Backlash against Discord’s global age verification rollout intensified after the company briefly published, and then removed, a notice about a UK-based age verification test involving vendor Persona. The disclosure appeared to contradict earlier assurances about limited ID storage and transparency, according to Ars Technica.
One of the main concerns raised by users was Discord’s plan to collect more government-issued IDs as part of its global age checks. The issue drew heightened attention following a recent breach at a former third-party age verification partner that exposed 70,000 Discord users’ government IDs.
In response to criticism, Discord stated that most users would not need to submit government identification. Instead, the platform said it would rely on AI-powered video selfies to estimate users’ ages. That approach, however, raised additional privacy concerns.
Discord also suggested that behavioral signals might eventually reduce the need for age checks for most users. At the same time, the company acknowledged that users appealing incorrect age assessments would still be required to submit ID documents. That process mirrors the method involved in the prior breach.
Savannah Badalich, Discord’s global head of product policy, told The Verge that IDs submitted during appeals “are deleted quickly in most cases, immediately after age confirmation.”
Further criticism emerged after Discord posted, and later deleted, a disclaimer in its age assurance FAQ related to UK users. An archived version of the page stated that some users in the UK were part of an experiment in which their information would be processed by Persona. It noted that submitted data would be temporarily stored for up to seven days before deletion. For document verification, the notice said all details would be blurred except the user’s photo and date of birth.
Critics argued that the notice raised questions about how long IDs might be stored and which entities were involved in collecting data. Discord did not specify what the experiment was testing or how many users participated. Persona was also not listed as a partner on Discord’s platform.
Discord told Ars Technica that only a small number of users took part in the test, which lasted less than one month and has now concluded. The company confirmed that Persona is no longer an active vendor and said it would keep users informed as vendors are added or updated.
Rick Song, Persona’s chief executive, told Ars that all data related to individuals verified during the Discord test has been deleted.
Ars Technica reported that hackers identified a method to bypass Persona’s age checks on Discord. They also found a Persona frontend exposed to the open internet on a US government-authorized server.
The Rage, an independent publication focused on financial surveillance, reported that 2,456 publicly accessible files revealed details about Persona’s software. According to the report, the code showed extensive data collection, combining facial recognition with financial reporting features. It also described what appeared to be a parallel implementation designed to serve federal agencies.
Persona does not have government contracts, according to the publication. The exposed service was reported to be powered by an OpenAI chatbot.
Hackers further alleged that OpenAI may have created an internal database for Persona identity checks that spans all OpenAI users through what they described as an internal watchlist database. They suggested this could expand from comparing users against a single federal watchlist to building a broader user watchlist.