Discord will require a face scan or ID for full access next month

I'm biased, as I lead the Zulip project. But I think this is a reasonable place for me to post some thoughts.

Given current events in the USA, I can't emphasize enough how worried one should be about the fact that a few companies like Discord, Google (Gmail), and Meta have databases with access to the private conversations of hundreds of millions of people with their closest friends and family members, linked up with their identity.

Some of the big strengths of running a self-hosted Zulip server for your community are:

- Zulip servers are operationally simple, highly stable and easy to upgrade.

- Zulip is much better than Discord or Slack for managing the firehose of busy communities. Or at least, a lot of people tell us that they prefer the user experience to everything else they've tried, after a few weeks of getting used to it. :)

- Your community leaders get to make the policy decisions about data protection, identity, etc.

- It's 100% FOSS software, with an extremely readable and maintainable codebase that ~1500 people have successfully contributed code to. I don't think you'll find modern alternatives with a comparable featureset to Discord that are more resilient to the sponsoring company being acquired or going out of business.

- We are a values-focused organization (https://zulip.com/values/) where providing a public service is important to us all.

- Each server is completely self-contained and independent, with the only centralized services needed from us being desktop/mobile app publication and mobile push notifications delivery (which is free for community use and soon to be E2EE).

I'm happy to answer any questions.

It is a great irony that the heavy handed push for "protect da kids" is all happening while we learn, day by day, that the richest and most powerful members of our society have no problem hanging out with a convicted child sex trafficker.

Rules for thee, free love for me.

I deleted my Facebook account in 2011. After finding out how much critical neighborhood information I have been missing, I finally registered a new Facebook account fifteen years later to follow my neighborhood groups.

A month later, the account was suspended for supposedly breaking guidelines. I never posted a single message, never reacted to any posts.

They then required me to upload a video scan of my face to prove I was a person.

We aren’t quite at the end of the internet, but man I can really see the end of this journey coming sometime soon.

It should go without saying but,

*CANCEL YOUR NITRO SUBSCRIPTION NOW IF YOU'RE PAYING FOR ONE* (for whatever reason)

This was just announced today and a flood of canceled payments within the next 24 hours are the easiest way to send a message. And also tell people on the servers you're on to do the same. It's not like they give you anything of real value for that money.

Here's the October 2025 Discord data breach mentioned at the end of the article:

https://www.bbc.com/news/articles/c8jmzd972leo

> Discord, a messaging platform popular with gamers, says official ID photos of around 70,000 users have potentially been leaked after a cyber-attack.

However, their senior director states in this Verge article:

> The ID is immediately deleted. We do not keep any information around like your name, the city that you live in, if you used a birth certificate or something else, any of that information.

Why they didn't do that the first time?

When will it be normalized to be able to say "Parents should just be doing their job" before we decide to ruin everything online for everyone else.

Although I know it's not really about protecting the kids. I wonder if the politicians are exempt from this too as they were chat control.

> The scanning would apply to all EU citizens, except EU politicians. They might exempt themselves from the law under “professional secrecy” rules.

https://nextcloud.com/blog/how-the-eu-chat-control-law-is-a-...

What about my "PERSONAL SECRECY" ?

Okay, that's the end of #Discord (at least for me) because I will never upload 'selfies' or a copy of my id to a social media site, or something.

I hope Discord understands the risks they pose to their audience when they open source their IDs again.

Discord is used by a bunch of closeted users having pseudos, who wouldn't do the same activities on it if everyone had their names.

A part of the Discord users is from countries from which Discord isn't even officially accessible (eg China) or where involvement in LGBT discussions could result to death row (Afghanis are still on Discord)

For me, a company that open sourced 70,000 IDs and ask for moooooore just weeks later is just a joke about the sharing economy

The problem isn't even for new users. Some users have over a decade of private hobbies and will now need to associate their governement ID to their profile. Discord pinky swears they ask but don't keep this time, which isn't enough.

Companies shouldn't be allowed to change such fundamental ToS after an account is created.

You’re out of your mind if you think I’m gonna upload ID to use a “shitposting about video games with friends” service.

> The first option uses AI to analyze a user’s video selfie, which Discord says never leaves the user’s device. If the age group estimate (teen or adult) from the selfie is incorrect, users can appeal it or verify with a photo of an identity document instead.

Are they shipping a video classifier model that can run on all the devices that can run Discord, including web? I've never heard of this being done at scale fully client-side. Which begs the question of whether the frames are truly processed only client-side...

I guesa i dont need to use discord anymore

They'll have to "partner" with some company that's in the business of building a database of IDs and biometrics to do AI things with. Other companies in this space (Jumio) have a bad habit of ignoring privacy laws and will keep your information for years.

I wouldn't mind showing my ID to a person (in person), but there's no way I'm letting some company get a scan of my ID or passport to store in some giant database that's a rich target for hackers. Might as well give them access to all my bank accounts (Plaid) too.

