
Persona pushes back against fears its age assurance tech isn’t secure

Pressed to explain Peter Thiel connection, firm says it does not work for ICE, DHS 

The increased prevalence of age checks to access certain online services has brought increased scrutiny to the age assurance sector, often from people who are suspicious of the technology and have the means and skills to interrogate it on their own terms.

Persona is learning this in real time. When messaging platform Discord announced the introduction of mandatory age assurance measures, it included the following bit of language in its FAQ: “If you’re located in the UK, you may be part of an experiment where your information will be processed by an age-assurance vendor, Persona. The information you submit will be temporarily stored for up to 7 days, then deleted. For ID document verification, all details are blurred except your photo and date of birth.”

“You may be part of an experiment” is not a phrase likely to figure high on anyone’s list of things they hope to hear on any given day. The notice triggered a wave of questions from concerned Discord users – no surprise, given the platform’s very public recent data breach, which saw around 70,000 government-issued ID images used in age appeal cases exposed by its customer service vendor (not the age assurance provider). Discord responded, but did itself no favors by quietly removing the mention of Persona from its website.

A piece in Ars Technica says Discord told its reporters “only a small number of users was included in the experiment, which ran for less than one month.” The UK test has since concluded, and Discord says Persona is no longer an active vendor partner. Nonetheless, the platform has seen an exodus of users to competitors like TeamSpeak and Stoat, which, after reaching a certain user threshold, will likely also be covered by laws such as the UK Online Safety Act and Australia’s Social Media Minimum Age Act.

Frontend code gives researchers a tour of Persona’s process

But for Persona, the damage is done. “After Discord shocked users by abruptly retracting the disclaimer about the Persona experiment, mistrust swelled, and scrutiny of Persona intensified,” says Ars. The attention led to a revelation that surveillance and defense firm Palantir’s co-founder Peter Thiel is an investor in the company through his Founders Fund. It also prompted cybersecurity researchers to put Persona’s tech through a bit of testing, which soon exposed a workaround to age checks – and found the uncompressed version of Persona’s frontend code “exposed to the open Internet on a U.S. government authorized server.”

“In 2,456 publicly accessible files, the code revealed the extensive surveillance Persona software performs on its users, bundled in an interface that pairs facial recognition with financial reporting – and a parallel implementation that appears designed to serve federal agencies,” says a report from financial surveillance publication The Rage. Researchers said they could see how requests were formatted, how validation occurred, and how various services communicated during the age check process.

According to a blog from Malwarebytes Labs, “beyond checking their age, the software performs 269 distinct verification checks, runs facial recognition against watchlists and politically exposed persons, screens ‘adverse media’ across 14 categories (including terrorism and espionage), and assigns risk and similarity scores.”

Persona to launch public campaign to defend itself

With Thiel’s name in the mix, all kinds of suspicion have blossomed, forcing Persona to issue a response. Ars quotes its chief operating officer Christie Kim, who says Persona invests “heavily in infrastructure, compliance, and internal training to ensure sensitive data is handled responsibly.” She alludes to the concerns from Discord users as “conspiracies.” And she confirms that Persona is not partnered with federal agencies, including the Department of Homeland Security (DHS) or Immigration and Customs Enforcement (ICE), which leverages surveillance tech from Palantir.

“Transparently, we are actively working on a couple of potential contracts which would be publicly visible if we move forward,” Kim says. “However, these engagements are strictly for workforce account security of government employees and do not include ICE or any agency within the Department of Homeland Security.”

Likewise, the Thiel connection is genuine – but as an investor, says Kim, he is not involved in the firm’s operations. “He is not on our board, does not advise us, has no role in our operations or decision-making, and is not directly involved with Persona in any way. Persona and Palantir share no board members and have no business relationship with each other.”

Persona CEO Rick Song has also waded into the fray, corresponding on X with one of the cybersecurity researchers who discovered the frontend code – and winning a concession that the company has fixed the flagged security concerns quickly. Song is firm in his assertion that “we do not want our technology to be used by ICE or the government for any surveillance purposes.”

He also points to the double-blind model as a step in the direction of privacy, saying that “if Persona has to know who you are (briefly), ideally, Persona should NOT know what you’re doing.”

A February 18 update on the blog of “Celeste” – the researcher with whom Song exchanged tweets – says they are “in direct written correspondence” with Song, who has been “responsive and engaged in good faith.”

Persona continues to provide age assurance for Roblox (facial age estimation and ID verification for chat access), ChatGPT and ride-sharing service Lime. The company may suffer a mild shock to its business; however, it has already launched a public relations campaign to try to limit the damage, and will likely be fine. Biometric Update has reached out to the company for further comment.

Little brother knows where you keep your code

A bigger issue is the effect on the wider age assurance ecosystem, which is in the midst of trying to establish societal trust while laws increasingly bring its services into the spotlight. For individual users, each age assurance vendor is a stand-in for the industry as a whole, and every breach of trust fosters more public pushback to age checks.

The situation also illustrates a hard truth for age assurance vendors. While age check technology is meant to be enabling, and many providers imagine themselves working “in the background” or as a fully integrated, frictionless experience, in the age of social media and online messaging, there is no background. The global user base is sufficiently engaged and connected to do a Google search for a company’s privacy policy, and many advanced users have the capacity to take their independent investigations much further. The fact sends an ironic warning to the age check sector, so often battling fears it will support a surveillance state: little brother is watching you.
