
SoylentNews is people

posted by mrpg on Saturday February 28, @01:40AM
from the the-failure-is-the-system dept.

Hackers Expose The Massive Surveillance Stack Hiding Inside Your “Age Verification” Check:

We’ve been saying this for years now, and we’re going to keep saying it until the message finally sinks in: mandatory age verification creates massive, centralized honeypots of sensitive biometric data that will inevitably be breached. Every single time.

[...] A couple weeks ago, Discord announced it would launch “teen-by-default” settings for its global audience, meaning all users would be shunted into a restricted experience unless they verified their age through biometric scanning. The internet, predictably, was not thrilled. But while many users were busy venting their frustration, a group of security researchers decided to do something more useful: they took a look under the hood at Persona, one of the companies Discord was using for verification (specifically for users in the UK).

[...] Let me say that again: 2,456 publicly accessible files sitting on a government-authorized server, exposed to the open internet. Files that revealed a system performing not a simple age check, but a ton of potentially intrusive checks:

Once a user verifies their identity with Persona, the software performs 269 distinct verification checks and scours the internet and government sources for potential matches, such as by matching your face to politically exposed persons (PEPs), and generating risk and similarity scores for each individual. IP addresses, browser fingerprints, device fingerprints, government ID numbers, phone numbers, names, faces, and even selfie backgrounds are analyzed and retained for up to three years.

[...] Discord, to its credit, has now said it will not be proceeding with Persona for identity verification. And to be fair, Discord and similar internet companies are in an impossible position here—facing mounting regulatory pressure in multiple jurisdictions to verify ages while being handed a market of vendors who keep turning out to be security nightmares. But this is part of a pattern that should be deeply familiar by now.

[...] See the pattern? Discord keeps swapping vendors like someone frantically rotating buckets under a leaking roof, apparently hoping the next bucket won’t have a hole in it. But the problem was never the bucket. The problem is the hole in the roof — the never-ending stream of age-verification government mandates.

And this brings us to the bigger, more important point that almost nobody in the “protect the children” policy crowd seems willing to engage with honestly. Every single time you mandate age verification, you are mandating the creation of a centralized database of extraordinarily sensitive personal information. Government IDs. Biometric facial data. The kind of data that, once breached, cannot be “changed” like a password. You get one face. You get one government ID number. When those leak—and they will leak—the damage is permanent.

[...] We have been cataloging these breaches for years. In 2024, Australia greenlit an age verification pilot, and hours later a mandated verification database for bars was breached. That same year, another ID verification service was breached, exposing private info collected on behalf of Uber, TikTok, and more. Then came the Discord vendor breach last year. And now Persona.


  • (Score: 5, Insightful) by JoeMerchant on Saturday February 28, @04:01AM (2 children)

    by JoeMerchant (3937) on Saturday February 28, @04:01AM (#1435181)

    This was always obviously the true motivation.

    I'm pleased that they can no longer do things like this and keep them secret for decades.

    I'm saddened that they can do things like this in plain sight and such a large portion of the population believes it's all a hoax, or blown out of proportion, or not worth worrying about, or somebody else's problem entirely, because their pundits tell them so.

    --
    🌻🌻🌻🌻 [google.com]
    • (Score: 0) by Anonymous Coward on Saturday February 28, @07:25PM (1 child)

      by Anonymous Coward on Saturday February 28, @07:25PM (#1435215)

      It's the only thing we can do to protect the underage girls and boys from sexual predators. There's absolutely nothing else we can do. Religious and other venerable institutions are here to save us.

      • (Score: 1, Touché) by Anonymous Coward on Sunday March 01, @01:57AM

        by Anonymous Coward on Sunday March 01, @01:57AM (#1435246)
        Well the other way is to send them to Epstein Island where they will be safe. After all how many people there were ever found guilty of rape and sent to prison?
  • (Score: 2) by DadaDoofy on Saturday February 28, @02:59PM

    by DadaDoofy (23827) on Saturday February 28, @02:59PM (#1435192)

    I've been accused of advancing "crazy conspiracy theories" on this very site for suggesting age check is anything more than protecting "the children". Who knew it was a lot more? A whole lot more.

  • (Score: 2, Interesting) by VLM on Saturday February 28, @03:11PM (2 children)

    by VLM (445) Subscriber Badge on Saturday February 28, @03:11PM (#1435194)

    shunted into a restricted experience

    I still say this whole thing is corporate PR.

    They can't publicly say they don't want discord used by groomers and chez pizza traders and dick pick sharers for political reasons. The kind of people that burn down a city for a country having borders would riot at that. They can't oppose the actions of "those people" in public at this time.

    But, just like how anything inconvenient or annoying is done "for your security" or food package sizes only get smaller as prices go up WRT inflation, we're "totally not opposed to groomers we just need to verify IDs for some obscure regulatory reason" so I guess those guys will unavoidably have to go elsewhere. "Oh well."

    Corporations are not ruining my stuff this time so I don't care, and corporates gotta ruin stuff (ruining as a service) so it's not like they can be stopped from ruining stuff it's literally all they do. This is why the story isn't getting traction from the general public who near universally want to see kiddie predators tossed into ovens, and the kind of people who find nothing wrong with Epstein Island other than they weren't invited (mostly) are in charge of our government, at least one of our political parties, and legacy media, and they are panicking at the idea of being "noticed" so they won't stop pushing the story despite the disinterest from the public.

    Does Discord make money and/or good PR off the people who will have to flee discord if an identity is matched to their ... actions? The answer is no? And what exactly do I get personally out of big companies being prevented from not financially supporting "those people" and "their activities"? Nothing? Oh that must be why the general population isn't rioting about this issue. How will Discord ever survive not having stories in the press about anonymous users committing infinite illegal acts (sarcasm)?

    • (Score: 0) by Anonymous Coward on Saturday February 28, @07:27PM

      by Anonymous Coward on Saturday February 28, @07:27PM (#1435217)

      Alcohol is a hellova drug.

    • (Score: 1, Insightful) by Anonymous Coward on Monday March 02, @02:05PM

      by Anonymous Coward on Monday March 02, @02:05PM (#1435403)

      You're missing the forest for the trees. Several EU countries have straight up said they want to de-anonymize the internet. That's where this push is from. The companies are stuck in the middle but probably enjoy the better paying ads.. now that they're going to a "real" person.
