Explained: What is Discord's age verification backlash in the UK linked to Peter Thiel-backed company Persona

Discord announced earlier this month that all users will soon be defaulted to teen experiences until their ages are verified. Soon after, the messaging platform faced backlash from users and privacy advocates over its expanded age verification plans.

The company faced criticism, particularly concerning the collection and handling of government identification data.The controversy began as users questioned Discord’s decision to introduce broader age checks shortly after a breach involving a former third-party age verification partner exposed government IDs belonging to around 70,000 Discord users. Critics argued that the move increased the risks associated with sensitive personal data, especially as the company confirmed that identity documents could still be required in certain cases under its global verification framework.

How Discord tried to reassure users about its handling of government IDs

Discord tried to reassure users by saying that most people would not need to submit government IDs, instead relying on video selfies analysed by AI systems to estimate user age. However, this approach raised separate privacy concerns, with users questioning biometric data processing and long-term data storage. The company also suggested that behavioural signals could eventually reduce the need for age verification checks, a statement some critics interpreted as downplaying the risks associated with data collection.

Concerns intensified after Discord confirmed that users appealing incorrect age assessments may still be required to submit identification documents, the same process linked to the earlier breach. Responding to criticism, Savannah Badalich, Discord’s global head of product policy, told The Verge that IDs shared during appeals “are deleted quickly—in most cases, immediately after age confirmation”.The backlash grew further when Discord briefly published, and later removed, a disclaimer from its age assurance FAQ that appeared to contradict earlier messaging about how long identification data might be stored, Ars Technica reported.An archived version of the page (seen by Ars Technica) included the note: “Important: If you’re located in the UK, you may be part of an experiment where your information will be processed by an age-assurance vendor, Persona. The information you submit will be temporarily stored for up to 7 days, then deleted. For ID document verification, all details are blurred except your photo and date of birth, so only what’s truly needed for age verification is used.

”Users and digital rights groups said the disclosure raised additional questions about transparency, including the role of Persona, a Peter Thiel-backed identity verification company that had not been publicly listed as a Discord partner. Initially, Discord did not clarify what the experiment entailed or how many users were affected, which added to concerns about third-party access to personal data.In a statement to Ars Technica, Discord said only a small number of users participated in the UK-based experiment, which ran for less than a month and has since concluded.

The company confirmed that Persona is no longer an active vendor and said it would “keep our users informed as vendors are added or updated”.Despite Discord distancing itself from Persona, the company’s CEO Rick Song addressed growing concerns, stating that data collected during the test did not remain stored. He told Ars Technica that all information belonging to verified individuals involved in Discord’s experiment was deleted immediately after verification, as scrutiny around age verification practices and data protection continues to intensify in the UK.

Why Discord turned to Persona for age verification in UK and how it sparked privacy fears

Discord’s decision to explore age verification solutions appears to have followed regulatory pressure after Australia introduced its under-16 social media ban and the United Kingdom’s Online Safety Act (OSA) came into force, requiring platforms to implement stricter safeguards for younger users.In the UK, Discord faced added complexity in identifying suitable verification partners, as the platform was not only required to prevent minors from accessing adult content but also needed mechanisms to stop adults from initiating contact with minors.

These dual requirements placed greater demands on age assurance systems compared to standard content-access checks.Beyond ongoing concerns about the accuracy of age estimation technologies, experts note an important distinction in how verification systems function. Age checks designed to restrict children from viewing adult material may not be sufficient to prevent determined adults from attempting to contact minors.

Under the UK’s OSA, Discord’s verification framework was expected to address both risks simultaneously.Persona appeared to fit these regulatory expectations, as the company had previously received approval under the OSA as an age verification provider for Reddit, a platform facing similar challenges related to user safety and access controls. Discord likely viewed Persona as a partner capable of meeting UK compliance standards.For Persona, the reported partnership came at a time when Discord users worldwide were closely assessing whether they were comfortable sharing age verification data with the platform. Concerns grew after Discord abruptly removed a disclaimer referencing an experimental programme involving Persona, prompting questions about transparency and data handling practices.Discussion quickly spread across X and other social media platforms, where critics pointed out that Palantir co-founder Peter Thiel’s Founders Fund was a major investor in Persona.

Some users expressed concern that Thiel could influence Persona or potentially gain access to data collected through verification processes. Others suggested that Thiel’s connections to the Trump administration could raise the possibility of government access. Fears that Discord user data could eventually be linked to government facial recognition systems circulated online, increasing scrutiny of Persona and prompting CEO Rick Song to respond cautiously to the allegations.

What security researchers said about Peter Thiel backed age verification company Persona

Security researchers began examining Persona’s systems following growing public criticism of the Peter Thiel-backed age verification company and its reported involvement in Discord’s UK age assurance experiment. Their findings added another layer to the privacy debate surrounding the platform’s data collection practices.According to The Rage, an independent publication focused on financial surveillance, researchers identified what they described as a “workaround” that could allow users to bypass Persona’s age verification checks on Discord.

