Though I applaud the effort to get age right and protect players, I'm not sure I'll ever be comfortable having me or my child scan our photo ID and selfie to upload it as part of a login flow to an application.
I would much prefer my government to take on responsibility for providing this sort of service as they do e.g. driver qualification.
Once upon a time the usual thing to get OK'd to rent a van (e.g. for students who are moving house) is you rock up to the rental place with the legal documents showing you're entitled to drive. You're relying on the fact that the person renting you a van doesn't much care and isn't keeping the exact details from those documents.
But although you can do this today, obviously the documents get scanned into a permanent data repository, so, that's not great. But, the UK government added a site so you can prove you're you, and get codes, which for a limited period show someone that yup, this person is legal to drive and so on.
They do this for right to work too. Although, annoyingly only for foreigners. If you're a citizen, you can't prove right to work this way, you need to be like "Look, I'm a citizen, here's proof" to your employer. But if you are foreign you can just go "Check this URL, your government says I'm entitled to work here" and they needn't know whether that's because your husband is a "Cultural Attaché" to the Russian Embassy, or you've got special refugee status, or you're actually an Italian and you just speak and look Russian for some reason, just that you're entitled to work here.
My full name, physical address, and IP address were leaked with another game my kids play. I'm excited for my driver's license and picture to be leaked as well.
I don't think I'd be comfortable with this either, certainly not to play some game. On the other hand, the bizarre problems maintainers of online communities have to deal with are just wild and worth keeping in mind as context:
The worst are those that let you get invested and only then spring these requirements on you.
NBA Top Shot comes to mind. They allow you to buy with no problem. But, to sell on their platform you have to go through what is essentially a KYC check.
A component of my work is in digital identity, so I hope you don’t mind the question: what would make you comfortable doing so? For Roblox, I can see the exception taken, but some applications do require this level of identity proofing (scanning your passport in an airline mobile app to book an international flight comes to mind).
Edit: Thank you everyone for your feedback, it’s very helpful!
To be fair, it's not part of their login flow, it's part of their verification flow. It's a one-time thing, not an every-login thing.
I also see no problem with this. What could they realistically use this information for that would be nefarious? It doesn't actually store the ID in any real sense, as they explain in the link, and I see no reason for them to lie about that.
It's real easy to scream, "But My Privacy!!!", and probably a decent amount more difficult to come up with an actual and practical risk there.
Honestly, if your threat model includes "video game companies that lie about age verification systems", I don't think you're taking your security very seriously.
Where does the need for hard verification of the age come from?
My friends and I were using the internet when we were under 13 years old (although not by much), and just clicked the button to confirm that we are older than 13 (mostly on various forums), and later on the same thing with 18 years old verification screens, and we turned out alright (at least from my perspective.)
According to Roblox's S-1 filing, they want to move their customer base up from the current average age of 13. Age verification is for older users, so they can be less restricted. Roblox has a large outsourced "moderation" operation, and is working on an AI system that can bring down the ban hammer in 100ms after saying a bad word.
Tencent already does this in China. Tencent owns 49% of Roblox. So the technology is available.
Probably parents realizing their children were making in-app purchases beyond what they (the parents) were aware of, and charging them back as unauthorized use. The cc processors pass that on to the merchant, and will drop them if there are too many. Likely Roblox just reached some critical mass where they couldn't sustain it any more.
Pure speculation: Once they build a user base that over time crosses the age of 18 (or whatever the age for accessing adult material is in the player's country), they can allow them access to a separate, premium, age restricted section, where they can expand their user generated content model to a demographic with a lot more money and a market where that money is easily spent.
Depending on the country, it can be due to local regulation. I don’t think it is required yet in the US.
E.g. AVMS in Europe. Youtube had to implement age verification.
EDIT: @gruez: An attestation is likely no longer sufficient for Roblox's compliance requirements, and identity proofing is now cheap to perform (~$1-2/per proofing request). Cheaper to get ahead of the curve.
> For now, only one feature requires age verification: Roblox’s new voice chat feature, Spacial Voice. During its initial beta test, it will only be available to players who verify they are at least 13 years old. (Roblox didn’t say whether it would later be available to users regardless of verification status.)
> But the implication seems to be that other features — perhaps specific Roblox games or community tools — could be age-gated as the company works to protect its relatively young user base. More than half of Roblox’s users are still under 13 (Roblox says “nearly 50 percent” were over 13 as of the second quarter of the year).
