---
Title: Identity Verification is as Bad as It Can Be
Status: published
Date: 2026-03-22
Category: cyber
Tags:
  - enforcement
  - platforms
  - tech-culture
  - security
  - software-architecture
  - rhetoric
  - services
  - fiasco
  - discord
---

This is an addendum to [OS-Level Age Attestation is the Good One][os-level], where I talk about the potential of legal standards for age attestation as an alternative to age verification. Not already convinced of the dangers of age verification? 
The extent of the evil waiting behind identification systems and deanonymization is unspeakably vast, and fortunately it's getting extensive coverage. Here's a quick look to get you up to speed.

[os-level]: /blog/2026/03/22/addendum-identity-verification-is-as-bad-as-it-can-be/

### Direct digital censorship

A lot of the energy behind age verification comes from authoritarians eager to censor political dissent, promote propaganda and retaliate against critics. 
This is a power grab, with bills designed to seize power over specific content the government objects to:

::: thread unified
    ![AriCohn: This House E&C Markup is off to a "saying the quiet part out loud" start, with the Chairman saying outright "algorithms amplify addictive, harmful content." - It is always, 100% of the time, about content. And that's why these bills continue to be unconstitutional.](https://twitter.com/AriCohn/status/2029574263670292900)
    ![AriCohn: "These platforms are engineered to capture kids' attention" - I hate to break it to Congress, but that's literally the point of all media. "Creating media that people want to keep consuming" is not a standard workable under the First Amendment.](https://twitter.com/AriCohn/status/2029578829988000089)
    ![AriCohn: @AOC Here's the problem: the FTC can just decide that whatever content it doesn't like is harming children, and find some way that platforms aren't acting "reasonably" to prevent it.  - And it will.](https://twitter.com/AriCohn/status/2029584855067963652)


Governments are, of course, trying to claim control over "public discourse". 
Like all seizing of arbitrary power, the risks associated with this are volatile and unbounded, because they depend on who holds power at any given moment in a political system where power is expected to rotate. 


### Discord

As a case study, let's take a look at one of the latest major services to attempt age verification: Discord.
At time of writing, Discord is in the process of trying to switch to a "[Teen Default](https://discord.com/press-releases/discord-launches-teen-by-default-settings-globally)" system, where every user is assumed to be a minor unless they can prove their age to Discord. 
Discord is a communications platform used widely by adults, and during COVID Discord very intentionally expanded their market domain beyond gaming to focus on being a global platform, so the assumption that all spaces are for kids is clearly incorrect.[^discord-both]
But Discord is sometimes used by children, and since it's a communications platform people can use it to communicate horrible things. 
[Boomers have learned they can be insane about this,](https://danboguslaw.substack.com/p/leaked-intel-brief-shows-feds-terrified) so Discord is under significant pressure to balance its goal of being a universal communications platform with child safety.

<!-- more -->
<!-- todo previous breach -->

But Discord is also under significant pressure not to collect identifying data. Their attempts at identity-based age verification last year led to them storing government identification, which [hackers stole in a data breach](https://arstechnica.com/security/2025/10/discord-says-hackers-stole-government-ids-of-70000-users/). 
Discord provided no recourse for the users it needlessly exposed to identity theft.
It claims 70,000 users were exposed by this, although the hackers [claimed to have vastly more data than this](https://x.com/DiscordPreviews/status/1975909634293854364).

To add insult to injury, Discord claimed none of this data existed in the first place. [Discord asserted](https://web.archive.org/web/20251210090919/https://support.discord.com/hc/en-us/articles/30326565624343-How-to-Complete-Age-Assurance-on-Discord) that "Images of your identity documents and ID match selfies are deleted directly after your age group is confirmed". 
This was an outright lie. Discord uploaded those images to a service that stored this private, personal information, perhaps indefinitely. 
The fact that made this claim (and [still do today](https://support.discord.com/hc/en-us/articles/30326565624343-How-to-Complete-Age-Assurance-on-Discord)!) should tell you that when you see this language, you should assume it's a lie. 

