Discord has a new age verification vendor. The vendor is Incode. Community reaction has been immediate and furious, and it is in some important ways based on a real problem and in other ways based on a misread of what is actually happening technically.

I want to be precise here, because precision is what this story needs. The anger being passed around X right now treats Incode’s involvement in Discord as an obvious red flag, pointing primarily to the vendor’s work with TikTok as proof that handing your face and government ID to this company is reckless. That concern is not invented. But it is also not a clean one-to-one comparison, and the way it is being discussed right now is collapsing some genuinely important distinctions that determine whether the risk is real or overstated.


So let me take this apart properly. The breach history, the vendor architecture, Incode’s actual technical design, its TikTok implementation and how it differs from the Discord configuration, the behavioral profiling that is already running on every account right now, and what the sum of all this means for anyone who uses Discord and cares about where their biometrics end up.

How We Got Here: The Full Disaster Timeline

None of this exists in a vacuum. You cannot understand why Incode’s addition to Discord’s verification stack sparked the reaction it did without understanding the 15 months of wreckage that preceded it.

September 2025: The Breach

The story starts on September 20, 2025, though Discord would not tell its users about it until October 3rd. That day, attackers compromised a support agent at 5CA, a Netherlands-based customer experience firm that Discord had outsourced its helpdesk and Trust and Safety ticket handling to. The method was straightforward social engineering: a deceptive phone call to a support agent at 5CA tricked the employee into surrendering their login credentials. With those credentials, the attackers had unfettered access to Discord’s customer support system for 58 hours.

What they found there was a honeypot that never should have existed. According to Discord, the stolen data included names, Discord usernames, email addresses and other contact details users had provided to receive support; messages and conversation transcripts with support agents; limited billing and payment metadata including payment method, purchase history, and the last four digits of credit cards; IP addresses associated with support interactions; and limited corporate data such as training materials stored in the support system. Most critically, it included government ID photos. Passports. Driver’s licenses. The kind of data you cannot rotate like a password.

Discord’s official figure was approximately 70,000 affected users. The group claiming responsibility, calling itself Scattered Lapsus$ Hunters (a name that explicitly references three separate notorious threat actors: Scattered Spider, LAPSUS$, and ShinyHunters), claimed something very different. The group publicly taunted Discord and demanded ransom, asserting they held 2,185,151 government-issued identification photos. Their initial ransom demand was $5 million, later reduced to $3.5 million. Discord refused to pay.

Discord disputed the 2.1 million figure as an extortion-inflated claim. The underlying point, that concentrated identity document handling creates a catastrophic target, is not in dispute by anyone.

The situation got stranger. 5CA, the vendor Discord named as responsible, issued its own denial, stating that “none of 5CA’s systems were involved, and 5CA has not handled any government-issued IDs for this client.” The company said the incident may have resulted from human error occurring outside its systems, without offering further explanation. So Discord blamed 5CA. 5CA denied responsibility. The 70,000+ people whose ID photos were now in circulation had no clear answer about what had actually happened to their documents.

What is technically confirmed: government IDs submitted through the manual age verification appeals process ended up in a customer support ticketing environment that a single compromised agent’s credentials could access. Whatever the precise chain of custody, that architecture created the exposure. The lesson was obvious. Nobody acted on it immediately.

February 2026: The Announcement That Lit Everything on Fire

Four months after those 70,000 IDs were stolen, Discord announced mandatory global age verification.

The timing was not lost on users. The announcement was timed to coincide with Safer Internet Day. People noticed. The February 9 announcement said that all new and existing users worldwide would receive a “teen-appropriate experience by default” starting in early March, and that adults wanting full access would need to prove their age via video selfie or government ID upload. The rollout was framed as necessary compliance with mounting global legislative pressure from the UK’s Online Safety Act, Australia’s social media age restrictions, Brazil’s incoming requirements, and a patchwork of US state laws.

The response was immediate. Google searches for Discord alternatives spiked worldwide. Hundreds of users on Reddit announced they were cancelling Nitro subscriptions or deleting accounts entirely. Discord head of product policy Savannah Badalich told The Verge the company expected “some sort of hit” to user numbers. They were right.

The backlash was about more than timing. It was about what researchers found when they started actually examining Discord’s verification infrastructure.

The Persona Revelation

Discord had been quietly running a limited UK test with Persona, an identity verification startup backed by Peter Thiel’s Founders Fund. Users were not clearly told. When the partnership became public, researchers investigated. What they found was not a simple age-checking tool.

Researchers investigating Discord’s age verification checks discovered an exposed frontend belonging to Persona on a US government-authorized server. It revealed a far more expansive surveillance and financial intelligence stack than a simple teen safety tool. Nearly 2,456 accessible files were found sitting on a US government-authorized endpoint without any exploit required. The files showed Persona conducted 269 distinct verification checks, including screening for adverse media across 14 different categories such as terrorism and espionage.

The researchers’ description of their discovery was almost offhand in its contempt: “We didn’t even have to write or perform a single exploit. The entire architecture was just on the doorstep.”

Persona is backed by Founders Fund, a venture firm co-founded by Peter Thiel, who also co-founded Palantir. Palantir is known for creating large-scale intelligence and surveillance software used by US government agencies and law enforcement. Whether or not the connection was operationally relevant, the optics were catastrophic.

Discord cut Persona loose. Discord’s CTO confirmed in a public post that the UK experiment ran for less than a month, that Persona did not meet the new requirement that any partner offering facial age estimation must perform it entirely on-device, and that all data was deleted after completing verification.

The Retreat and the Promises

Discord’s CTO Stanislav Vishnevskiy posted a public admission that the company had “made mistakes” and acknowledged that in hindsight, they should have provided far more detail about how the verification process actually works. “Many of you walked away thinking we’re requiring face scans and ID uploads from everyone just to use Discord. That’s not what’s happening, but the fact that so many people believe it tells us we failed at our most basic job.”

The commitments made in that post matter because they are what Discord is now being judged against:

Full vendor transparency. Every verification vendor documented on the website with data handling practices. Users would be told in the product who each vendor is.

On-device requirement. Any partner offering facial age estimation must perform it entirely on-device. Biometric data must never leave the user’s phone.

More verification options. Credit card verification and others were in development and would be completed before global scaling.

Technical documentation. A blog post explaining the age inference methodology before global launch.

Age assurance data in transparency reports. Numbers on how often users were asked to verify, which methods they used, and how often the automated system handled it without any user action.

The global rollout was pushed to the second half of 2026. The UK, Australia, and Brazil remained under existing regulatory requirements in the meantime.

And now, four months later, Incode is in the trial.

Who Is Incode

Before getting into what the Discord trial does or does not mean, it is worth understanding what Incode actually is, because the community reaction has been treating it as an opaque, shadowy data company, and the reality is more complicated.


Incode Technologies was founded in 2015 and raised $220 million in a Series B funding round in 2021 at a $1.25 billion valuation, led by General Atlantic and SoftBank’s Latin America fund, with additional backing from J.P. Morgan, Capital One Ventures, and Coinbase Ventures. As of late 2025, the company was in preliminary talks to raise between $150 million and $300 million at a valuation of up to $3 billion, with annual recurring revenue of approximately $170 million.

CEO Ricardo Amper has said that Incode processed more than 4.1 billion identity checks in 2024 and serves 8 of America’s top 10 banks, 8 of North America’s top 9 telcos, and 4 of Latin America’s top 5 banks. The company has also achieved FedRAMP Ready status, meaning it has cleared the preliminary requirements to handle US federal government data.

That last point is worth noting. Incode is not a scrappy startup with questionable security practices. It is a significant enterprise identity infrastructure company chasing government contracts. That context does not make every privacy concern moot, but it shapes what kind of risk we are actually talking about.

The Technical Architecture

Incode’s identity verification platform runs on what the company calls its “Incode Omni” stack. It combines several distinct modules: facial recognition, document verification via optical character recognition, passive liveness detection, deepfake detection, and age estimation. These can be deployed individually or together depending on the customer’s requirements.

For age verification specifically, Incode operates across two architectural paths.

The first, and the one most relevant to the Discord selfie trial, is fully on-device. The face is detected on-device, a privacy-safe facial landmark map is created without identifying who the person is, and the model analyzes age-related facial features like skin texture and landmarks to estimate an age range, not a precise identity. The only output that leaves the device is a pass/fail result against a configured age threshold. No face image, no biometric template, nothing identifiable.

A second architectural path exists for environments where server-side intelligence is needed. In this mode, the image is encrypted on-device before anything is transmitted. What reaches the server is not a face image. It is an encrypted vector. Inference, including liveness detection, deepfake resistance, and anti-spoofing checks, runs directly on the encrypted signal. Decryption outside the user’s device is not possible. The result is returned and decrypted on-device.

For the Discord trial, the stated path is the fully on-device option. No biometric data transmitted. Selfie never leaves the phone.

The ML Models: What They Are Actually Running

Incode’s own manifesto describes the on-device age estimation flow: the face is analyzed locally, and only a result leaves, not the data that produced it. The underlying model has been through independent evaluation.

In the National Institute of Standards and Technology Face Analysis Technology Evaluation covering 8 age estimation algorithms, Incode achieved a mean absolute error of 3.0 years on the Application dataset. The Application dataset specifically uses images typical of real-world user uploads, not controlled lab photos. That is meaningful because it reflects the accuracy someone using the Discord app will actually experience, not a sanitized benchmark score.

The NIST FATE evaluation found that accuracy of age estimation algorithms has improved markedly since initial evaluations in 2014. Incode’s internal testing claims 99.9% accuracy, though that figure comes from their own testing rather than NIST.

The Liveness and Deepfake Problem

One thing that does not get discussed enough in coverage of age verification is what happens when someone submits a deepfake, a high-quality printed photo, or a video replay attack instead of a live face. The question of whether the selfie is coming from a real human present at the device matters enormously for whether the system actually works, and it is distinct from the privacy question.

Incode’s liveness detection software passed presentation attack detection evaluations to iBeta’s Level 3 on both iOS and Android, becoming the first liveness vendor with independent confirmation of this level for both platforms. No errors were reported during the tests, which were conducted under the ISO/IEC 30107-3 standard: both the attack presentation classification error rate and the bona fide presentation classification error rate were 0 percent.

Incode’s Deepsight product won the 2026 Fortress Cybersecurity Award in Deepfake Detection and Anti-Phishing, recognized for iBeta Level 3 certification and AI-powered fraud defense.

Incode has also processed over 7 billion identity verifications in total, and its own data shows that in 2024, agentic fraud, i.e. fraud attempts carried out with the help of AI agents, comprised only 3% of fraud attempts but is growing rapidly. Deepfake and injection attack detection is becoming the arms race, and it is one Incode is genuinely competing in at a serious level.

The TikTok Problem, Decoded

Here is where the community criticism has a real foundation, and where precision matters most.

Incode powers age verification for TikTok Live eligibility checks. When users fail TikTok’s automated checks and need to confirm they are old enough to go live, some are routed to Incode for manual ID verification.

TikTok’s own support page explicitly states: “Our trusted partner, Incode, will retain the information you submit to confirm your age.”

The Electronic Frontier Foundation examined this specific implementation and was direct about what they found. In a disappointing failure to meet the industry standard, Incode itself does not automatically delete the data once the process is complete, but TikTok does claim to “start the process to delete the information you submitted,” which should include telling Incode to delete your data once the process is done. If you want to be sure, you can ask Incode to delete that data yourself. Incode tells TikTok that you met the age threshold without providing your exact date of birth, but then TikTok wants to know the exact date anyway, so it’ll ask for your date of birth even after your age has been verified.

Incode’s own privacy policy confirms the concern: for biometric data, the company will retain the information until the initial purpose for collecting it has been satisfied, or three years after your last interaction with the customer, whichever comes first.

That three-year default window is the problem. The TikTok implementation relies on TikTok initiating a deletion process after verification rather than Incode deleting data automatically on completion. That is a gap. It is the kind of gap that matters when retention equals exposure window.

Incode’s biometric data policy also notes that the company and its partners collect, store, and use biometric data for identity verification services, as well as related training of models if the individual has consented. That last clause is worth reading again. If you consented somewhere in the verification flow, your data may also be used to train their models.

Why the Discord Comparison Is Not Clean

Now here is where the community discussion is getting the comparison wrong.

Discord’s trial documentation does not reflect the TikTok configuration. Per Discord’s support page: for the Incode ID scan trial, “everything is permanently deleted once your age is confirmed and Discord never sees it.” That is a different contractual mandate from TikTok’s arrangement with the same vendor.

Identity verification vendors do not deploy identically across every customer. The data handling configuration, the retention schedule, the deletion mandate – these are negotiated at the customer level. When Incode deploys for a bank doing KYC onboarding, the retention requirements are completely different from when it deploys for a social platform doing age gating. What TikTok’s agreement with Incode says tells you almost nothing certain about what Discord’s agreement with Incode says.

What users are trusting, if they believe Discord’s documentation, is two things: first, that Discord actually negotiated a deletion-on-verification mandate with Incode for this trial; and second, that Incode is implementing it correctly.

Both of those are things you cannot independently verify. That is the actual problem. It is not Incode specifically, nor TikTok’s implementation specifically; it is the fundamental architecture of trusting a multi-vendor chain with your most sensitive documents on the basis of a support page entry that cannot be audited.

The Vendor Stack Nobody Is Talking About

When people discuss Discord’s age verification, they mostly talk about Discord and Incode. The real picture is considerably more complicated.

Discord’s primary age assurance vendor right now is k-ID, a Singapore-based compliance orchestration firm. k-ID is not a biometrics vendor with its own algorithm; it is an orchestration platform. While it may process the selfie, the technology it uses to analyze facial features on-device is provided by external vendors it calls subprocessors.

k-ID’s list of subprocessors includes Veratad for age checks based on ID documents and server-based facial age estimation, while the k-ID privacy policy names Privately as the provider of on-device facial age estimation (FAE). Privately is a Swiss firm. Its on-device FAE technology is what actually runs when you take a selfie through k-ID’s flow on Discord.

Discord’s public vendor transparency page mentions k-ID and Veratad. Privately does not appear. So users reading that transparency page are seeing two of the three companies that handle their data, not all three.

k-ID also led the launch of the OpenAge Initiative in November 2025, a reusable age check system. Persona, Incode, and Veratad are among the companies in the OpenAge network. So Persona, the vendor Discord dropped and publicly cut ties with, is in a reusable credential network alongside Incode and Veratad, who are still active in Discord’s stack. The age assurance industry is small and heavily interconnected. Treating one vendor relationship as cleanly separate from another is not entirely realistic.

Now Incode is being added as a parallel experiment, and users still have no mechanism to know, in a given verification session, whether they are hitting k-ID’s stack (which uses Privately for on-device FAE and Veratad for server-side ID checks) or Incode’s stack. There is no indication of how or when Discord will advise a user which facial age estimation method is being deployed in any given scenario. The implication is not that anything sinister is afoot. Rather, it illustrates how accountability gets layered through orchestrated age assurance, leaving users to follow a breadcrumb trail to find out who is actually feeding their biometrics into an algorithm.

Discord promised full transparency on vendors. That promise has not been fully kept. You cannot tell which vendor processed your biometrics in a specific session.

The Silent Surveillance That Is Already Running

Before any of the vendor drama. Before Persona, before Incode, before the breach. Discord was already profiling every account for age.

Discord leverages an advanced machine learning model developed in-house to predict whether a user falls into a particular age group based on patterns of user behavior and several other signals associated with their account on Discord. The model only assigns users to an age group when its confidence level is high; when it is not, users go through the standard age assurance flow.

The signals feeding that model: account tenure, whether you have a payment method on file, the types of servers you are in, activity timing, device type, game metadata. The model excludes message content but not overall usage.

Over 90% of users are reportedly classified this way and never prompted to do anything active. Discord frames this as the least invasive option – the thing that spares most users from explicit verification. That framing holds up if you compare it only to submitting a face scan. It does not hold up if you compare it to not being demographically profiled at all.

What Discord does not acknowledge is that silent, universal behavioral profiling is itself a form of surveillance, even if no face scan is involved. Anti-spam detection, which Discord describes using the same signal categories, identifies bad behavior. Age inference assigns you a demographic classification based on how you use the platform: which servers you join, what games you play, when you are online. The purpose is categorically different even when the data inputs overlap.

Discord expanded its data collection and ad targeting capabilities in August 2025, broadening the behavioral signals it captures to power sponsored content and Quests. The age inference model uses many of the same signal categories (activity patterns, server joins, connected accounts, usage behavior) that feed Discord’s advertising engine. Discord’s FAQ says age assurance data will not be used for ad targeting. When the underlying behavioral data already serves both purposes, that distinction is narrower than it sounds.

The Methods Discord Is Testing Right Now

The Incode trial is one piece of a larger verification expansion happening between June and July 2026. Here is the full picture of what is being tested.

Selfie via Incode (Facial Age Estimation)

Your selfie never leaves your device, and no biometric data is shared. The experiment may not be available to all users and runs from June 2026 to July 2026. The on-device ML model analyzes facial features, returns an age estimate, and sends only a pass/fail result to Discord. Discord receives your age group, nothing else.

ID Scan via Incode

Your ID and selfie go directly to Incode. Only the date of birth is reviewed for age confirmation purposes, and the entire process is fully automated so no human ever sees your ID. Everything is permanently deleted once your age is confirmed and Discord never sees it. Discord only receives your age and your ID is never linked to your Discord account.

This is the flow where the TikTok comparison is most relevant. Incode’s servers receive actual identity documents in this path. Whether the deletion mandate in Discord’s contract is being correctly implemented is what users cannot independently verify.

Credit Card Check

This method confirms you are an adult by verifying ownership of a credit card. Card details are passed to k-ID, who sends them to Stripe, a secure payment processor. Your details are never seen by Discord and are not retained by k-ID or Discord. Discord only receives confirmation of whether or not you are an adult. A small temporary charge under $0.50 USD may be placed to confirm the card is valid, and if charged, you will be fully refunded within 14 business days. Only credit cards are accepted. Debit cards and prepaid gift cards are not eligible.

This is the possession proxy model. If you own a credit card, the system infers you are an adult. No biometrics. No government ID. For anyone already paying for Nitro with a credit card, this is probably the least invasive verification path available.

Google Wallet

This method uses a passport ID pass saved in Google Wallet to confirm age. Google shares the birthdate with Discord, and Discord derives the age from it. Discord does not store or retain the birthdate after that. All other information included in the form of ID stays within Google Wallet and is never shared.

The Google Wallet path introduces a different trust question: instead of trusting Incode or k-ID with your documents, you are trusting Google’s handling of your passport data within their wallet infrastructure. For users already deeply embedded in the Google ecosystem, this may feel more acceptable. For users trying to limit Google’s data collection, it is a different kind of problem.

The reason Discord is building this system at all comes down to regulatory pressure, and understanding that pressure explains both the urgency and why the company has made choices that look, from the outside, like they prioritize compliance over user privacy.

The UK’s Online Safety Act creates mandatory age assurance obligations for platforms with significant UK user bases. All UK users are already under the new requirements: automatic content filtering enabled by default, age assurance required before accessing content flagged by sensitive media filters, age-restricted channels, or before turning off message request filtering.

Australia banned social media for under-16s starting December 2025. Brazil has its own incoming requirements. The EU is moving toward an EU-wide minimum age of 16 for social media. At least 20 US states had enacted some form of age gating laws for certain content by mid-2025, with more in progress.

Discord is explicitly preparing for a public stock listing. A company heading toward an IPO with age verification non-compliance across multiple major jurisdictions is a company with a serious regulatory liability problem. The teen safety push is not purely altruistic, and acknowledging that is not cynical, it is just accurate.

The Biometric Privacy Law Problem

On the US side, platforms doing age verification are operating in the overlap of four distinct legal regimes that push in different directions: state mandates requiring age verification, state biometric privacy statutes penalizing how verification is done, federal statute that has not yet arrived, and Supreme Court precedent that has settled some constitutional ground while leaving social-media mandates in active litigation.

Illinois’s Biometric Information Privacy Act, Texas’s Capture or Use of Biometric Identifier Act, and Washington’s My Health My Data Act all apply differently to biometric age verification flows. BIPA in particular is the one that has generated significant litigation. TikTok agreed to pay $92 million to settle a BIPA class action alleging collection and sharing of biometric data without consent. The suit alleged TikTok collected facial scans without providing proper notice, informing subjects their biometric information was being collected, or seeking and obtaining written releases.

An on-device facial age estimation flow where no biometric data is transmitted sidesteps most BIPA exposure, because BIPA’s core requirements apply to the collection and storage of biometric identifiers. If the identifier never leaves the device, the legal exposure profile changes significantly. That is part of why Discord’s on-device requirement for facial age estimation vendors is both a genuine privacy improvement and a compliance-driven decision.

The EFF’s Position on This

The EFF’s position goes beyond specific vendor choices. They have stated that Discord went beyond what any applicable law requires, and have encouraged all services to stop adopting these systems when they are not mandated by law, framing voluntary age verification as both a censorship and surveillance risk.

The EFF’s 10 dangers of age verification, published in December 2025, catalogues specific harms that do not appear in most news coverage of these systems:

15 million US adults lack driver’s licenses. 2.6 million have no government photo ID at all. 34.5 million do not have ID with their current name and address. These populations skew Black, Hispanic, low-income, and disabled. Age verification systems that require government ID lock these populations out of online spaces that have become essential to daily life.

AI age estimation has documented racial bias. These systems show higher error rates for Black, Asian, Indigenous, and Southeast Asian faces. Adults get misclassified as minors. Unequal platform access based on skin color.

Transgender users face particularly sharp tradeoffs. 43% of transgender Americans lack ID reflecting their correct name or gender. Age estimation fails more often on trans faces. The choice becomes: out yourself by submitting mismatched ID, or lose access.

Anonymity in communities built around sensitive topics (mental health, sexuality, political activism) disappears when accessing those spaces requires identity verification. Discord is not a pornography platform. It is where queer teens find community, where people in crisis reach support networks, where marginalized people build space for themselves. The identity verification requirement changes the character of those spaces in ways that go beyond what a simple “teen safety” framing captures.

The Breach Architecture That Has Not Been Fixed

The October 2025 breach has been widely characterized as a vendor problem. Discord used a third-party support system that got compromised. The fix is better vendors. But that reading misses the structural issue.

Even with on-device processing for facial estimation, a structural vulnerability remains. The October breach did not occur because Discord collected face scans. It occurred because the manual appeals process required government documents to be held within a third-party vendor’s support system, accessible via a single compromised agent’s credentials. Replacing the vendor does not eliminate that architecture.

The manual appeals flow – the path for users whose automated age estimation fails and who want to contest a teen classification – still requires submitting identity documents that get routed through a processing environment accessed by support staff. On-device selfie processing solves the problem for the majority path. It does not solve the problem for the minority path where a user needs to appeal a failed estimate or provide documentary proof.

The CTO’s post says that information submitted for age verification “is stored only for the minimum time necessary, which in most cases means it’s deleted immediately.” The qualifier “in most cases” is doing significant work there. For users routed into manual appeals, retention and handling practices remain unclear.

This is not an accusation of bad faith. It is a statement about unsolved architecture. Any system that has a manual appeals track with human review of identity documents is a system that creates the same category of exposure that produced the October breach, regardless of which vendors are handling the primary verification flow.

The Identiq Acquisition and What It Means

One development in the Incode story that has not received much coverage in the Discord context is Incode’s acquisition of Identiq, completed on June 25, 2026, four days before this article went to publication.

Identiq spent nearly a decade and invested over $50 million developing patented privacy-enhancing technology that enables fraud pattern sharing across institutions without any raw customer data leaving each organization. No central data lakes. No data brokerage. Institutions share fraud signals without exposing customer data to any third party.

The acquisition’s stated purpose is to add a third architectural layer to Incode’s platform: collaboration without exposure. The underlying cryptographic approach is that companies can detect repeat fraud patterns across a network without centralizing the personal data that would make that network a breach target.

For the Discord trial specifically, the Identiq acquisition is not directly relevant – the trial uses Incode’s on-device age estimation and ID scan capabilities, not the fraud network layer. But it does indicate where Incode is heading architecturally. If the acquisition represents genuine implementation of privacy-by-design rather than marketing, Incode in two years may look meaningfully different from Incode in its TikTok deployment from a year ago.

What it does not do is address the specific concern about Incode’s TikTok retention configuration. Acquiring Identiq demonstrates a long-term architectural intent. It does not retroactively change what TikTok’s implementation agreement with Incode says about deletion timelines.

The OpenAge Problem

Here is something almost nobody is discussing: the age verification industry is building shared infrastructure, and Incode is in the middle of it.

The OpenAge Initiative, launched under k-ID’s leadership in November 2025, aims to create reusable age verification credentials. The concept: a user verifies their age once, using approved methods like biometric FAE or credit card checks, receives a FIDO passkey-based “AgeKey” credential, and can then reuse that verification across multiple platforms without re-verifying each time. Persona, Incode, and Veratad are all members.

On paper, this sounds like a privacy improvement. Verify once, prove everywhere, reduce the number of times you hand your face or ID to a vendor.

In practice, the implications depend entirely on how the credential is implemented at each layer. If the OpenAge AgeKey is truly device-bound and issuer-blinded – meaning the issuer does not see where the credential is used after issuance – then it could represent a genuine privacy advance. If the issuer is involved in each verification request, the AgeKey becomes a cross-platform tracking token, and the issuer can build a profile of everywhere you have used it.

Critics have noted this distinction clearly. “Token-based on its own tells you almost nothing until you know what it is anchored to and what gets logged,” one researcher noted. “A backend token sounds less invasive than uploading your face or your credit card, but that is mostly marketing.”

Discord is involved with k-ID, which runs OpenAge. Incode is a member of OpenAge. Veratad, which processes Discord’s ID scans through k-ID, is also in OpenAge. The network of companies handling Discord’s age verification data is tighter than the public documentation suggests.
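To make the issuer-blinded versus issuer-involved distinction concrete, here is an added illustration (not OpenAge, k-ID or Incode code; the credential format, the field names and the "phone-home" check are constructed for this example). It contrasts a design where every presentation is reported to the issuer, which therefore accumulates a log of relying parties, with one where the relying party verifies the issuer's signature offline and a fresh device signature over its own challenge, so the issuer learns nothing after issuance.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Credential binds the age claim to a device-held key (constructed format, not OpenAge's).
type Credential struct {
	DevicePub ed25519.PublicKey `json:"device_pub"`
	AgeOver18 bool              `json:"age_over_18"`
}
// Issuer signs credentials once; Log holds every relying party it learns about.
type Issuer struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
	Log  []string
}
// Issue returns the credential bytes and the issuer's signature over them.
func (is *Issuer) Issue(devicePub ed25519.PublicKey) (body, sig []byte) {
	body, _ = json.Marshal(Credential{DevicePub: devicePub, AgeOver18: true})
	return body, ed25519.Sign(is.priv, body)
}
// PhoneHomeCheck is the tracking design: every use is reported to, and logged by, the issuer.
func (is *Issuer) PhoneHomeCheck(body, sig []byte, rp string) bool {
	is.Log = append(is.Log, rp)
	return ed25519.Verify(is.Pub, body, sig)
}
// VerifyOffline is the issuer-blinded design: the relying party checks the issuer's
// signature with a published key and a fresh device signature over its own challenge.
func VerifyOffline(issuerPub ed25519.PublicKey, body, sig, challenge, devSig []byte) bool {
	var c Credential
	if !ed25519.Verify(issuerPub, body, sig) || json.Unmarshal(body, &c) != nil {
		return false
	}
	return c.AgeOver18 && len(c.DevicePub) == ed25519.PublicKeySize &&
		ed25519.Verify(c.DevicePub, challenge, devSig)
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	is := &Issuer{Pub: pub, priv: priv}
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader)
	body, sig := is.Issue(devPub)
	is.PhoneHomeCheck(body, sig, "platform-a") // issuer now knows about platform-a
	ch := []byte("rp=platform-b;nonce=constructed") // challenge minted by platform-b
	fmt.Println(VerifyOffline(is.Pub, body, sig, ch, ed25519.Sign(devPriv, ch)), is.Log)
}
```

The log is the whole point: in the first design it grows with every platform the credential touches; in the second it never does, and a credential copied to another device fails because that device cannot sign the challenge.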

What Incode’s Manifesto Says

I read Incode’s public “manifesto” document – it went up on their website four days ago, alongside the Identiq acquisition announcement – and it is worth quoting from because it describes the technical approach in more precise terms than press releases usually do.

On why they built on-device processing: “By their very nature, these workflows involve sensitive populations, including those under 18. For us, that means the privacy standard is not just high – it is absolute. When you estimate age with Incode, a human never sees an end user’s biometric data as part of the standard verification process. Now, we are taking these safety measures even further. With On-Device Age Estimation, zero data transmission occurs, period. Biometric processing happens entirely on the user’s own device. Sensitive information stays inside the user’s environment by design, with no tradeoff on accuracy. We are the first company to deliver on-device age assurance at enterprise scale and at this level of accuracy.”

And: “We did not build it this way because the law required it. We built it this way because we saw no other responsible option. The law has since caught up.”

That is a strong statement. It is also a marketing document, and the company’s TikTok retention configuration exists alongside that marketing document. Both things are true simultaneously. The architecture they describe is technically real and technically achievable. Whether it is correctly implemented in every customer deployment is a different question.

What the Biometric Update Analysis Found

The most technically precise coverage of the Discord-Incode trial came from Biometric Update, which covers the identity verification industry professionally rather than as a consumer tech story. Their analysis identified something important that most other coverage missed.

“Discord’s announcement is simple enough on the surface. But language again becomes a load-bearing hinge. Most industry experts agree that the technical challenges of age assurance have largely been solved, at least by top providers. The technology is available. Regulatory challenges remain a going concern. But the largest challenge facing the age assurance industry may be communications. The perception that age assurance vendors are nefariously collecting user data to sell at a profit is fueled in part by an inability of providers to adequately explain to users what they actually do. Erasing that paranoia will require work from providers to ensure their privacy policies clearly reflect actions made in good faith, and do not come off as tortuous or evasive.”

That is a fair characterization of the gap between what these systems actually do technically and how they are perceived. It is also somewhat self-serving from the identity industry’s perspective – the “paranoia” framing assumes that user skepticism is primarily a communications problem rather than a rational response to a documented breach and a market full of opaque data handling.

Both things can be true. The technical controls being described by Incode are real. User skepticism about whether those controls are correctly implemented is also rational. These positions are not mutually exclusive.

The Honest Assessment

So where does this leave us?

The Incode trial’s selfie flow – on-device processing, no data transmitted, pass/fail result sent to Discord – is technically what Discord promised after the Persona debacle. It implements the on-device requirement Discord set as a condition for any facial age estimation partner. The NIST accuracy data is real. The iBeta Level 3 liveness certification is real. The architecture Incode describes for the selfie path is genuinely privacy-preserving relative to the alternatives.

The Incode trial’s ID scan flow – government ID and selfie sent to Incode’s servers, date of birth extracted, everything deleted on confirmation – is where the legitimate concern lives. The TikTok retention issue the EFF documented applies to the TikTok customer configuration, not necessarily the Discord configuration. But users cannot verify that Discord’s deletion mandate is being implemented correctly. That is the gap, and it applies equally to k-ID’s ID scan path through Veratad, which has the same structural trust problem.

The transparency failure is real. Discord promised users would be told in the product which vendor is active in a given verification session. That has not happened. Incode is now in the trial, and users have no mechanism to know when Incode processed their data versus k-ID’s stack.

The behavioral profiling is real and separate from all of this. Every account on Discord is being classified by an in-house ML model using activity signals, account history, server membership, payment data, and device information. That classification is already happening. The debate about Incode is happening on top of a surveillance layer that is not vendor-specific and that predates any of the explicit verification choices.

The structural breach risk has not been solved. The manual appeals path still exists. Anyone who fails automated estimates and wants to contest the result still submits identity documents to a processing environment. Swapping vendors does not fix the architecture that produced the October 2025 exposure.

The community’s anger is not wrong. It is pointing at real problems. The TikTok comparison is the most frequently cited and the least precise. The transparency failure is real and underreported. The behavioral profiling layer is the most significant and the least discussed. And the manual appeals architecture is the most dangerous piece of the puzzle that nobody outside of security analysts seems to be talking about.

Discord is trying, badly, to build something it was not designed to build, under regulatory pressure it did not anticipate, on top of a trust deficit it created itself. Incode may well be the best facial age estimation vendor currently on the market by several technical metrics. That does not mean Discord’s implementation of it is above criticism. And it definitely does not mean the underlying premise – that a 200-million-user communication platform should be building a biometric identity infrastructure at all, absent legal compulsion – is beyond questioning.

It is not beyond questioning. The EFF is right about that. But that argument is different from the argument that Incode specifically is storing your Discord selfie forever, because that is not what the technical documentation says is happening.

Keep those two arguments separate. They matter differently. And only one of them can be answered with better engineering.

This post first appeared at - The CyberSec Guru