(It sure would be nice if there were a national privacy law in the US.)

Also, it's illegal for companies to use facial recognition in my jurisdiction, so if I allowed them to "verify" me, they'd be breaking the law.

Oh yay, the company that told me to "just use your wife's phone" when I couldn't verify my own phone number, instead of even trying to fix the problem, now wants a copy of my face?

Pardon me if I don't have a lot of trust in their ability to keep it safe.

Ignoring the implications of this for the moment, let me broach a related (and arguably more important) question: what do you do when you have multiple communities you interact with only on one platform, and suddenly that platform becomes intolerable for a subset of your community?

What realistic open source alternatives to Discord are there? I'm currently considering moving to one of these with my friend group:

- Matrix

- Stoat, previously revolt (https://stoat.chat/)

- IRC + Mumble

- Signal

I think she is a polarizing figure to some, but journalist Taylor Lorenz has been complaining about this sort of thing for a long time. She has been increasingly warning about a future in which we need to scan IDs for all of our online services, in the name of protecting kids. (With the obvious implications about that data leaking, governments using it to track dissidents, etc.)

I talk to three people on Discord. If I have to choose between A) giving Discord my ID, B) giving Discord a fraudulent ID, or C) just chatting with them on some other program, I'll just go with C. If I cared about Discord more I guess I'd figure out B. May get started with C ahead of time anyway.

The sad thing is that I think many people will en masse pony up their ID or snapshot without a second thought. I'm not sure if enough people will refuse to actually force Discord to back off this decision (unless their idea is to grab as much data as possible at once with the understanding that they are going to back off either way).

IIRC EU was going for a zero-knowledge-proof of age system, but I guess discord isn't going to be using that then. (I don't think the ZKP system is available yet)

(here's part of it: https://digital-strategy.ec.europa.eu/en/news/commission-rel... )

To add context to the discussion, it is important to recall that Discord was reported to have recently filed paperwork with the SEC for an IPO [1]. Thus it seems likely that the real reason for the age verification (i.e., user identification) policy is to boost its perceived earnings potential among Wall Street investors. According to this theory, Discord is the new Facebook.

[1] https://techcrunch.com/2026/01/07/discords-ipo-could-happen-...

There's a special phenomenon that happens as startups grow large. They begin to drift away from the ground truth of their product, their users and how it's used. It's a drift away from users. And a drift towards internal politics. A lot like Rasmussen's drift towards danger, https://risk-engineering.org/concept/Rasmussen-practical-dri...

As startups grow beyond a critical threshold, they start to attract a certain type of person who is more interested in mercenarily growing within the company / setting themselves up for future corporate rise than building a product. These people play to the company's internal court and create deeply bitter environments that leads to more mission-driven individuals leaving the company.

Which is why we end up with decisions like OnlyFans hitting $1B / yr in revenue (with extreme profitability) off of porn and then deciding to ban porn, https://www.ft.com/content/5468f11b-cb98-4f72-8fb2-63b9623b7...

Or, Digg deciding to kill its "bury" button and doing a radical "redesign" that made Reddit worth billions.

Unity's decision to update its pricing. Sonos' app "redesign" etc etc.

Corporate vampires will cheerfully slaughter your golden goose. Or, in the best case, severely cripple it.

It's kind of surprising that no-one has really come out with a proper privacy-preserving approach to this yet. It is clearly _possible_; there are reasonable-looking designs for this. But no-one's doing it; they're just collecting photos and IDs, and then leaking them all over the place.

I can see the moderation and age-verification motivations here, but I am wary of how this changes expectations around identity on social platforms.

Mandatory age checks with biometric or ID data can create long-term privacy and reuse risks that the ecosystem has not fully reckoned with yet.

My social group are moving to a private IRC server already. This is probably the best outcome really. I don't think any of us are under 50. But we have relatives who remember when this would have resulted in some of us being killed. I wish I was sensationalising but I'm not.

It took all of 2 minutes to delete my account and block Discord from my network. Credit to Discord for making the process very easy using the mobile app. I'm not going to put up with this crap just to occasionally use this app to play games with friends. My kids sure as hell aren't going to comply with this policy either.

> After completing a chosen method, users will receive confirmation via a direct message from Discord’s official account.

Why isn’t this delivered via some sort of notification, menu, pop-up, etc? DMs seem prime for phishing

If you're looking for an alternative to Discord, check out Stoat (formerly Revolt). [1] Especially if you're an iOS dev with some free time as the iOS client could really use some love... [2]

(not affiliated with the project, just really want to see it succeed)

[1] https://stoat.chat/ [2] https://github.com/stoatchat/for-ios

Taylor Lorenz has done excellent reporting on this. It's a right wing censorial moral panic that's forced some Democrats to go along with it by positioning it as "protecting kids". This legislation is moving at a fast clip and we have to fight back.