That breach was revealed in October 2025. Hot off the heels of having all this publicly revealed, Discord launched *another* age verification effort. 
In this latest "teen default" effort Discord verified ages with a combination of government ID and biometrics. You could either submit government ID documents or give them a "video selfie" to determine if you looked adult enough for them. 

[^discord-both]:
    ::: thread unified
        ![im.giovanh.com: I think any centralized product that’s  designed to be voice chat for preteens can’t also be the backbone of the entire creative industry. I think that’s two things](https://bsky.app/profile/im.giovanh.com/post/3mehv4spdm22i)
        ![im.giovanh.com: I also think adults having functional, modern communication infrastructure is more important than chat for games for children. If I had a monopoly on both and someone told me at gunpoint I had to choose which thing to stop doing, it’d be accommodating children.](https://bsky.app/profile/im.giovanh.com/post/3mehveu5tgs2i)

Discord promised these videos would be analyzed on your device and immediately deleted. They'd never leave your device and no one would ever get private information. Only the inferred age would be sent. 

> [Mark Smith (VP of Core Tech at Discord)](https://www.reddit.com/r/discordapp/comments/1r05vkj/discord_will_require_a_face_scan_or_id_for_full/o4j5nl1/?context=9){: .cite}
> Last, I know that there is concern about privacy and data leaks. That's a real concern. <mark>The selfie system is built purely client-side, it never leaves your device, and we did that intentionally.</mark> 

<!-- > That'll work for a bunch of users who aren't pre-identified as adults. But if you do end up in the ID bucket, then yeah, you're right that has some risk. We're doing what we can to minimize this by working with our range of partners (who are different partners than the data leak you read about), and if it's any help, we learned a lot internally from the last issue. But I get if that doesn't necessarily inspire more confidence. -->

They repeated this policy emphatically, in bold unicode letters, with no room for ambiguity or qualification:

<!-- ![discord: We’ve seen some questions about our age assurance update and we want to share more clarity. We know how important these changes are to our community. - Here’s what we want you to know: - ‣‣‣ 𝗗𝗶𝘀𝗰𝗼𝗿𝗱 𝗶𝘀 𝗻𝗼𝘁 𝗿𝗲𝗾𝘂𝗶𝗿𝗶𝗻𝗴 𝗲𝘃𝗲𝗿𝘆𝗼𝗻𝗲 𝘁𝗼 𝗰𝗼𝗺𝗽𝗹𝗲𝘁𝗲 𝗮](https://twitter.com/discord/status/2021295316469940606) -->

> [@discord](https://x.com/discord/status/2021295316469940606){: .cite}
> ‣‣‣ 𝗙𝗮𝗰𝗶𝗮𝗹 𝘀𝗰𝗮𝗻𝘀 𝗻𝗲𝘃𝗲𝗿 𝗹𝗲𝗮𝘃𝗲 𝘆𝗼𝘂𝗿 𝗱𝗲𝘃𝗶𝗰𝗲. 𝗗𝗶𝘀𝗰𝗼𝗿𝗱 𝗮𝗻𝗱 𝗼𝘂𝗿 𝘃𝗲𝗻𝗱𝗼𝗿 𝗽𝗮𝗿𝘁𝗻𝗲𝗿𝘀 𝗻𝗲𝘃𝗲𝗿 𝗿𝗲𝗰𝗲𝗶𝘃𝗲 𝗶𝘁.
> 
> ‣‣‣ 𝗜𝗗𝘀 𝗮𝗿𝗲 𝘂𝘀𝗲𝗱 𝘁𝗼 𝗴𝗲𝘁 𝘆𝗼𝘂𝗿 𝗮𝗴𝗲 𝗼𝗻𝗹𝘆 𝗮𝗻𝗱 𝘁𝗵𝗲𝗻 𝗱𝗲𝗹𝗲𝘁𝗲𝗱.
> 
> ‣‣‣ 𝗗𝗶𝘀𝗰𝗼𝗿𝗱 𝗼𝗻𝗹𝘆 𝗿𝗲𝗰𝗲𝗶𝘃𝗲𝘀 𝘆𝗼𝘂𝗿 𝗮𝗴𝗲 — 𝘁𝗵𝗮𝘁’𝘀 𝗶𝘁. 𝗬𝗼𝘂𝗿 𝗶𝗱𝗲𝗻𝘁𝗶𝘁𝘆 𝗶𝘀 𝗻𝗲𝘃𝗲𝗿 𝗮𝘀𝘀𝗼𝗰𝗶𝗮𝘁𝗲𝗱 𝘄𝗶𝘁𝗵 𝘆𝗼𝘂𝗿 𝗮𝗰𝗰𝗼𝘂𝗻𝘁.

