This caught my attention because the platforms I use every day – Discord, Reddit, Xbox, Bluesky – are being pushed into fast, imperfect solutions that trade user privacy for regulatory compliance. The UK’s Online Safety Act has created a hard deadline for age assurance, and companies are scrambling to plug holes with third‑party vendors and device-based face scans. That scramble is already producing leaks, sketchy vendor ties, and rushed experiments that should make anyone who values their data uneasy.
To satisfy the Online Safety Act, platforms have two realistic options: hand age checks to a centralized third‑party vendor (ID upload, selfie, or both), or keep the processing on-device so biometric data never leaves the phone. Both have problems. A third‑party vendor brings a supply chain of trust questions: who else can reach that data, how long it is retained, where it is stored, and what other checks the vendor's toolkit runs on it. On-device checks reduce what leaves the phone, but they are harder to build, the platform still has to trust some attestation that the check actually ran, and the available APIs differ across ecosystems, so the result is far less uniform.
Discord’s approach illustrates the tension. The company ran a UK trial with a vendor called Persona and has said it will use a combination of on-device checks and vendor services. But the vendor side of that experiment matters: security researchers cited by PC Gamer say they found a Persona frontend exposed on a FedRAMP-authorized server, and that the exposed code appears to perform 269 different verification checks across multiple categories, including a facial recognition flag called “SelfieSuspiciousEntityDetection” and screenings that read like counter‑terrorism indicators. That is not the sort of processing most people expect when they upload an ID to prove their age.
These vendors aren’t neutral civic actors. Venture capital, investor networks, and prior work with government agencies create plausible lines of influence and mission creep. PC Gamer notes Persona’s investors include people tied to high‑profile surveillance outfits, which makes users rightly suspicious. TechCrunch’s reporting on regulatory capture in AI and Silicon Valley influence (via interviews with figures like Bill Gurley) is a useful reminder: frantic regulatory compliance can create markets for private companies that benefit from centralizing sensitive data.
We’ve already seen how brittle these systems can be. Discord reportedly faced an earlier breach that may have exposed tens of thousands of ID photos, and researchers say they found Persona infrastructure exposed to the open internet. Add to that reports that U.S. authorities have subpoenaed platforms for user data related to immigration enforcement, and you end up with a plausible nightmare in which age verification photos and metadata are swept into law‑enforcement requests or insecure vendor backups.
Scope creep is another concern. A checkbox meant to block minors from “harmful content” can morph into broader monitoring for extremism or other behaviors if vendors’ toolkits include those flags. Users uploading IDs or scanning their faces don’t usually consent to being entered into databases used for unrelated profiling — but that’s the direction some of these vendor features suggest.
Expect more rollouts and tests. The UK law acts as a template: platforms will test solutions there and then push similar measures globally to avoid complex geofencing and compliance overhead. Expect user backlash — VPN skirting, fake selfies, and migration to smaller niche communities — and expect platforms to iterate quickly to close obvious workarounds.
If you care about privacy, two practical responses: (1) press platforms for transparency: ask exactly which vendor they use, which checks run, what is stored, and for how long; (2) lobby for technical alternatives that never transfer raw IDs or biometrics to the platform, such as proof-of-age tokens (a certified age‑verifier authority checks the document once and hands the platform only a signed, short-lived “over 18” claim bound to that session), certified verifier authorities with minimal data sharing, and on-device attestations.
The Online Safety Act is forcing platforms into rushed age verification that often relies on third‑party vendors. Recent reporting about Persona’s expansive checks and exposed infrastructure, combined with past leaks and government subpoena reports, means this isn’t a theoretical risk — it’s a live privacy problem. Platforms can build safer systems, but right now compliance pressure is producing messy tradeoffs between protecting kids and protecting everyone else’s biometric data.