Fury Over Discord's Age Checks Explodes After Shady Persona Test In UK (arstechnica.com) 62
Backlash intensified against Discord's age verification rollout after it briefly disclosed a UK age-verification test involving vendor Persona, contradicting earlier claims about minimal ID storage and transparency. Ars Technica explains: One of the major complaints was that Discord planned to collect more government IDs as part of its global age verification process. It shocked many that Discord would be so bold so soon after a third-party breach of a former age check partner's services recently exposed 70,000 Discord users' government IDs.
Attempting to reassure users, Discord claimed that most users wouldn't have to show ID, instead relying on video selfies using AI to estimate ages, which raised separate privacy concerns. In the future, perhaps behavioral signals would override the need for age checks for most users, Discord suggested, seemingly downplaying the risk that sensitive data would be improperly stored. Discord didn't hide that it planned to continue requesting IDs for any user appealing an incorrect age assessment, and users weren't happy, since that is exactly how the prior breach happened. Responding to critics, Discord claimed that the majority of ID data was promptly deleted. Specifically, Savannah Badalich, Discord's global head of product policy, told The Verge that IDs shared during appeals "are deleted quickly -- in most cases, immediately after age confirmation."
It's unsurprising then that backlash exploded after Discord posted, and then weirdly deleted, a disclaimer on an FAQ about Discord's age assurance policies that contradicted Discord's hyped short timeline for storing IDs. An archived version of the page shows the note shared this warning: "Important: If you're located in the UK, you may be part of an experiment where your information will be processed by an age-assurance vendor, Persona. The information you submit will be temporarily stored for up to 7 days, then deleted. For ID document verification, all details are blurred except your photo and date of birth, so only what's truly needed for age verification is used."
Critics felt that Discord was obscuring not just how long IDs may be stored, but also the entities collecting information. Discord did not provide details on what the experiment was testing or how many users were affected, and Persona was not listed as a partner on its platform. Asked for comment, Discord told Ars that only a small number of users was included in the experiment, which ran for less than one month. That test has since concluded, Discord confirmed, and Persona is no longer an active vendor partnering with Discord. Moving forward, Discord promised to "keep our users informed as vendors are added or updated." While Discord seeks to distance itself from Persona, Rick Song, Persona's CEO [...] told Ars that all the data of verified individuals involved in Discord's test has been deleted. Ars also notes that hackers "quickly exposed a 'workaround' to avoid Persona's age checks on Discord" and "found a Persona frontend exposed to the open internet on a U.S. government authorized server."
The Rage, an independent publication that covers financial surveillance, reported: "In 2,456 publicly accessible files, the code revealed the extensive surveillance Persona software performs on its users, bundled in an interface that pairs facial recognition with financial reporting -- and a parallel implementation that appears designed to serve federal agencies." While Persona does not have any government contracts, the exposed service "appears to be powered by an OpenAI chatbot," The Rage noted.
Hackers warned "that OpenAI may have created an internal database for Persona identity checks that spans all OpenAI users via its internal watchlistdb," seemingly exploiting the "opportunity to go from comparing users against a single federal watchlist, to creating the watchlist of all users themselves."
Attempting to reassure users, Discord claimed that most users wouldn't have to show ID, instead relying on video selfies using AI to estimate ages, which raised separate privacy concerns. In the future, perhaps behavioral signals would override the need for age checks for most users, Discord suggested, seemingly downplaying the risk that sensitive data would be improperly stored. Discord didn't hide that it planned to continue requesting IDs for any user appealing an incorrect age assessment, and users weren't happy, since that is exactly how the prior breach happened. Responding to critics, Discord claimed that the majority of ID data was promptly deleted. Specifically, Savannah Badalich, Discord's global head of product policy, told The Verge that IDs shared during appeals "are deleted quickly -- in most cases, immediately after age confirmation."
It's unsurprising then that backlash exploded after Discord posted, and then weirdly deleted, a disclaimer on an FAQ about Discord's age assurance policies that contradicted Discord's hyped short timeline for storing IDs. An archived version of the page shows the note shared this warning: "Important: If you're located in the UK, you may be part of an experiment where your information will be processed by an age-assurance vendor, Persona. The information you submit will be temporarily stored for up to 7 days, then deleted. For ID document verification, all details are blurred except your photo and date of birth, so only what's truly needed for age verification is used."
