Discord's Age Verification Plan Sparks Global Privacy Backlash
Discord, the popular live streaming and communication service, is reportedly facing significant backlash after announcing plans to implement a global age-verification system. This new policy would default users to a teen experience until their ages are confirmed, raising widespread concerns about user privacy and data collection practices.
Controversial Partnerships and Data Breach Fears
According to a report by Ars Technica, criticism intensified when users learned that Discord's verification process might require government identification documents. This revelation came shortly after a breach at a former age-check partner exposed the identification documents of approximately 70,000 users. Although Discord clarified that most users would not need to provide IDs and would instead use AI video selfies to estimate age, this method has been questioned for its implications regarding biometric data.
Discord stated that users disputing an incorrect age classification could still be asked for identification, a process similar to the one involved in the previous breach. In response to concerns, Savannah Badalich, Discord's global head of product policy, told The Verge that IDs shared during appeals are deleted quickly, often immediately after age confirmation.
Confusion Over Data Retention and Vendor Transparency
Backlash grew further after Discord briefly published and later removed an FAQ disclaimer indicating that some UK users were part of an experiment run by Persona, an age-assurance vendor. The disclaimer noted that submitted information could be stored temporarily for up to seven days before deletion. Critics argued this created confusion over data retention periods and which external vendors handled user data, especially since Persona had not been publicly listed as a partner.
Discord later informed Ars Technica that only a small number of users participated in the test, which ran for less than a month, and confirmed the experiment has concluded. The company stated Persona is no longer involved and promised to keep users informed as vendors are added or updated. Meanwhile, Persona CEO Rick Song separately stated that all data collected from verified users during the trial was deleted immediately upon verification.
Regulatory Pressures Driving Stricter Policies
The report highlighted that Discord's decision to implement stricter age verification policies was influenced by regulations such as the ban on users under 16 in Australia and the Online Safety Act (OSA) in the United Kingdom. These laws require platforms to prevent minors from accessing adult content and to restrict adults from communicating with minors.
Discord appeared to struggle to find partners capable of meeting these dual requirements in the UK, as age checks designed to restrict children from adult content may not effectively stop tech-savvy adults attempting to contact minors. Persona was likely viewed as a partner acceptable to UK regulators, having been previously approved by the OSA as an age-verification provider for Reddit, which faces similar compliance challenges.
Scrutiny of Persona's Systems and Investor Concerns
After Discord removed its disclaimer referencing the Persona experiment, mistrust grew, and scrutiny of Persona intensified. Critics on social media platforms highlighted that Palantir co-founder Peter Thiel's Founders Fund is a major investor in Persona, raising concerns about potential influence or data access. This fueled fears that Discord user data could eventually feed facial recognition systems.
Cybersecurity researchers investigated Persona's systems and uncovered a workaround that could bypass age checks on Discord. They also found uncompressed frontend code exposed on a US government-authorised server, revealing extensive surveillance capabilities in Persona's software, which pairs facial recognition with financial reporting. However, Song confirmed to Ars Technica that there are no current government contracts for Persona and that the service uses publicly available sanctions lists without storing user-submitted data or using AI.
Persona's Response to Allegations
Persona's chief operating officer, Christie Kim, responded to what she described as misleading claims by stating that the company invests heavily in infrastructure, compliance, and training to handle sensitive data responsibly. Kim clarified that Persona has no partnerships with federal agencies like the Department of Homeland Security or ICE, and any potential contracts relate only to workforce account security for government employees.
Addressing investor concerns, Kim acknowledged Peter Thiel's Founders Fund as an investor but emphasized that investors have no access to Persona data and Thiel has no operational involvement. On X, Persona CEO Rick Song publicly exchanged emails with a hacker known as Celeste to address security concerns, with Celeste acknowledging finding no references to ICE or other cited organizations in source files.
Broader Implications for Age-Verification Services
Persona's reputational problems come as age-verification regulations expand globally, increasing demand for identity verification services. Persona's experience in financial fraud prevention, involving facial recognition and financial reporting, has made it attractive to platforms. However, Song denied that Persona connects facial biometrics to financial data or law enforcement.
Data retention policies remain a concern for privacy activists, who worry about technology companies storing large amounts of government identification information in databases that could be high-value targets for cyber attacks, especially given Discord's previous identification data breach.
This controversy underscores the challenges platforms face in balancing regulatory compliance with user privacy, as digital services navigate evolving global standards for online safety and data protection.
