Once again, we’re reminded why age verification systems are fundamentally broken when it comes to privacy and security. Discord has disclosed that one of its third-party customer service prov…

Once again, we’re reminded why age verification systems are fundamentally broken when it comes to privacy and security. Discord has disclosed that one of its third-party customer service providers was breached, exposing user data, including government-issued photo IDs, from users who had appealed age determinations.

Data potentially accessed by the hack includes things like names, usernames, emails, and the last four digits of credit card numbers. The unauthorized party also accessed a “small number” of images of government IDs from “users who had appealed an age determination.” Full credit card numbers and passwords were not impacted by the breach, Discord says.

Seems pretty bad.

What makes this breach particularly instructive is that it highlights the perverse incentives created by age verification mandates. Discord wasn’t collecting government IDs because they wanted to—they were responding to age determination appeals, likely driven by legal and regulatory pressures to keep underage users away from certain content. The result? A treasure trove of sensitive identity documents sitting in the systems of a third-party customer service provider that had no business being in the identity verification game.

To “protect the children” we end up putting everyone at risk.

This is exactly the kind of incident that privacy advocates have been warning about for years as lawmakers push for increasingly stringent age verification requirements across the internet. Every time these systems are implemented, we’re told they’re secure, that the data will be protected, that sophisticated safeguards are in place. And every time, we eventually get stories like this one.

The pattern reveals a fundamental misunderstanding of how security works in practice versus theory. Age verification proponents consistently treat identity document collection as a simple technical problem with straightforward solutions, ignoring the complex ecosystem these requirements create. Companies like Discord find themselves forced to collect documents they don’t want, storing them with third-party processors they don’t fully control, creating attack surfaces that wouldn’t otherwise exist.

These third parties become attractive targets precisely because they aggregate identity documents from multiple platforms—a single breach can expose IDs collected on behalf of dozens of different services. When the inevitable breach occurs, it’s not just usernames and email addresses at risk—it’s the kind of documentation that can enable identity theft and fraud for years to come, affecting people who may have forgotten they ever uploaded an ID to appeal an automated age determination.

Discord, to its credit, appears to have responded appropriately to this incident:

The company is notifying impacted users now over email. If your ID might have been accessed, Discord will specify that. Discord also says it revoked the support provider’s access to Discord’s ticketing system, has notified data protection authorities, is working with law enforcement, and has reviewed “our threat detection systems and security controls for third-party support providers.”

But the fundamental problem remains: we’re creating systems that require the collection and storage of highly sensitive identity documents, often by companies that aren’t primarily in the business of securing such data. This isn’t Discord’s fault specifically—they were dealing with age verification appeals, likely driven by regulatory or legal pressures to prevent underage users from accessing certain content or features.

This breach should serve as yet another data point in the growing pile of evidence that age verification systems create more problems than they solve. The irony is that lawmakers pushing these requirements often claim to be protecting children’s privacy, while simultaneously mandating the creation of vast databases of identity documents that inevitably get breached. We’ve seen similar incidents affect everything from adult websites to social media platforms to online retailers, all because policymakers have decided that collecting copies of driver’s licenses and passports is somehow a reasonable solution to online age verification.

The real tragedy is that this won’t be the last such breach we see. As long as lawmakers continue pushing for more aggressive age verification requirements without considering the privacy and security implications, we’ll keep seeing stories like this one. The question isn’t whether these systems will be breached—it’s when, and how many people’s sensitive documents will be exposed in the process.

Just as states across the country are ramping up their age verification mandates, we get another reminder of why privacy advocates have been screaming about these policies from the rooftops. Each new law creates more pressure for platforms to collect more documents, stored by more third parties, creating more opportunities for exactly this kind of breach.

Perhaps it’s time to admit that the cure—requiring platforms to collect and store government IDs—might be worse than the disease.

From Techdirt via this RSS feed