This was a lie. Instead of analyzing it privately on peoples' local devices, Discord [started secretly exfiltrating the videos from peoples' devices anyway](https://www.eurogamer.net/discord-advises-uk-users-that-they-may-be-part-of-an-experiment-where-instead-of-their-age-verification-data-never-leaving-their-phone-it-will-now-actually-leave-their-phone). Children took videos of themselves with an absolute expectation those videos would never be shared or analyzed by humans, but they were. Discord exploited these children.

This was an [obvious and predictable turn](https://bsky.app/profile/im.giovanh.com/post/3mei2rjcy3k2i). Even before you get into the base corporate instincts of data harvesting, the reason the age verification category exists at all is a refusal to trust the client device. As long as the client's device can answer "yes", client-side verification is attestation.

<!-- #### wait did you say persona -->

Discord didn't analyze this video themselves, they sent it to a third-party biometric service provider, Persona.
So what happens to government id or biometric information sent to Persona? 

Persona is actually bulk screening users for an *enormous* list of troubling criteria. 
This was never disclosed by Persona or regulators, but documented by independently security researchers [vmfunc](https://twitter.com/vmfunc), [MDL](https://twitter.com/mdlcsgo), and [Dziurwa](https://github.com/Dziurwa14). in [the watchers: how openai, the US government, and persona built an identity surveillance machine that files reports on you to the feds](https://vmfunc.re/blog/persona). 

When Persona runs a government ID, they don't just verify the validity, they compile an identity dossier and return the full data compilation to their customer, including detailed personal information not provided on the ID. 
Its handling of biometric data is also disastrous. Persona's `watchlistdb` program uses biometric data like selfies in conjunction with OpenAI to detect "Politically Exposed Persons", compare identities against a list of "suspicion types" including "terrorist financing", and worse.
It compares screened identities to government watchlists, checking for sanctions, citizenship, nationality, "politically exposed persons", and involvement with "business adverse media".

A few choice conclusions from the vmfunc essay, which I recommend you read fully if you're interested in this sort of thing:

