• How we got here
• The vendor layer
• How the trap works
• Where this is heading
• The part that bothers me most
• The pattern
  • Sources

In February 2026, security researchers found something on a U.S. government-authorized server that I keep thinking about. The uncompressed frontend code of Persona, the company that handles age verification for Discord, Reddit, Roblox, and OpenAI, was sitting there in 2,456 accessible files.

What they found wasn’t an age checker.

Persona’s software runs 269 distinct verification checks. It performs facial recognition against watchlists. It screens identities against databases of politically exposed persons. It scans “adverse media” across 14 categories including terrorism and espionage. It assigns risk and similarity scores. It can retain your IP address, browser fingerprint, government ID number, phone number, face, and something called “selfie analytics” including pose repeat detection, for up to three years.

All of that is sitting behind the “verify your age” button on Discord.

§How we got here

The story starts with a real problem. Kids are getting hurt online. The research on mental health effects of social media on minors is real and growing. Parents feel powerless. Legislators feel pressure.

So age verification became the answer.

In June 2025, the Supreme Court upheld Texas’s age verification law 6-3. The Court applied intermediate scrutiny, a less stringent standard than it used in 2004 when it struck down a similar federal law. State legislatures read this correctly: these laws will survive challenges.

They moved fast. Half of U.S. states now mandate age verification for adult content or social media. Texas, Utah, Louisiana, and California require age gates on app stores. Australia banned under-16s from social media entirely in December 2025, and 4.7 million accounts have already been deactivated. The EU’s Chat Control regulation passed committee in November 2025 with scanning “voluntary” but age verification mandatory. KOSA cleared a House subcommittee that December and is heading to full committee.

Every single one of these laws requires the same thing: a system that can determine who is using the internet and report back.

§The vendor layer

Here’s the part that gets less attention. Governments write the laws. Platforms comply with them. But neither governments nor platforms verify anyone’s age themselves. They hire companies like Persona to do it.

Persona’s investors include Peter Thiel’s Founders Fund, which led both its $150 million Series C and $200 million Series D. Thiel co-founded Palantir, whose government surveillance contracts include ICE, the CIA, the NSA, and the Department of Defense.

I want to be careful here because “Peter Thiel surveillance connection” can sound conspiratorial. But this is just straightforward capital flow. The same money that built government surveillance tools is now funding the company that verifies your identity on consumer platforms. The tech is the same: facial recognition, watchlist matching, risk scoring, long-term data retention. The difference is the front door. Instead of a CBP agent demanding your papers, it’s a friendly screen asking you to hold your ID up to the camera so you can message your friends.

In October 2025, a breach of Discord’s third-party customer service provider exposed 70,000 government ID photos, along with names, usernames, emails, partial credit card data, and IP addresses. NBC News confirmed the breach. Those were the IDs people had submitted for age verification.

Discord cut ties with Persona in late February 2026 after the frontend exposure went public. But the pattern is already visible: age verification creates centralized stores of government identification documents in the hands of private companies whose security track record has not been great.

§How the trap works

I’ve been calling this the Protection Racket. The mechanism has three parts.

First, a legislature passes a child protection law requiring age verification. The politics guarantee this because nobody wants to be the person who voted against protecting children. The Texas law survived the Supreme Court. Twenty states followed. The EU is next.

Second, platforms hire identity verification vendors to comply. These vendors build systems far more comprehensive than “is this person 18,” because they have to. Persona doesn’t run 269 checks out of thoroughness about age verification. It runs 269 checks because the same infrastructure serves KYC compliance, fraud detection, government contracts, and enterprise identity. Age verification is the wedge that gets the full stack deployed at consumer scale.

Third, once millions of verified identities sit in a vendor’s database, the pressure to monetize and repurpose that data becomes enormous. Data collected to protect children can be sold to law enforcement, used to train AI models, or subpoenaed in investigations. A February 2026 report found that Discord data, including verification data, is being sold to law enforcement agencies and AI companies.

And then it feeds back on itself. Each breach generates outrage. Outrage generates demand for regulation. Regulation generates more verification. More verification generates more data in more databases. Which generates more breaches.

§Where this is heading

If you want to see the endgame, watch Mark Zuckerberg.

During testimony in a child safety lawsuit in February 2026, Zuckerberg argued that age verification shouldn’t happen at the app level. It should happen at the operating system level, built into iOS and Android by Apple and Google. Colorado’s SB 26-051, introduced that same month, would require exactly this.

Think about what that means. Every smartphone would have a verified identity layer that every app can query. Not just social media. Every app. Your age, confirmed by your government ID, accessible to any service that asks.

That’s not age verification. It’s a national digital ID system entering through the side door of child protection. It would end anonymous internet access for the 97% of smartphone users who run iOS or Android.

