This was inevitable the moment they started taking government ID for proving age. It was a terrible idea, it was made worse by the companies themselves being unproven. This will lead to substantial ID theft crime in the future, as many predicted. If it's on the internet someone will get it, even the most capable internet companies have been hacked.
I am not going to give YouTube a copy of my ID just to watch videos with bad words in them.
I hate what the internet is becoming through government and corporate policies
My Google account is 21 years old and I still get asked to verify my age is older than 18 years.
I'm of two minds on this.
On the one hand, it would be such an obvious proof of age that you've had the account for 21 years so why not pass you.
On the other, this would become a form of grandfathering such that all of us oldtimers and people in the establishment never directly see and experience the impact of these policies. It's mostly in the younger generations (still adults but their accounts may only be 5-10y) and people in exposed situations who get impacted.
So while it seems silly, at least process becomes visible.
You missed the obvious one, it creates a black market for old accounts
That market already exists and not really something I care about.
In all fairness you could have taken over the account of the human host you burst out from.
What country are you in? I have never been asked to verify my age and my account is around the same age.
My account was created in the US and it happens occasionally — regardless of country — when some YouTube video is deemed too gore-y for Google to allow me to see. It seems totally arbitrary, but on the other hand I never watch the videos so maybe they're protecting my innocence.
I don't think country has an impact. I've experienced it in both US and UK with extensive years spent in both.
I have a premium account and I still get all dirty words bleeped and st**ed. This is insane, I wish it were a European company where we are not afraid of words.
I understand moderation for obvious hate speech or violence (of course "obvious" means something different for everyone) but sex or fuck are normal words for normal adults.
YouTube demonetizes videos that have "too much" cursing in them
I know, I am aware of the consequences of putting "inappropriate" content. The idea itself is flawed.
> This was inevitable the moment they started taking government ID for proving age.
Who wants to bet that this was the intended outcome all along?
Comment I wrote on the other thread (which didn't get any traction at all):
some key facts Discord are maliciously intentionally withholding:
- (approx.) amount of affected users, seeing hundreds of comments on reddit + twitter
- tickets timespan, I personally have multiple support accounts, one has only one ticket from July which got the email
- affected ticket categories
- whether phone numbers were leaked (can lead to further attacks such as SIM swapping)
- whether addresses were leaked (they carefully use language "limited billing information" rather than stating the exact pieces)
I don't know about EU but in NL no company may ask you for your ID. Only government may. So if they insist, I show a censored version which hides vital data. There's also Yivi (Irna) an application which only shares (after verification) certain data like 'are you over 18 y.o.' (age of legal adolescence, driving age, drinking age) or something like your email address. Because companies CS never delete such data after verification. They sit on a goldmine of data, while data is a toxic asset (as per Schneier's essay).
Is this true even for financial services like for example cryptocurrency exchanges?
Per Discord's press release, it appears only a small subset of photo IDs were leaked:
> The unauthorized party also gained access to a small number of government ID images (e.g., driver’s license, passport) from users who had appealed an age determination.
https://discord.com/press-releases/update-on-security-incide...
You seem to be reading the press release language exactly as they'd like you to read it.
Users only upload their government ID to Discord when the "Face Scan" [0] incorrectly estimates their age as being less than 18. Discord could reasonably classify this as a "small number" of users who need to upload their government ID image. That wouldn't preclude it from also being every user who needs to upload their government ID image — unless there is some other system that also requires them to upload it?
With that in mind, here's a rephrasing of the same statement:
> The unauthorized party also gained access to all uploaded government ID images.
Their press release does NOT say it's a small subset of photo IDs. It says a "small number" of government ID images — nothing about percentages. This would be consistent with the "small number" of users who need/choose to appeal an incorrect age estimation from Face Scan.
[0] https://support.discord.com/hc/en-us/articles/30326565624343...
This comment is a fantastic study on how to adversarially read press releases like this. I suspect it's exactly correct: likely all photo IDs were leaked, but they decided to cast it as a small number by implicitly comparing it to the number of all Discord users. I guess we'll have to wait and see if that's actually correct. We may never find out.
There are two options for verifying your age on Discord - face scan OR uploading government ID. So some people may have uploaded their ID instead of doing the face scanning, for whatever reason.
> for whatever reason
For example if the face verification failed and you need to file an appeal which requires uploading government ID. That's likely a sizeable number of users, especially since the breach happened shortly after the requirement was implemented and many existing users had to do it.
I'm not sure why this is being downvoted. Commenter is entirely correct. If someone has an answer to their question that would add credibility to Discord's phrasing and GP's interpretation, I'm all ears, but otherwise it does seem like this is the case, and every ID they've collected has been leaked, not a subset.
(To say nothing of... does it matter the amount of IDs leaked?)
If a message like "I'm 12", regardless of context, is reported, Discord will ban the account & hold it hostage until user sends selfie + ID to them via support. (the compromised portal, not a third party app dedicated to this)
They intentionally chose NOT to disclose a date range or even how many ID tickets compared to standard tickets were leaked.
Not going to defend discord here, I hate them with a passion but COPPA violations have the potential to kill your company.
I've felt kind of miffed in the past for not being able to join Discord communities. Discord always wanted my phone number, and I wasn't ready to share that.
I am no longer miffed :)
Make storing personal data which is not essential to normal operation illegal.
It really is that simple.
Regulation 1 mandates data collection, creating unintended consequences. Now, regulation 2 is required to counter the effects of regulation 1. Regulation 2's unintended consequences are similarly either unknown or ignored. This suggests that regulation 3 may be necessitated and that the trend may continue indefinitely.
In theory infinite regulations would suggest that no one would be permitted to do anything eventually. However, before we reach that point, the cost of compliance will be so high that publishing websites will become untenable.
An equilibrium of regulatory capture favoring large publishers will likely emerge before this point. Those large interests will have the resources to influence regulatory outcomes. Their incentives will include maintaining a sufficiently high barrier to entry while optimizing their own compliance costs.
It isn't because age verification has made storing personal information like this an "essential" operation.
Absolutely untrue. Make "user proved with ID they're 18+" an immutable flag of the account, and delete the toxic data you verified to prove it.
You don't need to store the information after verification.
Discord doesn't store ID indefinitely either, but there is a time frame, both between data submission and processing, as well as between the start of the breach and the end, during which the data can be leaked.
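The flag-and-delete design argued for in the comments above, together with the exposure window the last reply points out, sketched as an added example that is not part of the thread and not Discord's code. The class names, the 72-hour retention cap and the sample users are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field

RETENTION_SECONDS = 72 * 3600  # assumed cap on how long an unreviewed upload may sit


@dataclass
class Account:
    age_verified: bool = False          # the only durable outcome of verification
    verified_at: float | None = None


@dataclass
class VerificationQueue:
    accounts: dict = field(default_factory=dict)  # user -> Account
    pending: dict = field(default_factory=dict)   # user -> (uploaded_at, image bytes)

    def submit(self, user: str, id_image: bytes, now: float) -> None:
        self.accounts.setdefault(user, Account())
        self.pending[user] = (now, id_image)

    def review(self, user: str, is_adult: bool, now: float) -> None:
        # Record the decision, then drop the image whether it passed or failed.
        self.pending.pop(user)
        if is_adult:
            acct = self.accounts[user]
            acct.age_verified, acct.verified_at = True, now

    def purge_expired(self, now: float) -> list:
        # A ticket nobody answers must not keep the image indefinitely.
        stale = [u for u, (t, _) in self.pending.items() if now - t > RETENTION_SECONDS]
        for u in stale:
            del self.pending[u]
        return stale

    def exposed_images(self) -> set:
        # What a breach of this store would yield at this moment.
        return set(self.pending)


def demo() -> dict:
    q = VerificationQueue()
    q.submit("alice", b"<constructed image bytes>", now=0)
    q.submit("bob", b"<constructed image bytes>", now=0)
    q.review("alice", is_adult=True, now=3600)      # alice keeps a flag, no image
    mid_window = q.exposed_images()                  # bob is still waiting on review
    purged = q.purge_expired(now=RETENTION_SECONDS + 1)
    return {"mid_window": mid_window, "purged": purged,
            "after": q.exposed_images(),
            "alice_flag": q.accounts["alice"].age_verified}
```

The breach exposure is bounded by the pending queue, so review latency and the retention cap are the numbers that determine how many IDs can leak.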
And a few people thought I was being ridiculous by not providing my ID to verify to Discord that I am over 18. How sadly predictable.
The best part is the ticket they say I’m a part of the breach with… Discord literally never even acted on it. They let the ticket go to the void and never had anyone in support answer it.
Imagine a place…
Effin hell, and they don't even let you remove your payment method from your account, just like Anthropic/Claude. Who needs to be smacked in the head to be taught that basic bit of user privacy/security?
Yet another reason (if one were needed beyond the obvious stupidity) why the Online Safety Act was a ruinously stupid piece of legislation.
Oh shit I received an email from discord saying some of my personal data on my discord account got breached. I have never used discord support aside from the one time where I contacted support to try to get my original discord account back because I lost my email but it was inevitable I didn't link my discord with any credit card info but maybe my phone number? What should I do now??