> the platform has a full SAR module for filing directly with FinCEN (Financial Crimes Enforcement Network, US Treasury). it’s not a third-party integration or an export. they literally have a “Send to FinCEN” button.  
> ...  
> government agencies using this platform can flag individuals and generate FinCEN filings, Suspicious Activity Reports sent directly to the US Treasury’s Financial Crimes Enforcement Network. the code handles the full lifecycle from creation to government acceptance or rejection.  
> ...  
> alongside US FinCEN, the platform files STRs (Suspicious Transaction Reports) with FINTRAC (Financial Transactions and Reports Analysis Centre of Canada). the STR form schema maps 1:1 to FINTRAC’s reporting format  
> ...  
> operators build facial databases, selfies from verifications get added, incoming verifications get matched against them, and it’s supposedly a 3-year max retention with automatic deletion.  
> ...  
> the CheckName enum contains 269 individual verification checks across 14 check types. some highlights:
> 
> **selfie checks (23):**
> 
> ```
> SelfieIdComparison              - face vs ID photo
> SelfieAccountComparison         - face vs existing account
> SelfieLivenessDetection         - spoof detection
> SelfiePublicFigureDetection     - do you LOOK LIKE someone famous?
> SelfieSuspiciousEntityDetection - you look "suspicious." literally.
> SelfieExperimentalModelDetection - EXPERIMENTAL ML models on your face
> SelfieRepeatDetection           - duplicate selfie detection
> SelfieSimilarBackgroundDetection - same background as another user
> SelfieAgeComparison             - estimated age from face
> SelfieAgeInconsistencyDetection - age doesn't match ID
> SelfieFaceCoveringDetection     - wearing a mask? flagged.
> SelfieGlassesDetection          - glasses? noted.
> SelfiePoseRepeatDetection       - same pose as last time?
> ```
> 
> `SelfieSuspiciousEntityDetection`. what makes a face “suspicious”? the code doesn’t say. the users aren’t told.
> 
> **government ID checks (43):** including AAMVA database lookup (US driver’s license database), physical tamper detection, MRZ detection, electronic replica detection, NFC chip reading with PKI validation, public figure detection, Real ID detection.
> 
> **database checks (27):** including deceased detection (SSA death master file), social security number comparison, phone carrier checks, SERPRO (Brazil) face comparison, Aadhaar (India) database checks, TIN validation.
> 
> **document checks (29):** including JPEG original image detection, PDF editor detection, PDF annotation detection, synthetic content detection, digital text modification detection.
> 
> **business checks:** including AI identity comparison, website backlink detection, domain age check, terms of service legitimacy detection.
> 
> 269 checks. for wanting to use a chatbot in 2026.  
> ...  
> the same company that takes your passport photo when you sign up for ChatGPT also operates a government platform that files Suspicious Activity Reports with FinCEN and tags them with intelligence program codenames. same codebase. confirmed by matching git commit hashes across deployments.

It's bad. 
Once your data is in someone else's hands, regardless of the purpose it was collected for, companies are hungry to use it for everything they can think of. 

### The Hunger

There is an insatiable hunger to misuse identity data. 
Tyrants are eager to wage war against an ever-expanding category of political enemies and are trying to accumulate arbitrary power to do it.

It's no coincidence groups like the Heritage Foundation are pushing to tie online speech to legal identities while the government is exercising vicious policing power to treat legal speech as criminal terrorism. 
[Activists are being arrested and jailed for possessing anarchist zines](https://theintercept.com/2026/02/16/daniel-sanchez-estrada-prairieland-trial-zines/) and [owning a printing press to print left-wing books.](https://prairielanddefendants.com/about-the-case/)
People are being imprisoned for speaking political dissent and for reading political theory the current administration opposes. 

In the digital world, people using their real names online [are being deported for political speech](https://www.msn.com/en-us/news/politics/state-dept-revokes-visas-for-foreigners-celebrating-charlie-kirks-assassination-including-a-neurosurgeon-depraved/ar-AA1MBMok). These are legal residents mocking personal allies of the current administration -- not even elected officials -- having their lives destroyed.

This is already happening in the UK, in the wake of the "Online Safety Act" which requires "highly effective" identity verification, such as linking social media accounts to a government ID. 
This is designed to [impose sweeping restrictions on speech and expression](https://www.usermag.co/p/the-uks-censorship-catastrophe-is).
It's disguised as a child safety measure, but its true purpose is (avowedly!) intentional control over ["services that have a significant influence over public discourse"](https://archive.ph/2025.08.13-190800/https://www.thetimes.com/comment/columnists/article/online-safety-act-botched-2xk8xwlps):

> [Juliet Samuel, "Online Safety Act was botched from the start"](https://archive.ph/2025.08.13-190800/https://www.thetimes.com/comment/columnists/article/online-safety-act-botched-2xk8xwlps){: .cite}
> ...the relevant secretary of state (Michelle Donelan) expressed “concern” that the legislation might whack sites such as Amazon instead of Pornhub. In response, officials explained that the regulation in question was “not primarily aimed at … the protection of children”, but was about regulating “services that have a significant influence over public discourse”, a phrase that rather gives away the political thinking behind the act. 