The report also raised concerns among privacy advocates after researchers discovered that an uncompressed version of Persona’s frontend code was “exposed to the open Internet on a US government-authorised server.

”“In 2,456 publicly accessible files, the code revealed the extensive surveillance Persona software performs on its users, bundled in an interface that pairs facial recognition with financial reporting—and a parallel implementation that appears designed to serve federal agencies,” The Rage reported.As The Rage reported, and Persona CEO Rick Song confirmed to Ars Technica, the company does not currently hold government contracts. The exposed service instead “appears to be powered by an OpenAI chatbot", the publication noted. In a conversation with one of the researchers, Song clarified that the product relies on publicly available records of sanctions and warnings and does not store user data submitted to it.

Song also told Ars that the product does not use AI.OpenAI is also listed as an active partner on Persona’s website, which states that Persona screens millions of users for OpenAI each month. According to The Rage, “the publicly exposed domain, titled ‘openai-watchlistdb.withpersona.com,’” appears to “query identity verification requests on an OpenAI database” that has a “FedRAMP-authorized parallel implementation of the software called 'withpersona-gov.com'."Hackers warned “that OpenAI may have created an internal database for Persona identity checks that spans all OpenAI users via its internal watchlistdb,” potentially creating an “opportunity to go from comparing users against a single federal watchlist, to creating the watchlist of all users themselves.”What Persona said about its ties with Peter Thiel and the US governmentPersona’s chief operating officer, Christie Kim, sought to reassure Persona customers as the Discord controversy grew.

In an email, Kim said that Persona invests “heavily in infrastructure, compliance, and internal training to ensure sensitive data is handled responsibly” and not exposed.“Over the past week, multiple social media posts and online articles have circulated repeating misleading claims about Persona, insinuating conspiracies around our work with Discord and our investors,” Kim wrote.Noting that Persona does not “typically engage with online speculation,” Kim said that the scandal required a direct response “because we operate in a sensitive space and your trust in us is foundational to our partnership.”As expected, Kim noted that Persona is not partnered with federal agencies, including the Department of Homeland Security or Immigration and Customs Enforcement (ICE).“Transparently, we are actively working on a couple of potential contracts which would be publicly visible if we move forward,” Kim wrote. “However, these engagements are strictly for workforce account security of government employees and do not include ICE or any agency within the Department of Homeland Security.”Kim acknowledged that Thiel’s Founders Fund is an investor but said that investors do not have access to Persona data and that Thiel was not involved in Persona’s operations.“He is not on our board, does not advise us, has no role in our operations or decision-making, and is not directly involved with Persona in any way,” Kim wrote. “Persona and Palantir share no board members and have no business relationship with each other.”In the email, Kim confirmed that Persona was planning a press campaign to go on the defensive, speaking with media to clarify the narrative. She apologized for any inconvenience that the heightened scrutiny on the company’s services may have caused.That scrutiny has likely spooked partners that previously considered Persona to be a partner that was savvy about government approvals.Persona combats ongoing trust issuesFor Persona, the PR nightmare comes at a time when age verification laws are gaining popularity and beginning to take force in various parts of the world.

Persona’s background in verifying identities for financial services to prevent fraud seems to make its services—which The Rage noted combine facial recognition with financial reporting—an appealing option for platforms seeking a solution that will appease regulators.

Song has denied that Persona links facial biometrics to financial records or law enforcement databases in response to LinkedIn threads.But because of Persona’s background in financial services and fraud protection, its data retention policies—which require some data be retained for legal and audit purposes—will likely leave people uncomfortable with a tech company that gathers a massive database of government IDs.

Such databases are viewed as hugely attractive targets for bad actors behind costly breaches, and Discord’s users have already been burned once.On X, Song responded to one of the hackers—a user named Celeste with the handle @vmfunc—aiming to provide more transparency into how Persona was addressing the flagged issues. In the thread, he shared screenshots of emails documenting his correspondence with Celeste over security concerns.The correspondence showed that Celeste credited Persona for quickly fixing the front-end issue but also noted that it was hard to trust Persona’s story about government and Palantir ties, since the company wouldn’t put more information on the record. Additionally, Persona’s compliance team should be concerned that the company had not yet started an “in-depth security review,” Celeste said.“Unfortunately, there is no way I can fully trust you here and you know this,” Celeste wrote, “but I’m trying to act in good faith” by explicitly stating that “we found zero references” to ICE or other entities concerning critics “in all source files we found.”But Song and Celeste eventually ironed out some of the misunderstandings, with Celeste agreeing that flagged security concerns were not of such great severity. On Friday, Celeste posted on X, “I see a lot of misinformation going online about our recent post about Persona.” Later correspondence shared with Ars showed Celeste thanked Song for his honesty in responding to questions, noting that when a CEO puts statements on the record that counter the rumors, it carries weight in a situation where Persona’s claims couldn’t all necessarily be independently verified.