So, I looked at age verification - it was made clear photos were on device only and never transmitted.
If this turns out to be false, then the legal fallout would be apocalyptic.
What legal fallout? Discord made users agree to new terms just a week ago that involve forced arbitration.
These were photos submitted via the compromised support provider (Zendesk) via the Discord support portal.
Automated age verification via their partner (k-ID, which has its own issues) is a separate system, which was only available to some users. Other users had to contact Discord support manually and submit photo ID, which went through Zendesk, which was then compromised in this breach.
Additionally, for the automated process, it’s the video selfie that’s on-device and never transmitted, but photos of your ID and selfie photo are transmitted, just supposedly deleted afterwards. Those ones are *not* included in this breach, as far as we’re aware, as it’s an entirely different third-party with wholly separate infrastructure.
Which is why you farm off stuff like this to third parties whenever possible
DiscordCorp will get a slap on the wrist and give people an offer of a free six months of discord turbo (so long as you provide payment info so it can auto-renew on month seven).
But ANY meaningful consequences will go toward Zendesk Corp for not doing what they were supposed to. And… then everyone will just use ZZendesk instead
Well, yeah. Discord isn’t exactly at fault here, they’re operating as best they can within the boundaries of a piece of legislation that could be best described as God’s gift to the “I-told-you-so” crowd. This breach is exactly what everyone was warning would happen with the UK ID laws, and Discord got stung first as they’re one of the few companies trying to adhere to the law in good faith (which, yes, why in hell they’re trying to do this in good faith is a very good question).
Here’s the information directly from the FAQ as of right now:
Q: Is my data stored when I use Face Scan or Scan ID verification?
A: Discord and k-ID do not permanently store personal identity documents or your video selfies. The image of your identity document and the ID face match selfie are deleted directly after your age group is confirmed, and the video selfie used for facial age estimation never leaves your device.
Yeah, but those methods of verification weren’t the subject of this breach, this was some manual bullshit done through Zendesk.
That sounds like the video stays on your device but the photos do not.
Big company lies again what a big surprise
Where is that small print? It should be archived before Discord tries to change it.
Check down on data security ;)
Looks like it’s already been archived: https://web.archive.org/web/20250930051220/https://support.discord.com/hc/en-us/articles/30326565624343-How-to-Complete-Age-Verification-on-Discord
It’s also here:
Idk it doesn’t seem like there are any legal consequences for tech companies anymore.
The fact that these photos and PII (personally identifiable information) were not destroyed after the verification process was certified is absolutely atrocious OpSec. I don’t even care which of the two companies is ultimately responsible, because they are both responsible.
- Zendesk for their bad OpSec
- Discord for both outsourcing this AND not having contractual requirements to properly secure and destroy PII when it was no longer required.
I work in IT, and treat PII like it’s dangerously radioactive, because in the digital world, it really is.
Anyone still defending age verification online is an idiot.
I don’t think I’ve ever seen someone defend it online but there were a few people laughing it off which is not much better.
Oh no it’s that thing everyone would say would happen!
To the surprise of no one here. This is the first thing I think of when a system wants me to upload an ID.
Age verification photos?
So they have 2 million ai generated or free stock photos of faces?
These were images of people’s IDs, along with photos of their faces to check for a match, not stock photos or even just real selfies on their own.
Half of those are Norman Reedus in Death Stranding 2.
So glad I ditched Discord the second they considered going public. Converting people to Matrix sucks because Element is terrible for group calls. [Edit] Tried setting up a Snikket server via Docker compose yesterday, but their documentation sucks for manual setups. I don’t need them handling reverse proxying for me, and rather they didn’t bind to the host network and instead bind to a Docker network. Eventually my tweaks broke Docker itself and I had to restart the service.
Who exactly was required to submit age verification photos? Just US citizens?
UK ones too.
Just the UK, as far as I’m able to find. Some US users have to verify by clicking the box, but I do not believe they’ve been en-masse required to upload ID or use the UK’s facial recognition nonsense.
From the Discord age verification FAQ:
The age verification features described in this article are fully available only to users in the United Kingdom and apply to all new and existing UK accounts.
So I guess it was only UK ones. For some reason I thought they were asking pictures in the US too.
You might be confusing it with how several states have attempted to implement identity verification for access to porn sites (which has so far avoided a similar scandal to this one by virtue of rampant, contemptuous noncompliance on the part of the porn sites)
Well, now I feel better about using a throwaway email when I made my account.
Throw away email! Are you doing something illegal online that you would want to bypass the government and big tech’s absolute right to spy on everything you do! That’s it, people will henceforth only get one single email address assigned at birth that they will be forced to use for all online interactions henceforth. I hope you feel ashamed of yourself with all the children you put at risk with your thoughtless selfish behaviour. Now upload an image of your face certified by a government official and a copy of your birth certificate just to be sure that terrorists, uh criminals, uh child abusers don’t win.
*Please tell me this is the most superfluous /s of all time.*