Notably, by doing this Discord lied in their initial announcement. They originally said [1] that all processing would be on-device, but that's not true for users subject to this "experiment".
> "By immediately I mean we send it to k-ID who said that's what they do."
People have already validated this, FYI. When k-ID was first added, you could send a bogus age result to Discord from your local device, which probably still works. There's no evidence your facial scans leave the device.
> "By that I mean they partnered with Persona to do the actual verification."
Which isn't true, it was a UK-only experiment being run for a small subset of users, which has now been discontinued.
I get people are outraged, but this is sensationalism at best.
After the last screwup, by the same company, why would you trust the data to stay on your device?
> Of the accounts impacted globally, we have identified approximately 70,000 users that may have had government-ID photos exposed, which our vendor used to review age-related appeals.
And by same company, I don't mean Discord. I mean Persona.
Was it “UK only”, or was it the only place that required them to notify users they're being experimented on?
We know US law allows tech companies to experiment on us without notifying at all. Facebook was caught experimenting on users to see if a timeline full of sad posts would cause the users to become depressed.
I'm guessing his companies will get ahold of Discord users' data in most other countries. I'd be shocked if he only wants data from a tiny number of UK people.
Discord probably still claims they weren't hacked. How they handle incidents like this matters to a lot of folks, and that's what this is about.
3 months after a major breach, how could anybody possibly believe that they fixed all their wrong organizational policies and security measurements within that time, while still not even acknowledging the incident?
I don't want to defend Discord, but that's just not true. That announcement did not say all processing would be on-device, only when you use the face scan.
> Video selfies for facial age estimation never leave a user’s device
> Facial scans never leave your device. Discord and our vendor partners never receive it.
Meanwhile they're also clear that uploaded IDs do get sent to "partners":
> Quick deletion: Identity documents submitted to our vendor partners are deleted quickly— in most cases, immediately after age confirmation.
Ah, I assumed that Persona is being used for face scans too. I haven't been able to find a screenshot of the actual flow, but based on this article [1] with a screenshot of the message UK users are receiving, I suspect they are:
> The information you submit will be temporarily stored for up to 7 days, then deleted. For ID document verification, all details are blurred except your photo and date of birth... [emphasis mine]
To me, that implies that Persona is/was doing more than just IDs.
1: https://discord.com/press-releases/discord-launches-teen-by-...