Critics felt that Discord was obscuring not just how long IDs may be stored, but also the entities collecting information. Discord did not provide details on what the experiment was testing or how many users were affected, and Persona was not listed as a partner on its platform. Asked for comment, Discord told Ars that only a small number of users was included in the experiment, which ran for less than one month. That test has since concluded, Discord confirmed, and Persona is no longer an active vendor partnering with Discord. Moving forward, Discord promised to "keep our users informed as vendors are added or updated." While Discord seeks to distance itself from Persona, Rick Song, Persona's CEO [...] told Ars that all the data of verified individuals involved in Discord's test has been deleted. Ars also notes that hackers "quickly exposed a 'workaround' to avoid Persona's age checks on Discord" and "found a Persona frontend exposed to the open internet on a U.S. government authorized server."
The Rage, an independent publication that covers financial surveillance, reported: "In 2,456 publicly accessible files, the code revealed the extensive surveillance Persona software performs on its users, bundled in an interface that pairs facial recognition with financial reporting -- and a parallel implementation that appears designed to serve federal agencies." While Persona does not have any government contracts, the exposed service "appears to be powered by an OpenAI chatbot," The Rage noted.
Hackers warned "that OpenAI may have created an internal database for Persona identity checks that spans all OpenAI users via its internal watchlistdb," seemingly exploiting the "opportunity to go from comparing users against a single federal watchlist, to creating the watchlist of all users themselves."
Leisure Suit Larry Age Check (Score:5, Funny)
It was decades ahead of its time!
https://allowe.com/games/larry... [allowe.com]
Re: (Score:2)
> use prophylactic
[CENSORED]
IPO bust (Score:2)
5 billion to 25 billion is a broad range, but that is what people are saying. MS offered 10 billion, and at the time I thought it was a low offering.
But now... its looking like a yahoo.com failure.
Re: (Score:2)
Yeah I thought a few months ago it was going to be the next facebook or twitter - now I suspect its going to be one of those IPOs which just looks like a little spiky mountain with a downward slope going off to the right to infinity.
Re: (Score:2)
Re: (Score:2)
Protection doesn't stay effective over the years because evil Google keeps changing the rules of web browsers to help advertising bypass the blockers.
Currently, I've found that PopupOff extension can remove the mongo ("mongo is webscale!" [youtube.com]) banner in aggressive mode, but aggressive mode causes other issues with navigation elements on various websites.
Not suggesting to use that extension just saying some current extensions can do the needful with flaws.
Re: (Score:2)
Google changes the rules of Chrome. Firefox still has full adblockers. And there are so many reasons to get rid of a Google browser.
Re: (Score:2)
Re: (Score:2)
My filters work fine.
Re: (Score:2)
Re: (Score:2)
I see zero ads on Slashdot using uBlock Origin on Firefox.
Re: (Score:2)
Because having an adblocker running makes Slashdot freak out on occasion, refusing to load articles, refusing to expand comment threads, etc.
Re: (Score:2)
Re:HEY SLASHDOT (Score:4, Insightful)
Well, the bar at the bottom is a bit better, but the close box doesn't close it.
Re: (Score:2)
Even the "Try Free" button doesn't work. LOL!
Re: (Score:2)
Cool. Probably all made with vibe "coding"...
Re: (Score:2)
And no QA testing.
Obvious profiling for repression (Score:5, Insightful)
Sorry, maybe y'all are new here, but this is an old, familiar pattern.
Platform used by social movements to organize protests becomes highly effective.
But think of the children gets trotted out, new regulations under a plausible guise.
And then suddenly the would be civil society participants are finding ICE kicking in their doors.
Have seen this during Iran's Green Revolution, Arab Spring, Occupy, Black Lives Matters, same crap over and over and over and over, and people just keep going for it.
Re: (Score:1)
Discord is a common hop-off point for groomers that hunt kids in games. Almost all the instances of pedos on Roblox have featured the pedos asking the victim to join a private Discord.
Re: (Score:1)
Just so we are clear on this-
There is an apparent world-wide cabal of child rapers that have been side-stepped by law enforcement for decades, but a social media platform where grooming is probably less than 1% of activity requires immediate verification of all parties that use it.
Very selective in which kids are worth being saved, isn't it?
Re: (Score:2)
Of course. One set of rules for them, another set of rules for us. What don't you get?
