own pros and cons. The two main ones that I know about in the industry are mDLs and SD-JWTs, both of which I’ll touch on here.

mDLs

For those in the US, you may be familiar with mDLs (mobile Driver’s Licenses). mDLs are a form of Verifiable Credential that is being pushed by some states such as New York, Georgia, Virginia, and Utah. More and more states are issuing mDLs to their citizens through the Get Mobile app. The mDL Specification is standardized at ISO (International Organization for Standardization) as ISO/IEC 18013-5.

I personally have not worked much with mDLs, so I’ll defer to Dock.io’s document on their website.

SD-JWT VCs

SD-JWTs on the other hand are a bit less public facing. mDLs got all the press while SD-JWTs have been working behind the scenes in projects like OpenID 4 Verifiable Credentials (OID4VC). Everyone is familiar with the effects of OpenID, even if they aren’t familiar with the name. Have you ever pressed “Sign in with Google/Facebook/Twitter/Pixiv/VRChat”? That’s OpenID Connect! OID4VC is an extension upon the OpenID workflows that allows for the issuance and presentation of Verifiable Credentials.

While multiple credential types are supported by OID4VC, one of the primary ones used is the IETF SD-JWT. According to the specs, SD-JWTs are:

Selective Disclosure JWT (SD-JWT) is a specification that introduces conventions to support selective disclosure for JWTs: For an SD-JWT document, a Holder can decide which claims to release (within bounds defined by the Issuer).

Source: IETF SD-JWT Specification

What is Selective Disclosure?

Selective Disclosure is an amazing feature of some Verifiable Credentials. It allows you to choose what you want to reveal. Let’s use VRChat’s new age verification to show how VCs with Selective Disclosure can help to ensure that the user’s data is secure.

In the latest video that VRChat released, they stated that “your personal information is stored for the absolute minimum time necessary”. I beg to differ. With VRChat & Persona, you must send your entire ID to Persona, who then stores the ID during the verification process. Once they have verified your identity, they delete your ID from their system (trust me bro) after generating the hash which is presented to VRChat along with your birthdate. VRChat is specifically looking for the date of birth from your ID to add to their system for the “age verified” and “18+” labels.

They don’t need your full birthday. You don’t need to send a full ID card to Persona and trust that they’ll handle your data securely.

With Verifiable Credentials that support Selective Disclosure, the only data that would be sent across the internet is the data that you choose to send them. In the case of VRChat’s requirements, all they need to ask is “Are you over 13?” and “Are you over 18?”. The answer that you send them would simply be a “yes” or “no” with cryptographic signatures that let VRChat know the answer originally came from your ID card. It wasn’t tampered with and it isn’t a forged identity. They got just the minimal amount of information that they needed, without ever storing or asking for your ID. Think of the lock icon on your bank website. Similar tech that lets you know that you’re talking to the real PayPal or your real bank website.

Verifiable Credentials provide more confidence that the ID card hasn’t been forged or tampered with than the physical ID card itself. Fake IDs are more common than you might think. The process to verify fake IDs can become quite expensive and time consuming and you may not even be able to tell the difference when it’s presented online.
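To make the selective disclosure flow above concrete, here is a simplified sketch of the SD-JWT mechanism: the issuer signs only salted hashes of each claim, the holder attaches just the disclosures they choose, and the verifier rejects anything whose hash was not signed. This is an added example, not code from VRChat, Persona, or any wallet; the claim names, issuer URL and sample values are constructed, and HMAC-SHA256 stands in for the issuer's asymmetric signature (such as ES256) so that it runs on the Python standard library alone.

```python
import base64, hashlib, hmac, json, secrets

ISSUER_KEY = secrets.token_bytes(32)  # stand-in for the issuer's signing key

def b64u(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def digest(disclosure):
    return b64u(hashlib.sha256(disclosure.encode("ascii")).digest())

def sign(signing_input):
    # HMAC stand-in (assumption); a real issuer signs with a private key
    return b64u(hmac.new(ISSUER_KEY, signing_input.encode(), hashlib.sha256).digest())

def issue(claims):
    """Issuer: one salted disclosure per claim; only digests go in the signed JWT."""
    disclosures = {
        name: b64u(json.dumps([b64u(secrets.token_bytes(16)), name, value]).encode())
        for name, value in claims.items()
    }
    payload = {"iss": "https://issuer.example", "_sd_alg": "sha-256",
               "_sd": sorted(digest(d) for d in disclosures.values())}
    header = b64u(json.dumps({"alg": "HS256", "typ": "example+sd-jwt"}).encode())
    signing_input = header + "." + b64u(json.dumps(payload).encode())
    return signing_input + "." + sign(signing_input), disclosures

def present(jwt, disclosures, reveal):
    """Holder: attach only the disclosures they choose to release."""
    return "~".join([jwt] + [disclosures[n] for n in reveal]) + "~"

def verify(presentation):
    """Verifier: check the signature, then accept only disclosures it covers."""
    jwt, *shown = presentation.rstrip("~").split("~")
    signing_input, _, sig = jwt.rpartition(".")
    if not hmac.compare_digest(sig, sign(signing_input)):
        raise ValueError("issuer signature invalid")
    payload = json.loads(b64u_dec(signing_input.split(".")[1]))
    revealed = {}
    for d in shown:
        if digest(d) not in payload["_sd"]:
            raise ValueError("disclosure not covered by issuer signature")
        _salt, name, value = json.loads(b64u_dec(d))
        revealed[name] = value
    return revealed

# Constructed sample credential; claim names are assumptions for illustration.
CLAIMS = {"given_name": "Alex", "birthdate": "1990-01-01",
          "age_over_13": True, "age_over_18": True}
```

Presenting with only `age_over_18` gives the verifier a signed "yes" and nothing else; the birthdate never leaves the holder's device, and the per-claim salts keep the verifier from guessing withheld values out of the signed hashes.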

I Just Can’t Trust the New VRChat Age Verification

In short, Verifiable Credentials are the secure solution that solves many of the privacy and security concerns. In comparison to using biometrics to protect a person’s Verifiable Credentials, coupled with Selective Disclosure only transferring the absolute bare minimum information needed to verify the ID & age, VRChat & Persona’s mechanisms for verifying our age and identity just aren’t enough. I can’t trust the systems that are in place for it. The tech just doesn’t compare in terms of privacy and security.

I’ll never verify my age using the systems that they have in place.