Age Verification Security Badge
tracked
KiraYoichi Resident
Residents need to have the option to verify their age by submitting their driver's license/passport/state ID through the login www.secondlife.com page. There should be a tab section to go through during creating account as an 'option' choice. By doing this, residents should receive a badge that will appear within the avatar's profile next to the payment info (or 1st Life tab).
This will help separate 18+ adults away from under age users. The feature button in 'About Land' will be linked to the checked box called 'Must be 18+'. This will help filter Adult avatar content when residents display the badge in profile.
Kyle Linden
tracked
Issue tracked. We have no estimate when it may be implemented. Please see future updates here.
Starberry Passion
This is a terrible idea, especially since the age of the internet is rapidly climbing. This would just make second life a target for Hacking, Botting. Second life can not afford to do something like this either way, due to it not being a large platform.
Second life doesn't have millions of people logging in every day to fund them and to make things much easier, plus this will cost the residency to help pay for this, so they're going to need more money.
This is bad all around.
Gwyneth Llewelyn
Starberry Passion are you sure your comment is relevant at all?
This is just a proposal for having a badge saying "this resident is verified to be 18+ years old" and nothing else.
Why should this cost "the residency"? Assuming that there are any validation costs involved, these should obviously be paid out of the validated user's pockets — and nobody else.
Remember, LL doesn't really care if you're 18+, or if you have just stolen the credit card from your parents, and used it to register an 'adult' account. But other residents care. This would be a way of self-labelling oneself as 'yes, I'm an adult, and I've proven that to LL'.
Granted, nothing prevents a careless parent to do the validation on behalf of their underage child — but not only would they be violating LL's ToS (giving access of your password to third parties is forbidden, including your own offspring), but they would be held entirely responsible of whatever content their children would see. If it's inappropriate for their age, tough — the parent will be sued, neither the innocent bystanders who took the badge to be valid, nor LL, which would have done their best to filter out underage residents...
Ikaros Alpha
My account was verified like this in the past. It was obligatory once. The third party service Linden Lab used to do that, was not as successful everywhere in the world as it was in the USA.
Many official documents were not recognized.
Also I found out one of my group members was in fact underage but had used his father's ID to verify 'his' age.
Gwyneth Llewelyn
Ikaros Alpha no system is perfect! I'm one of the lucky ones: in spite of not being in the USA, I went through successful validation (three times, if my memory doesn't fail me) each time.
But you're right, underage children will always find a way to still log in. However, there is a difference here: if someone deliberately lies to the system about their age, and commits identity theft (in this case, 'stealing' their parents' ID), then they are responsible for whatever happens to them. Neither the other residents in adult areas, nor Linden Lab, would be accountable for anything in such a case. It would all be the fault of the parent, for negligently allowing their children to use their IDs to unlawfully register for a service or product online. Even the old 'but I didn't know!' excuse does not apply — if you, as a parent, don't know what it's all about, then you should simply refuse access to your children, and either learn more about the subject, or let the children grow up and become legal adults.
Ikaros Alpha
Gwyneth Llewelyn It will cost a lot more money nowadays to hire a professional service that can age verify people from all over the world.
Gwyneth Llewelyn
Ikaros Alpha are you sure about the costs?
Let me give you an example, Persona — I'm not endorsing them at all, mind you, it's just that they have some of their prices publicly shown. Persona has a low-end plan ('Essentials') that is very reasonable: US$250/month (for LL to pay, with a year-long commit), allows 500 verifications for free per month, and US$1.50/person afterwards (other plans have further discounts).
One dollar and a half!...
Surely, that's not much to ask, considering that it's something you just need to pay once?...
Even if you wish to argue that LL will still need to shell out those US$250/month, well, they can very easily cover the costs. Let's assume that we still have half a million monthly active users, all of which wanting to get verified as adults. Obviously, if all try the validation on the very first day/week, LL will blow their 'free tier' in picoseconds. Therefore, what they would do is to charge everybody $1.50 for validation. They would easily earn more than enough on the first month to pay for their overall fees to Persona for several years. And, afterwards, of course, the number of new residents (or old ones returning to SL) wishing to validate themselves would easily be below the monthly 'free' tier.
In fact, LL could easily give all paying customers the validation for free. They would still get a surplus from charging US$1.50 for each Basic account!
Now, of course, there are some hidden costs. The so-called 'Essential' package requires LL to do all the work themselves on their side, using pre-generated templates for validating people all over the world. That, in turn, requires quite a bit of programming, and integration into their services. One alternative would be to let Tilia do the validation — Tilia, after all, already makes money from all those fees.
And, of course, you'll need to give some training to the LL tech support team for them to know what to do if someone complains that they cannot get validated through Persona. The lowest price tier at Persona does not include real-time phone calls for support, meaning essentially an exchange of messages between LL's tech team and Persona's. Oh, sure, it won't be perfect, it will be clumsy, and it will get a certain degree of false positives. But the point is that it works — for those who want it — and, really, I wouldn't consider their costs astronomical.
Gwyneth Llewelyn
Note that LinkedIn uses Persona for validation, and very likely they pay for a very low tier. I'm one of those who, in spite of having all documents ready, cannot validate my account — because my ID card does not yet have an NFC (contactless) chip — only the latest of the latest cards have those, and I have already replaced mine merely 5 years ago, so I'll just get a new one the next time I replace it. That means waiting all that time just for validation. But if I really needed to have a validated badge on LinkedIn, I would have to pay €17 (or so) for getting a new card. It's not the end of the world, but I'm not that willing to pay that just to be validated on a 'social network thingy' that I barely use and have zero interest in.
Of course, different countries have different rules, and I'm aware that Persona's software will not work everywhere. But it should cover a substantial number of people. So long as your ID card or passport has a NFC chip (and all new ones have), validation is almost certainly assured. In many countries (USA being one of the examples, of course), Persona offers alternative ways of validation, and these must be included in the 'low-tier' pack because LinkedIn also has them — just not world-wide. For the EU and India, they assume the whole population has — or will shortly have — NFC-enabled ID cards or passports.
Mind you, this is not the only form of validation. On higher tier levels, Persona offers validation using a larger variety of choices in documents. The principle is also simple: take a good picture of a valid ID card for your country (whatever it might be), front and back, and then do a series of selfies. Persona will match the document you presented with the long, long list of ID documents collected around the world, and use a simple AI (today, it's simple) to match your selfie with your document's photo. It takes slightly longer than a minute, but it's accurate.
Gwyneth Llewelyn
This is the state-of-the-art today. I've validated with at least two different providers (I just don't remember their names right now, but they should be very easy to find with a Google search). Some, of course, are slightly harder to use than others, and give many false positives. But, ultimately, wherever I went through that process, it worked. And I never paid a single cent for it.
LL just needs to shop around a bit, to see what ID validation provider is more adequate for their purposes, and which one has the better pricing for them, considering not only the monthly fees, but also the included tier (how many can be validated for free per month), and how easy it is to integrate into LL's systems.
Since LL already had (several) validation methods in the past, I assume that the actual integration process is at least partially done, and the costs would be restricted to dealing with the actual calls to the ID validation provider's API. Granted, it might not be the work of an afternoon, but it won't bankrupt LL and force them to mortgage their San Francisco offices.
Last, but not least...
Remember, this is supposed to be optional. The small badge will only mean 'I'm an adult, and LL vouches for my claim'. The current method — based simply on credit card data — would continue to be in place, exactly as it is today, and we know it's a very reasonable way of 'validating' adults. Obviously, children can grab their parents' credit cards — with or without their consent and knowledge — but if something happens, it's the parents' responsibility, not the other residents!
Ikaros Alpha
Gwyneth Llewelyn How many active accounts do you think Second Life has? (Not going to ping-pong here any further. I just did my best to describe why it was a disaster in the past.)
Gwyneth Llewelyn
Ikaros Alpha just for the sake of completeness, based on the last 'official numbers' that were divulged last December, the number of monthly active users is around 500,000 — which, mind you, is rather consistent with the peak number of simultaneous users, so it might be a possible, plausible number — which would cost LL about US$750,000 to fully validate, assuming they'd use Persona and got no discounts.
A hefty sum, sure, but nothing out-of-this world. We all know that LL is not a multi-billionaire company, but it churns out eight-digit revenues every year (I would guess 'before taxes'). The investors are happy. So this is not that far-fetched as it might seem.
The alternative would be charging, what, L$400 or so per resident wishing to be validated? Well, that works for me — it's slightly above the weekly stipend I get, but perfectly manageable otherwise 😅 I'd have to be a little less generous in my tips for a week or so, and probably not spend so much time following the ACCESS group for discount sales... but, again, it would be not an issue for most residents wishing such a validation for themselves.
Kore Jardberg
No, that defeats the purpose of this platform.
DaniSkunk Resident
Kore Jardberg at some point though, it could be required by laws and LL would have to follow that.
Kore Jardberg
DaniSkunk Resident I don't see any reason to anticipate non existent laws.
Gwyneth Llewelyn
Kore Jardberg I'm sure that this is simply a voluntary option; as KiraYoichi Resident wrote, and I quote:
"needs to have the option"
and not 'must do this or that'.
I'd welcome the option, even though I never visit any adult areas :)
Kathrine Jansma
This is kind of a terrible idea.
It looks good on first sight.
Then you dive deeper:
- Checking ID documents is expensive.
- What documents do you accept for 170 nations?
- Can you even read the documents you want to accept?
- How do you handle such sensitive PII documents properly, without tripping all kinds of regulations?
- How do you match those ID documents to your actual users? Names change, transliterations happen for stuff like Cyrillic and Arabic and all that stuff.
- Do you need to store proof for some regulatory purpose? Makes your troubles of storing/deleting toxic PII information even worse and expensive.
- Is the validation strong enough for the purpose? In Germany soft porn sites needed Post-Ident according to money laundering legislation to comply with youth protection regulations, which costs around 5-10€/person.
- Chilling effects, as you force your customers to jump through hoops as if opening a bank account, so most will just not do it and just pass.
- Image problems, as you are suddenly seen as a porn/adult service and get trouble with payment providers.
and so on.
There are some age verification systems that are somewhat anonymous and more or less good, but too much hassle to implement though. For example the German eID card has a clever mechanism to just ask if the person is above some age threshold without getting any other personal information. But bureaucracy and cost for use killed that, and you still have to walk to a post office or do some video session to age verify.
Mister Acacia
It would be incredibly useless to require some form of ID without actually verifying the ID is associated with the human submitting it. LL have no means to verify in person the identity of every user, nor I suspect do they have a sufficient budget for it. Just my .02L$
Gwyneth Llewelyn
Kathrine Jansma and Mister Acacia — read my own reply to Ikaros Alpha — it explains pretty much everything: there are services that can be outsourced to do all the above, and much more, for a perfectly reasonable price.
To reply directly to Kathrine Jansma:
- It's not. At least one provider will only charge US$1.50/validation. It will be up to LL to cover those costs or charge them to the residents. That's really not a fortune!
Granted, as written above, there are some hidden costs, but far, far less than if LL had to do it all by themselves...
- You can easily see that information on the webpages of those ID validation providers, where the process is explained. As most of the world is abandoning paper-based ID documents and replacing them with chips on plastic, the number of documents that can be validated — even in 170+ countries! — is surprisingly high!
If you wish to get a taste of how it works, try to get validated at LinkedIn; if you have an ePassport or any valid document with an NFC-enabled chip, it should just take a minute or so.
- That's irrelevant. In the case of passports, it's guaranteed by international treaty that they have at least English (and French, I think) in it, and Latin letters with a transliteration of the name. Other NFC-enabled ID cards (such as used in India, for example) might have all the information written in whatever script is used in the region where the card was emitted, but the chip will provide everything that's needed for validating that person — no matter what is actually printed on the card.
Gwyneth Llewelyn
- As mentioned before, the system operates as a double-blind service. LL will request from the ID validation service that they validate a person, identified by a token (not the avatar UUID — but something that they generate, probably only temporarily, to identify a user). The validation system requests the ID from the resident, using whatever documents are valid for their country, using a page/embedded app/specific app on their mobile phone. With NFC-based solutions, the validation system provider will not even know the personal data; all they will know is that the person presented a valid, government-issued document. With other documents, things might be different and require taking pictures of them, and comparing it with one's selfie, taken for the purpose. It's far simpler than it seems, and, as said, in some countries, no information needs even to be sent from the mobile device to the service provider — except for the 'ok, this person is a real adult registered in our country' token.
The provider then looks up the token that LL has given them, and returns it with a tag of some sort, saying 'validated'. LL doesn't get any of the data that the provider gathered from the resident (if any); conversely, the provider will not know the resident's avatar name or any other identifying data. Once the validation is confirmed, and LL received the 'all ok' message, the provider will destroy whatever data they retrieved from the resident (sometimes, they might do it immediately; most will keep it around for just a few weeks or so, in the case that the system is down — either on their side or on LL's side — and the person needs to be validated again).
All these ID validation services are audited independently by different agencies, some of which listed on their respective webpages. They are compelled to respect all PII laws for all the countries they work with (aye, all 170 of them!). I _can_ expect that they'd have some difficulties validating citizens from China, North Korea, Iran, or Syria, though!
Gwyneth Llewelyn
- See 3. and 4. These days, you don't _need_ to worry about those details. That's true for ePassports and national ID cards with embedded NFC chips — at the very least. In fact, I seriously suspect that these validation service providers don't even get any data from those ID documents — they only need to know if they're valid or not, and if the biometrics confirm it (read: your selfie matches with your picture on your ID document). The rest is sort of irrelevant for the sole purpose of validation.
- By "you" I assume you're talking about either LL or the validation provider. Well, LL will not store anything. For all purposes, LL outsources the validation service, so they know only as much as the provider does — and don't store anything like copies of official IDs or so. They won't even know what the provider has requested from the user (they don't need to).
The validation provider may store some information from the user, but see 4. above: whatever they store will, very likely, be short-lived in nature. The best that they might be able to say is 'yes, on that date, at such hour, the person who was identified by LL with token XXXX presented their ID documents to our app, and we validated them according to the laws in their country'. They really won't need to store anything beyond that. If there are frauds or something similar, the best that LL and the provider can say is that this person presented a valid ID, and when that happened, but they can't be blamed for not having further records (in fact, they should be lauded for that!).
- That, I'm afraid, I cannot answer. But I'm quite sure that the ID validation service will have a full staff of international lawyers able to answer that question and any other, for any of the countries the company operates in 😅
My best guess — and that's just what it is, a guess — is that these ID validation service providers act, in a limited way, as a notary public, and, as such, might be able to provide equivalent services in all countries they operate in. However, I really have no idea; I didn't check!
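The token-based flow described in the reply above, sketched as an added example (it is not Linden Lab's or any provider's actual API): the platform hands the provider only a random token, and keeps nothing but a yes/no flag and a timestamp. The class names, the HMAC-authenticated result message and the 15-minute token lifetime are assumptions made for the illustration.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed shared secret (assumption: results are authenticated with an
# HMAC; a real provider defines its own callback-signing scheme).
SHARED_KEY = secrets.token_bytes(32)
TOKEN_TTL = 900  # seconds a pending verification stays valid (assumed)


def _sign(body):
    return hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).hexdigest()


class Platform:
    """Relying party: knows accounts, never sees ID documents."""

    def __init__(self):
        self.pending = {}  # opaque token -> (account_id, expiry)
        self.badges = {}   # account_id -> {"adult": bool, "checked_at": int}

    def start_verification(self, account_id, now=None):
        now = time.time() if now is None else now
        # Random token, not derived from the account id or avatar UUID.
        token = secrets.token_urlsafe(32)
        self.pending[token] = (account_id, now + TOKEN_TTL)
        return token

    def receive_result(self, message, now=None):
        now = time.time() if now is None else now
        # Authenticate first; only then trust anything inside the body.
        if not hmac.compare_digest(_sign(message["body"]), message["tag"]):
            return "rejected: bad signature"
        result = json.loads(message["body"])
        entry = self.pending.pop(result["token"], None)  # single use
        if entry is None:
            return "rejected: unknown or replayed token"
        account_id, expiry = entry
        if now > expiry:
            return "rejected: token expired"
        # The only data retained: a boolean and when it was established.
        self.badges[account_id] = {"adult": bool(result["adult"]),
                                   "checked_at": int(now)}
        return "accepted"


class Provider:
    """Verifier: sees the document check, never the account identity."""

    def __init__(self):
        self.audit_log = []  # what the provider could later attest to

    def verify(self, token, document_valid, age_years, now=None):
        now = time.time() if now is None else now
        adult = bool(document_valid and age_years >= 18)
        # Document data is used for the decision and then dropped; only the
        # token, the outcome and the time are kept.
        self.audit_log.append({"token": token, "adult": adult,
                               "checked_at": int(now)})
        body = json.dumps({"token": token, "adult": adult}, sort_keys=True)
        return {"body": body, "tag": _sign(body)}


def run_demo():
    """Constructed walk-through: one success, one replay, one tampering."""
    platform, provider = Platform(), Provider()
    token = platform.start_verification("account-0001", now=1000)
    msg = provider.verify(token, document_valid=True, age_years=34, now=1010)
    first = platform.receive_result(msg, now=1020)
    replay = platform.receive_result(msg, now=1030)
    token2 = platform.start_verification("account-0002", now=1000)
    msg2 = provider.verify(token2, document_valid=True, age_years=15, now=1010)
    forged = {"body": msg2["body"].replace("false", "true"), "tag": msg2["tag"]}
    tampered = platform.receive_result(forged, now=1020)
    return first, replay, tampered, platform.badges, provider.audit_log


if __name__ == "__main__":
    for item in run_demo():
        print(item)
```

What this does not cover is the provider's own retention of document images or selfies during the check, which is outside the platform's control and is the part the other commenters are worried about.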
Bleuhazenfurfle Resident
No, it won't. Kids use their parents licences to ID themselves all the time. And by just getting their parents to toss them a couple dollars to use, they get credit card info too. Or, their friend's older sibling, or whatever.
What it would do, is create a set of sims that require this level of verification — probably without actually having a real need for it — and begin a sharp erosion in anonymity, which is a strong draw to secondlife for a bunch of people for very good positive reasons.
It also gives secondlife much more personal information they now need to protect, make them a larger target for hackers, and so forth. It's been demonstrated time and again, the question isn't if a site will get hacked, but when. The more personally identifying information they have, the more of a target they become, and the greater the damage when someone finally gets in. The anonymity SL offers means they have very little — credit cards are about it — that makes them a small target, with a reasonably small damage radius when they do finally get hit. Adding in such strong ID, increases both of those concerns.
Marty Mouse
Bleuhazenfurfle Resident They can't pass it that way because KYC - need photo of ID and selfie video with moving face like AI ask during it. No way to bypass that.
Bleuhazenfurfle Resident
Marty Mouse: Good to know the bar has at least been raised some.
Though I suspect you're being a little overly-optimistic on the "no way to bypass that"… A little luck and some creative video editing by someone vaguely skilled, plus a virtual camera app, and that goes out the window.
Not to mention AI deep fakes that're also a thing these days (yes, they do videos now, too). If school kids can make "nudified" pictures (and videos) of their classmates (been in the news several times over), it's fair to expect they can do something like that, too. Oh, and using a mobile app is often forced as a way to counter this, but even that isn't foolproof, at worst, it just takes someone with a rooted phone.
This is, unfortunately, an arms race that is going to swing back and forth many times, and it's the people who flout the rules who generally have the upper hand; like DRM barely slows down the pirates, but falsely impedes legitimate users on a regular basis.
prissypaw Aldrin
Marty Mouse you seem to have missed the parts about storing personal and sometimes sensitive information for malicious hackers to get a hold of then use to breach other accounts.
Mister Acacia
prissypaw Aldrin I can see a situation where LL outsource the verification process and then adjust the existing DoB data in the user's account without adding any other details. Naturally there will be a cost to LL regardless of the final solution, and whether they choose to pass on cost to users would be their decision.
Ultimately, it seems LL will have to comply with the most restrictive laws applicable in the countries in which their users reside, much like they have to do now for skills gaming access.
Gwyneth Llewelyn
Bleuhazenfurfle Resident let me just reinforce Marty Mouse's point. This is now 2025, not 2005. Back when LL started, there was no easy way that worked to validate users. You could do it manually. Or you could require the user to go to a public notary and sign a valid document — bound by the laws of the State of California — to prove your identity. This is not pure speculation on my part; it was actually how businesses got validated for the purpose of getting SSL certificates, for instance (in my country, the same kind of paper trail was needed to be able to register a domain name under our TLD).
When 'validation' was simply 'using a credit card', well, sure, this was prone to all sorts of fraud. Not only could kids 'borrow' their parents' credit cards — or even their IDs/passports — and easily 'pass' any validation questions, but there were already databases with all sorts of personal information spread around the Internet. In fact, when LL opened their virtual world for beta-testing, one of the requirements was to have a valid US physical address. A friend I know went through one of those databases, and just used the real address of a really existing gas station in the middle of nowhere, including its listed phone number. He was allowed to join SL before anyone else outside the US, and while he certainly was a legal adult, he entered under completely false assumptions. He told that story often enough, even to his close-knit circle of Linden friends, and they all laughed together.
Those were simpler days. They were also days when fraudsters didn't exist at the massive scale we have today, and, as such, those very limited and primitive methods would suffice — since they would be enough to defend the provider (in this case, LL) from litigation.
Gwyneth Llewelyn
Today, however, things are far more advanced. From your comment, it's clear to me that you never went through a current-generation identity check. You will need not only one legitimate form of identity issued in your country (and forget about your 'rights' to be identified solely by your school card, just because your particular jurisdiction allows that — you get the choices that the identity checking provider allows you, not more, and not less, whatever 'rights' you think you might have), but it must be a recently issued identity card.
This is mostly for two reasons: first and foremost, of course, you wish to still be recognisable based on your identifying document's photo. If it's so old that you don't look remotely like that any more, then the system won't validate your identity, period. As, indeed, it should. Again, it's irrelevant what 'rights' you might have to use a decades-old identification in your jurisdiction; the ID checking provider couldn't care less about that.
But a second reason is that some contemporary ID cards and passports already include unforgeable, quantum-proof cryptographic seals, which can be read by any NFC/RFID tag reader — such as your mobile phone. You may be able to outsmart an automated camera-based validation system with a bit of photoshopping, but that's impossible to do with such an embedded chip in your ID. It matters little if the passport is wholly written in Arabic or Chinese; the embedded chip will provide the authoritative transliteration of your name, address, and age, and there is no way to 'break the seal' and replace it with someone else's ID. Since everything is signed using a public-key infrastructure, and all governments freely publish the key they used to sign that document, validating the integrity of the sealed data is trivial.
Next, of course, the system needs to make sure that the person holding that ID is, in fact, the owner of the ID card/passport. While some countries have more sophisticated schemes, such as embedding biometrics data in the card itself, which can only be unlocked by providing a similar check (e.g., using Touch ID to use your fingerprints, or the more advanced retinal checks present in latest-generation mobile phones), this is not universally done, since most jurisdictions forbid biometric data to be freely exchanged.
But there is a universal way of doing the check...
Marty Mouse
Marty Mouse
Gwyneth Llewelyn yeah, it's important, but it also needs to be done easily: if we have 10 alts or bots for our stores or anything, how will we verify them? Because in the end there will be a person who has 30 avis (I know some may have, especially if it is management of a sim, RP, or even a social park). It must be a simple process or no one will do it.
My idea is that there could be a verifi.secondlife.com where you can do KYC verification by Verif or some other company that does it (or another way if the country does not allow it) and then add all avis there. If it is too hard, people will complain and that will fail again. So it must be secure and easy. That way there also will not be a mess.
Gwyneth Llewelyn
... and that, of course, is by using the picture. Again, modern ID cards/passports don't even need the ID provider to take a picture to compare with your own selfie: they get the validated, encrypted picture in decent resolution embedded in the chip itself (I have checked that personally — although my ID card is not yet NFC-enabled, it has all the rest of the bells & whistles, and with a cheap card reader I can easily get my own photo from there. It really works like that!). That prevents, say, a kid from affixing their own picture on top of their parents' passport, take a snapshot, let the NFC reader confirm the validity of the document, and let the kid 'pass' the photo identification phase when taking a selfie for that purpose.
Well, sorry, kid. Nice try, but your parents' photo is stored on the chip as well. In fact, the only purpose of the plastic document is for human consumption only. It could just be a blank card with nothing written on it. The chip provides all information and all validation. And all of that is self-contained, that is, you don't need to establish a vast network of government-connected institutions who just happen to exchange a lot of information about each other's citizens. No, the ID card or passport has everything inside that is ever needed, and can be validated by anyone, anywhere, without needing special equipment (since modern smartphones all have NFC readers).
Nevertheless, as Marty Mouse explained, there is a photo validation step required to complete the process. In order to defeat deepfakes, the procedure is simple: you're not really just going to take one picture. Rather, you will need to move your head and take pictures from the side as well, and/or do a short movie moving your head in one direction, then the other. The order of taking such pictures is randomly picked — to prevent an AI to deepfake the procedure. Granted, in the future (perhaps not that far in the future!), you might have AIs generating deepfakes on demand, and then those ID checking providers will have to come up with something equally simple and much harder to fake.
As it is, this process is close to 100% accurate.
Gwyneth Llewelyn
Granted, like all automated security procedures, you can trick the system very easily — using social engineering.
Essentially, what the kid will do in that scenario is to get an adult — possibly a grandparent — to do the whole validation on their behalf, coming up with a wild story that this is the only way they can buy a Christmas gift for their Papa and Mama on Amazon, but, since they're not adults, they have to engage their grandparents in the 'conspiracy' and ask them not to tell their parents anything, it's supposed to be a surprise!
And, of course, the kid will buy that gift and get it delivered, lest their grandparents suspect of something. And if the parents are delightfully surprised, the kid can always tell that it wouldn't have been possible without the help of their grandparent, who was told not to say anything because it was a surprise!
That will be the high point on Christmas day, with all laughing a lot and praising the little kid to be so clever!
And, of course, in the meantime, all that the kid had done was to validate themselves as a senior citizen to join SL in peace — and without anyone ever suspecting of anything.
Obviously such social engineering will defeat any contemporary validation system — and that is a ruse that clever kids may really come up with. So the system might be 100% accurate in identifying the adult being validated, but that doesn't mean that Linden Lab can be 100% sure that Old Grandpa is really using the account, and not his clever granddaughter.
But, let's be honest, how many kids will really do that? And among those, how many will act 'adult enough' never to raise any suspicion?
Marty Mouse
yep Gwyneth Llewelyn if KYC then look more or less like Send Text Data + Send ID + Send Document with address (example bill) + Record video, this mostly is verified by Company who is verifier I mention "verif", that way is fast and 100% accurate, after done it hash data is send to company (in this case LL), when verification is done in verif company not keep any data so it's secure. Deep fake will be impossible because video take 1 minute life check so there is no AI who can generate that, also to make video on screen say how to do it (example open mouth, move head to right etc) so no able to predict before start recording, so can't fake it.
Gwyneth Llewelyn
In fact, in the distant past — even before the Teen Grid was set up — there were some notable SL residents who were underage teens on the 'adult' grid, and who had never been ousted as such. They were (still are) mature enough to not reveal their age, ever, and avoid any possibility of being ousted — and that meant staying away from adult regions, for example. Many thrived for years before they finally reached adulthood and could now safely 'reveal' that they weren't of age when they joined. But all of them were, and are, exceptionally intelligent persons, mature well beyond their years, even when they were just 13 or so.
In my own experience, none of those were really interested in engaging into the 'adult community' — for the simple reason that it really didn't interest them. Not as much as building things, scripting interactive devices, playing as DJs, or whatever grabbed their attention in SL. While certainly the weight of the adult community cannot be ever underestimated, the number of actual underage kids who are interested in that sort of thing is not high.
Therefore, you should consider the probabilities of all of that put together. You need to have a very mature, very clever, very deceitful kid, who also simultaneously is a great planner and deviser of complex schemes that do work, and, after joining, keep a very low profile; and, on top of all that, they must also be really interested in engaging in sex with adults, of their free and spontaneous will, obsessively so.
Obviously, such cases exist. We call some of them 'sociopaths' and 'psychopaths'. These were all young once, after all; some of them are really clever, in their deviant ways. Such a possibility cannot be discarded; in fact, the US NIH has published articles that the average US population contains 1.2% of psychopaths. Not all of them will be in Second Life, of course, much less while they're underage; but it's fair to admit that some will.
Gwyneth Llewelyn
... but if that's the case, well, we would need to assume that 1% of the overall SL population (adults and non-adults alike) is a psychopath. Many more than that will have some sort of mental disease. Well, since they're adults, obviously, LL allows them in; it's their right, after all, so long as they are free agents (e.g., not locked in a cell in a psychiatric hospital in isolation under charge of multiple serial murders...). LL does not discriminate between sane individuals and insane ones; there is no 'psychopath grid', after all.
Nevertheless, while LL cannot keep the psychos away from SL, they can guarantee that 'close-to-100%' of all residents will be legitimate adults (or equally-validated as late teens, who are allowed to roam the grid, so long as they stay on G regions with their special avatars that will never get their underwear off). The very few exceptions that will slip through are perhaps as many as those who, in real life, avoid being spotted as teens just because they 'act mature enough'. There aren't many, but the number is not zero, it's just small.
This is essentially what this proposal is saying. Let those who are adults voluntarily tell that to fellow SL residents. Be it with a badge, or with something else on their profiles, let anyone who wants to authoritatively claim to be nothing else but an adult to be able to do so, in a way that is guaranteed — by LL themselves (or anyone they outsource for that purpose, of course).
Let also sensitive content be optionally only accessible to 'verified adults' — in the same way that we can restrict content to 'oldbies', to avoid hordes of freshly-generated alts to roam the grid. So long as all of that is optional, voluntary, and opt-in, what exactly is the problem you guys have with it?
Gwyneth Llewelyn
Remember: LL will not get access to your ID card and/or information contained within; as explained before, the ID checking provider only sends back a token to LL, saying that this person has provided a valid ID. They will have no clue as to which resident that token applies. That means that LL only knows that the resident is an adult and nothing else. They might have not the slightest clue about who that person is, or where they live. Now that Tilia was sold, LL doesn't even have access to credit card data (or Skrill information). They cannot, even if they wish, neither confirm nor deny if a person is who they claim they are — and, frankly, LL doesn't care much.
What they do care about is avoiding litigation, of course. By transferring the burden of validation to a third party which offers that service, they can wash their hands on the subject. They can explain, under oath in a courthouse, how exactly they can be sure that person X is really an adult — so long as X is willing to validate themselves — and that, at least for the validated persons, LL can claim 100% conformity with whatever laws might prevent underage people to access SL.
Gwyneth Llewelyn
If the system check is subverted, well, then it's a crime — and outside the scope of any litigation procedure that involves LL. Minors may or may not be brought to court in such an affair (depends on the jurisdiction, of course), for purposefully defeating the ID checking providers' system in bad faith, but LL cannot be made a party to such a plot. They did all they can do to prevent such a situation from arising; when such an exceptional case presents itself, and which might prompt the kids' parents to sue LL, LL has a legal shield in place against such a provision.
The kids' parents may, in turn, try to sue the ID checking provider, but I doubt that they would be successful in that. Such providers have access to the best law firms across the world, advising them on how to provide bullet-proof procedures. Again, if someone defeats all the protections and barriers put in place, then that's a crime, and has nothing to do with a civil litigation. The ID checking provider can prove that it runs a legitimate operation which successfully validates the age of their users with an accuracy of close to 100%, and explain how they went through great pains to ensure that it stays that way.
Exceptions will naturally exist, but those will be up for the courts to decide. The point is... they will merely be exceptions, not the rule.
Gwyneth Llewelyn
prissypaw Aldrin
However...
Not even that will allow the hacker to know your avatar name.
Because...
- the app doesn't know, and never asks;
- the smartphone does not store the avatar data anywhere, because it doesn't need to do so;
- the avatar data is never retrieved from LL's servers, since it's not needed for anything;
- similarly, nobody at the ID verification provider knows who the avatar is, or how it is related to any people who did go through the procedure, so they can't store that information in their databases — even if they wanted;
- and, of course, LL has no idea who you are. They only know that the token they sent for a validation request for adulthood came back from the ID validation provider saying that you're an adult. They don't know anything else, so there is nothing more that LL can store but that you're a validated adult. They don't even get to know your age, or where you are located.
Cute, isn't it? 😁
The worst that could happen, therefore, is that some stupid developer, by sheer mistake, transmits back the information read from the ID card/password, and gets it stored somewhere, unknown to anyone, because they wanted to 'do some tests' and then 'forgot all about it' (or left the company, whatever). This is not supposed to happen — the company does not need the data at all — but, if it does, due to stupidity, well, you can rest assured that hackers will exploit it!
Gwyneth Llewelyn
Marty Mouse true — but although LL might not know if we're adults or not, they do know who our alts are. This is clearly stated in their ToS somewhere, where they explain that basic accounts can have 'up to 5' alts for free, and anything above that will be charged (I can't remember the limits for the others). What that means is that LL knows that, and it knows because they do digital fingerprinting. And, allegedly, they're far better at doing that than what most people realise (i.e., no, logging in from different computers and/or different viewers is irrelevant).
What that means is that, once one of your avatars is validated, LL can easily validate all the others automatically — if you wish, of course. You'd still have to go through all of them, one by one, to display their badge.
Aye, when I mentioned Persona, I had in mind companies exactly like Verif — there are a few of those around, and LL can safely shop around for the best price they can get!
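The token exchange described in the comments above, sketched as an added example that is not part of the thread and is not Linden Lab's or any provider's code. The names `Platform`, `provider_check` and `sign`, the shared HMAC key and the sample ID document are assumptions made for illustration; a deployment could equally use an asymmetric signature.

```python
import hashlib, hmac, json, secrets

PROVIDER_KEY = secrets.token_bytes(32)  # assumption: key shared by both parties

def sign(body):
    return hmac.new(PROVIDER_KEY, body.encode(), hashlib.sha256).hexdigest()

def provider_check(token, id_document):
    """ID-check provider: sees the document and an opaque token, no avatar."""
    adult = id_document["age"] >= 18   # constructed stand-in for the real checks
    body = json.dumps({"token": token, "adult": adult}, sort_keys=True)
    return {"body": body, "tag": sign(body)}   # the document is not returned

class Platform:
    """The platform: knows avatars, never sees the ID document."""
    def __init__(self):
        self._pending = {}     # token -> avatar; this mapping never leaves here
        self.verified = set()  # avatars entitled to the badge

    def start(self, avatar):
        token = secrets.token_urlsafe(32)  # random, encodes nothing about avatar
        self._pending[token] = avatar
        return token

    def finish(self, message):
        body, tag = message["body"], message["tag"]
        if not hmac.compare_digest(sign(body), tag):
            return False                   # forged or altered reply
        claim = json.loads(body)
        if set(claim) != {"token", "adult"}:
            return False                   # refuse replies carrying extra ID data
        avatar = self._pending.pop(claim["token"], None)  # tokens are single-use
        if avatar is None or claim["adult"] is not True:
            return False
        self.verified.add(avatar)
        return True
```

The strict field check in `finish` is the platform-side guard against the accidental leak mentioned in the thread: a reply that carries anything beyond the token and the yes/no result is rejected rather than stored.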