Why Gamers Are Still Upset About Discord’s Age Verification

It’s been just over a week since Discord announced it would be implementing mandatory age verification worldwide, and despite promises that most users won’t be required to verify their age, the company still finds itself in a difficult position with gamers.
Discord’s partnership with Peter Thiel-backed Persona, a company that has itself been embroiled in numerous scandals, was recently revealed. These include accusations that the company retained Discord users’ personal data longer than initially stated, as well as reports that the company accidentally left some of its data publicly available online. Now Discord has announced it is ending its partnership with Persona, but is it worth continuing the partnership after all this?
What happened to the age verification rule on Discord?
When Discord announced the imminent introduction of mandatory age verification worldwide, the company was effectively following the lead of age verification programs already launched in regions like Australia and the UK. Discord’s only known age verification partner in the US is k-ID, which uses on-device facial scanning, but users discovered that the company is also partnering with Persona in the UK. Discord’s partnership with Persona was related to an “experiment” in which users could provide information that would be “temporarily stored for up to seven days and then deleted.”
According to PCGamer, the information surfaced after some UK Discord users received requests to submit information to Persona, raising concerns that their facial data might leave their devices, despite an initial promise that only government-issued ID data would be uploaded to the cloud, as well as questions about how long the uploaded data would be stored in the cloud. On a now-deleted support page, Discord clarified that the partnership did indeed exist and was part of an experiment, and added a note about a possible seven-day deletion period, contradicting claims that uploaded data would be deleted immediately upon age verification.
In a post on X, Persona CEO Rick Song defended the existing workflow, stating that “on-device facial scanning” is “unfortunately too easy to circumvent today,” and then added that uploaded information is still “processed and then deleted.” However, Song did not specify a timeline for deletion. And the potential leakage of data from the user’s device, despite initial promises that it would not happen, was only one of the concerns.
Over the weekend, three hacktivists also discovered a vulnerability in the Persona data interface, which, according to an analysis by the independent publication The Rage and the anti-malware organization Malwarebytes, made 2,456 files publicly available online. Both the hackers and Persona’s CEO, who maintained “good faith” communication, claim that Persona itself was not hacked, and that the data was accidentally leaked and made available to anyone with the necessary knowledge to find it (it was later deleted).
A full report of the investigation’s findings was published by one of the hackers, Celeste, detailing that the breach was apparently detected through a US government-authorized endpoint that was somehow isolated from its normal operating environment. While the hackers didn’t find any personally identifiable information in the leaked files, they did discover that Persona often performs much more than just age verification based on the data sent to its servers. According to the leaked code, the company uses facial recognition to perform 269 separate watchlist checks across 14 categories (including terrorism and espionage) and tags its reports with codenames associated with known public-private partnerships to track everything from cannabis distribution to money laundering. The information, including collected IP addresses, browser and device fingerprints, phone numbers, names, faces, and more, can be stored for up to three years, according to the hackers’ findings.
Of course, it’s possible that Persona didn’t implement all these checks for users providing age information through Discord, or didn’t store the data longer than the seven days stated on the now-removed support page. But this didn’t benefit either Persona or Discord.
Discord is ending its partnership with Persona.
Following user outrage over their personal data leaving their devices or being stored in the cloud for an unknown period of time, and news that the company responsible for that data had apparently leaked a large number of its files onto the open internet, Discord began working to mitigate the damage.
The company told Ars Technica that the Persona experiment involved only a “small number of users” and that it “lasted less than a month.” More importantly, now that the experiment is presumably over, Discord told Ars and The Verge that it is no longer partnering with Persona and will “inform its users about the addition or update of providers.”
For its part, Persona clarified to Ars that it does not have any government contracts. CEO Rick Song also stated during a conversation with the hackers that the leaked information was based on publicly available records, after which he emphasized that Persona does not store any data sent to it by users. Song also stated that Persona does not use AI and, despite partial funding from Peter Thiel, has no ties to Palantir.
Is it safe to continue using Discord?
While it’s unclear to what extent Persona stored or analyzed user data, the fact that it came as a surprise to many users led to a surge in users trying alternatives like Teamspeak, which in turn took the opportunity to criticize Discord’s security.
Personally, I probably won’t delete Discord right away (if only because I need it for writing stories like this), but I would think twice about uploading information if I were asked to verify my age. It’s worth noting, however, that Discord may use information like your email address when you register to guess your age, even if you don’t provide any personal information—this is how it plans to avoid annoying age verification requests for most of its users.
But even if you ditch Discord, it’s worth noting that depending on the services you use, you may still need to interact with Persona. While Discord will no longer partner with the age verification company, Persona still maintains active relationships with social media platforms including Reddit and LinkedIn, games like Roblox, and even payments service Square and access management platform Okta.
Perhaps most notable is Persona’s connection to OpenAI: this appears to be how Persona code was leaked. Hacktivists who discovered the leak found signs of OpenAI in it, which, according to The Rage, means OpenAI may have created an internal database to access Persona identity checks. This could explain how Persona data ended up on a US government computer, despite the company allegedly not holding any government contracts.
In any case, as the internet becomes increasingly interconnected and age verification becomes more widespread, simply switching to a different mode, such as quitting a single app, is unlikely to be enough to completely delete your online activity. It’s worth controlling what you can—Discord allows you to delete information such as sent messages or server channels—but the company is legally required to retain purchase information, as well as additional information such as database backups, even after account deletion. A full list of the information Discord retains can be found on the company’s website.
In the meantime, check out my colleague Pranay Parab’s 10 tips on how to stay safe online.