In a development that has privacy advocates and tech users alike raising eyebrows, cybersecurity researchers have uncovered a significant exposure in the infrastructure of Persona, a company that provides age verification and identity verification services to major platforms. Originally intended to help services confirm users’ ages, the leaked frontend points to something far more intrusive lurking beneath the surface.
What Happened?
While investigating age verification checks used by services like Discord, researchers found a publicly accessible section of Persona’s software hosted on a US government–authorized server. This frontend — essentially parts of the code and interface that should have been secured — was left exposed online and contained 2,456 accessible files detailing internal processes.
The files have since been removed, but the discovery has already sparked concerns about how far age-verification systems might be capable of going beyond simply confirming someone’s age.
Beyond Simple Age Checks
Rather than performing just a basic age estimate, the exposed Persona software appeared to conduct a wide array of identity and risk assessments. Researchers found it was capable of performing 269 distinct verification checks, including:
- Facial recognition against global watchlists and databases of “politically exposed persons”
- Screening users against 14 “adverse media” categories — from terrorism to espionage
- Assigning risk and similarity scores to images submitted by users
- Collecting and potentially retaining sensitive information like IP addresses, device fingerprints, government ID numbers, names, phone numbers, and facial data for up to three years
This level of processing goes well beyond what most people expect when they simply upload an ID or selfie to verify age.
Why This Matters
The disclosure comes at a time when age verification is increasingly being mandated — or at least encouraged — by governments and platforms trying to protect minors online. Australia, for example, has implemented sweeping age verification requirements for social media platforms, and companies like Discord have begun rolling out their own checks.
But when the backend systems used for these checks contain capabilities for extensive identity and behavioral analysis, it raises pressing privacy questions:
- Are users truly aware of the amount and types of data being processed?
- How is that data stored, shared, or retained?
- And what are the risks of combining identity verification with extensive surveillance-style checks?
Many users and privacy advocates argue that such capabilities could erode trust and contribute to a surveillance culture users did not sign up for.
Who Uses Persona?
Persona’s technology has been integrated into a number of well-known platforms. According to reports:
- Discord used Persona for age checks as part of a broader effort to restrict content based on user age.
- OpenAI’s services (including ChatGPT) have previously referenced Persona as a trusted third party for verifying age in certain contexts.
- Gaming platforms and other apps have also incorporated Persona’s biometric and document verification flows.
In response to the exposure and growing criticism, Discord said it will not continue using Persona for its age verification program.
The Broader Debate
The incident underscores a larger dilemma for tech companies and regulators: how to keep minors safe online without sacrificing privacy or introducing overly invasive systems. Age verification — on the surface — seems like a reasonable requirement. But when systems designed for that purpose are capable of extensive biometric analysis and data collection, the balance between safety and privacy becomes increasingly strained.
Critics argue that users may be discouraged from engaging with age verification on platforms if they fear their biometric and identity data could be repurposed for surveillance or long-term profiling.