Privacy-preserving alternatives do exist. A European identity wallet developer described on Hacker News how zero-knowledge proofs can confirm “over 18” without disclosing your birthdate or identity. France has mandated a “double-blind” system where the website doesn’t learn the user’s identity and the verification provider doesn’t learn which site the user visits.

These approaches are technically viable. They are almost never what gets implemented, because the companies building age verification have financial incentives that point in the opposite direction.

§The part that bothers me most

Look, the harm to children is real. I’m not dismissing that. Tech executives shield their own children from their own products, a fact that got 4,400 upvotes on Reddit’s privacy community this month. If the people who built these platforms won’t let their kids use them, the harm is not theoretical.

But there are other ways to deal with it, and I don’t see anyone seriously pushing them.

Regulate engagement design: the infinite scroll, the notification loops, the algorithmic amplification that makes these platforms harmful to developing minds. Ban targeted advertising to minors, and the economic incentive to keep children hooked disappears. Require opt-in algorithms instead of opt-out, so the default experience isn’t built to extract maximum attention.

None of that requires a database of everyone’s government ID. None of it creates targets for hackers or data that gets repurposed for surveillance.

It also doesn’t create a $200 million venture-backed business. Which, I suspect, is the real reason it isn’t what’s being built.

§The pattern

There’s a line I keep returning to from a Hacker News commenter: “The purpose of a system is what it does.”

What age verification actually does, in practice, is build a global database of verified identities linked to online activity, operated by private companies with surveillance-industry funding, secured to standards that have already failed, and accessible to law enforcement through legal processes that expand every year.

In Texas, a police officer used a network of 83,000 cameras to track a woman who got an abortion. In February 2026, Reddit, Meta, and Google voluntarily handed DHS information about anti-ICE users. The infrastructure being built for age verification will be used for whatever the people with access decide to use it for. That’s not speculation. That is what happens to every surveillance infrastructure ever built.

The question isn’t whether age verification protects children. Some implementations might. The question is whether requiring every internet user to prove their identity to private companies is proportionate to the problem of minors accessing inappropriate content.

Half of U.S. states, the European Union, and Australia have said yes. The databases are filling up faster than anyone can secure them.

70,000 government IDs have already leaked from a single vendor. And that was before most of the mandates even took effect.

§Sources

• “Is Age Verification a Trap?” IEEE Spectrum (Waydell D. Carvalho, Feb 23, 2026)
• “Hackers expose the massive surveillance stack hiding inside your age verification check,” Techdirt (Feb 25, 2026)
• “Age verification vendor Persona left frontend exposed,” Malwarebytes (Feb 2026)
• “Persona leak exposes global surveillance capabilities,” Cybernews (Feb 2026)
• “70,000 government ID photos exposed in Discord user hack,” NBC News (Oct 2025)
• “Discord says 70,000 age verification ID photos may have been leaked,” PC Gamer (Oct 2025)
• “Discord’s age verification rollout has ties to Palantir co-founder Peter Thiel,” PC Gamer (Feb 2026)
• “Discord-Peter Thiel-backed Persona identity verification breach,” Fortune (Feb 24, 2026)
• “Roblox, Reddit and Discord users compelled to use biometric ID system backed by Palantir co-founder,” Open Rights Group (Feb 22, 2026)
• “Discord postpones age verification rollout amid criticism,” ABC News (Feb 2026)
• “Discord pushes back age verification rollout after backlash,” NBC News (Feb 2026)
• “Discord co-founder admits age check privacy missteps,” Reddit r/technology (Feb 25, 2026)
• Free Speech Coalition v. Paxton, Supreme Court (June 27, 2025)
• “Age Verification Systems Are Surveillance Systems,” EFF (Dec 2025)
• “The Year States Chose Surveillance Over Safety,” EFF (Dec 2025)
• “Discord Voluntarily Pushes Mandatory Age Verification Despite Recent Data Breach,” EFF (Feb 2026)
• “After years of controversy, EU’s Chat Control nears its final hurdle,” EFF (Dec 2025)
• “Chat Control: Voluntary Surveillance, Mandatory Age Verification,” ComplianceHub (Nov 2025)
• Australia under-16 social media ban (Dec 10, 2025), CNBC
• Colorado SB 26-051: OS-level age verification bill (Feb 2026)
• “Zuckerberg’s Fix for Child Safety Could End Anonymous Internet Access for Everyone,” Reddit r/privacy (Feb 22, 2026)
• “She Got an Abortion. So A Texas Cop Used 83,000 Cameras to Track Her Down,” Reddit r/privacy (Feb 2026)
• “Reddit, Meta, and Google Voluntarily Gave DHS Info of Anti-ICE Users,” Reddit r/privacy (Feb 2026)
• “Tech billionaires are publicly shielding their children from their products,” Reddit r/privacy (Feb 2026)
• KOSA (S.1748/H.R.6484) House subcommittee markup (Dec 11, 2025)

Originally published at https://noahaust2.github.io/strategist-dashboard/blog/the-protection-racket.html