Discord’s age verification plans have turned into a very public vendor fight, and Persona CEO Rick Song is now trying to draw a hard line between what Discord implied about Persona and what he says the platform can actually do. Discord’s CTO published “Getting Global Age Assurance Right: What We Got Wrong and What’s Changing,” after heavy community backlash.
We already covered Discord delaying the global rollout and moving forward without Persona in our earlier report. Now, Song is slightly pushing back at Discord’s write-up, saying “some of the implications… about the capabilities & features of our platform are patently false,” while also arguing that Persona does offer on-device age verification and even offered free credit card-based checks.
A key flashpoint is Discord’s statement that it’s setting a new bar for facial age estimation that must happen entirely on-device. Song says Persona can meet that requirement, but also claims Discord wanted stronger anti-bypass protection, including defenses against deepfakes, bots, and even “video game photo mode” attempts.
Song even mentioned how, in his discussion with Discord, he requested them not to mention that Persona doesn’t offer on-device facial age estimation tech. Yet, the Discord blog post still claims Persona did not meet that bar.
If you missed it, we highlighted how teens were bypassing on-device facial age estimation earlier this year. So it’s no surprise that Discord demanded a better system in place, but it seems to have thrown Persona under the bus.
At the same time, this isn’t just about Discord. The bigger heat around Persona came from researcher vmfunc’s ongoing “watchers” series, where “part 2” publishes a full back-and-forth email correspondence with Song. We had reported on most of the back-and-forth previously, but this post lays it all out.
In that correspondence, vmfunc notes Song’s claim that a FedRAMP-related cluster they found was a migration target under development, and that distinction matters even if it’s still a serious miss.
Song’s public thread also tries to calm the scariest interpretations that spread fast once the source maps and archived code were circulating. He says Persona wasn’t hacked, says Persona doesn’t send identities “to the government,” says it doesn’t use customer data to train AI, and says there are “NO” customers running anywhere near “all of the 269 checks” people have been talking about.
On the technical claims, the vmfunc correspondence lays out what Song answered clearly versus what he didn’t touch. The largest answered bucket centers on watchlist screening scope and data retention. vmfunc reports that Song describes openai-watchlistdb as a sanctions screening tool (OFAC/SDN) that is stateless and does not involve biometrics, with retention limits including a 3-year global cap, though shorter customer-specific policies take precedence.
Some of the most consequential questions are still hanging, though, and they’re the ones that apply to everyone using identity verification, not just one high-profile customer. vmfunc points to missing clarity around experimental selfie/ID models, what triggers “suspicious entity” flags, BIPA risk, what law enforcement access looks like, and what Persona’s internal AI tooling can see.
Persona has also pointed readers to its own post-incident review about the source map exposure on a non-production subdomain, framing it as an exposure of frontend artifacts rather than a breach of customer data or backend secrets.
For Discord users, the real test starts now: even with a revised plan and stronger on-device promises, we’ll still have to wait and see how well the age verification flow works once more people actually hit it in the wild, especially when bypass attempts and edge cases scale up.
Featured image generated with AI


