What’s worse than having one massive security incident associated with Discord? How about a second security incident.
The privacy and security scandals just keep on piling up for age verification in general. At the centre of these scandals seems to be Discord which, at times, feels like a company trying to do everything in their power to prove that users can trust neither age verification nor the company.
A major problem with age verification is the fact that it, by its very nature, is a massive government surveillance program of people. Governments are requiring people to fork over highly sensitive personal information just to access the services they already use. For reasons that should be totally freaking obvious, some people have a problem with that. Not everyone wants the government to have access to their porn browsing history, nor do they want the government to know what exactly they are up to on social media or what they are doing in video games. There’s this thing called human rights and there are damn good reasons why people have those rights in the first place.
Nevertheless, the anti-human rights crowd has been pushing hard to destroy that right to privacy and security, and one of those fronts is through highly intrusive age verification laws. Perhaps the most disappointing aspect in all of this is the fact that some major platforms like Facebook and Bluesky have been enthusiastic to assist governments and refuse to even protect their own users throughout all of this. This, sadly, has given the green light for governments to crack down on smaller websites in the process. It’s a frustrating decision that was made, but a decision that was made nevertheless.
At any rate, the consequences are quite obvious. People’s personal information is being actively harvested and stored whether people want it to be or not. Many people were rightfully questioning whether these data harvesting techniques can even be trusted. In response, the companies have been pushing out buzz phrases like “AI powered” and “double blind” in a bid to assure both lawmakers that their technology is accurate (it is not) and users that their personal information is safe (it is not). Those efforts were shattered when a supposed “double blind” age verification company was busted snooping on users’ browsing history and the systems were defeated by sharpies and a picture of a golden retriever.
While there are many scandals that are going around with age verification, one platform has been especially rocked with numerous scandals over age verification: Discord. Discord was one of the early adopters of age verification. At first, it was just another name in a long line of platforms and services simply abiding by the new laws. However, last year, it would be Discord that was brought to the forefront of everything that is wrong with age verification. While promising that the information is secure, their age verification system suffered from a massive data breach where at least 70,000 users had their information compromised. Hackers said that the number actually ranges in the millions, but either way, this represented a massive blow not only to Discord’s reputation, but also to age verification as a technology. This is because it confirmed the worst fears privacy advocates everywhere had of the technology.
Fast forward to this year, Discord then, in a completely baffling move, announced that it would be expanding its age verification globally. This suggested that they ultimately learned nothing from the breach and are more interested in hoovering up as much personal information as humanly possible. For users, this represented a very callous disregard towards their interests. Developers even went so far as to create a dedicated tool to defeat the age verification process.
Discord, along the way, promised that the personal information wouldn’t even leave the users’ devices. That promise of not collecting personal information didn’t last long as the company then “experimented” with another age verification vendor, Persona. Shortly after the revelation that they were using another age verification company, the company admitted that the personal information was, in fact, collected, but only stored for 7 days. Things got worse when revelations surfaced that Persona had links to Peter Thiel and Palantir, a surveillance company actively harvesting people’s personal information and assisting ICE in their deadly crackdown on American citizens with that gathered information. Things got even more controversial when revelations also surfaced that the fascist Trump regime was flooding platforms with subpoenas in an effort to track down people accused of posting thought crimes on the internet.
Just when you thought that things couldn’t get any worse for Discord, well, they did. New revelations have come out that Discord’s age verification through Persona has suffered from a data leak. The leak exposed the front end of Persona and left thousands of files exposed. Researchers examined those files and that resulted in even more damaging revelations. From Malwarebytes:
Researchers investigating Discord’s age-verification checks say they discovered an exposed frontend belonging to Persona, the identity-verification vendor used by Discord. It revealed a far more expansive surveillance and financial intelligence stack than a simple “teen safety” tool.
A short while ago we reported that Discord will limit profiles to teen-appropriate mode until you verify your age. That means anyone who wants to continue using Discord as before would have to let it scan their face—and the internet was far from happy.
To analyze these scans, Discord uses biometric identity verification start-up Persona Identities, Inc., a venture that offers Know Your Customer (KYC) and Anti-Money Laundering (AML) solutions that rely on biometric identity checks to estimate a user’s age.
To demonstrate the privacy implications, researchers took a closer look and found a publicly exposed Persona frontend on a US government–authorized server, with 2,456 accessible files.
You read that right. According to researcher “Celeste” the exposed code, which has now been removed, sat at a US government-authorized endpoint that appears to have been isolated from its regular work environment.
In those files, the researchers found details about the extensive surveillance Persona software performs on its users. Beyond checking their age, the software performs 269 distinct verification checks, runs facial recognition against watchlists and politically exposed persons, screens “adverse media” across 14 categories (including terrorism and espionage), and assigns risk and similarity scores.
Persona collects—and can retain for up to three years—IP addresses, browser and device fingerprints, government ID numbers, phone numbers, names, faces, plus a battery of “selfie” analytics like suspicious-entity detection, pose repeat detection, and age inconsistency checks.
That is one damning report right there. Forget the data never leaving the device and forget about it just being temporarily stored for 7 days, we’re talking about data retention of a whopping 3 freaking years as the company builds a highly detailed profile of you and your movements across 269 types of data. Like, holy shit, dude! This is the worst case scenario for privacy advocates times 10 at this point. Somewhere, a tin foil hat wearing government conspiracy theorist’s head is exploding right now over such revelations.
The age verification supporters’ talking points about age verification system security are not only dead, but have the coffin lid sealed shut with nails, the coffin filled with garlic, and buried 6 feet under right now. Age verification is now little more than a very blatant and obvious mass government surveillance system and this revelation only further proves that point. Anyone who says age verification systems will protect your privacy deserves to get laughed out of the room because the reputation damage has already been done. There’s just no coming back from this.
Update: After feedback, I attempted to corroborate the connection of a government approved server and was unable to find it. The article has been amended accordingly.
Drew Wilson on Mastodon, Twitter and Facebook.


They have officially cut ties with Persona. Also, I have looked into it and while it was extremely bad, the government ties bit seems to have been misinformation, at least from where I’ve read.
Took a second look into that aspect. You are right from what I can tell. This point appears to only be in the source article. Other sources aren’t mentioning this, so I removed the couple of words I wrote and added an editorial note on the bottom.
Wonder if this will finally make Canadian senators, politicians, and the government stop following like blind sheep what other countries have fallen for — this population surveillance and control disguised as age‑gate nonsense or “think of the children”.
I tagged Senator Paula Simons on this one (she was opposed to this during the senate debate) through Mastodon. Don’t know how much of a difference that will make, but figured it was worth a shot.
https://discord.com/blog/getting-global-age-assurance-right-what-we-got-wrong-and-whats-changing
Looks like Discord is running scared and at least delaying things and doing some… semi-reasonable things like verifying with credit cards like Steam does (and even then I don’t trust Discord with that info) and such.
But like anything involving this, more ugliness pops up next to it. Looks like Persona is starting to be used by Twitch to verify for new affiliates, and I hear Patreon is rolling out the same.
Found an article on the Verge and was going to use that as a source, but the direct post works even better. Thanks. Used that in my followup article. https://www.freezenet.ca/discord-cuts-ties-with-persona-delays-global-age-verification/