Re: (Score:2)
Re: (Score:2)
It's a soft target. What do you expect? Also failing to police one group doesn't mean you ignore the other.
Re: (Score:2)
Discord is a common hop-off point for people who play games.
Here is the explanation for why you find many groomers there: https://xkcd.com/1138/ [xkcd.com]
Re: (Score:2)
Indeed it is, which is why it shows up so often in scandals involving online game communities where kids get groomed. There were shenanigans on various TF2 discords a few years ago as well:
https://www.reddit.com/r/tf2/c... [reddit.com]
Re: (Score:2)
Step 2 and 3 of your claims are off base. The reality is there's just a generalised crackdown on social media. Countries are flirting with age verification (or have actively implemented it) the world over. This has nothing to do with targeting Discord specifically because they may or may not have been involved in something. The reality is it's a platform full of kids, and a platform full of kids attracts specific media attention every time some pedo s found using it.
No one gives a shit if Discord is used by
Re: (Score:2)
Step 2 and 3 of your claims are off base. The reality is there's just a generalised crackdown on social media.
that reality doesn't preclude particular interests in particular segments either, and there are precedents. so a targeted operation on discord is far from proven, but not unplausible.
Countries are flirting with age verification (or have actively implemented it) the world over.
also (going back to our exchange a few days ago) this instance clearly shows that personal info protection in age verification processes is far from what it is touted to be. this again might be deliberate or just greed and incompetence. in the latter case it would be showing really gross and possibly criminal incompetence, but
Re: (Score:2)
"The reality is it's a platform full of kids"
This comes across as, "stop thinking our politicians are not doing this out of the goodness of their hearts, For the Children". There is a reason that countries, US cities and states alike have decided to legislate away anonymity to cull social media 20 years after it arrived, and it's not the reasons you are saying.
Age blocks elsewhere are clearly intended to keep adults out, just as Discord has decided to start treating all adults as if they are children, so pr
Re: (Score:2)
This is not a social media problem though. It is a problem of a population too inept to keep their government under control. Governments are the most immoral constructs known and need to be kept on a tight leash. And this is in no way a new thing.
Re: Obvious profiling for repression (Score:2)
Yea, but they are bullying and oppressing the right people so it must be a good thing and you better applaud it, or else the tolerant inclusive people will use their psychological and physical violence against you.
And these systems and data can surely never be used against the wrong people, so it HAS to be a good thing! /s
Re: (Score:2)
You were doing so well until you mentioned ICE. The real threat is from your own Military Intelligence Industrial Complex. The union of state and corp
Re: (Score:2)
same crap over and over and over and over, and people just keep going for it.
It is easy to trick the uneducated... which is why we are all educated so poorly. No schools that I was exposed to taught critical thinking, logic, or ANY interesting history. I wonder why that is? Do powerful people prefer the populations to be easy to manipulate? Why yes, they do.
And here you sit insulting the people who never had access to quality education. It is easy to punch downwards, so why not?
It's all in the name (Score:2)
Discord is simply living up to its name. Truth in advertising!
Strike Two (Score:2)
Discord claimed that most users wouldn't have to show ID, instead relying on video selfies using AI to estimate ages
So since we're obviously all against both of these, what's option three? Surely there's a fallback. A Leisure Suit Larry style quiz?
Re: (Score:2)
A dicks and boobs CAPTCHA is clearly the way to go. Or maybe classifying porn pictures by genre? I fear quite a few teens would beat that one easily though.
Re: (Score:2)
Their commitment that the face scan is on device is pretty strong, I doubt their lawyers would let them send it off device without a warrant forcing them.
I don't like it, but I can live with it. I would immediately wipe the app data after doing it though, since they don't commit to not storing it on device.
Re: (Score:2)
What are the security implications of a local face scan? Somehow the code needs to send the "is 18" flag to the server. What prevents me from faking that? Cryptographic signature? The code must contain the key to sign the response. A local-only check can only use obscurity for security. Given a huge user base like Discord has, sooner or later someone will extract the secrets that certify that the person on the webcam was 18. And then they will come back and tell you they need another verification, this time
Re: (Score:2)
Android and iOS have integrity/attestation frameworks and secure enclaves for keys. Presumably the app uses those.
So the device signs the flag as coming from the supposedly uncompromised app running on supposedly uncompromised hardware, ultimately certified using Google/Apple's private keys. Can it still be hacked? Sure, but not in the way you describe.
