Discord Wants Your ID. Here's Where Your Biometric Data Might End Up.

Discord recently started requiring age verification for some users. Upload your ID, take a selfie, and you're verified as an adult. Simple enough. But what happens to that data after you hand it over?

Security researchers at vmfunc.re found that Discord's identity verification partner, Persona, operates a government platform that does a lot more than just check your age. The same company collecting your ID photos and selfies also files Suspicious Activity Reports to financial intelligence agencies, maintains biometric face databases, and compares your selfie against photos of politicians worldwide.

# Discord Already Collects Everything

This isn't new territory for Discord. As documented by Spyware Watchdog, the platform already logs every text message, voice call, and image you send. It records your IP address, uniquely identifies every device you use, and monitors what other programs you have running on your computer. The company has confirmed it receives government requests for user data.

None of your conversations on Discord are private. They're all routed through Discord's servers where they can be recorded. That's the deal you sign up for when you use the platform.

But now Discord is asking for something more sensitive. Your government ID. Your face. Your biometric data.

# The Identity Verification Pipeline

When Discord asks you to verify your age, that verification happens through Persona. You upload a government ID and take a selfie. Persona confirms it's really you. Discord says the ID gets deleted and facial scans never leave your device.

But Persona's backend tells a different story. The researchers found source code showing Persona can retain biometric face data for up to 3 years. Your selfie gets compared against databases of politicians and public figures, with a similarity score assigned to each comparison. The system runs 269 different verification checks on your identity.

The same company processing your ID for Discord also operates a FedRAMP-authorized government platform. That platform files reports directly to FinCEN, the US Treasury's financial crimes unit. It files reports to FINTRAC in Canada, tagged with intelligence program codenames like Project GUARDIAN and Project SHADOW.

This doesn't mean your data is being sent to these agencies. But it does mean the company handling your identity verification has the infrastructure and capabilities to do so.

# A Pattern of Broken Trust

Discord has a history of privacy issues. In 2025, attackers accessed roughly 70,000 users' government IDs and selfies after compromising Discord's customer support system. The company said it switched to new verification vendors after that breach.

Now users are being asked to trust the platform again. Upload your ID. Take a selfie. Trust that Discord's partner will delete it. Trust that the data won't be retained longer than promised. Trust that it won't end up in the wrong hands.

But the gap between what users are told and what the backend can do keeps widening. Discord says IDs are deleted quickly. The source code says 3 years. Discord says facial scans stay on your device. The source code shows facial comparison pipelines and biometric databases.

# What You Can Do

You don't have to verify your age on Discord. Accounts that aren't verified get placed into a restricted "teen" mode with limited features. If that works for you, it's the safest option.

If you've already uploaded your ID, you can't really undo it. The data has been collected. You can delete your Discord account, but that won't necessarily delete the data Persona holds about you.

The full technical research is at vmfunc.re/blog/persona if you want to dig into the details. But the bigger picture is simple. Discord already collects everything you say and do on the platform. Now they want your biometric data too. And the company they've entrusted with that data has deep ties to government intelligence infrastructure.

That's a lot of trust to place in a chat app.

# An Alternative

If you're looking for a platform that respects your privacy, consider Matrix. It's an open protocol for decentralized communication. You can host your own server, or use one of the many public homeservers. Messages are end-to-end encrypted by default in most clients, meaning not even the server operator can read them. There's no identity verification, no process logging, no central company collecting everything you say.

Element is the most popular Matrix client, and there are dozens of others. The transition takes some getting used to, but your messages actually stay private.