As somebody who used to breach them for rewards, I concur with your reasoning, but I imagine their security is much better than it was half a decade ago.
I understand the massive investments into "rolling your own" system for ID verification, but I always feel sketched out when companies ask you to send your ID and your photo to "a third-party" - where the privacy terms of that relationship are so obtuse/vague it's not worth reading.
Is it really that hard on the privacy front to hire someone to keep watch and manually verify that someone is who they say they are? I assume the amount of people verifying will be massive at first, but after 2-3 months I could see the amount of people signing up (AND verifying their ID) would be in the thousands per week - easily handled by humans instead of "a third-party service"
I'd feel _more_ sketched out if a provider was handling it themselves. I don't know how much I want someone unqualified handling the storage of this themselves...
I mean yeah, you could, but forging identity documents is illegal in most places with functioning legal systems, for obvious reasons. Forging a government ID and presenting it as a real one is a giant minefield that most people probably don't want to be in.
The age verification appears to be opt-in, however they don't say what happens if you don't hand over your kid's ID. One would hope that it would disable or limit communication between players and keep the player in a suitable-for-all category. I wouldn't be surprised that because their user base is growing up, they would want to change it into kind of a "second life" for teenagers.
> nearly 50% of the users on our platform are over the age of 13 as of Q2 2021
Hahahaha... jeez... /wipes a tear
They are in for a surprise of their corporate lives.
We have several accounts with them for our kids and I had all of them set with the birthday set to some random year between 1960 and 1990. Because, as every parent knows, any sort of "kids" account comes with random restrictions, needing to create parent account and all sorts of other bullshit that complicates everyone's life and prolongs the sign-up process.
They must be smoking crack if they think that a non-trivial amount of teens (let alone adults) are playing Roblox games. Because 99.9% of these games are complete and utter junk that makes your eyes bleed and gets traction because of the (way) younger kids that play them. That's it. That's the Roblox secret sauce. But, yeah, let's card them. Brilliant, brilliant move.
> sort of "kids" account comes with random restrictions, needing to create parent account and all sort of other bullshit that complicate everyone's life and prolong the sign-up process.
I set up one of these for Apple and Microsoft, and boy oh boy, has it been an absolute shit-show. There have been tons of bugs with both, it is a terrible user experience all around, and it has actually cost me more money in very real terms (e.g. IAPs needing to be re-purchased three times).
Unfortunately it seems like nobody at tech companies actually dog-foods kid/family accounts, and just does it as a butt covering exercise to avoid regulation. They do the bare minimum and then let it rot.
This is so absolutely spot on. I have my kids’ fake birthday memorized because I use it so often. As soon as you enter a birthday that actually would mean under 13, be prepared for _nothing to work_.
Yea..I've always assumed Roblox was at best majority 7-15. I haven't set up anyone's account, but isn't the "at least 13 or older" a generic checkbox that is sort of used as a default for everything from youtube to netflix?
Haha. Yeah. And if they start verifying identity and locking accounts that can't prove the identity info provided at signup, that's going to be a lot of locked accounts.
I think they're overestimating the importance of a gaming account.
I didn't have an ID until I started driving at 15. I wonder how many of the Roblox player base even has a government ID. Will children beg their parents to go to the DMV so they can get verified on Roblox?
First off... NOT A FUCKING CHANCE. If a kid came to me with a game that was asking for "opt in" age verification by scanning government ID, and they wanted to do it, we'd have a long talk about privacy and that game would get uninstalled even if it means the end result is the kid crying over it.
Second, how is this going to work? I don't know a single kid that plays Roblox and has a government issued photo ID. And are they REALLY going to roll out a system where they're trying to train minors to scan their ID and submit it to a corporation for something as trivial as a game?
> When a government-issued ID is scanned for verification, an anonymized value is generated, allowing Roblox to safely verify identity without risking exposure of the user’s real identity.
There are two possibilities here:
1. It's absolutely bullshit and they store some portion of uniquely identifiable identity info, like your name + birthdate, somewhere.
2. It's absolutely useless because someone will create a website or app that fools the system by showing fake id and a matching "likeness".
So I don't believe at all the glossed over claims of respecting privacy on this. This is a bad idea and I hope it fails spectacularly.
This is a bandaid measure. Roblox spends most of its time convincing young children that they will be successful while simultaneously cheesing the 'robux' exchange rate so that these children get nothing.