* SCREEN Act age verification with huge implications for all online privacy: https://www.youtube.com/watch?v=8bnp3nmpK9g&list=PLu4srHCWJr...

* Abolishing Section 230, the law that protects platforms like this from being sued for user content (just published today): https://www.youtube.com/watch?v=_eqt8vrtP-U&list=PLu4srHCWJr...

* UK online safety act (it's not just the U.S.) - interview with the lawyer defending 4chan: https://www.youtube.com/watch?v=DD3PGp9RhTw&list=PLu4srHCWJr...

> and will see content filters for any content Discord detects as graphic or sensitive.

I didn't even realise discord scans all the images that i send and recieve.

So how do we know (other than obvious, NSFW servers) if we are in a server that is not "teen appropriate"? I don't feel the need to prove I'm old af, so if I'm in a server for sports betting, is that not teen appropriate? What about a pokemon server with a lot of swearing? Or just a custom server made by a friend for web dev, but has lots of random politics thrown around?

I really just don't know what isn't "safe" for teens, so hopefully this will be pretty clear somewhere.

> Facial age estimation

This clearly doesn't work and they're surely aware of it. Perhaps it's even intentional as a choice to give kids a way out, just trying to cover their own asses in regards to regulation.

F** that, guess I'm leaving that platform too now...

Why does the idea of collecting millions of images of minors not sit right? Roblox, Character.ai, Discord…

Are they going to leak IDs of minors again like they did last time? Who does this protect exactly?

Based on the (lack of) people I see refusing the optional facial recognition check at the TSA checkpoint for flying, I can't imagine this will be anything other than an overwhelming success for Discord and the surveillance state.

I truly do hope this sinks Discord. It's a dreadful platform and an information black hole.

it's like there's an inherent user-hostility in every platform that is expressed in a less-than-ideal user experience in it's usage or in the ways that the host will harvest all of your personally identifying information for various purposes (which it will also inevitably fail to properly secure, resulting in a near guaranteed leak at some point in the future).

I personally don't find ease-of-use to be worth the price of my privacy but most people are more than happy to sell themselves out piecemeal in the form of data until there's nothing left but a bunch of numbers in a spreadsheet to attest to their ever having existed.

Okay, i'm not very good at coding, especially web.

It seems to me that the "logical" solution to this is some sort of local key like "sudo" that the user enters/has access to. This key is on a cookie or request or something that says "This request is being done by a verified adult" and then the website goes "cool here's your data". If the request does not have it, then the website says "Sorry you need one of these keys/permissions to access".

I see this as elegant because like modern IDs, YES THEY COULD GET AROUND IT, but at least it gives parents and users who want to abide and try the ability. Kids get fake id's, they get stuff they shouldn't. So long as audits show that the businesses are trying to catch this and punishing those who ignore procedures properly, things are "fine".

How infeasible is this from a coding perspective? I get that we're fucking with standards here, but I figured it would make most sane users and companies happy. Companies don't have to keep PII, just a log of "yes this access from this IP was approved, but we discovered is was used falsely and banned that key", and users have a tool that's setup once locally (or refreshed when you want a new key).

I guess you'd need some way to authenticate these as if it's too easy to spoof whats the point, but it strikes me as leagues better of "store everyone's colonic map"

How off base am I here? Is the theory somewhat sound or is this just dead from the ground up?

Delete!

In case anyone else can’t read it: https://archive.is/PvpAx

Good. Maybe then we'll stop having Open Source projects using it as their only store of knowledge :)

Medium term, moving to another platform is the best solution. In the short term, I think using some other platform for the locked features is best?

For example, if we are in a server for coding, maybe we will have to use zoom or google meet as a stopgap. Curious if others have better alternatives.

Jump here, you can see Lucca (as we say in Italy, more or less..)

Good, this will hit hard on nazi-incel-related "communities".

Wow.

On one hand, I'm not surprised.

But on the other hand-- I would be terrified to be in charge of a company who needed to make this ask. It's just such a big deal, such an important bit of information to protect from hacks.

I hope they lose most of their customer base. But I'm terrified they won't.

The gradual erosion of privacy is no longer gradual.

I set up a forum when I started my site for Linux content creation. Discord had become a black hole for technical know-how on a scale IRC could never dream of, and finding answers to common questions was nigh impossible since the technology has changed and the modern way to solve problem X was never asked in a forum and never indexed by a search engine. Granted, Reddit provided a bit of a stopgap over the last decade, but the solutions in the comments these days are more often than not a confidently incorrect copy-pasta from GPT.

I use Discord for chat and voice calls since that is what I expect from a chat app, but the amount of companies that have built their community / knowledge base / support system around Discord is worrying. You know they can just delete that, right?

I'll continue to use Discord for chat until prompted to put my face in the hole :)

Great news, there’s finally going to be sufficient motivation for people to both build out and use open source alternatives.

FOSS, optionally self-hosted alternative built on nostr: https://flotilla.social/