Discord announced earlier this month that all users will soon be defaulted to teen experiences until their ages are verified. Soon after, the messaging platform faced backlash from users and privacy advocates over its expanded age verification plans. The company was criticised, especially regarding the collection and processing of government identification information.The issue arose when users questioned Discord’s decision to implement general age verification checks only after a breach involving a former third-party age verification partner revealed the government IDs of approximately 70,000 Discord users. Critics argued that the move increased the risks associated with sensitive personal data, especially as the company confirmed that identity documents could still be required in certain cases under its global verification framework.

How Discord tried to reassure users about its handling of government IDs

Discord tried to reassure users by saying that most people would not need to submit government IDs, instead relying on video selfies analysed by AI systems to estimate user age. However, this approach raised separate privacy concerns, with users questioning the processing of biometric data and its long-term storage. The company also suggested that behavioural signals could eventually reduce the need for age verification checks, a statement some critics interpreted as downplaying the risks associated with data collection.Concerns intensified after Discord confirmed that users appealing incorrect age assessments may still be required to submit identification documents, the same process linked to the earlier breach. Responding to criticism, Savannah Badalich, Discord’s global head of product policy, told The Verge that IDs shared during appeals “are deleted quickly—in most cases, immediately after age confirmation”.The backlash grew further when Discord briefly published, and later removed, a disclaimer from its age assurance FAQ that appeared to contradict earlier messaging about how long identification data might be stored, Ars Technica reported.An archived version of the page (seen by Ars Technica) included the note: “Important: If you’re located in the UK, you may be part of an experiment where your information will be processed by an age-assurance vendor, Persona. The information you submit will be temporarily stored for up to 7 days, then deleted. For ID document verification, all details are blurred except your photo and date of birth, so only what’s truly needed for age verification is used.”Users and digital rights groups said the disclosure raised additional questions about transparency, including the role of Persona. This Peter Thiel-backed identity verification company had not been publicly listed as a Discord partner. Initially, Discord did not clarify what the experiment entailed or how many users were affected, which added to concerns about third-party access to personal data.In a statement to Ars Technica, Discord said only a small number of users participated in the UK-based experiment, which ran for less than a month and has since concluded. The company confirmed that Persona is no longer an active vendor and said it would “keep our users informed as vendors are added or updated”.Despite Discord distancing itself from Persona, the company’s CEO, Rick Song, addressed growing concerns, stating that the data collected during the test was not stored. He told Ars Technica that all information belonging to verified individuals involved in Discord’s experiment was deleted immediately after verification, as scrutiny around age verification practices and data protection continues to intensify in the UK.

Why Discord turned to Persona for age verification in the UK and how it sparked privacy fears

Discord began moving towards age verification in the UK under pressure from regulators, especially following the ban on users under 16 on social media platforms in Australia and the enforcement of the Online Safety Act (OSA), which required platforms to introduce stricter measures to protect minors.In the UK, Discord faced more obstacles in selecting verification partners. The service not only had to ensure that minors were not exposed to adult content but also that adults were not able to contact minors. This made the age verification filters work harder than the typical content filters.People are not only concerned about the accuracy of age-estimation technology but also about a crucial difference in age-verification filters. Preventing minors from accessing adult content may not be sufficient to prevent a determined adult from attempting to contact a minor. The UK Office of Surveillance and Regulation (OSA) addressed this problem.Persona appeared to meet such regulatory requirements, having already received approval from the OSA as an age verification service for Reddit, a site facing similar safety and access control issues. Discord probably considered Persona a partner that could help it meet UK regulatory requirements.For Persona, the reported partnership came at a time when Discord users worldwide were closely assessing whether they were comfortable sharing age verification data with the platform. Concerns grew after Discord abruptly removed a disclaimer referencing an experimental programme involving Persona, prompting questions about transparency and data handling practices.Discussion quickly spread across X and other social media platforms, where critics pointed out that Palantir co-founder Peter Thiel’s Founders Fund was a major investor in Persona. Some users expressed concern that Thiel could influence Persona or potentially gain access to data collected through verification processes. Others suggested that Thiel’s connections to the Trump administration could raise the possibility of government access. Fears that Discord user data could eventually be linked to government facial recognition systems circulated online, increasing scrutiny of Persona and prompting CEO Rick Song to respond cautiously to the allegations.

