The source code for the Persona front-end used by Discord for age verification was accidentally made public. Analysis of this code has revealed that, while it was supposed to be "age verification," it also had modules that compared facial images with watchlists and PEPs, and reported directly to the government, causing a stir.
What was "found"?
Researchers and hacktivists have reportedly found the Persona front end (2,456 files) on a server authorized for the US government (federal agency), from which the following can be read:
- Implemented 269 validation checks.
- Ability to match facial images against watchlists and PEP lists.
- "Adverse media" screening function for 14 categories, including terrorism and espionage activities.
- It is designed to store IP addresses, browser/device fingerprints, government ID numbers, phone numbers, names, facial images, and selfie analysis (including age mismatch detection) for up to three years.
Additionally, the following modules were reportedly found within the same codebase:
- Suspicious Activity Report (SAR) submission module for FinCEN (implemented according to the XML schema on the FinCEN site).
- Suspicious Transaction Report (STR) submission module for Canada's FINTRAC.
In other words, what was exposed was not just a "single-function library for age verification," but the entire front end of a fully-featured KYC/AML platform. This has raised doubts and sparked outrage as to whether Discord's "age verification" is actually age verification.
What Discord's age verification actually did
At this point, however, the publicly available information does not make clear which of these functions were actually enabled.
- Discord initially claimed that facial photos were processed on the device, but later reportedly explained that in implementations using Persona, photos are sent to the server and stored for up to seven days.
- The leaked code indicates it is a "general-purpose KYC/AML engine" that includes PEP, sanctions, adverse media, and FinCEN/FINTRAC reports.
It is not surprising, and indeed to be expected, that such modules are included in Persona's codebase, since Persona's customers include cryptocurrency exchanges and financial institutions. However, the following points are merely inferences drawn from the existence of the code:
- Whether PEP/sanctions screening was always carried out for each age verification transaction.
- Whether SARs/STRs were automatically sent to FinCEN/FINTRAC, etc. based on age verification results and user behavior.
It is unclear from current reports whether these features were enabled in the Discord settings.
Therefore, the following understanding is probably correct:
- "Age verification was performed on the same platform, and PEP, sanctions, and FinCEN compliance features were also implemented and available."
- However, there is no evidence that "PEP verification and FinCEN reporting were conducted for every age verification transaction"; this remains at the level of concern or suspicion.
However, what is considered to be the problem?
The technical and legal facts are still under investigation, but the case has drawn criticism for the following reasons:
- Over-design that seems beyond its purpose
It was supposed to just be a "check to see if someone is over 18," but the stack behind the scenes was a huge KYC/AML suite capable of PEP, sanctions, adverse press checks, and even reporting to regulators.
- Lack of transparency
While the company explained to users that this was merely an "age verification" process, it did not disclose in advance that the process was actually being run on a full financial monitoring stack.
- Data retention and "sharing" concerns
The gap between Discord's promises (short-term retention, minimal use) and what the Persona code base shows: a design that can retain data for up to three years and a module for collaboration with government agencies.
In particular, with the emergence of the SAR/STR coordination code with regulatory authorities, suspicions are spreading that reports are being sent to FinCEN and other organizations.
In this situation, how can Discord/Persona clear the doubt?
It is nearly impossible to prove that something has not been done, but to show with some degree of persuasiveness that it was not done, the following are needed:
- The design makes the function unreachable or unusable in the deployed configuration (settings/architecture).
- There is no trace of the function being used in the actual operation logs (KYC event log, external link log, SAR management log).
- Data is not stored for long periods or used for secondary purposes (retention and deletion logs).
- A third-party audit report verifying the above.
Only when these four layers are in place can we reach a level where, from an expert's perspective, it is "unthinkable that they were doing it."
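To make the first three layers concrete, here is an added audit sketch (not code from Persona, Discord or any of the cited sources) that runs over constructed sample data: a hypothetical tenant configuration, hypothetical KYC event log lines, and the seven-day retention period from Discord's UK FAQ. The configuration keys and event names are assumptions; a real audit would read the operator's actual settings and logs.

```python
import json
from datetime import datetime, timedelta
# Constructed sample tenant configuration (not a real Persona config schema).
TENANT_CONFIG = {"age_estimation": True, "pep_screening": False, "sanctions_screening": False,
                 "adverse_media": False, "sar_submission": False, "str_submission": False}

# Constructed sample KYC event log as JSON lines; field and event names are hypothetical.
EVENT_LOG = """
{"ts": "2026-02-10T10:00:00Z", "session": "s1", "purpose": "age_verification", "event": "selfie_captured"}
{"ts": "2026-02-10T10:00:05Z", "session": "s1", "purpose": "age_verification", "event": "age_estimated"}
{"ts": "2026-02-10T10:00:06Z", "session": "s1", "purpose": "age_verification", "event": "pep_screen"}
{"ts": "2026-02-25T10:00:00Z", "session": "s1", "purpose": "age_verification", "event": "data_deleted"}
{"ts": "2026-02-11T10:00:00Z", "session": "s2", "purpose": "age_verification", "event": "selfie_captured"}
{"ts": "2026-02-15T10:00:00Z", "session": "s2", "purpose": "age_verification", "event": "data_deleted"}
"""

# Layer 1: modules that must be disabled for a tenant that only does age verification.
AML_MODULES = ("pep_screening", "sanctions_screening", "adverse_media",
               "sar_submission", "str_submission")
# Layer 2: log events that would show one of those modules actually ran.
AML_EVENTS = ("pep_screen", "sanctions_screen", "adverse_media_screen",
              "sar_submitted", "str_submitted")
# Layer 3: the seven-day retention period stated in Discord's UK FAQ.
RETENTION = timedelta(days=7)

def parse_events(log_text):
    return [json.loads(line) for line in log_text.strip().splitlines()]

def enabled_aml_modules(config):
    return [m for m in AML_MODULES if config.get(m, False)]

def sessions_with_aml_events(events):
    return sorted({e["session"] for e in events
                   if e["purpose"] == "age_verification" and e["event"] in AML_EVENTS})

def retention_violations(events, retention=RETENTION):
    # A session violates retention if its data was never deleted or deleted too late.
    first_seen, deleted_at = {}, {}
    for e in events:
        ts = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        first_seen.setdefault(e["session"], ts)
        if e["event"] == "data_deleted":
            deleted_at[e["session"]] = ts
    return sorted(s for s, t0 in first_seen.items()
                  if s not in deleted_at or deleted_at[s] - t0 > retention)

def audit(config, log_text):
    events = parse_events(log_text)
    return {"enabled_aml_modules": enabled_aml_modules(config),
            "sessions_with_aml_events": sessions_with_aml_events(events),
            "retention_violations": retention_violations(events)}
```

In the constructed sample, session s1 both triggers a PEP screen and is deleted after fifteen days, so it shows up under the second and third layers even though the configuration (first layer) looks clean.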
At present, based on publicly available information, the only country where it can be clearly confirmed that Discord used Persona is the United Kingdom (UK). Attention is focused on how the UK's Information Commissioner's Office (ICO), the privacy and data protection regulator, will act.
Discord has already ended its contract with Persona
In fact, Discord has already terminated its contract with Persona due to a strong backlash driven by suspicions that data handling was more extensive than explained and by distrust of the vendor's nature and political background.
The main points of contention can be roughly summarized into three points:
- Server-side processing and storage period differ from explanation
- Discord initially told users that face scanning would be done on device, but the UK FAQ now states that in its experiment with Persona, "submitted information will be stored on our servers for up to seven days."
- After this FAQ notice was published, it was quickly removed by Discord, raising suspicions that it was an attempt to hide it.
- Vendor ties to surveillance and government
- Persona has received funding from Peter Thiel's Founders Fund, and as Thiel is a co-founder of Palantir and has been deeply involved in government surveillance infrastructure, criticism has erupted over handing biometric information to a vendor with ties to surveillance-state players.
- Lack of transparency and treatment of "experiments"
- Persona was not initially listed on Discord's "official partner list" and was only being tested secretly for UK users.
- The explanations given about the scope of the impact, the specific processing details, and who would have access to the data were delayed and fragmented, leading to criticism that "users were used as guinea pigs" and "the quality of consent was insufficient."
According to an investigative article by Redact, "the Persona experiment began to be observed among UK users 'days' after the backlash against the global age verification announcement." This suggests that a very short test was conducted in early to mid-February 2026.
So what will Discord use instead?
Discord is currently planning to use Singapore's k-ID and the UK's Yoti (in some regions, including Europe) for age verification. Both systems estimate age from facial images captured by a camera and then compare the result with other evidence if there is any doubt, in line with ISO/IEC 27566-1 Age assurance systems — Part 1: Framework (freely available). However, each system has its own unique features.
Age estimation by face scan
- k-ID: Face scanning is processed only on the device, and it is possible to deploy a configuration in which facial data never leaves the device (a server-side verification function is also provided).
- Yoti: The facial image is sent to a server, where the age is estimated and the image is immediately deleted.
Other age verification methods
- k-ID: Parental consent/guardian verification (using email authentication, credit card payments, national ID, etc.), matching with trusted third-party data sources.
- Yoti: Digital ID wallet and ID + selfie verification
It appears that k-ID will be used globally, but just the name k-ID does not tell us whether it is on-device or server-side. Discord appears to be claiming that it is "on-device," so it would be desirable for them to ensure transparency by publishing third-party certification verification results that can verify this.
References
- Redact. (2026). Discord Tested Age Verification Vendor Persona: What Users Should Know. 2026-02-16. https://redact.dev/blog/discord-persona-age-verification-experiment
- Bernier, Rory. (2026). Discord ends Persona Age Verification test activity. LinkedIn. 2026-02-16. https://www.linkedin.com/posts/rorybernier_discord-ends-persona-age-verification-test-activity-7428905652959358977-CTB2/
- Cress, Laura. (2026). 'I do not trust them' – top streamers left concerned by Discord age checks. BBC. 2026-02-17. https://www.bbc.com/news/articles/cn4g8ynpwl8o
- Naprys, Ernestas. (2026). Firm that verifies mugshots for ChatGPT and Roblox feeds US surveillance apparatus with 269 distinct checks. Cybernews. 2026-02-19. https://cybernews.com/privacy/persona-leak-exposes-global-surveillance-capabilities/
- Alajaji, R. and S. Baldwin. (2026). Discord Voluntarily Pushes Mandatory Age Verification Despite Recent Data Breach. EFF Deeplinks. 2026-02-12. https://www.eff.org/deeplinks/2026/02/discord-voluntarily-pushes-mandatory-age-verification-despite-recent-data-breach
- L0la L33tz. (2026). Hackers Expose Age-Verification Software Powering Surveillance Web. The Rage. 2026-02-19. https://www.therage.co/persona-age-verification/
- ISO/IEC 27566-1. (2025). Information security, cybersecurity and privacy protection — Age assurance systems — Part 1: Framework. 2025-12. https://www.iso.org/standard/88143.html