Oh look: #discord outsourced their age verification to some vendor. You know, the #ageverification that countries like the UK want to make mandatory for basically every online service. And the vendor had a data breach exposing photos of government IDs for 70,000 people.

Do you feel safer? How many children did we protect by exposing the IDs of these 70,000 (presumably) adults? Thanks for taking one for the team, you 70,000 canaries in the #privacy coal mine.

https://discord.com/press-releases/update-on-security-incident-involving-third-party-customer-service


@[email protected] I don’t understand why operating system developers aren’t required to implement age verification. Apple, Microsoft, and Google could coordinate a standard that passes age group data to websites without revealing identities. It makes no sense for every app or site to handle this alone. Linux and Firefox users could use Google’s web service linked to their accounts. Problem solved. Everyone wins. Only these companies have the security scale to manage threats in real time.
@elaine @paco
So... your idea of data security is to give even more user data to these companies with too much power that we'd love to burn to the ground? (metaphorically) The very same companies that feed every piece of data they can get their hands on into LLMs?
@ki @elaine @paco not 100% sure if the intent of the OP of this was that, but Google, Apple already have a lot of data from your phone, so use the phone as the age verification device.
@shinspiegel @elaine @paco
which doesn't make things any better, though
@ki @elaine @paco nope, but at least it isn’t a third party validating…
@ki @elaine @paco I did write in my blog on this topic a year ago, maybe this could better explain my reasoning. It can be a little outdated, and I afterwards thought this concept can be improved, but it's a starting point: https://jeferson.me/blog/2025/06/10/pr0n/

@[email protected] @[email protected] @[email protected] The LLM thing is a bit overblown. Contrary to popular belief, large language models do have practical size limits in terms of being able to perform inference. If we collected every single chat message, social media message, every keystroke of every user in the world, the language model would be too big. So instead of a library of all of the information in the world, you need the most popular and most relevant information.

Both xAi and Perplexity use retrieval augmented generation, a process where they collect information, such as social media posts, from their index and pass it to the prompt rather than including it in the model.
@elaine @paco Sorry, as a Linux user, my account on *what*, exactly?

@elaine @paco I don't think everyone sending their ID to one of 3 American mega corps is a "win" for anyone.

1. They're all actively supporting the regime
2. Even without the current president, they're under the CLOUD Act so that data is still accessible by the US
3. Even if the mega corps were not owned by the US, they don't care about our data, privacy, human rights, they are involved in wars and oppression of various peoples.
4. Centralised services are not safer per se.

...and I should not have to submit ID to my operating system, or to access my own computer!
@elaine @paco worst take of 2026 so far
@elaine @paco Yes, let’s give the three US tech giants copies of every single human being’s photo ID. What could possibly go wrong? /s

@elaine The question, though, is whether age verification does enough good (any good?) to justify the risk. The negatives are largely borne by individuals. If the entity (government agency, OS maker, mobile phone company) royally botches it, they face minimal consequences. Individuals face consequences that range from trivial (a little spam) to very damaging identity theft.

Lots of people have spent lots of time and energy studying this stuff. The advocates of age verification don’t usually have a lot of research that supports it being effective at reducing the harms that people intuitively think it reduces. It creates a lot of risk for a lot of non-children under the premise that it somehow protects children.

If we make it too onerous, businesses opt to discontinue services. E.g. they just don't do things that require age verification. If we make it too lax, companies get cavalier about it and the end users suffer. It's super hard to find the Goldilocks level of "just right" security.

@paco
Bluesky asked me to give my ID information and documents to a third party provider when Australia introduced its under-16 ban a month or two ago.

I deleted Bluesky.

@paco It’s never about children or safety, it’s about control (so they don’t give a sh.t about breaches).
@paco No one should let anyone get away with "third party". Your subcontractor - you own it, just as if it had been your own employees. Don't like it? Don't outsource your responsibilities.
@troed @paco Do you think they wouldn't have been hacked if Discord did it themselves? The outsourcing is a red herring.
I suspect we are all in agreement. Discord is trying to blame a third party to make it seem like they did everything right; that the situation is just that their vendor let them down. None of us think that’s a reasonable excuse, nor that anyone should consider it an acceptable response in these circumstances.
@oscherler @troed
@paco Yet another reason in the litany of reasons I refuse to join Discord. People need to like... stop... using it.
No they didn't. They did their own age verification and stored images of passports in Zendesk (iirc, or some other support desk software). Discord acted completely irresponsibly and Discord NEEDS age verification due to their young target audience and child enthusiast problem. I agree with your point, but your representation of what happened at Discord is entirely wrong.
Yes, I remembered correctly: it was Zendesk. youtube.com/watch?v=GbXATeFfkRA

@michael Was it Zendesk? Someone else replied that it was 5CA and sent this link

https://5ca.com/blog/holding-statement-security-incident/

The phrase "our vendor used to review age-related appeals" in the Discord disclosure made it sound like the vendor did the appeals. So maybe Discord did the initial verification, but this vendor was doing more than just storing images.
Then I might have been wrong and there were more leaks. They definitely had one last year, where they hosted pictures of people's passports in Zendesk (which is all kinds of insane).

