Inside Discord's Age Verification: Passport Scans, Biometric Data, and an Eight-Day Gap
You have just fired up your gaming rig. You're about to hop on your favorite game with your buddies, including that one guy you don't really know, or like... but he is really good at the game so you at least tolerate his existence.
You are probably using Discord, because that's where everyone is at. All your friends are there. Any other platform would render you a loner, an outcast. It's like that one house where all your friends used to hang out at, so you're just there. You probably don't even know why, to be honest, it's just how things are.
As Discord attempts to log you in, you are hit with a screen you have not been hit with before. It wants your ID? What is this, a night club? Did you just get pulled over for a routine inspection? No, Discord will eventually want to verify your age and identity. In some regions, they are required by law to do so already. But globally? Not now, not tomorrow, but sometime later in 2026.
Discord has implemented age verification in the United Kingdom in order to comply with the UK Online Safety Act, and on February 9, 2026, they announced that they would roll out "teen safety features" by default for all new and existing users. Globally. Yes, that means that by default Discord will treat you as a 13-year-old, even if it's been 30 years since you were 13. This includes content filtering and restricted access to age-gated communities. If you use Discord as it was intended, primarily for voice communication while gaming with friends, you won't really notice much if you skip verifying your identity and let your account classify you as a 13-year-old.
But in case you use your Discord account in more scenarios than when you are about to play some game with your friends... you might actually feel like you want to get rid of some of those restrictions placed upon you. We get it. Restrictions ain't cool.
So here is how Discord initially would have you go about proving that you are, in fact, a functioning adult. Discord wanted to give you two options. You either submit to a facial age estimation scan, which is exactly what it sounds like, a camera pointed at your face trying to guess how old you are, or you can submit a government-issued ID. A passport. A driver's license. The kind of document you normally don't need in order to sign in to a non-government online account of any kind.
Discord claimed this would be handled by "vendor partners." They just wanted you to hand over your face, or your government ID, to a company you most likely have never heard of, whose name does not appear anywhere in Discord's first announcement regarding the matter. It was only disclosed later, when backlash had already started.
We went ahead and downloaded the Discord APKs dated February 18th and 20th, 2026, and decided to crack them open and have a look inside. For the non-technical folks: an APK is essentially the installation package for any Android app. Everything the app does, every screen it shows you, every system it talks to, it's all in there. You just need the right tools to read it. What we found inside Discord's app was not a simple age checker. It was not a little script that looks at your face and says "yeah, seems old enough." What we found was a fully built, deeply integrated identity verification system with an internal codename: PI2. Which suggests it is version 2. Which means there was a version 1...

The code is littered with references to government ID scanning via NFC. One line reads:
pi2_government_id_nfc_scan_access_code
That is the access code to the chip embedded inside your passport. The same chip a border agent scans when you cross into a country. Another line:
pi2_government_id_nfc_scan_date_of_birth
Your date of birth. Pulled directly from your passport chip. The code also extracts your document number, expiration date, and photo page. This is not age verification. This is a passport read.
The facial scan tells the same story. The code contains:
pi2_selfie_left_pose
pi2_selfie_right_pose
Turn your head left. Turn your head right. That is not a selfie. That is liveness detection, a biometric system confirming you are a real human sitting in front of the camera in real time. That data does not get taken by Discord. It gets handed to a company whose name does not appear anywhere in Discord's original press release.
In the APK we found thousands of hits pointing towards Persona, a virtual identity verification company. Searching for the string com.withpersona, Persona's unique package identifier, a term that cannot be confused with anything else, returned thousands of results embedded across Discord's core systems. We are not talking about a passing mention. We are talking about Persona's code woven into Discord's app at a foundational level.
Some of what we found is mundane infrastructure like UI components, styling, navigation bars. But some of it is not mundane at all. One entry reads:
com.withpersona.sdk2.inquiry.governmentid.RawExtraction
Raw extraction. Of your government ID. This tells us that the system has the capability to pull raw data directly from your document, not just a summary, not just a yes or no answer, but the raw data itself. Whether that capability is being used, and to what extent, is not something Discord has addressed. Persona was not initially mentioned. At all.
Another entry:
com.withpersona.sdk2.inquiry.selfie.view.SelfieOverlayView
That is the camera overlay used during biometric facial capture. Persona's code controls the screens you see and the camera that scans your face. The capability is there. What happens to what that camera captures is, again, something Discord has not told you.
And then there is this:
com.withpersona.sdk2.prefs
Persona has its own persistent preferences storage inside Discord's app. It has the ability to retain information beyond a single session. What it retains, and for how long, remains undisclosed.
On February 16th, 2026, Discord stated they would not be proceeding with Persona for identity verification. Our APKs are dated February 18th and 20th, 2026, several days later. They still contained thousands of references to Persona's code.
Discord called this age verification. The code suggests the infrastructure is capable of quite a bit more than that.
On February 24th, 2026, Discord's CTO Stanislav Vishnevskiy published a public statement admitting the company had "made mistakes" in how they handled and communicated the rollout. In it, he confirmed that Persona had been dropped as a partner, stating that Discord had "set a new bar" requiring that facial age estimation must be performed entirely on-device, meaning biometric data must never leave your phone. Persona, he confirmed, did not meet that bar.
Read that again. Persona did not meet the bar of keeping your biometric data on your device. Which means Persona was sending it off your device. Which is exactly what thousands of lines of network infrastructure code sitting inside Discord's app suggested it was capable of doing.
We downloaded the APK released on February 24th, the same day as the CTO's statement, and ran the same search. For the first time, com.withpersona returned no results. Persona's code was gone.
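One way to repeat this check across builds, added here as an illustration and not the tooling used for this article: an APK is a ZIP archive with compressed entries, so each entry is decompressed before searching for the package prefix in its dotted, slashed (DEX descriptor) and UTF-16 forms. The function names and the two sample builds are constructed for the example and are not real Discord APK contents.

```python
import io
import zipfile
from collections import Counter

SDK_PREFIX = "com.withpersona"  # package prefix searched for in the article


def count_sdk_references(apk_bytes, prefix=SDK_PREFIX):
    """Return Counter {entry name: hits} for a package prefix inside an APK."""
    needles = {
        prefix.encode(),                    # dotted: configs, keep rules, prefs names
        prefix.replace(".", "/").encode(),  # slashed: DEX type descriptors
        prefix.encode("utf-16-le"),         # UTF-16 string pools in binary XML
    }
    hits = Counter()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir():
                continue
            data = apk.read(info)  # decompress; a search over raw .apk bytes misses hits
            n = sum(data.count(needle) for needle in needles)
            if n:
                hits[info.filename] = n
    return hits


def compare_builds(builds, prefix=SDK_PREFIX):
    """Map build label -> total hits, to confirm an SDK really was removed."""
    return {label: sum(count_sdk_references(apk, prefix).values())
            for label, apk in builds.items()}


def make_sample_apk(entries):
    """Build a constructed, APK-shaped ZIP in memory (demo input only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


# Constructed sample builds; the Persona class names are the ones quoted in the article.
BUILD_WITH_SDK = make_sample_apk({
    "classes.dex": b"\x00Lcom/withpersona/sdk2/inquiry/selfie/view/SelfieOverlayView;"
                   b"\x00Lcom/withpersona/sdk2/inquiry/governmentid/RawExtraction;\x00",
    "assets/sdk.txt": b"store=com.withpersona.sdk2.prefs\n",
})
BUILD_WITHOUT_SDK = make_sample_apk({"classes.dex": b"\x00Lcom/example/app/Main;\x00"})

if __name__ == "__main__":
    print(compare_builds({"with": BUILD_WITH_SDK, "without": BUILD_WITHOUT_SDK}))
```

A zero count only shows the literal prefix is absent from the decompressed entries; code that has been renamed or is downloaded at runtime would not be caught by a string search.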
But let's be precise about what that timeline actually looks like:
February 16th — Discord says they are not proceeding with Persona.
February 18th — Persona's code still present. Thousands of references.
February 20th — Persona's code still present. Thousands of references.
February 24th — CTO issues public apology. Clean APK released same day.
February 25th — Independently confirmed by KILLTRACE. Persona is gone (from Discord).
Eight days passed between Discord's first statement and their app actually reflecting it. Eight days where Persona's code remained in the app after Discord said they would not proceed with them.
In response to the controversial age verification plans, users across social media and online forums publicly expressed privacy concerns, with many stating they would cancel their Nitro subscriptions or close their accounts, a backlash so pronounced that major tech publications noted it as a factor in Discord's decision to delay and rework the rollout.
So who is Persona, anyway? Persona is a US-based identity verification company valued at $2 billion. They build the infrastructure that other companies plug into: you hand over your face or your government ID, Persona processes it, and tells the platform whether you are who you say you are.
Persona is not some obscure startup burning through venture capital in a garage somewhere. According to their own website, they are trusted by clients including Reddit, LinkedIn, Fiverr, Lyft, Udemy, and OpenAI, platforms that collectively serve billions of users worldwide.
Their most notable financial backer is a man named Peter Thiel. Thiel's venture capital firm, Founders Fund, was involved in both Persona's $150 million Series C funding round and their $200 million Series D funding round. That is a generous amount.
You may not know Peter Thiel by name. You may not even know the name of his company. But consider this: he builds infrastructure at a scale where billions of digital identities flow through the systems he funds. Of course, it is not Thiel himself sitting in a basement somewhere with JPEGs of your passport. It is the infrastructure he funds, and the empire around it, that merits attention.
Persona and Palantir are separate companies, but both are connected through the same strategic architecture: a single backer shaping their technology and influence. That same backer now finances the company whose code was sitting inside Discord's app thousands of times over, with the capability to access the chip in your passport.
Before you hand over your passport and trust that everything will be fine, consider this. In February 2026, independent security researchers at vmfunc set out to do something fairly routine: examine how Persona's age verification system worked under the hood. No hacking. No exploits. Just passive reconnaissance using publicly available tools: Shodan, certificate transparency logs, DNS records, the kind of work any competent researcher might do before breakfast.
According to vmfunc's blog, they discovered 53 megabytes of Persona's source code sitting completely unprotected on a FedRAMP-authorized government endpoint. A development build, deployed to a federal government server, readable by anyone. The door was not just unlocked, it was wide open.
So, anyway… where does Discord go from here? According to their February 24th blog post, the global rollout of age verification has been delayed until the second half of 2026. In regions where age verification is already legally required (the UK, Australia, and Brazil), Discord continues to operate with their currently approved partner, k-ID.
For the eventual global rollout, Discord has promised to publish a full list of every verification vendor on their website, along with details about their data handling practices. They have also committed to expanding verification options beyond face scans and ID uploads, including credit card verification as an alternative.
Discord's CTO stated that over 90% of users will never be asked to verify their age at all, since most users do not access age-restricted content and the platform's internal systems can already estimate age using account signals, such as how long an account has existed or whether a payment method is on file.
If you think handing your government ID to a database you know nothing about is fine because they promised to keep it safe… consider Tea App. Tea App was a social platform built around one core promise: a safe, anonymous space for women to speak freely. It relied on ID verification, and women handed over their information in good faith, trusting it would be handled securely.
In July 2025, Tea App was breached. Tens of thousands of women's identities, photos, and private messages were exposed online, including roughly 72,000 images containing government IDs and verification selfies. A second breach followed, exposing over a million private direct messages, conversations about divorce, abortion, and assault, the kinds of things you only share when you believe nobody else is listening. The data quickly appeared on dark web forums. Women who trusted the platform with their legal identities suddenly had that information in the hands of strangers.
Tea App, in similar fashion to Discord, stated the ID information would not be stored long term. The real question: will Discord actually follow through?