Re: (Score:2)
Still trivially though for any talented reverse engineer. Somewhere in the code they have a function that checks if they think they're 18 and returns a boolean. Change the function to always return true. It would be harder if it was sending the image up to the server to analyze, but local is easy to break.
Re: (Score:2)
Also, Android is an open source OS. You can always run it on a modified OS that pretends to have secure storage but logs all data sent to it.
Re: (Score:3)
Only certified hardware gets attestation keys provisioned to the devices at the factory and they will only attest integrity for certified operating sytems and apps.
See the Graphene OS and Play Integrity mess.
Re: (Score:2)
What does the website do?
But let's think about devices with a TPM (the enclave is less relevant, I think). They can sign things without the user having access to the key. I guess you can also find a clever scheme to make it only sign the original request of the site. But they cannot check the webcam image. Instead of getting the key, you patch the image detector to return a false negative and let the rest of the code sign things as usual.
looking for a proper alternative (Score:2)
Re: (Score:2)
Maybe with Matrix/Discord or other bridges it can be easier to make a transition there
Re: (Score:2)
You can stay unverified on Discord. Most stuff still works and it sends a message.
Re: (Score:2)
If I understood it correctly, this also means they turn on all the features to protect minors. This includes for example an AI scanning the images you send and receive, which you currently can turn off as long as your account is not marked as teen account.
Re: (Score:2)
Do you have a reference for that?
Re: (Score:2)
So far I only connected the dots: There is a safety setting for checking images you receive (maybe also you send?) that adults can disable, and they claim to force the teen experience on everyone. I never had the "teen experience" so I can't tell you more than what I think will follow from these two things.
Re: (Score:2)
Hmm. I agree that is pretty suspicious. What I am unclear on is whether they can have AI or people look at your messages without getting informed (!) consent to that, according to EU laws and the GDPR. They might simply be violating the law though.
Well, we will see how this mess evolves.
Re: (Score:2)
The switch is already in the settings for quite some time. I guess the ToS and privacy policy just declare it and they tell something about only using it for checking and acting only if there is something to report about you. Don't tell me you ever trusted Discord to provide privacy? Most other chats at least try or claim to use end to end encryption, Discord seems to have that not even on the roadmap.
Re: (Score:2)
Don't tell me you ever trusted Discord to provide privacy?
Obviously not.
Re: (Score:2)
IRCv3 would need a boost (in particular the functions related to reconnects). Stoat, Spacebar and Fluxer try to clone Discord (not sure how successful). XMPP scales better than Matrix but most UIs feel less like discord than the matrix UIs do. For your local game chat you can also host a teamspeak, Mattermost, Rocketchat or similar tool to be independent, but they only cover a subset of the Discord features.
Re: (Score:2)
It's early days, but I think Roomy has a better chance than Matrix. Roomy is build on the Bluesky at protocol and server infrastructure.
Federation is cute, but obtuse to most normal users (account migration, server/chatroom visibility). The at protocol being more centrally managed is more user friendly, of course that means they could also be more easily forced into age verification.
How tone-deaf can you get? (Score:2)
These people seem to have zero understanding of their user population. Yes, the age-verification process (excluding that UK experiment) may not be that problematic, but users care and do not want to do it. And in that situation you lie to your users? How exceptionally stupid can you be?
I am frankly astonished at the sheer ineptitude on display and I retract my earlier recommendation to just do that verification. Obviously discord is not even trustworthy when their own core business is at stake.
Well, something else I don't/won't use... (Score:2)
majority of data (Score:2)
The description uses a lot of qualifiers like "he majority of ID data was promptly deleted". But either the process deletes the data, or it keeps it, it's not like deleting data is roulette. If a minority of data is not deleted, it means that the data minimization claims are generally a lie.
Aussie on Discord - yet to be asked to confirm age (Score:3)
Discord has apparently been doing age checks in Australia since late last year.
I'm in Australia.
I use Discord - infrequently, not daily but several times a week to look at a very small number of posts and perhaps post a reply or comment.
I've not (yet) been asked for any age ID, nor has anyone on the same server/s that I've asked.
So, it may be that we are worrying about nothing?
Or it may be that I and my friends are not people in their target range due to our very minor useage of Discord?
Or maybe they've deduced that our age is WELL ABOVE 18 via our posts, length of time on discord and topics that we discuss - I dunno, but the youngest of the group is in their 30s, so...??