Discord will require a face scan or ID for full access next month

Here's the October 2025 Discord data breach mentioned at the end of the article:

https://www.bbc.com/news/articles/c8jmzd972leo

> Discord, a messaging platform popular with gamers, says official ID photos of around 70,000 users have potentially been leaked after a cyber-attack.

However, their senior director states in this Verge article:

> The ID is immediately deleted. We do not keep any information around like your name, the city that you live in, if you used a birth certificate or something else, any of that information.

Why they didn't do that the first time?

It should go without saying but,

*CANCEL YOUR NITRO SUBSCRIPTION NOW IF YOU'RE PAYING FOR ONE* (for whatever reason)

This was just announced today and a flood of canceled payments within the next 24 hours are the easiest way to send a message. And also tell people on the servers you're on to do the same. It's not like they give you anything of real value for that money.

I'm biased, as I lead the Zulip project. But I think this is a reasonable place for me to post some thoughts.

Given current events in the USA, I can't emphasize enough how worried one should be about the fact that a few companies like Discord, Google (Gmail), and Meta have databases with access to the private conversations of hundreds of millions of people with their closest friends and family members, linked up with their identity.

Some of the big strengths of running a self-hosted Zulip server for your community are:

- Zulip servers are operationally simple, highly stable and easy to upgrade.

- Zulip is much better than Discord or Slack for managing the firehose of busy communities. Or at least, a lot of people tell us that they prefer the user experience to everything else they've tried, after a few weeks of getting used to it. :)

- Your community leaders get to make the policy decisions about data protection, identity, etc.

- It's 100% FOSS software, with an extremely readable and maintainable codebase that ~1500 people have successfully contributed code to. I don't think you'll find modern alternatives with a comparable featureset to Discord that are more resilient to the sponsoring company being acquired or going out of business.

- We are a values-focused organization (https://zulip.com/values/) where providing a public service is important to us all.

- Each server is completely self-contained and independent, with the only centralized services needed from us being desktop/mobile app publication and mobile push notifications delivery (which is free for community use and soon to be E2EE).

I'm happy to answer any questions.

I hope Discord understands the risks they pose to their audience when they open source their IDs again.

Discord is used by a bunch of closeted users having pseudos, who wouldn't do the same activities on it if everyone had their names.

A part of the Discord users is from countries from which Discord isn't even officially accessible (eg China) or where involvement in LGBT discussions could result to death row (Afghanis are still on Discord)

For me, a company that open sourced 70,000 IDs and ask for moooooore just weeks later is just a joke about the sharing economy

The problem isn't even for new users. Some users have over a decade of private hobbies and will now need to associate their governement ID to their profile. Discord pinky swears they ask but don't keep this time, which isn't enough.

Companies shouldn't be allowed to change such fundamental ToS after an account is created.

You’re out of your mind if you think I’m gonna upload ID to use a “shitposting about video games with friends” service.

I deleted my Facebook account in 2011. After finding out how much critical neighborhood information I have been missing, I finally registered a new Facebook account fifteen years later to follow my neighborhood groups.

A month later, the account was suspended for supposedly breaking guidelines. I never posted a single message, never reacted to any posts.

They then required me to upload a video scan of my face to prove I was a person.

We aren’t quite at the end of the internet, but man I can really see the end of this journey coming sometime soon.

Oh yay, the company that told me to "just use your wife's phone" when I couldn't verify my own phone number, instead of even trying to fix the problem, now wants a copy of my face?

Pardon me if I don't have a lot of trust in their ability to keep it safe.

What realistic open source alternatives to Discord are there? I'm currently considering moving to one of these with my friend group:

- Matrix

- Stoat, previously revolt (https://stoat.chat/)

- IRC + Mumble

- Signal

They'll have to "partner" with some company that's in the business of building a database of IDs and biometrics to do AI things with. Other companies in this space (Jumio) have a bad habit of ignoring privacy laws and will keep your information for years.

I wouldn't mind showing my ID to a person (in person), but there's no way I'm letting some company get a scan of my ID or passport to store in some giant database that's a rich target for hackers. Might as well give them access to all my bank accounts (Plaid) too.

(It sure would be nice if there were a national privacy law in the US.)

Also, it's illegal for companies to use facial recognition in my jurisdiction, so if I allowed them to "verify" me, they'd be breaking the law.

To add context to the discussion, it is important to recall that Discord was reported to have recently filed paperwork with the SEC for an IPO [1]. Thus it seems likely that the real reason for the age verification (i.e., user identification) policy is to boost its perceived earnings potential among Wall Street investors. According to this theory, Discord is the new Facebook.

[1] https://techcrunch.com/2026/01/07/discords-ipo-could-happen-...

Ignoring the implications of this for the moment, let me broach a related (and arguably more important) question: what do you do when you have multiple communities you interact with only on one platform, and suddenly that platform becomes intolerable for a subset of your community?

