Fury over Discord’s age checks explodes after shady Persona test in UK
Source: Ars Technica
Discord’s Age‑Verification Backlash
Shortly after Discord announced that all users would be defaulted to teen experiences until their ages are verified, the platform faced immediate backlash.
- The controversy was sparked by a third‑party breach that exposed 70,000 Discord users’ government IDs.
- Discord’s plan to collect more IDs as part of a global age‑verification process was seen as risky, especially after the breach.
What Happened
| Event | Details |
|---|---|
| Data breach (Oct 2025) | A former age‑check partner’s services were compromised, leaking 70,000 government IDs. [Ars Technica – 2025 breach] |
| Discord’s rollout announcement (Feb 2026) | Users would be placed in “teen” mode until age verification. The company said most users wouldn’t need to submit ID; instead, AI‑driven video selfies would estimate age. |
| Backlash | Critics warned that requiring IDs for appeal‑processes mirrored the breach scenario. Discord responded that ID data is deleted “quickly – in most cases immediately after age confirmation.” [The Verge interview] |
| FAQ disclaimer (deleted) | An FAQ note warned UK users that their data could be stored for up to 7 days by the vendor Persona before deletion. The note was later removed, raising concerns about transparency. [Archived FAQ] |
| Experiment details | Discord said the UK test involved a small number of users and lasted less than a month. Persona is no longer an active vendor. |
Quote from Savannah Badalich, Discord’s Global Head of Product Policy:
“IDs shared during appeals are deleted quickly—in most cases, immediately after age confirmation.”
Critic Reactions
- Transparency concerns: Critics argued Discord was hiding how long IDs might be stored and which third parties were involved. [The Rage analysis]
- Vendor opacity: Persona was not listed as a partner on Discord’s platform, and the experiment’s purpose and scale were undisclosed. [Rock Paper Shotgun commentary]
Discord’s Response
- The UK experiment has concluded; Persona is no longer a partner.
- Discord pledged to inform users whenever new vendors are added or updated.
- Rick Song, CEO of Persona, told Ars that all data from verified individuals in the test was deleted immediately after verification.
Takeaways
- Data minimization matters. Even temporary storage of sensitive IDs can erode user trust.
- Transparency is crucial. Clear, permanent documentation about third‑party vendors and data‑retention periods helps mitigate backlash.
- Alternative verification methods (e.g., AI‑driven video selfies) introduce new privacy questions that need careful handling.
Sources: Ars Technica, The Verge, The Verge, The Rage, Rock Paper Shotgun, archived Discord support page.
Persona Draws Fire Amid Discord Fury
The controversy began when Discord was forced to implement age‑verification solutions after Australia’s under‑16 social‑media ban and the United Kingdom’s Online Safety Act (OSA) came into effect.
The UK Challenge
In the UK, Discord struggled to find partners because it needed two kinds of protection:
- Block minors from accessing adult content – the usual age‑gate.
- Prevent adults from messaging minors – a stricter requirement imposed by the OSA.
Even though today’s age‑estimation technology has well‑documented accuracy problems (see Ars Technica’s analysis of age‑gate flaws), the nuance is that a system good enough to keep kids away from adult material may not be sufficient to stop tech‑savvy adults with malicious intent from contacting minors. The OSA explicitly required Discord’s age checks to satisfy both goals.
Why Persona Was Chosen
Discord likely assumed that Persona, an age‑verification service previously approved by the OSA for Reddit, would meet the regulator’s expectations. Reddit faces a similarly complex verification problem, making Persona an attractive candidate.
Growing Distrust
The partnership arrived at a moment when Discord users worldwide were already scrutinizing the platform’s handling of age‑check data. Discord’s sudden removal of the disclaimer about the “Persona experiment” amplified mistrust and drew even more attention to Persona.
Political and Privacy Concerns
On X (formerly Twitter) and other social platforms, critics highlighted that Peter Thiel’s Founders Fund—a major investor in Persona—could exert influence over the service or gain access to its data. Additional worries included:
- Potential ties between Thiel and the Trump administration, suggesting possible government access.
- Fears that Discord’s user data might eventually be fed into government facial‑recognition systems.
These concerns sparked a wave of conspiracy theories, intensifying pressure on Persona and leaving Discord’s leadership with little choice but to address the allegations cautiously.
Hackers Probe Persona
The mass outrage surrounding Persona prompted cybersecurity researchers to investigate the service. Their findings raised several concerns:
- Age‑verification bypass – Researchers quickly exposed a workaround that avoids Persona’s age checks on Discord. The discovery was reported by The Rage, an independent publication that covers financial surveillance.
- Exposed frontend code – The uncompressed frontend code of Persona was found “exposed to the open Internet on a U.S.‑government‑authorized server.”
“In 2,456 publicly accessible files, the code revealed the extensive surveillance Persona software performs on its users, bundled in an interface that pairs facial recognition with financial reporting—and a parallel implementation that appears designed to serve federal agencies,” The Rage reported.
Government contracts?
