Hackers Expose Age-Verification Software Powering Surveillance Web

Three hacktivists tried to find a workaround to Discord’s age-verification software. Instead, they found its frontend exposed to the open internet.

Ten days ago, the social chat app Discord announced that it would launch “teen-by-default” settings for its global audience. As part of this update, all new and existing users worldwide will have a teen-appropriate experience, with updated communication settings, restricted access to age-gated spaces, and content filtering that preserves privacy and meaningful connections, the platform said.

This, of course, means that to use Discord the way you are used to, you’ll have to let it scan your face, and the internet wasn’t happy. Many communities quickly announced their move to other platforms. Others, like the security researcher Celeste, who goes by the handle vmfunc, were convinced there would be a workaround.

Together with two other researchers, they set out to look into Persona, the San Francisco-based startup that’s used by Discord for biometric identity verification – and found a Persona frontend exposed to the open internet on a US government authorized server.

In 2,456 publicly accessible files, the code revealed the extensive surveillance Persona software performs on its users, bundled in an interface that pairs facial recognition with financial reporting – and a parallel implementation that appears designed to serve federal agencies. On Monday, Discord stated that it will not be proceeding with Persona for identity verification.

Screengrab of Persona's exposed interface displaying a US government systems notification.

Persona, Beyond Age Verification

Persona Identity, Inc. is a Peter Thiel-backed venture that offers Know Your Customer (KYC) and Anti-Money Laundering (AML) solutions. These rely on biometric identity checks to estimate a user’s age, using a proprietary “liveliness check” meant to distinguish between real people and AI-generated identities. At a $2 billion valuation, Persona powers identity verification processes for the likes of OpenAI, Roblox, Heritage Bank, and the ride-sharing service Lime.

Persona feeds on a growing trend of age-verification legislation that is making its way around the world. From the EU’s Chat Control to the UK’s Online Safety Act and the KOSA and EARN IT Acts proposed in the US, governments argue that as long as we can verify anyone’s age on the World Wide Web, we can keep children safe from the dangers of free information. This, it seems, is far from true.

Beyond offering simple services to estimate your age, Persona’s exposed code compares your selfie to watchlist photos using facial recognition, screens you against 14 categories of adverse media from mentions of terrorism to espionage, and tags reports with codenames from active intelligence programs consisting of public-private partnerships to combat online child exploitative material, cannabis trafficking, fentanyl trafficking, romance fraud, money laundering, and illegal wildlife trade.

Once a user verifies their identity with Persona, the software performs 269 distinct verification checks and scours the internet and government sources for potential matches, for example by matching your face against politically exposed persons (PEPs), and generates risk and similarity scores for each individual. IP addresses, browser fingerprints, device fingerprints, government ID numbers, phone numbers, names, faces, and even selfie backgrounds are analyzed and retained for up to three years.

The information the software evaluates on the images themselves includes “Selfie Suspicious Entity Detection,” a “Selfie Age Inconsistency Comparison,” similar background detection, which appears to be matched to other users in the database, and a “Selfie Pose Repeated Detection,” which seems to be used to determine whether you are using the same pose as in previous pictures.

In short, the software “flags you as a ‘suspicious entity’ based on your face alone,” the researchers write. This may prove dangerous, as Persona’s software has reportedly made significant mistakes when attempting to estimate the age of users in the past. When paired with AML reporting, such suspicious analysis can quickly lead to the unjust termination of bank accounts. And that seems to be exactly what Persona was built to do.

In addition to facial recognition, Persona’s software is able to perform checks on financial data — including running checks on sanctions lists, running checks on cryptocurrency activity via the blockchain analysis firms Chainalysis and TRM Labs, and an interface to file suspicious activity reports (SARs) directly with US and Canadian federal agencies.
