It’s been a little over a week since Discord said it will take its age verification mandate global, and despite promises that most users wouldn’t need to verify, the company is still in hot water with gamers.
Most recently, Discord’s been discovered to have worked with Peter Thiel-backed company Persona, which itself is embroiled in multiple scandals. These include allegations that it was keeping personal identifying data from Discord users longer than was initially stated, and a reveal that the company accidentally left some of its data available to view on the open internet. Discord now says it’s backing away from its partnership with Persona, but is it worth sticking around after all this?
What happened with Discord’s age verification rule?
When Discord announced that it would soon require age verification globally, it actually followed age verification programs that had already started in regions like Australia and the UK. Discord’s only known age verification partner in the United States is k-ID, which uses on-device facial scanning, but users discovered that in the UK, the company had also partnered with Persona. Discord’s partnership with Persona was for an “experiment” that could have seen users submitting information that would have been “temporarily stored for up to seven days, then deleted.”
According to reporting from PCGamer, the information came to light following reports that some UK-based Discord users had gotten requests to submit information to Persona, which prompted concerns about their facial data leaving their devices despite the initial announcement’s promise that only government ID data would go to the cloud, as well as how long any uploaded data would stay in the cloud. In a now-deleted support page, Discord clarified that the partnership was indeed real and part of an experiment, and added the note about the potential seven-day window for deletion, which contradicted statements that uploaded data would be deleted directly after age verification.
In a post on X, the CEO of Persona, Rick Song, attempted to defend the workflow, saying that “on-device facial scanning” is “unfortunately too easy to bypass today,” before later adding that uploaded information is still “processed and then deleted.” However, Song did not provide a timeline for deletion. And data potentially leaving the user’s device despite initial promises that it wouldn’t was only one part of the concern.
Over the weekend, a trio of hacktivists also discovered a vulnerability in Persona’s data front end, which—according to analysis from independent publication The Rage and anti-malware organization Malwarebytes—left 2,456 files accessible to the open internet. Both the hackers and Persona’s CEO, who have been in “good faith” communication, say that Persona itself was not hacked, and that the data was accidentally leaked and viewable to anyone with the know-how to find it (it has since been deleted).
The full report of the findings has been published by one of the hackers, Celeste, and details that the leak was apparently found via a U.S. government-authorized endpoint that had somehow been isolated from its regular work environment. While the hackers did not find personal identifying information in the leaked files, they did find that Persona often performs far more than age verification on data sent to its servers. According to the leaked code, the company uses facial recognition to perform 269 separate verification checks against watchlists across 14 categories (including terrorism and espionage) and tags its reports with codenames related to known public-private partnerships for tracking anything from cannabis distribution to money laundering. Information including collected IP addresses, browser and device fingerprints, phone numbers, names, faces, and more, can be stored for up to three years, according to the hackers’ findings.
Granted, it’s possible that Persona was not implementing all of these checks on users submitting age verification information via Discord, or keeping data for longer than the seven days mentioned on the now deleted support page. But it has not been a good look for either Persona or Discord.
Discord is ending its relationship with Persona
Following user outrage about personal data leaving their devices or staying on the cloud for an unknown period of time, as well as the news that the company responsible for said data had apparently allowed so many of its files to leak to the open internet, Discord has begun damage control.
The company told Ars Technica that only a “small number of users was included in the experiment” involving Persona, and that it “ran for less than one month.” More importantly, now that the experiment is purportedly over, Discord told both Ars and The Verge that it is no longer partnering with Persona, and that it will “keep our users informed as vendors are added or updated.”
On Persona’s end, the company clarified to Ars that it doesn’t have any government contracts. CEO Rick Song also said in communication with the hackers that the leaked information was based on publicly available records, before reiterating that Persona does not store data that users send to it. Song also said that Persona does not use AI, and despite being funded in part by Peter Thiel, does not have a relationship with Palantir.
Is it safe to stick with Discord?
While the extent to which Persona was storing or analyzing user data is unclear, the fact that it came as a surprise to so many users has been enough to prompt a massive increase in users trying alternatives like Teamspeak, which itself has taken the opportunity to criticize Discord’s security.
Personally, I likely won’t uninstall Discord right away (if only because I need it to write stories like this), but I would think twice about uploading information if asked to verify my age. Note, however, that Discord can use metrics like your signup email to guess your age even if you don’t send it personal identifying information—that’s actually how it’s planning to avoid pestering most of its users with age verification prompts.
But even if you divest from Discord, it should be noted that, depending on the services you use in your life, you might still have to interact with Persona. While Discord will no longer work with the age verification company, Persona still has active relationships with social media sites including Reddit and LinkedIn, games like Roblox, and even payment service Square and access management platform Okta.
Most notable might be Persona’s relationship with OpenAI: This appears to be how Persona’s code could have leaked in the first place. The hacktivists that discovered the leak found OpenAI signifiers in it—which, according to The Rage, means that OpenAI might have built an internal database for accessing Persona identity checks. This could explain how Persona’s data found its way onto a U.S. government computer despite the company supposedly not having any government contracts.
At any rate, as the internet becomes more connected and age verification becomes more common, flipping one switch, like divesting from a single app, likely isn’t enough to fully wipe your online presence anymore. It’s worth controlling what you can—Discord lets you delete information like sent messages or server channels—but it’s legally obligated to retain purchase information, and it chooses to retain additional information such as database backups, even after account deletion. You can see a full list of retained Discord information on the company’s website.
In the meantime, check out these 10 tips from my colleague Pranay Parab for staying secure while online.