The Rage noted that Persona does not currently have any government contracts. Instead, the exposed service “appears to be powered by an OpenAI chatbot.” In correspondence with one of the researchers, Persona’s founder Rick Song clarified:
- The product is based on publicly available records for sanctions and warnings.
- The service does not store any user data sent to it.
- The product does not leverage AI.
“The exposed service appears to be powered by an OpenAI chatbot,” The Rage noted.
— Rick Song, in a tweet to a researcher (see tweet)
OpenAI partnership
Persona’s website highlights OpenAI as an active partner and claims that “Persona screens millions of users for OpenAI each month” (source). According to The Rage:
- The publicly exposed domain
openai-watchlistdb.withpersona.comqueries identity‑verification requests against an OpenAI database. - A “FedRAMP‑authorized parallel implementation” of the software exists at
withpersona-gov.com.
Potential internal watchlist
Hackers warned that OpenAI may have created an internal database for Persona identity checks that spans all OpenAI users via its internal watchlistdb. This could enable a shift “from comparing users against a single federal watchlist to creating the watchlist of all users themselves.”
“OpenAI may have created an internal database for Persona identity checks that spans all OpenAI users via its internal watchlistdb,” the warning stated.
OpenAI did not immediately respond to Ars Technica’s request for comment.
Persona Denies Government, ICE Ties
On Wednesday, Persona’s chief operating officer, Christie Kim, sought to reassure Persona customers as the Discord controversy grew. In an email, Kim said that Persona invests “heavily in infrastructure, compliance, and internal training to ensure sensitive data is handled responsibly,” and not exposed.
“Over the past week, multiple social media posts and online articles have circulated repeating misleading claims about Persona, insinuating conspiracies around our work with Discord and our investors,” Kim wrote.
Kim noted that Persona does not typically engage with online speculation, but the scandal required a direct response because “we operate in a sensitive space and your trust in us is foundational to our partnership.”
Key Points from Kim’s Email
- No partnership with federal agencies – Persona is not partnered with the Department of Homeland Security (DHS) or Immigration and Customs Enforcement (ICE).
- Potential government contracts – The company is actively working on a couple of potential contracts that would be publicly visible if they move forward. These engagements would focus solely on workforce account security for government employees and would not involve ICE or any DHS agency.
- Investor clarification – While Thiel’s Founders Fund is an investor, the fund’s investors have no access to Persona data. Peter Thiel is not on the board, does not advise the company, and has no role in Persona’s operations or decision‑making.
- No relationship with Palantir – Persona and Palantir share no board members and have no business relationship.
- Planned press campaign – Persona will launch a defensive press campaign, speaking with media to clarify the narrative.
- Apology – Kim apologized for any inconvenience the heightened scrutiny may have caused.
Kim concluded that the scrutiny has likely spooked partners who may have previously viewed Persona as a savvy, government‑approved partner.
Persona combats ongoing trust issues
For Persona, the PR nightmare comes at a time when age‑verification laws are gaining popularity and beginning to take force in various parts of the world. Persona’s background in verifying identities for financial services to prevent fraud seems to make its services— which The Rage noted combine facial recognition with financial reporting— an appealing option for platforms seeking a solution that will appease regulators. Song has denied that Persona links facial biometrics to financial records or law‑enforcement databases in responses to
Because of Persona’s financial‑services pedigree, its data‑retention policies— which require some data to be kept for legal and audit purposes—will likely make anyone uncomfortable with a tech company gathering a massive database of government IDs. Such databases are attractive targets for bad actors behind costly breaches, and Discord’s users have already been burned once.
On X, Song responded to one of the hackers—a user named Celeste with the handle @vmfunc to provide more transparency about how Persona was addressing the flagged issues. In the thread he shared screenshots of emails documenting his correspondence with Celeste over security concerns.
The correspondence showed that Celeste credited Persona for quickly fixing the front‑end issue but also noted that it was hard to trust Persona’s story about government and Palantir ties, since the company wouldn’t put more information on the record. Additionally, Persona’s compliance team should be concerned that the company had not yet started an “in‑depth security review,” Celeste said.
“Unfortunately, there is no way I can fully trust you here and you know this,” Celeste wrote, “but I’m trying to act in good faith” by explicitly stating that “we found zero references” to ICE or other entities concerning critics “in all source files we found.”
Song and Celeste eventually ironed out some of the misunderstandings, with Celeste agreeing that the flagged security concerns were not of great severity. On Friday, Celeste posted on X that “I see a lot of misinformation going online about our recent post about Persona.” Later correspondence shared with Ars showed Celeste thanked Song for his honesty in responding to questions, noting that the CEO putting statements on the record countering the rumors carried weight in a situation where Persona’s claims couldn’t all necessarily be independently verified.
This story has been updated to include additional insights from Persona.
About the author
Ashley Belanger is a senior policy reporter for Ars Technica, dedicated to tracking the social impacts of emerging policies and new technologies. She is a Chicago‑based journalist with 20 years of experience.
Comments
32 Comments
Related image