I hope that this causes enough outrage that Discord starts to lose its effective-monopoly for gamers and other folks. The platform has been getting more and more shitty over time and it isn't healthy for one product to have this much power.

The sad thing is that I think many people will en masse pony up their ID or snapshot without a second thought. I'm not sure if enough people will refuse to actually force Discord to back off this decision (unless their idea is to grab as much data as possible at once with the understanding that they are going to back off either way).

I have mentioned this before, but age verification can be solved by hash chains. They can prove age without compromising privacy.

It is crazy that the solutions Discord goes for are IDs and selfies. It definitely gives the impression that there are shady ulterior motives.

Hash chains are simple. If they were adopted, Discord would clearly be in bad faith taking the steps that they do now. If you search you will find quite a bit of information. My introduction to hash chains is for for age verification specifically: https://spredehagl.com/2025-07-14/

I talk to three people on Discord. If I have to choose between A) giving Discord my ID, B) giving Discord a fraudulent ID, or C) just chatting with them on some other program, I'll just go with C. If I cared about Discord more I guess I'd figure out B. May get started with C ahead of time anyway.

I think she is a polarizing figure to some, but journalist Taylor Lorenz has been complaining about this sort of thing for a long time. She has been increasingly warning about a future in which we need to scan IDs for all of our online services, in the name of protecting kids. (With the obvious implications about that data leaking, governments using it to track dissidents, etc.)

Please do not fall of the deceptive language that is used here. They're calling this "teen experience".

This is not about "i see gentila we ban". They're very vague about what is obscene, sticking to that level of a consistent definition, and they're very heavy handed in punishing.

They're introducing a highly restricted experience unless you hand over your details to either a "technology" (which that's very unclear about how honest they're being) or a company that has been caught for leaking sensitive details.

It's a relief to finally read that Discord is indirectly shutting down and getting rid of it's users. It was inevitable but dragged out far too long with all the VC money to burn. Hopefully everyone can figure out how to use XMPP and/or get back on IRC. It is a genuine shame how much culture and information will be lost inside their walled garden though.

I think Apple / Google need to implement verification on the device - we already accept the device knows who we are.

And then social media platforms should be able to have the device confirm the user is over 18 and that’s all they need to know.

IIRC EU was going for a zero-knowledge-proof of age system, but I guess discord isn't going to be using that then. (I don't think the ZKP system is available yet)

(here's part of it: https://digital-strategy.ec.europa.eu/en/news/commission-rel... )

> The first option uses AI to analyze a user’s video selfie, which Discord says never leaves the user’s device. If the age group estimate (teen or adult) from the selfie is incorrect, users can appeal it or verify with a photo of an identity document instead.

Are they shipping a video classifier model that can run on all the devices that can run Discord, including web? I've never heard of this being done at scale fully client-side. Which begs the question of whether the frames are truly processed only client-side...

I understand the frustration towards Discord, especially because this is a global rollout of a policy they're only required to enforce in specific countries, but it's IMO misdirected. They're likely trying to get ahead of the legislation. The way the winds are blowing indicates the Western governments that haven't already passed legislation mandating ID verification soon will.

You can move to $ALT_PLATFORM but unless it's self hosted they'll eventually have to enforce the same policy.

Direct your anger at the geriatrics in government who don't understand the risks of these laws first. You only have to watch the TikTok CEO's hearing in Congress to see how American politicians don't understand technology.

I'm not necessarily opposed to age restrictions, but letting each website figure out its own age verification system is a terrible idea. Uploading your ID to lots of websites opens you up to identity theft.

Any government that demands age verification from websites, should offer an eID system where each site can redirect you for the age verification. That way random sites don't have to worry about handling sensitive data.

It's kind of surprising that no-one has really come out with a proper privacy-preserving approach to this yet. It is clearly _possible_; there are reasonable-looking designs for this. But no-one's doing it; they're just collecting photos and IDs, and then leaking them all over the place.

There's a special phenomenon that happens as startups grow large. They begin to drift away from the ground truth of their product, their users and how it's used. It's a drift away from users. And a drift towards internal politics. A lot like Rasmussen's drift towards danger, https://risk-engineering.org/concept/Rasmussen-practical-dri...

As startups grow beyond a critical threshold, they start to attract a certain type of person who is more interested in mercenarily growing within the company / setting themselves up for future corporate rise than building a product. These people play to the company's internal court and create deeply bitter environments that leads to more mission-driven individuals leaving the company.

Which is why we end up with decisions like OnlyFans hitting $1B / yr in revenue (with extreme profitability) off of porn and then deciding to ban porn, https://www.ft.com/content/5468f11b-cb98-4f72-8fb2-63b9623b7...

Or, Digg deciding to kill its "bury" button and doing a radical "redesign" that made Reddit worth billions.

Unity's decision to update its pricing. Sonos' app "redesign" etc etc.

Corporate vampires will cheerfully slaughter your golden goose. Or, in the best case, severely cripple it.