Discord Ends Partnership With Peter Thiel-Backed Verification Firm Amid Surveillance Concerns

Discord has severed its ties with Persona Identities, a verification software provider, following revelations that the company’s frontend code was openly accessible and contained functionalities linked to government surveillance operations. The move comes after researchers discovered nearly 2,500 files on a U.S. government-authorized endpoint, revealing Persona’s capacity to conduct facial recognition checks against watchlists and screen users for connections to politically exposed individuals. This partnership, which lasted less than a month, has drawn scrutiny to the methods and transparency of third-party identity verification services.

The accessible files indicated that Persona performs 269 distinct verification checks, extending far beyond simple age verification. These checks reportedly included screening for “adverse media” across 14 categories, such as terrorism and espionage, subsequently assigning risk and similarity scores to user data. Researchers detailed their findings, noting that no exploits were necessary to access this information, describing the entire architecture as “just on the doorstep.” They reportedly uncovered 53 megabytes of data on a Federal Risk and Authorization Management Program (FedRAMP) government endpoint, which also contained reports tagged with codenames from active intelligence programs. Persona, partially funded by Palantir co-founder Peter Thiel’s venture firm Founders Fund, continues to provide similar age verification services for other major platforms like OpenAI, Lime, and Roblox.

Discord confirmed the dissolution of its brief collaboration with Persona, stating that only a limited number of users participated in the short-lived test. Any data submitted during this period was reportedly stored for a maximum of seven days before deletion. This incident is not the first time Discord, a platform popular among diverse communities from gamers to professionals, has faced issues concerning third-party vendors and user data. Last year, a breach at a third-party service provider, 5CA, led to hackers accessing government IDs of over 70,000 users who had undergone age verification. Discord clarified at the time that the incident was not a breach of its own systems but rather of a vendor assisting its customer support and trust and safety teams.

Earlier this month, Discord initiated a policy to default all accounts to teen-safety settings, a move that initially implied mandatory age verification using Persona for users seeking full access. This decision sparked immediate user backlash, fueled by lingering concerns from the previous data breach. Discord quickly amended its stance, clarifying that age verification would remain optional unless users wished to access age-restricted servers and channels. The company emphasized that it could determine the ages of most users through existing information and offered video selfies as an alternative to uploading government IDs. Discord asserted that facial scans would not leave users’ devices and that identifying documents submitted to third-party vendors would be deleted promptly, typically immediately after age confirmation.

However, an archived version of Discord’s FAQ on age verification policies appeared to contradict some of these assurances. It mentioned an “experiment” in the UK where user information would be processed by Persona and temporarily stored for up to seven days. Persona CEO Rick Song addressed the findings, stating that the accessible files were not a vulnerability but rather publicly available frontend information, akin to uncompressed source maps already present on users’ devices. Song acknowledged that having uncompressed files online might not be ideal but maintained that the information discovered was not considered a major vulnerability internally.

Song also defended Persona’s operational integrity, asserting that the company has no ties to Palantir, ICE, or other government entities, despite pursuing FedRAMP authorization for workforce security applications. He clarified that while Persona offers 269 verification options, clients only utilize those relevant to their specific needs, distinguishing between social media age verification and employer background checks. Song further denied that Persona links facial biometrics to financial records or law enforcement databases, publicly sharing email exchanges to refute claims of a connection between Persona, Palantir, and ICE. He also responded to criticism regarding his own LinkedIn profile, which showed a verified badge but no photo, emphasizing the irony of privacy advocates demanding individuals “facedox” themselves online.

Staff Report
