Hacker News
Introducing Age Verification (roblox.com)
125 points by kosei on Sept 21, 2021 | 147 comments



Though I applaud the effort to get age right and protect players, I'm not sure I'll ever be comfortable having me or my child scan our photo ID and selfie to upload it as part of a login flow to an application.


I would much prefer my government to take on responsibility for providing this sort of service as they do e.g. driver qualification.

Once upon a time the usual thing to get OK'd to rent a van (e.g. for students who are moving house) is you rock up to the rental place with the legal documents showing you're entitled to drive. You're relying on the fact that the person renting you a van doesn't much care and isn't keeping the exact details from those documents.

But although you can do this today, obviously the documents get scanned into a permanent data repository, so, that's not great. But, the UK government added a site so you can prove you're you, and get codes, which for a limited period show someone that yup, this person is legal to drive and so on.

They do this for right to work too. Although, annoyingly only for foreigners. If you're a citizen, you can't prove right to work this way, you need to be like "Look, I'm a citizen, here's proof" to your employer. But if you are foreign you can just go "Check this URL, your government says I'm entitled to work here" and they needn't know whether that's because your husband is a "Cultural Attaché" to the Russian Embassy, or you've got special refugee status, or you're actually an Italian and you just speak and look Russian for some reason, just that you're entitled to work here.


I in general agree to a sort of governmental (or even inter-governmental) services for lightweight identity verification. Lightweight in a sense that these services do not give any new personally identifiable information to clients, they are only given cryptographic proofs. If implemented very well, it may be usable for a whole lot of applications other than just age verification.

However a partial or faulty implementation of the concept can be very dangerous. South Korean websites used to receive a Resident Registration Number (RRN, 주민등록번호) for all imaginable reasons, including just catching double registration. RRN was and remains crucial for identity verification and it is estimated that virtually every SK national has been subject to multiple accidents that exposed their RRNs before such practice was forbidden. After that the Accredited Certificate of Authentication (공인인증서, nowadays the Recognized Common Certificate 공동인증서) was put in place, which was another travesty that is based on X.509 but with non-standard practices based on ActiveX. Nowadays age and identity verification is commonly done with mobile phones, and there are multiple such services mostly run by CICs and telcos. This did dramatically reduce the use of RRNs and is much more convenient for typical people, but if you do not own an SK mobile phone (e.g. you are a foreigner) you can't use them and there are frequently no fallbacks. Also I generally don't trust the security of those services.


In Canada we have https://verified.me/government-sign-in-by-verified-me/, which is ultimately “the government taking on responsibility for providing this sort of service” — but the government then turning around and delegating that responsibility to major banks (the Verified.Me service, acting as the SSO intermediary, is a joint venture of seven major Canadian banks, and then supports other non-shareholding financial institutions as well.) Since you need a proof of identity to open a bank account, an SSO through your bank functions as a pretty good proof of identity.

Right now, the Verified.Me service sends through your actual non-anonymized identity (Social Security Number, I think) to the service being signed into, meaning it’s only really good for services you’d want to hand information like that to anyway (i.e. government service websites.)

But it’d be only a little tweak to enable a provider like this to send the service being logged into a persisted random-per-service token, or a per-service-salted hash of that info, instead. If this was done, a flow like this would then be perfect for KYC/AML: it would precisely restrict each legal person to only having one account per service, while also not revealing who that legal person is to that service. And the only person in this flow who’d ever see your ID, is the bank clerk you interacted with to open your bank account, years/decades earlier.
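
Added example (not part of the comment above, and not Verified.Me's code): a sketch of the two options it proposes, a persisted random per-service token and a per-service derived identifier. The derived one is keyed with a provider-held secret (HMAC) because a plain salted hash of a short numeric ID can be enumerated by whoever holds the salt. The class names, service IDs and 5-digit ID values are constructed for illustration.

```python
import hashlib
import hmac
import secrets


class IdentityProvider:
    """Hypothetical bank-run SSO provider; every name here is illustrative."""

    def __init__(self):
        # Secret key that never leaves the provider.
        self._key = secrets.token_bytes(32)
        # Persisted (person, service) -> random token table for the token variant.
        self._tokens = {}

    def hmac_pseudonym(self, national_id, service_id):
        """Derived identifier: stable per service, unlinkable across services."""
        sid = service_id.encode()
        # Length-prefix the service id so field boundaries are unambiguous.
        msg = len(sid).to_bytes(2, "big") + sid + national_id.encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def random_token(self, national_id, service_id):
        """Random identifier: nothing to derive, but the table must be stored."""
        pair = (national_id, service_id)
        if pair not in self._tokens:
            self._tokens[pair] = secrets.token_hex(16)
        return self._tokens[pair]


class Service:
    """Relying party that enforces one account per legal person."""

    def __init__(self, service_id):
        self.service_id = service_id
        self.accounts = {}  # pseudonym -> username; no real identity stored

    def register(self, pseudonym, username):
        if pseudonym in self.accounts:
            return False  # same legal person already holds an account here
        self.accounts[pseudonym] = username
        return True


def salted_hash(service_salt, national_id):
    """The weaker variant: unkeyed hash with a salt the service knows."""
    return hashlib.sha256(service_salt + national_id.encode()).hexdigest()


def salt_holder_can_recover(service_salt, digest, digits):
    """Shows why the unkeyed variant leaks: the ID space is small enough
    that the salt holder can hash every candidate and compare."""
    for n in range(10 ** digits):
        candidate = f"{n:0{digits}d}"
        if hmac.compare_digest(salted_hash(service_salt, candidate), digest):
            return candidate
    return None


if __name__ == "__main__":
    idp = IdentityProvider()
    alice = "04217"  # constructed 5-digit stand-in for a national ID number
    game = Service("game.example")

    p = idp.hmac_pseudonym(alice, game.service_id)
    print("first signup accepted:", game.register(p, "alice"))
    print("second signup accepted:", game.register(p, "alice_alt"))
    print("same person, other service matches:",
          p == idp.hmac_pseudonym(alice, "exchange.example"))

    salt = b"game.example-salt"
    print("salted hash reversed to:",
          salt_holder_can_recover(salt, salted_hash(salt, alice), 5))
```

With the HMAC variant the service cannot run the same enumeration, because the key stays with the provider; the trade-off is that the provider can still recompute and link every pseudonym.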


It's similar in Norway. There's a government service (IDporten) which aggregates a few commercial offerings (most notably BankID, a two factor auth scheme used by the banks). But it's very restricted who gets to use these services.


Does this basically force people to have a Canadian bank account to survive?


Not strictly (as the sibling comment says), but also, in practice it doesn’t matter, as there are effectively no “unbanked” Canadians the way there are “unbanked” Americans.

From https://www.canada.ca/en/financial-consumer-agency/services/... :

> In Canada, you have the right to open a bank account at a bank or a federally regulated credit union as long as you show proper identification.

> You can open an account even if you: don’t have a job; don’t have money to put in the account right away; or have been bankrupt.

But that requirement to show identification is important. What it means in practice is that everyone who resides in Canada except illegal immigrants can open a Canadian bank account.

And the fact that so many crucial government services assume that you have a Canadian bank account (not just for SSO, but also because they assume things like the ability to do direct deposit for tax refunds, welfare/unemployment, etc.), means that it’s really hard to be an illegal immigrant in Canada. Which is probably one reason among many that people generally aren’t interested in trying. (Other reasons: we don’t have any land borders except with the US, and it’s easier to be an illegal immigrant in the US, so why not just stop there? And: the Canada Border Services Agency is terrifying to interact with, even for Canadian citizens.)


I don't know about Canada specifically, but generally there are situations where one can be waiting for a residence permit or waiting to be fully registered as a resident, etc. It can take several months in some western European countries despite the same laws that nobody can be denied a bank account. This can create a lot of inconvenience for legal residents that recently immigrated since some of those countries also have systems that use banks for ID.


There are ways around this and I have seldom seen it used outside of government services, so not really.


> I would much prefer my government to take on responsibility for providing this sort of service

After witnessing enough leaks and hacks of government databases, this is one application where I'd favor a cryptographically secure, decentralized solution based on open-source code that's been competently audited to show the system keeps my sensitive info provably private.

Ideally something that's been in the wild under sustained and motivated efforts to hack it for long enough to convince me there's some substance to the claims.


Each government already has a complete list of all their citizens (probably multiple duplicated across various departments). Having the government have a service that provides temporary keys associated with an identity isn't much of an add toward security risk.


> "Look, I'm a citizen, here's proof"

Sounds a bit like e-verify. Don’t forget to lard it up with some denials for folks on domestic terrorist watchlists, wife beaters, bench warrants for parking tix, etc. etc.


>But, the UK government added a site so you can prove you're you, and get codes, which for a limited period show someone that yup, this person is legal to drive and so on.

Could you link us the site?


I think it is this: https://www.gov.uk/prove-right-to-work

(Just from a search, I've not needed to find this before.)


I'd rather not subsidize roblox with government systems. If they can't figure out an age verification system that works that's on them. The government shouldn't be verifying the age of people for businesses. It's a waste of tax dollars to subsidize a business with major profits.


Roblox has an age verification system that works. It's just not good for the public. Isn't that what governments are for?


No. If it's not good for the public, then either don't use it, or pass legislation to ban it. Subsidizing a business because they can't do it is wasting tax money for a video game.


Regulating that vast swarms of businesses need to make their own age verification system seems like a waste of economic value. Especially considering how many normal tasks that near everyone does would also benefit from such a government system: Loans, Rentals, Housing, etc.

You would also only need to provide the evidence once to the governing body that gave it to you in the first place, instead of giving it to dozens of companies.


My taxes shouldn’t provide economic value to random companies who want to verify age, and creating a centralized identification system that is available to non governmental entities is ripe for abuse.


Yeah, I don't do this.

If your service demands my ID, I'll close my account.

If you have KYC requirements, I'll meet you in person or find a different vendor.


This happened to me with Twitter. Made an account, followed some people, they locked the account and told me it exhibited bot-like behaviour and I needed to scan some photo ID to send to them for them to unlock it.

Never worried about Twitter ever again. Probably the healthier choice in the long run.


With most of these, the service itself doesn’t demand your ID; they demand that you give your ID to some third-party KYC/AML provider, who then just sends a “yes, this account isn’t fraudulent” signal back to the service. It’s like really overwrought SSO.


And if that third party is the same that actually issues your ID (I.e. the government), you give no one anything they didn't have already. It could even be constructed cryptographically so that

1. the government doesn't know for what purpose it verified your identity, only that it did

2. The party receiving the proof of ID (or proof of age, or proof of non-duplicate registration - it could potentially be a lot more limited than full ID) gets it in a zero-knowledge form, so they can't turn around and give it to someone else.


>If you have KYC requirements, I'll meet you in person or find a different vendor.

That's literally not an option when it comes to crypto exchanges.


localbitcoins exists


Funnily enough, localbitcoins has required KYC for some time, and even prohibited face-to-face cash trades.

However there are alternatives such as localmonero and localcryptos so you are correct in concept.


That's only really comparable if you're exchanging a few hundred dollars worth of crypto. What if you need to exchange several thousand? The spreads are going to be terrible, as would be counter-party risk. Timing would also be an issue, which is important if you're trying to trade (as opposed to HODLing).


The fees and inconvenience are only an issue for regular traders that are repeatedly buying and selling. For 6+ figure amounts it is even better to use 'over the counter' peer-to-peer services. Companies that are buying hundreds of millions worth are not using exchanges. I found it easy to do 5 figure trades even in 2014. There are significant fees and inconveniences when moving fiat to centralised exchanges so it evens out.


What if ID could be validated with homomorphic encryption though? And you never had to send your actual ID in an unencrypted form to the service?


My full name, physical address, and IP address were leaked with another game my kids play. I'm excited for my driver's license and picture to be leaked as well.


I don't think I'd be comfortable with this either, certainly not to play some game. On the other hand, the bizarre problems maintainers of online communities have to deal with are just wild and worth keeping in mind as context:

https://www.wired.com/story/roblox-online-games-irl-fascism-...


The worst are those that let you get invested and only then spring these requirements on you.

NBA Top Shot comes to mind. They allow you to buy with no problem. But, to sell on their platform you have to go through what is essentially a KYC check.

Your investment is sunk otherwise.


I think people on HN underestimate how easy it is to accidentally build a money laundering system — which NBA Top Shot did and now has to correct with KYC checks.


>I think people on HN underestimate how easy it is to accidentally build a money laundering system, which NBA Top Shot did and now has to correct with KYC checks

Oh, I understand the "why", but seems to me NBA Top Shot is the one that underestimated how easy it is to build a money laundering system.

And, suddenly requiring KYC checks of all users--irrespective of amounts involved and without an option for refunds--isn't the most customer-friendly way to "correct" their oversight.


This is why people are afraid of vaccination ID/passports.


A component of my work is in digital identity, so I hope you don’t mind the question: what would make you comfortable doing so? For Roblox, I can see the exception taken, but some applications do require this level of identity proofing (scanning your passport in an airline mobile app to book an international flight comes to mind).

Edit: Thank you everyone for your feedback, it’s very helpful!


Generally I would be comfortable showing my ID to either an established bank or the government which issued the ID. And airport security. Otherwise if a private company wants me to upload my ID I would probably avoid using their service.


Or a bar? Ya know, to verify your age.


I don't drink at places that need to scan my ID and keep a record of it.


You've never been to a bar that swipes the mag strip on your ID? Or the many doctor's offices that take scans of your ID with your insurance card?

I'm totally on board with ID cards not having your address on them because of the stalking potential but it's an ID card, if it has to be secret for it to be useful it's a really shitty form of identification.


No I've never been to a bar that swiped my ID. The bar does not need to know who I am.


Not OP, but:

If at all possible, I would want a hard guarantee that my photo ID and all derived information (e.g. my real name (as in the case of Roblox, they don't care about your identity, just your age)) would be completely deleted as soon as possible, as well as a description of exactly when that would be (e.g. "we have to contact your federal government to verify the authenticity of this ID, and then ensure that they know that we've verified your user account, and then we'll delete everything immediately - this typically takes 4-8 business days, and we'll email you when the process is completed").

Regardless of the above, I would require that no personal information linked to my ID would be used for any purpose (analytics, marketing, ads, or sale/transfer to a third party) except identity verification.


Unfortunately it seems like "hard guarantee" for most things in tech is almost laughable, and if there is a chance data can be gathered, probably not even worth dreaming about


Which is why "Asking" is an AUTOMATIC "delete the app" or "cancel the web account" or similar.

We weren't born yesterday. :-)


Indeed. Plus even if they "hard guarantee" it at service launch they could and likely would quietly change it after the press has moved on, with a TOS update on line 194,404,4008 that nobody will read.


Putting photos of my ID documents online just seems like an incredibly bad move for my security and privacy.

The only time I'd even consider sharing photos of my ID documents over the internet is if I'm sharing them with an organisation I have a multi-year high-trust relationship with (like my e-mail provider of 20 years). And even then, I'd prefer not to if I can avoid it.


Government agencies only.


While I trust my Government to issue me a passport (what else can I do), I can't say I trust all their agencies to securely store an image of it.


>but some applications do require this level of identity proofing (scanning your passport in an airline mobile app to book an international flight comes to mind).

I never had to do this when booking a flight. The max I had to do was provide my personal info (name, birthday, passport number). If they asked for a passport scan and a selfie I would have noped out.


Kayak asks for ID photos, even for domestic flights.


But the underlying airlines don't, so just find the flights on Kayak then book direct bypassing this invasive measure.


Never used Kayak but thanks for the tip: I NEVER will use Kayak!


> Some applications do require this level of identity proofing (scanning your passport in an airline mobile app to book an international flight comes to mind).

I don't know about presently but historically, you didn't need a passport to buy an international ticket. You needed a passport to get on the plane at the airport. So if you buy a ticket in a fake name, it's your problem if you can't fly and tickets aren't refundable for this.

Which is to say that no app space comes to mind when I think of something that needs id scanning - or the only apps like this are extensions of state control to the virtual space (virtual parole hearings or whatever).

Basically, anything that isn't the state should use its own fricking account system to relate to people online. And the state itself is kind of iffy.


I did it for a crypto exchange, but that was for KYC / AML verification and I intentionally chose an exchange that's regulated by my country's KYC/AML regulator, so I was expecting to have to do it.

Giving up that much PII for a game is insane. I'd uninstall it without even thinking. Any industry that's not regulated to require photo ID when they're asking for it doesn't need to ask for it.


Nothing would make me comfortable doing so, any more than sharing my bank credentials with a 3rd party for example. The only question is whether the benefit or necessity of doing so outweighs my discomfort.

I think the discomfort is a good thing here.


Built-in watermark support. When the system eventually gets hacked and the pictures end up in the hands of hackers, their use will be limited due to a "COMPANY + DATE" watermark plastered all over.


The company will either go out of business as people claim costs associated with the breach, or you would get a $10 settlement from a class action.

The watermark isn't worth anything, and doesn't add any trust.


Reality disagrees with your theory though. Most companies that get their data breached are still in business and class action lawsuits aren't even a thing in most countries in the world (maybe the US is the only country that has that?).

The watermark is an extra threshold. It's like an extra bike lock, they'll get the bike with only one lock instead.


>the company will either go out of business as people claim costs associated with the breach

This is the desired behavior.


(I think) I feel like I'd be similar in opinion about this with the OP, so hopefully you don't mind me putting my thoughts here!

The main issue that I have is that it's down to a matter of trust. I'm mainly using the article on Roblox as an example for my thoughts here, but I'm sure it could be easily translated to other services/companies doing digital ID verification.

I don't like digital identity verification at all however I am open to other options. I have no trust in these identity verification companies using my ID for the sole purpose they say it will be used for. I have no idea if they're holding onto the ID and using it for training their algorithms, or if they sell it to a data collection agency, or if they etc. etc. etc. - why do I need to read a 10+ page privacy policy document to figure that out?

For a company like Roblox - I don't see why they couldn't roll out their own system for digital verification. Yes, you'd have an absolutely massive influx of users at this point since they seem to _just now_ be adding age verification, but after a month or two - barring special events/promos in game - I'm sure an ID Verification department could be handed out to a few people.

That being said - I'm not considering any issues in other aspects like Legal issues, Privacy issues, data retention issues, number of users, numerous ID types etc. etc. etc. and I'm sure those are HUGE factors as to why people aren't "rolling their own" solution.


In Britain they proposed an anonymous system for checking age before viewing pornography. (It was cancelled.)

The idea was you could show your ID to someone qualified to check (like a shop selling alcohol), they'd give some sort of pass, and that could be used to access the website. I wouldn't mind that, so long as the shop person only looks at the ID.

(And I've never been asked to scan a passport when booking a flight.)


Not OP but there is NO SITUATION where I'd EVER do this for a web site. There are NONE I trust enough for that kind of information and NO web site offers sufficient value to even consider the risk.


This level of identity proof isn't that secure.

If we absolutely need to have software that has this level of identity, then we need to build infrastructure to support it. That infrastructure already exists to some degree as notaries and could be expanded and modernized to allow privacy preserving identity verification.


I don't ever want to provide a storable version of my ID to you. I don't trust you or anyone else to keep it safe. I would expect my identity to be compromised over and over as companies get breached.


>scanning your passport in an airline mobile app to book an international flight comes to mind

I'm curious as to why this might be necessary.

Whenever I've traveled internationally, while I've had to provide the airline with a bunch of info when booking my flight, I've never had to provide a scanned version of my passport.

Rather, when I arrive at my destination (at both ends) I need to show the nice customs folks my passport.

Which airlines require providing them with a scan of a passport to book a flight? I ask so that I can make sure never to use those airlines. Thanks!


Absolutely nothing. "Digital" identities should be exactly that. I will never be comfortable identifying myself beyond my activity. If you require more data, then your services aren't for me, unless you're a municipal provider.


>>scanning your passport in an airline mobile app to book an international flight comes to mind

Why? Proof of ID would be required at boarding time, and by Security who simply verify the supplied info matches the actual ID, but does not actually scan and store the document (nor should they)

I am unclear what in a booking process would require a person to scan in your passport to book the travel?

How would this work if I am a corporate booker needing to book flights for others, do I need to maintain a copy of their IDs?

Your example is pretty flawed, as are most examples you will come up with because in reality there is no reason to have to upload your ID. It is draconian and should be resisted by everyone for any purpose.


To be fair, it's not part of their login flow, it's part of their verification flow. It's a one-time thing, not an every-login thing.

I also see no problem with this. What could they realistically use this information for that would be nefarious? It doesn't actually store the ID in any real sense, as they explain in the link, and I see no reason for them to lie about that.

It's real easy to scream, "But My Privacy!!!", and probably a decent amount more difficult to come up with an actual and practical risk there.

Honestly, if your threat model includes "video game companies that lie about age verification systems", I don't think you're taking your security very seriously.


One risk is the inevitable data leak and having these documents for sale on a darkweb market. How exactly is the ID anonymized? Who knows?


In the Netherlands we have a government app that blacks out the sensitive stuff called kopieID.

Honestly if you are going to ask for identification ask for a passport or driver's license not this idiocy of credit cards and bank statements. That's just insulting my intelligence.


The documentation says anonymized "value" is generated, so likely some kind of hash.

I don't think these are able to be stolen in any meaningful sense, based on how they describe their tech stack.


Where does the need for hard verification of the age come from?

My friends and I were using the internet when we were under 13 years old (although not by much), and just clicked the button to confirm that we are older than 13 (mostly on various forums), and later on the same thing with 18 years old verification screens, and we turned out alright (at least from my perspective.)


According to Roblox's S-1 filing, they want to move their customer base up from the current average age of 13. Age verification is for older users, so they can be less restricted. Roblox has a large outsourced "moderation" operation, and is working on an AI system that can bring down the ban hammer in 100ms after saying a bad word.

Tencent already does this in China. Tencent owns 49% of Roblox. So the technology is available.


> According to Roblox's S-1 filing, they want to move their customer base up from the current average age of 13.

I'm guessing that's because things like COPPA don't apply to 13+ and identity verification lets them start building accurate PII profiles for children the day they turn 13. What a nasty business.


As long as I can remember, you could attest that you’re over 13 on Roblox with zero proof and that would grant them the right to collect data anyways.

I think the goal here is to expand into 18+ where there’s less need for chat moderation (save for slurs) and game moderation, while still having a sandboxed environment where parents are comfortable letting their kids use without exposure to the 18+ content.


Fuck China as an exemplar for anything moral or legal!!


Given this angle I wonder if Roblox is actually hoping for rampant falsifications so they can keep their underage players but also tell regulators that they are protecting minors from possible exposure to harmful content.


Wow - I had no idea that Tencent owned that much of Roblox.

Now I'm even more wary of sending my ID to a company that's owned by another company that's owned by a repressive government and can influence how anyone in the chain can do business.


Tencent owns 49% of Roblox's Chinese operations, which is a subsidiary, not the entire company.


Ah, right. I just checked the S-1.


Lol, does it really take an entire AI system to autoban someone who says a bad word?


Probably parents realizing their children were making in-app purchases beyond what they (the parents) were aware of, and charging them back as unauthorized use. The cc processors pass that on to the merchant, and will drop them if there are too many. Likely Roblox just reached some critical mass where they couldn't sustain it any more.


When I read about the age verification system for Roblox, it immediately made me think of a post on the official Patreon blog from just a few days ago, talking about how they're going to have to start asking for identity verification for "adult/18+ creators" due to new standards from Mastercard. And, yes, this clearly isn't exactly the same thing, but the similarity in requirement combined with the timing make it at least fractionally more suspicious to me that this is driven by payment processor requirements -- or at the very least, whatever concerns are driving those requirements.

It's also worth pointing out that unlike Patreon's requirement for adult material creators, Roblox's verification is optional, which most of the discussion here on HN seems to be eliding.

https://www.theverge.com/2021/9/21/22684672/roblox-age-verif...

> For now, only one feature requires age verification: Roblox's new voice chat feature. During its initial beta, it will only be available to players who verify they are at least 13 years old. But the implication seems to be that other features -- perhaps specific Roblox games or community tools -- could be age-gated as the company works to protect its relatively young user base.


Pure speculation: Once they build a user base that over time crosses the age of 18 (or whatever the age for accessing adult material is in the player's country), they can allow them access to a separate, premium, age restricted section, where they can expand their user generated content model to a demographic with a lot more money and a market where that money is easily spent.


Depending on the country, it can be due to local regulation. I don’t think it is required yet in the US. E.g. AVMS in Europe. YouTube had to implement age verification.


Children's Online Privacy Protection Rule ("COPPA")

https://www.ftc.gov/enforcement/rules/rulemaking-regulatory-...

EDIT: @gruez: An attestation is likely no longer sufficient for Roblox's compliance requirements, and identity proofing is now cheap to perform (~$1-2/per proofing request). Cheaper to get ahead of the curve.

https://www.theverge.com/2021/9/21/22684672/roblox-age-verif...

> For now, only one feature requires age verification: Roblox’s new voice chat feature, Spatial Voice. During its initial beta test, it will only be available to players who verify they are at least 13 years old. (Roblox didn’t say whether it would later be available to users regardless of verification status.)

> But the implication seems to be that other features — perhaps specific Roblox games or community tools — could be age-gated as the company works to protect its relatively young user base. More than half of Roblox’s users are still under 13 (Roblox says “nearly 50 percent” were over 13 as of the second quarter of the year).

A business decision was made.


> COPPA imposes certain requirements on operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age.

I didn't read the whole thing. I plan to one day though because I want to see what the rules are, but, to me, that summary sounds like the only reason you need to do it is if you want to collect personal information for children that are 13-17 year old.

Here's a wild idea... How about not collecting the personal information of children?


>Here's a wild idea... How about not collecting the personal information of children?

Here's an even wilder one:

   How about not collecting personal information?  
   Full stop.


COPPA has a very broad definition of personal information (see https://www.ecfr.gov/current/title-16/part-312). "Online contact information" counts as personal information, and that includes email addresses, IRC nicks, IM usernames, etc. Some other things that count as personal information under COPPA are IP addresses, the user's voice, and full names. Virtually all online services with user accounts collect personal information as defined by COPPA.


>Virtually all online services with user accounts collect personal information as defined by COPPA.

And that makes it right to do so? I think not.

Sure, it's necessary to store stuff like login credentials, if a login is required to access the site.

As such, it shouldn't matter how old (or young) you are, unless there's a specific need to store such information (and there rarely is) to support the use of whatever services are provided by a website, it's invasive and untrustworthy to do so.

And I respond accordingly.

Feel free to disagree, but that's not a discussion which will end in me changing my position.


That piece of legislation was from 21 years ago. What changed? In the past a "I'm 13" checkbox would have sufficed.


I'm sure it's more of a "cover your ass" scenario where in the future, if someone gets past the ID verification system and uses an account to commit a crime on their platform, Roblox can just say "the ID company verified it!"


I don't think anything has changed, but COPPA isn't the only regulation with age requirements. GDPR also includes an age requirement (https://gdpr-info.eu/art-8-gdpr/).

From a quick read of the article, I think this is intentionally going beyond the requirements. They obviously feel that this will build a safer and more trustworthy environment at the expense of other issues, including a loss of users who don't want to provide identity.


There are truly unsavory elements that will intrude on a virtual environment for children. Roblox corp knows exactly what they're dealing with due to their existing support requests- and they can imagine the implications of adding a spatial voice feature into that mix.

I trust they're not going overboard here.


So I'm supposed to trust that they will never have a data breach? For the lifetime of the company? And for all subsequent acquirers?


As somebody who used to breach them for rewards, I concur with your reasoning, but I imagine their security is much better than it was half a decade ago.


They don’t store the ID.


I understand the massive investments into "rolling your own" system for ID verification, but I always feel sketched out when companies ask you to send your ID and your photo to "a third-party" - where the privacy terms of that relationship are so obtuse/vague it's not worth reading.

Is it really that hard on the privacy front to hire someone to keep watch and manually verify that someone is who they say they are? I assume the amount of people verifying will be massive at first, but after 2-3 months I could see the amount of people signing up (AND verifying their ID) would be in the thousands per week - easily handled by humans instead of "a third-party service"


I'd feel _more_ sketched out if a provider was handling it themselves. I don't know how much I want someone unqualified handling the storage of this themselves...


It's all down to the specific brand.

Outsourced to Ping? Ok. Outsourced to some identity SaaS I never heard of that just closed their series B? Pass.

But then obviously I'd expect Microsoft to own their own identity story, and if they ever didn't I would immediately suspect I wasn't actually even dealing with Microsoft.


What seems really sketchy to me is the third party together with a lot of the language in the press release - Roblox does not store raw ID document nor the selfie data.


Can't someone train a GAN to do this-id-does-not-exists.com?

I would use it quite often for these kinds of things.


I mean yeah, you could, but forging identity documents is illegal in most places with functioning legal systems, for obvious reasons. Forging a government ID and presenting it as a real one is a giant minefield that most people probably don't want to be in.


The person offering the site will be from a jurisdiction where they don't have to care, and will do it either for the lulz or for money.

The 12 year old kid using the site will not care about the legal implications.


You're suggesting that it should be illegal to lie to Roblox about your identity?


Yes? Duh? That's the point of anti-forgery laws.


Who exactly is the victim of the crime which such a law creates? If the purpose of age verification is ostensibly to protect children, and if children are the ones lying about their age, then are they both the perpetrator and the victim?

In any case, dragging a 12 year old through the legal system seems like a greater harm than allowing them to play Roblox (although perhaps not by much).


Say that again but about cigarettes and alcohol.


If a child is using a fake ID to buy cigarettes and alcohol, the harm they suffer is not from owning or presenting the ID, but from consuming the product which the ID gives them access to.

A company could in theory ask for ID before selling any product (ignoring age discrimination laws), and you wouldn't say that a child is harmed if they use their fake ID to buy a bottle of water, for example, so the use of the fake ID doesn't necessarily lead to harm.


Putting sensitive information about children on the internet, in the hands of a major corporation (a gaming company, no less).

What could go wrong?


In the US, how many 13 year olds have id cards? It seems like by the time they have a drivers license they might not be into roblox anymore.


The age verification appears to be opt-in, however they don't say what happens if you don't hand over your kid's ID. One would hope that it would disable or limit communication between players and keep the player in a suitable for all category. I wouldn't be surprised that because their user base is growing up, they would want to change it into kind of a "second life" for teenagers.

Whichever way, they're not getting my kid's ID.


> nearly 50% of the users on our platform are over the age of 13 as of Q2 2021

Hahahaha... jeez... /wipes a tear

They are in for a surprise of their corporate lives.

We have several accounts with them for our kids and I had all of them set with the birthday set to some random year between 1960 and 1990. Because, as every parent knows, any sort of "kids" account comes with random restrictions, needing to create parent account and all sorts of other bullshit that complicates everyone's life and prolongs the sign-up process.

They must be smoking crack if they think that a non-trivial amount of teens (let alone adults) are playing Roblox games. Because 99.9% of these games are complete and utter junk that makes your eyes bleed and gets traction because of the (way) younger kids that play them. That's it. That's the Roblox secret sauce. But, yeah, let's card them. Brilliant, brilliant move.


> sort of "kids" account comes with random restrictions, needing to create parent account and all sorts of other bullshit that complicate everyone's life and prolong the sign-up process.

I set up one of these for Apple and Microsoft, and boy oh boy, has it been an absolute shit-show. There have been tons of bugs with both, it is a terrible user experience all around, and it has actually cost me more money in very real terms (e.g. IAPs needing to be re-purchased three times).

Unfortunately it seems like nobody at tech companies actually dog-foods kid/family accounts, and just does it as a butt covering exercise to avoid regulation. They do the bare minimum and then let it rot.


Yep. It's absolutely brutal. Ex: EA Play won't work with XBox Game Pass if it's on a child account.

All the kids I know just use fake info with fake birthdays. There's a huge risk of losing the account, but who even knows what to do. Obviously these companies don't want to invest in moderation, so I think they should focus on moderation tools and let the parent/organizer account holders do the actual moderation.

Microsoft does the money handling on child accounts really well, but the family sharing is absolutely brutal. It's an insanely bad user experience.


I long ago aged out of these limits, but I never stopped using my fake birthday. Everywhere I thought I could get away with it, I did.

Ad networks still figured out my real birthday :/


This is so absolutely spot on. I have my kids’ fake birthday memorized because I use it so often. As soon as you enter a birthday that actually would mean under 13, be prepared for _nothing to work_.


Yea... I've always assumed Roblox was at best majority 7-15. I haven't set up anyone's account, but isn't the "at least 13 or older" a generic checkbox that is sort of used as a default for everything from YouTube to Netflix?


Haha. Yeah. And if they start verifying identity and locking accounts that can't prove the identity info provided at signup, that's going to be a lot of locked accounts.

I think they're overestimating the importance of a gaming account.


Both our teenagers play Roblox


This is giving me flashbacks to the VTech scandal where they ended up leaking out photos and personal information for over 6 million kids.


I didn't have an ID until I started driving at 15. I wonder how many of the Roblox player base even has a government ID. Will children beg their parents to go to the DMV so they can get verified on Roblox?


First off... NOT A FUCKING CHANCE. If a kid came to me with a game that was asking for "opt in" age verification by scanning government ID, and they wanted to do it, we'd have a long talk about privacy and that game would get uninstalled even if it means the end result is the kid crying over it.

Second, how is this going to work? I don't know a single kid that plays Roblox and has a government issued photo ID. And are they REALLY going to roll out a system where they're trying to train minors to scan their ID and submit it to a corporation for something as trivial as a game?

> When a government-issued ID is scanned for verification, an anonymized value is generated, allowing Roblox to safely verify identity without risking exposure of the user’s real identity.

There are two possibilities here:

1. It's absolutely bullshit and they store some portion of uniquely identifiable identity info, like your name + birthdate, somewhere.

2. It's absolutely useless because someone will create a website or app that fools the system by showing fake id and a matching "likeness".

So I don't believe at all the glossed over claims of respecting privacy on this. This is a bad idea and I hope it fails spectacularly.


> Second, how is this going to work? I don't know a single kid that plays Roblox and has a government issued photo ID.

Chances are their age verification system only applies if you say you’re 18+. I doubt they’re going to throw away players.


> It will be available globally in over 180 countries on both mobile and desktop for anyone 13 years of age or older with a government-issued ID or passport.

That's a quick ticket to getting a lot of 13-16 year olds forbidden (by parents) from playing your game IMO.


This is a bandaid measure. Roblox spends most of its time convincing young children that they will be successful while simultaneously cheesing the 'robux' exchange rate so that these children get nothing.

Roblox is undoubtedly responding to backlash from revelations that they are exploiting children for economic growth. Here's a great summary: https://youtu.be/_gXlauRB1EQ


> Roblox spends most of its time convincing young children that they will be successful

I've never seen this. Could you give an example? Me and my kids are pretty heavy players, with a couple games released, with one giving my kid a nice stream of Robux.


> 2. It's absolutely useless because someone will create a website or app that fools the system by showing fake id and a matching "likeness".

fauxblox.com is available for registration, someone more enterprising than myself is welcome :)


In my country everyone from the age of 14 has to have an ID.

I see the logic of it. If you make laws that state kids can't have access to services you need a way to verify someone is in fact an adult.


I guess my kids will miss Roblox when it goes away forever.


Roblox seems to be a self-correcting problem.


Use some official eID. They are pretty pervasive across the world and typically it’s just one system per country to interact with like Freja in Norway, BankID in Sweden and so on.

That leaves the bad methods for countries that don’t have a good official or de facto standard eID system. But maybe that will create public pressure to adopt one.


What 13 year old has a government issued ID?


For the jetsetting 13 year old, a passport. It's not exactly rare, but it's also not common either.


Probably the majority of European children have one, or an equally valid national identity card.

But at that age, it's going to be kept somewhere safe by parents. The passport probably costs more than the budget airline holiday flight.


fantastic news. with this, the fate of corporate roblox is sealed and the metaverse can evolve further


This appears to be designed to encourage the user to lie. I have never seen a workflow where a low age enables some type of restriction and that restriction is disclosed when asking your age for verification. This is a first.


I've held shares in Roblox since IPO. This is concerning.


What happens if/when these systems are hacked and millions of users' government-issued identities are freely available to anyone on the dark net?


Put PHI into a video game? What could go wrong? It's not like you can mod roblox.... oh.

Well at least video game code is nice and secur..... oh.


Are there any good identity verification SaaS?


The Dutch can use I Reveal My Attributes https://irma.app based on Idemix that allows revealing “Age above 13” https://privacybydesign.foundation/irma-explanation/. Source at https://github.com/privacybydesign

Driving force Bart Jacobs won the 2021 Stevin Prize €2.5M for his work on privacy & security https://www.ru.nl/english/research/prizes-achievements/stevi...


I haven't used it but Stripe Identity recently came out: https://stripe.com/identity



Thanks. Now I have a reason to close my kids account :)


What governments issue photo IDs to 14 year olds?


Something I think that should be mentioned: Every time you submit an image of an id: That gets shared throughout the verifying organization's communication channels.

Whether it's via database accessibility (even if it's encrypted), a web front end, email, or IMs. They'll say all they want, but ids do leak.



