Discord faces backlash over new age-verification plan, says controversial UK test with Persona has ended

Discord is reportedly facing backlash after announcing plans to roll out a global age-verification system. This would default users to a teen experience until their ages are confirmed.

These new changes are said to have prompted concerns about user privacy and data collection. The live streaming service has since said that a controversial UK test involving age-assurance vendor Persona has ended and that the company is no longer an active partner.According to a report by Ars Technica, criticism intensified after users learned that Discord’s verification process could require government IDs, shortly after a breach at a former age-check partner exposed the identification documents of around 70,000 users.

Although Discord stated that most users would not be required to provide their IDs and that AI video selfies would be used instead to estimate their age, the method has been questioned for other reasons related to biometric data.Discord stated that users who disputed an incorrect age classification may still be asked to provide identification, the same process used in the previous breach. Responding to concerns, Savannah Badalich, Discord’s global head of product policy, told The Verge that IDs shared during appeals“are deleted quickly—in most cases, immediately after age confirmation.”

Backlash grew further after Discord briefly published and later removed an FAQ disclaimer stating that some UK users were part of an experiment run by Persona, in which submitted information could be stored temporarily for up to 7 days before deletion. Critics argued that the disclosure created confusion over how long IDs were retained and which external vendors handled user data, particularly since Persona had not been publicly listed as a partner.Discord later told Ars Technica that only a small number of users participated in the test, which ran for less than one month, and confirmed that the experiment has concluded. The company said Persona is no longer involved and promised to “keep our users informed as vendors are added or updated.” At the same time, Persona CEO Rick Song separately stated that all data collected from verified users during the trial was deleted immediately upon verification.

Why were some users worried about Discord’s partnership with Persona

According to the report, the main reason behind Discord’s decision to implement stricter age verification policies was the influence of regulations in the wake of the ban on users under 16 in Australia and the Online Safety Act (OSA) in the United Kingdom, which mandates that platforms not only prevent minors from accessing adult content but also restrict adults from communicating with minors.The report noted that Discord appeared to struggle to find partners capable of meeting these dual requirements in the UK, since age checks designed to restrict children from adult content may not be effective in stopping tech-savvy adults attempting to contact minors. Discord likely viewed Persona as a partner acceptable to UK regulators, as the OSA had previously approved Persona as an age-verification provider for Reddit, which faces similar compliance challenges.At the same time, Persona entered the partnership as Discord users worldwide closely monitored whether the platform could be trusted with sensitive age-verification data. Persona’s website lists OpenAI as an active partner and claims it screens millions of users monthly. According to The Rage, “the publicly exposed domain, titled ‘openai-watchlistdb.withpersona.com,’” appears to “query identity verification requests on an OpenAI database” with a “FedRAMP-authorised parallel implementation of the software called ‘withpersona-gov.com.’” Hackers warned “that OpenAI may have created an internal database for Persona identity checks that spans all OpenAI users via its internal watchlistdb,” potentially exploiting the “opportunity to go from comparing users against a single federal watchlist, to creating the watchlist of all users themselves.”After Discord abruptly removed its disclaimer referencing the Persona experiment, mistrust grew, and scrutiny of Persona intensified.

Critics on X and other social media platforms highlighted that Palantir co-founder Peter Thiel’s Founders Fund is a major investor in Persona, raising concerns that Thiel could influence the company or gain access to its data. Others speculated that Thiel’s political connections might allow government access, fuelling fears that Discord user data could eventually feed facial recognition systems, prompting Persona CEO Rick Song to respond cautiously to mounting allegations.The backlash also prompted cybersecurity researchers to investigate Persona’s systems. According to The Rage, researchers uncovered a “workaround” that could bypass Persona’s age checks on Discord and found uncompressed frontend code “exposed to the open Internet on a US government-authorised server.” The publication reported that “in 2,456 publicly accessible files, the code revealed the extensive surveillance Persona software performs on its users, bundled in an interface that pairs facial recognition with financial reporting—and a parallel implementation that appears designed to serve federal agencies.”As reported by The Rage and confirmed by Song to Ars Technica, there are no current government contracts for Persona. “The service itself appears to be fueled by an OpenAI chatbot.” But, as Song explained in correspondence with researchers, the service “uses publicly available sanctions and warning lists, does not store any user-submitted data, and does not use AI.”

What Persona said about the Discord controversy

Persona's chief operating officer, Christie Kim, responded in an email to what she described as "misleading claims" circulating online by stating that the company "invests heavily in infrastructure, compliance, and internal training to ensure sensitive data is handled responsibly."Kim said that even though the business doesn't "usually engage with online speculation," the matter needed to be addressed "because we operate in a sensitive space and your trust in us is foundational to our partnership." Kim wrote, "A number of online articles and social media posts have been circulating for the past week, repeating false information about Persona and suggesting conspiracies regarding our work with Discord and our investors."Kim said Persona has no partnerships with federal agencies, including the Department of Homeland Security or Immigration and Customs Enforcement (ICE). “Transparently, we are actively working on a couple of potential contracts which would be publicly visible if we move forward,” she wrote, clarifying that any potential engagements relate only to workforce account security for government employees and “do not include ICE or any agency within the Department of Homeland Security.”Addressing investor concerns, Kim acknowledged that Peter Thiel’s Founders Fund is an investor but said investors do not have access to Persona data and that Thiel has no operational involvement. “He is not on our board, does not advise us, has no role in our operations or decision-making, and is not directly involved with Persona in any way,” Kim wrote, adding that “Persona and Palantir share no board members and have no business relationship with each other.”On X, Persona CEO Rick Song publicly exchanged emails with a hacker known as Celeste (@vmfunc) to clarify how the business addressed security concerns brought to its attention. Celeste acknowledged that they were acting "in good faith" and that they had "found zero references" to ICE or other organisations cited by critics "in all source files we found," Celeste said."Unfortunately, there is no way I can fully trust you here, and you know this." Celeste was being cautious in the conversation, even though she acknowledged that Persona had quickly fixed a frontend vulnerability.After more conversations, Celeste later added, "I see a lot of misinformation going online about our recent post about Persona." Additional correspondence that Ars Technica obtained indicated that Song's willingness to put statements on the record despite unverified accusations was appreciated.

In addition, Kim acknowledged that Persona was organising a press outreach campaign to clarify its stance and expressed regret for any inconvenience the increased scrutiny might have caused to existing or prospective partners.The report stated that Persona's reputation issues are occurring at a time when age-verification regulations are expanding worldwide, thereby creating demand for identity verification services.

Persona's experience in financial fraud prevention, which, according to a report by The Rage, involves facial recognition and financial reporting, has made it an attractive option for platforms. Song, however, has denied that Persona connects facial biometrics to financial data or law enforcement.However, the data retention policies of Persona, which mandate the storage of certain information for legal and audit reasons, remain a source of concern for privacy activists who are apprehensive about technology companies storing large amounts of government identification information in databases that are perceived to be high-value targets for cyber attacks, especially when users of Discord have already suffered an identification data breach.