In their "what you share leaves a trace" campaign, UK counterterrorism brags about their ability to destroy the lives of children accused of reposting "terrorist content" links:

![]({attach}./uk-counterterrorism.mp4)
{: .size-s}

But what is "terrorist content?" *Oh, you know.*
[Holding pro-Palestinian political positions](https://www.bbc.com/news/articles/c8rvly00440o), for sure.
[Protesting overly-aggressive antiterrorism law that allows arresting protestors is terrorism too.](https://www.independent.co.uk/news/uk/crime/protest-palestine-action-terror-arrest-london-b2804835.html)
There doesn't appear to be any speech exempt from nuclear suppression if the regime decides they want it gone. 

In the US, age verification laws are [expected to force trans people to identify themselves on-record in order to use the internet](https://www.theverge.com/policy/892075/age-verification-kansas-id-trans) even as a government-sanctioned genocide against people continually ramps up in ferocity. 
[Age verification laws like KOSA are purposed to "Protect Kids from The Transgender"](https://www.them.us/story/kosa-senator-blackburn-censor-trans-content), and anti-trans groups like the Heritage Foundation are already foaming at the mouth, eager to use obscenity law to [categorize "trans content" as generally harmful to minors as a way of wiping it out.](https://www.techdirt.com/2023/05/24/heritage-foundation-says-that-of-course-gop-will-use-kosa-to-censor-lgbtq-content/)

Identification mechanisms give eager busybodies who are not interested in preserving free expression tools to censor and regulate content. It's a back door to invasive, unpopular, illegal regulation of peoples' personal lives. They know it and that's why they want it. 

## Related Reading


::: container related-reading
    - [Jeremy Bubsy, "Prison-Style Free Speech Censorship Is Coming for the Rest of Us"](https://theintercept.com/2026/02/16/daniel-sanchez-estrada-prairieland-trial-zines/)
    - [Taylor Lorenz, "The UK's censorship catastrophe is just the beginning"](https://www.usermag.co/p/the-uks-censorship-catastrophe-is)
    - [Juliet Samuel, "Online Safety Act was botched from the start"](https://archive.ph/2025.08.13-190800/https://www.thetimes.com/comment/columnists/article/online-safety-act-botched-2xk8xwlps).
    - [the watchers: how openai, the US government, and persona built an identity surveillance machine that files reports on you to the feds](https://vmfunc.re/blog/persona)
    - [Mike Masnick, "Heritage Foundation Says That Of Course GOP Will Use KOSA To Censor LGBTQ Content"](https://www.techdirt.com/2023/05/24/heritage-foundation-says-that-of-course-gop-will-use-kosa-to-censor-lgbtq-content/)
    - [Ken Klippenstein, "Trump Declares War on Left With "Domestic Terrorist" Designation"](https://www.kenklippenstein.com/p/breaking-trump-declares-war-on-left)
    - [Jacob Ridley, "Scientists warn against crappy age verification: 'if implemented without careful consideration… the new regulation might cause more harm than good'"](https://www.pcgamer.com/hardware/scientists-warn-against-crappy-age-verification-if-implemented-without-careful-consideration-the-new-regulation-might-cause-more-harm-than-good/)
    - [Janus Rose, "‘Age Verification’ could force trans people to out themselves to use the internet"](https://www.theverge.com/policy/892075/age-verification-kansas-id-trans)
    - [Vikki Blake, "Discord advises UK users that they 'may be part of an experiment' where instead of their age verification data never leaving their phone, it will now actually leave their phone"](https://www.eurogamer.net/discord-advises-uk-users-that-they-may-be-part-of-an-experiment-where-instead-of-their-age-verification-data-never-leaving-their-phone-it-will-now-actually-leave-their-phone)
	- [Taylor Lorenz, "The UK’s Online Safety Act is a licence for censorship – and the rest of the world is following suit"](https://www.theguardian.com/commentisfree/2025/aug/09/uk-online-safety-act-internet-censorship-world-following-suit)