Roblox is undoubtedly responding to backlash from revelations that they are exploiting children for economic growth. Here's a great summary: https://youtu.be/_gXlauRB1EQ
Use some official eID. They are pretty pervasive across the world and typically it’s just one system per country to interact with, like Freja in Norway, BankID in Sweden and so on.
That leaves the bad methods for countries that don’t have a good official or de facto standard eID system. But maybe that will create public pressure to adopt one.
This appears to be designed to encourage the user to lie. I have never seen a workflow where a low age enables some type of restriction and that restriction is disclosed when asking your age for verification. This is a first.
Something I think that should be mentioned: Every time you submit an image of an ID, that gets shared throughout the verifying organization's communication channels.
Whether it's via database accessibility (even if it's encrypted), a web front end, email, or IMs. They'll say all they want, but IDs do leak.
kosei|4 years ago
tialaramex|4 years ago
_jal|4 years ago
If your service demands my ID, I'll close my account.
If you have KYC requirements, I'll meet you in person or find a different vendor.
nomel|4 years ago
pvg|4 years ago
https://www.wired.com/story/roblox-online-games-irl-fascism-...
unclebucknasty|4 years ago
NBA Top Shot comes to mind. They allow you to buy with no problem. But, to sell on their platform you have to go through what is essentially a KYC check.
Your investment is sunk otherwise.
unknown|4 years ago
[deleted]
president|4 years ago
toomuchtodo|4 years ago
TameAntelope|4 years ago
watermelon0|4 years ago
Animats|4 years ago
Lavery|4 years ago
tgsovlerkhgsel|4 years ago
daleco|4 years ago
toomuchtodo|4 years ago
https://www.ftc.gov/enforcement/rules/rulemaking-regulatory-...
EDIT: @gruez: An attestation is likely no longer sufficient for Roblox's compliance requirements, and identity proofing is now cheap to perform (~$1-2/per proofing request). Cheaper to get ahead of the curve.
https://www.theverge.com/2021/9/21/22684672/roblox-age-verif...
> For now, only one feature requires age verification: Roblox’s new voice chat feature, Spacial Voice. During its initial beta test, it will only be available to players who verify they are at least 13 years old. (Roblox didn’t say whether it would later be available to users regardless of verification status.)
> But the implication seems to be that other features — perhaps specific Roblox games or community tools — could be age-gated as the company works to protect its relatively young user base. More than half of Roblox’s users are still under 13 (Roblox says “nearly 50 percent” were over 13 as of the second quarter of the year).
A business decision was made.
TedShiller|4 years ago
mustyoshi|4 years ago
daleco|4 years ago
scohesc|4 years ago
ollien|4 years ago
throwaway2214|4 years ago
I would use it quite often for these kinds of things.
Shank|4 years ago
void_mint|4 years ago
What could go wrong?
asperous|4 years ago
davemtl|4 years ago
Whichever way, they're not getting my kids ID.
unknown|4 years ago
[deleted]
eps|4 years ago
Someone1234|4 years ago
jjoonathan|4 years ago
Ad networks still figured out my real birthday :/
monocularvision|4 years ago
Avicebron|4 years ago
donmcronald|4 years ago
davedx|4 years ago
unknown|4 years ago
[deleted]
officeplant|4 years ago
sevenf0ur|4 years ago
donmcronald|4 years ago
judge2020|4 years ago
Chances are their age verification system only applies if you say you’re 18+. I doubt they’re going to throw away players.
q_andrew|4 years ago
jbigelow76|4 years ago
fauxblox.com is available for registration, someone more enterprising than myself is welcome :)
MomoXenosaga|4 years ago
I see the logic of it. If you make laws that state kids can't have access to services you need a way to verify someone is in fact an adult.
unknown|4 years ago
[deleted]
meepmorp|4 years ago
musicale|4 years ago
alkonaut|4 years ago
garrettjoecox|4 years ago
gruez|4 years ago
Symbiote|4 years ago
But at that age, it's going to be kept somewhere safe by parents. The passport probably costs more than the budget airline holiday flight.
bla15e|4 years ago
hndamien|4 years ago
dmead|4 years ago
kingo55|4 years ago
maybenotafart|4 years ago
Well at least video game code is nice and secur..... oh.
sprite|4 years ago
smartbit|4 years ago
Driving force Bart Jacobs won the 2021 Stevin Prize €2.5M for his work on privacy & security https://www.ru.nl/english/research/prizes-achievements/stevi...
devrand|4 years ago
daleco|4 years ago
wtf77|4 years ago
KatrKat|4 years ago
monksy|4 years ago