Latest: Persona CEO Rick Song has broken his silence, publicly releasing the full email correspondence with security researchers at vmfunc amid explosive surveillance allegations.



Persona, the identity verification service powering age checks on platforms like Roblox, Discord (briefly), Reddit, and ChatGPT, is getting heat this week after security researchers published what they’re calling a deep look into a large-scale identity surveillance setup — one that users handing over their selfies and IDs to these platforms likely had no idea about.

The report, published on February 16 by researchers at vmfunc, claims the entire Persona government dashboard codebase, all 53 megabytes of it across 2,456 files, was sitting unprotected on a FedRAMP-authorized government endpoint. No breach, no exploit needed. According to the researchers, JavaScript source maps were left publicly accessible via a live /vite-dev/ path, apparently a dev-build configuration that made it to production on a platform handling government identity data. Source maps exist so developers can debug a minified bundle against its original files; when a map embeds those files' contents, anyone who can download it can reconstruct the source.


According to the researchers, the platform can file Suspicious Activity Reports directly to FinCEN, the US Treasury's Financial Crimes Enforcement Network, and similar reports to Canada's FINTRAC, with internal codenames attached such as Project SHADOW, Project LEGION, and others.

Selfies uploaded during a routine verification can reportedly land in biometric face lists stored for up to three years. There’s a check that compares your selfie against photos of politicians and public figures, returning a similarity score.

Another check is literally named “SelfieSuspiciousEntityDetection” and the code apparently offers no explanation of what qualifies a face as suspicious. There are even lookups against Social Security Administration records for deceased persons. In total, researchers counted 269 verification checks running across the system.

One thing that stood out in the report was that the government-facing Persona platform and the regular consumer one reportedly share the same underlying codebase, as confirmed by matching code commits. Persona earned FedRAMP authorization in October 2025, yet the source maps were still live, which raises fair questions about how that slipped through.


Persona’s CEO Rick Song is apparently now in direct contact with the researchers and has agreed to answer 18 written questions for a planned follow-up. Some of those questions touch on a mismatch between OpenAI’s stated one-year biometric retention policy and a three-year cap found in the code, as well as why users in Ukraine appear to be getting blocked despite no active sanctions.


This same Persona service is what Reddit, Roblox, Character.AI, and Discord have been routing users through for age checks. We covered Discord's case just last week, after it was spotted routing UK users through Persona, before Discord called it an experiment and wound it down. We had also reported earlier on ChatGPT's and Character.AI's Persona-based age verification rollouts.

The story has taken off on X, reached the front page of Hacker News, and sparked discussion on r/privacy and r/ChatGPT. Persona calls its tools privacy-focused compliance infrastructure. The researchers clearly disagree.


Dwayne Cubbins
