Know Your Player
I tried to link my bank account to a QR payment app. It asked me to photograph my driver's license. All I wanted was to be able to withdraw my balance back to my bank account if I ever needed to.
Front. Back. Forty-five-degree angle. Then my face. Straight on. Turn right. Turn left. My face on the phone screen looked ridiculous every time I changed the angle. eKYC, apparently. Electronic Know Your Customer. Identity verification, digitized. Anti-money laundering requirements under financial regulations, so I get why it's necessary. I get it.
Back when I was in the game industry, age verification was far more pastoral.
"Bringing the card concept to online games was an invention. Whoever came up with card fusion was a devil." A game producer I knew said that.
Kompu gacha — collecting a full set of cards to unlock a rare reward — became a social problem. JOGA published guidelines on spending caps for minors. CESA put together its own policy on protecting underage users. The whole industry scrambled to respond.
The actual implementation was messy. Carrier billing, in-app purchases, prepaid cards — how do you aggregate spending across multiple payment channels? What happens when a user's birthday falls mid-month and their age bracket changes? If someone deletes their account and re-registers, does the spending cap reset? The guidelines left a mountain of edge cases unanswered.
And age verification itself was usually just a single date-of-birth field. A dropdown for the year. Anyone could change 1990 to 2000, or the other way around. No matter how much thought went into designing the spending cap, it meant nothing if the front door was wide open. There simply wasn't a way to verify for real.
Or was there? In 2011, au launched a carrier-based age verification service. It checked the subscriber's contract information and returned a single answer: "Is this user 18 or older?" True or false. No date of birth. No name. GREE, mixi, and Mobage adopted it. DoCoMo followed with the same mechanism for LINE's ID search restrictions.
Return only the information needed, at the granularity needed. That was the right design. The digital ID wallet the EU is building now follows the same idea. Prove only the age. Hand over nothing else.
The game industry never adopted eKYC. Still hasn't. It's either self-reported birthdays in a dropdown or platform-level parental controls. Whether that's good enough is a fair question, but at least they're not hoarding personal data.
Dating apps, on the other hand, have adopted eKYC voluntarily — with no legal mandate to do so. To combat catfishing and romance scams, they say.
Anti-money laundering needs a driver's license. Fraud prevention needs facial recognition. Age verification needs a boolean. Every industry carries different risks, different trade-offs, different granularity requirements. Obvious when you spell it out. But from the user's side, it all looks like the same "identity verification."
Turning my ridiculous face toward the screen, tilting left and right as instructed, I caught myself thinking. What exactly am I being protected from right now?