DISCLAIMER: The bug report made below is not intended to be a criticism of EU legislation or Roblox’s moderation systems. Rather, it is intended to expose a severe vulnerability which is being employed by individuals with malicious intentions having the goal of undermining the procedures set in place to protect minors online.
Hello,
I am a community developer for the Roblox open-world action role-play experience Clark County, which itself is developed and owned by the unionWARE development studio. Recently, our team has been under attack by bad actors who are misusing the protections Roblox offers to minors under the EU Digital Services Act in order to get high-profile accounts falsely terminated off the platform. The individual(s) have already successfully taken down our holder account as well as the community owner’s account through the method I have detailed below.
Bad actors not currently living in the EU begin by using a Virtual Private Network (VPN) connection to pose as a resident of the EU and gain access to the special DSA report terminal. Alternatively, these individuals can contact friends who do live in the EU to submit the report on their behalf. Then, individuals will find a default (or empty, depending on the date of account creation) starter place owned by the victim to be used as a decoy in tripping Roblox’s automated moderation system. Though not explicit, bad actors will often select the most egregious violation listed as an option — typically child exploitation — in an attempt to elevate the weight of the report and its corresponding punishment. After this, bad actors simply have to wait for the report to be automatically processed and for an account termination to be issued to the targets.
By taking a quick look at the DSA’s Transparency Database using these specific search parameters, it is revealed that tens of fully automated actions were recently taken under the EU’s DSA against Roblox accounts, resulting in complete termination of the involved users’ accounts. Though it is plausible that the majority of these actions were taken faithfully, we believe that many other Roblox accounts, alongside those of our team, have been terminated incorrectly. Additionally, further investigation of some of these reports reveals that actions were taken against accounts who allegedly uploaded content on the 1st of January 2001 (01-01-2001), which is of course impossible given that Roblox was not available to the public at that time. This leads me to one of two conclusions: either there is a database error on the website’s end that is giving out a default fall-back date, or there is foul play involved, abusing an invalid date to provoke an erroneous response from the automated system.
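As an added illustration (not code from the original report, Roblox or the Transparency Database), the following check models how a moderation pipeline could refuse to auto-apply a decision whose record carries an impossible content date like the 01-01-2001 value described above. The record fields, the platform launch date and the sample records are assumptions constructed for this example.

```python
"""Sanity checks for automated moderation decisions, modelled on the
anomaly described above: statements of reasons whose alleged content
date (01-01-2001) predates the platform's existence.

Added example, not Roblox's or the DSA database's own code. Record
fields, the launch date and the sample records are assumed/constructed."""
from dataclasses import dataclass
from datetime import date

# Assumption: the platform was not publicly available before this date.
PLATFORM_LAUNCH = date(2006, 9, 1)
# Sentinel values that commonly leak out of an unset or defaulted date field.
SENTINEL_DATES = {date(2001, 1, 1), date(1970, 1, 1), date(1, 1, 1)}

@dataclass
class Statement:
    record_id: str
    decision_date: date
    content_date: date        # when the reported content was allegedly uploaded
    automated_decision: bool  # fully automated, no human reviewer involved
    decision: str             # e.g. "account_termination", "content_removal"

def review_flags(s: Statement) -> list[str]:
    """Return the reasons why this decision should not be applied automatically."""
    flags = []
    if s.content_date in SENTINEL_DATES:
        flags.append("content_date is a default/sentinel value")
    if s.content_date < PLATFORM_LAUNCH:
        flags.append("content_date predates platform launch")
    if s.content_date > s.decision_date:
        flags.append("content_date is after the decision date")
    if s.automated_decision and s.decision == "account_termination":
        flags.append("fully automated account termination")
    return flags

def needs_human_review(records):
    """Map record_id -> flags for every record that trips at least one check."""
    return {r.record_id: f for r in records if (f := review_flags(r))}

# Constructed sample records, not real database entries.
SAMPLE = [
    Statement("rec-001", date(2024, 5, 10), date(2001, 1, 1), True, "account_termination"),
    Statement("rec-002", date(2024, 5, 11), date(2024, 5, 9), False, "content_removal"),
    Statement("rec-003", date(2024, 5, 12), date(2024, 6, 1), True, "content_removal"),
]

if __name__ == "__main__":
    for rid, flags in needs_human_review(SAMPLE).items():
        print(rid, "->", "; ".join(flags))
```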
This matter was briefly touched upon earlier this year in this DevForum post, but the post did not appear to receive much attention and the issue was neither resolved nor mitigated. It is for those reasons that I am writing today.
Expected behavior
I am expecting that Roblox and their moderation team will exercise their discretion fairly — as they always have — and work towards investigating and resolving this matter as soon as possible to prevent further abuse and targeting of experience administrations and holder accounts. I would like to emphasize the time-sensitive nature of this matter, as every moment that a solution is not being worked on is more time for malicious individuals to spend abusing online safeguards for unclear motives.
Thank you for your time.
A private message is associated with this bug report