Age verification law has its first identity document breach

The U.K.’s Online Safety Act, which requires social media and other companies to implement age estimation and verification tools in order to prohibit minors from accessing a variety of content, went into effect in July. It was only a matter of time until an age assurance system was breached. The compromise of Discord’s vendor is the first known breach of this kind, and it offers a warning for lawmakers seeking to replicate the rules of the Online Safety Act.

According to The Verge, Discord reported early on that the data compromised by the hack included “names, usernames, emails, and the last four digits of credit card numbers.” Discord also noted that they “have identified approximately 70,000 users that may have had government-ID photos exposed.” Discord explained that an unauthorized party compromised the service provider reviewing these documents. In short, if a user believed their age had been wrongly estimated as too young, they could upload their government ID through this separate system to appeal and prove their age. That was the system that was hacked. The attackers demanded a ransom of several million dollars for the data, which is valuable for many reasons, including that such identification information can be used to steal identities or break into people’s bank accounts.

Advocates of facial estimation tools—where users scan their faces online and a service estimates their ages to see if they’re above or below a certain age—note that these systems avoid the need to upload anything more sensitive than a face scan. They often acknowledge, though, that when these tools underestimate a person’s age, the user must fall back on uploading government identification. But even if these systems err only 5% of the time, that can still mean millions of IDs will need to be checked, especially as most people use more than one social media or other regulated platform.

The hacked IDs from Discord’s vendor belong to people trying to prove that their real age allows them to view age-restricted content—a broad category under the U.K. law, including even violence against fictional characters. This is an important reminder of the security risks inherent in age verification policy. Government ID is sometimes the first choice for age assurance, and otherwise it remains the fallback when other methods of verification fail. And systems can be compromised.

Whether platforms choose to build their own verification systems or use vendors for these services in order to hand the work over to experts, these systems are vulnerable. This holds true for websites, apps, app stores, and device-level age verification. Every form of government requirement would run into the same issues, because the methods of age assurance are limited to those discussed here. Earlier this year, the Tea app suffered a breach that exposed government IDs along with other sensitive information such as user locations. The fact that it retained these documents at all violated its own privacy policy. It is worth noting that Tea used age verification by choice rather than to comply with the law, and that it used its own verification system. Users cannot know whether providers live up to the privacy and security standards that companies profess. Last year, the age and identity verifier that worked with many of the top tech companies, including X and TikTok, was also breached, with malicious actors able to access users’ sensitive documents for over a year.

These security risks have never been theoretical, but the Discord vendor breach now provides an early example of a breach directly tied to the requirements of the U.K.’s age verification law. Government-mandated age verification, as this case demonstrates, in effect means that bad actors will have more vectors through which to reach users’ private information. The more data that is shared, the more opportunity there is to access that data. Other platforms may opt to implement age assurance systems on their own, but the government ought to be careful about requiring them to do so and should heed this early warning from the U.K. Breaches and hacks are inevitable, and the Discord vendor breach is only the first we should expect to see here.