What security researchers said about Peter Thiel-backed age verification company Persona

Security researchers began examining Persona’s systems following growing public criticism of the Peter Thiel-backed age verification company and its reported involvement in Discord’s UK age assurance experiment. Their findings added another layer to the privacy debate surrounding the platform’s data collection practices.According to The Rage, an independent publication focused on financial surveillance, researchers identified what they described as a “workaround” that could allow users to bypass Persona’s age verification checks on Discord. The report also raised concerns among privacy advocates after researchers discovered that an uncompressed version of Persona’s frontend code was “exposed to the open Internet on a US government-authorised server.”“In 2,456 publicly accessible files, the code revealed the extensive surveillance Persona software performs on its users, bundled in an interface that pairs facial recognition with financial reporting—and a parallel implementation that appears designed to serve federal agencies,” The Rage reported.As The Rage reported, and Persona CEO Rick Song confirmed to Ars Technica, the company does not currently hold government contracts. The exposed service instead “appears to be powered by an OpenAI chatbot”, the publication noted. In a conversation with one of the researchers, Song clarified that the product relies on publicly available records of sanctions and warnings and does not store user-submitted data. Song also told Ars that the product does not use AI.OpenAI is also listed as an active partner on Persona’s website, which states that Persona screens millions of users for OpenAI each month. According to The Rage, “the publicly exposed domain, titled ‘openai-watchlistdb.withpersona.com,’” appears to “query identity verification requests on an OpenAI database” that has a “FedRAMP-authorised parallel implementation of the software called ‘withpersona-gov.com’.”Hackers warned “that OpenAI may have created an internal database for Persona identity checks that spans all OpenAI users via its internal watchlistdb,” potentially creating an “opportunity to go from comparing users against a single federal watchlist, to creating the watchlist of all users themselves.”

What Persona said about its ties with Peter Thiel and the US government

Persona’s chief operating officer, Christie Kim, sought to reassure Persona customers as the Discord controversy grew. In an email, Kim said that Persona invests “heavily in infrastructure, compliance, and internal training to ensure sensitive data is handled responsibly” and not exposed.“Over the past week, multiple social media posts and online articles have circulated repeating misleading claims about Persona, insinuating conspiracies around our work with Discord and our investors,” Kim wrote.Noting that Persona does not “typically engage with online speculation,” Kim said that the scandal required a direct response “because we operate in a sensitive space, and your trust in us is foundational to our partnership.”As expected, Kim noted that Persona is not partnered with federal agencies, including the Department of Homeland Security or Immigration and Customs Enforcement (ICE).“Transparently, we are actively working on a couple of potential contracts which would be publicly visible if we move forward. However, these engagements are strictly for workforce account security of government employees and do not include ICE or any agency within the Department of Homeland Security,” Kim wrote.Kim acknowledged that Thiel’s Founders Fund is an investor but said that investors do not have access to Persona data and that Thiel was not involved in Persona’s operations.“He is not on our board, does not advise us, has no role in our operations or decision-making, and is not directly involved with Persona in any way. Persona and Palantir share no board members and have no business relationship with each other,” Kim added.In the email, Kim confirmed that Persona was planning a press campaign to go on the defensive, speaking with media to clarify the narrative. She apologised for any inconvenience that the heightened scrutiny on the company’s services may have caused. That scrutiny has likely spooked partners who previously considered Persona a savvy player in government approvals.For Persona, the PR nightmare comes at a time when age-verification laws are gaining popularity and beginning to take effect worldwide. Persona’s background in verifying identities for financial services to prevent fraud makes its services, which The Rage noted combine facial recognition with financial reporting, an appealing option for platforms seeking a solution that will appease regulators. Song has denied that Persona links facial biometrics to financial records or law enforcement databases in response to LinkedIn threads.But because of Persona’s background in financial services and fraud protection, its data retention policies, which require some data be retained for legal and audit purposes, will likely leave people uncomfortable with a tech company that gathers a massive database of government IDs. Such databases are viewed as hugely attractive targets for bad actors behind costly breaches, and Discord’s users have already been burned once.On X, Song responded to one of the hackers, a user named Celeste with the handle @vmfunc, aiming to provide more transparency into how Persona was addressing the flagged issues. In the thread, he shared screenshots of emails documenting his correspondence with Celeste over security concerns.The correspondence showed that Celeste credited Persona for quickly fixing the front-end issue but also noted that it was hard to trust Persona’s story about government and Palantir ties, since the company wouldn’t put more information on the record. Additionally, Persona’s compliance team should be concerned that the company had not yet started an “in-depth security review”, Celeste said.“Unfortunately, there is no way I can fully trust you here, and you know this,” Celeste wrote, “but I’m trying to act in good faith” by explicitly stating that “we found zero references” to ICE or other entities concerning critics in all source files we found.But Song and Celeste eventually ironed out some of the misunderstandings, with Celeste agreeing that flagged security concerns were not of such great severity. Last week, Celeste posted on X, “I see a lot of misinformation going online about our recent post about Persona.” Later correspondence shared with Ars Technica showed Celeste thanked Song for his honesty in responding to questions, noting that when a CEO puts statements on the record that counter the rumours, it carries weight in a situation where Persona’s claims couldn’t all necessarily be independently verified.