If they used a "proper" age verification service and they leaked, that's an entirely new can of worms. (Though I still think Discord in particular having age verification is not a bad thing.)
The same channel did another video about Discord age verification.

Basically:
1) use an LLM-based system to guess your age
2) use a commercial age verification service using ID
3) send a support request via Zendesk, often attaching IDs and/or selfies (even though that should not be done via Zendesk)

Often people use them in that order due to simplicity and speed.

Only the third was "hacked" (some dude bought the password to Zendesk off an employee). Zendesk should obviously not be used for age verification or any other sensitive information.

So, age verification is in most cases bad and is obviously just a power grab when used like the UK system or the on-again-off-again EU system, but the Discord leak is not an example of why it is bad.

youtube.com/watch?v=rfspiibG_2c (about the leak from 7:13)
@paco Damn, this is both hilarious and terrifying. 70,000 people handed over their documents so Discord could “verify their age,” and now all those files are just floating around the internet. Does anyone really think this is safe?
@paco isn't it the platform @GrapheneOS goes to with their support channel? Great! Lest FOSS/DeGoogle communities go more into another data mess company!
@paco Well, you know, at least that company knows how to NOT safely store sensitive personal data...
@paco Yeah, I'm pretty sure we all knew this was inevitable; except the government wonks, obvs.
@harryadney @paco The government wonks were told too, it's just that this time instead of holding off on deployment (kicking it into the long grass) they charged ahead and damn the consequences. Brexit grade "who needs experts?" idiocy.
@paco inevitable.
Too good a target of course this happened and will keep happening. Waiting for the big one that makes photo ID worthless.
@paco
When I logged back into LinkedIn a few months ago (after years of blissful absence) it asked me to "verify" my identity. So I clicked "ugh, fine" and got redirected to a 3rd party asking for all of my personal info. Lol, that was a quick "Cancel".
@paco
Sadly: "called it!"
@paco ... huh, that explains all the account signup emails I'm seeing using the address I gave to discord ... awesome ...

@paco If any Discord server I use starts asking for age-verification, that's the day I leave that server.

It's one thing to be asked to trust Discord (or whatever other company) who you know you're dealing with because that's their name on the website. I can decide if I trust them or not. It's another thing for them to be using some third party who I never heard of and have no idea if I should trust.

@paco Yet another reason to not use Discord. It was bad from the start and it hasn't gotten better. I wish companies would stop leaning on it more and more for things like tech support too. We shouldn't have to risk identity theft for tech support.

@xoagray Agreed. Plus, Discord is not organized or searchable. What I can't understand is why the maintainer of a product would want people to pop in and ask basic questions in chat. Advanced questions? Sure. Inter-developer communication on the core team? Sure. We've had IRC for that for ages and I can see how Discord fills that need. But when we think about the basics, that's what forums and FAQs and web pages and stuff are for. As a maintainer I'd want easy stuff to be answered by RTFM and only ping a person for unusual stuff.

I get frustrated with projects that have crappy documentation and push everyone to Discord. It's so hard to get basic info out of it.

@paco Or even just basic email support. That should be a universal constant and it's just not anymore.
@paco @xoagray I'd already be glad when FOSS projects would stop using it.
@paco the post states it was a customer support vendor, not K-ID, that had the breach

this incident is relating to stuff from before the OSA, and was more influenced by Apple's age verification policies from way before the OSA.

I don't like the OSA, but I also don't like people spreading misinformation, intentionally or unintentionally
@paco the only thing Discord does better than a forum: it is not searchable!
When asking a dumb question in the chat, nobody can answer "use the search function first, we answered this about 1k times!" because everybody knows even following your own thread is a pain in the ass. Reading the follow-ups to questions from random dudes is like running naked in the 6th circle of hell being chased by porcupines.
@paco

Arguably, the likelihood of data-exposure is the whole point of gating things that could be embarrassing.