Your Selfie Is Going Places You Didn't Expect
A 53MB source code leak from Persona, the identity verification platform used by OpenAI, Reddit, Roblox, Discord, and Character.AI for age checks, has exposed what researchers describe as a hidden surveillance infrastructure that transforms routine verification selfies into entries in a biometric database linked to financial records and law enforcement systems.
The leak occurred because of misconfigured Vite build tooling that left Persona's original frontend source code publicly accessible. Researchers who analyzed the code found capabilities and data flows that go far beyond what users are told when they snap a verification selfie.
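The page does not say which Vite setting was misconfigured; the most common way a bundler hands out original frontend source is by shipping source maps with the production build. As an added example (not code from the page or from Persona), here is a small release gate that flags shipped `.map` files and bundles carrying a `sourceMappingURL` reference, run against a constructed sample build directory.

```shell
#!/bin/sh
# Added example: release gate for a production frontend build directory.
# It looks for two things a misconfigured bundler commonly leaves behind:
# *.map files, and JS/CSS bundles with a sourceMappingURL comment that
# points browsers (and anyone else) at a map whose sourcesContent carries
# the original source. This is a generic check, not a reconstruction of
# the specific Persona misconfiguration, which the page does not name.

# Print the number of exposure indicators found under the build directory.
count_source_exposures() {
  dir="$1"
  maps=$(find "$dir" -type f -name '*.map' | wc -l | tr -d ' ')
  refs=$(find "$dir" -type f \( -name '*.js' -o -name '*.css' \) \
         -exec grep -l 'sourceMappingURL=' {} + 2>/dev/null | wc -l | tr -d ' ')
  echo $((maps + refs))
}

# List each offending file, one per line, with the reason it was flagged.
list_source_exposures() {
  dir="$1"
  find "$dir" -type f -name '*.map' | sed 's/^/source map shipped: /'
  find "$dir" -type f \( -name '*.js' -o -name '*.css' \) \
       -exec grep -l 'sourceMappingURL=' {} + 2>/dev/null \
       | sed 's/^/sourceMappingURL reference: /'
}

# Gate: return 0 when the build is clean, 1 (after listing) when it is not.
check_build_artifacts() {
  n=$(count_source_exposures "$1")
  if [ "$n" -gt 0 ]; then
    list_source_exposures "$1"
    return 1
  fi
  return 0
}

# Constructed sample build output (not Persona's): one clean bundle and one
# bundle shipped together with its map, as a leaky build would contain.
make_sample_dist() {
  dir="$1"
  mkdir -p "$dir/assets"
  printf 'console.log("clean");\n' > "$dir/assets/clean.js"
  printf 'console.log("leaky");\n//# sourceMappingURL=leaky.js.map\n' \
    > "$dir/assets/leaky.js"
  printf '{"version":3,"sources":["src/Verify.tsx"],"sourcesContent":["export {}"]}' \
    > "$dir/assets/leaky.js.map"
}

# Usage: sh check_build.sh dist/   (non-zero exit fails the release step)
if [ -n "$1" ]; then
  check_build_artifacts "$1"
fi
```

Wire `check_build_artifacts` into the CI step that runs after the production build so a leaky bundle never reaches a public host.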
What the Code Reveals
| Finding | Detail | Impact |
|---|---|---|
| Watchlist database | Routine ID checks feed into a dedicated "watchlist" system operational since 2023 | Users flagged without knowledge or consent |
| Biometric-to-financial linking | Facial biometrics are processed through a system connecting to financial records and law enforcement databases | Selfies become surveillance tools |
| 3-year data retention | Selfies and biometric data stored for up to 3 years | Contradicts shorter retention claims by some clients |
| Government agency sharing | Data shared with US and Canadian federal agencies | Age verification becomes a government data pipeline |
| Cross-platform linking | Verification data can be correlated across client platforms | Single selfie creates a multi-platform identity profile |
How It Works
What Users Think Happens
1. App asks you to verify your age
2. You take a selfie and upload your ID
3. Persona confirms you're 18+
4. Your data is deleted after verification
What Actually Happens (According to Leaked Code)
1. App asks you to verify your age
2. You take a selfie and upload your ID
3. Persona extracts facial biometrics and creates a biometric template
4. Template enters a "watchlist" database operational since 2023
5. Biometrics are cross-referenced with financial records
6. Data is accessible to law enforcement databases
7. Selfie and biometric data retained for up to 3 years
8. Data shared with US and Canadian federal agencies
Platforms Using Persona
| Platform | Use Case | Estimated Users Affected |
|---|---|---|
| OpenAI | Age verification for ChatGPT | Tens of millions |
| Reddit | Age verification for NSFW content | Millions |
| Roblox | Age verification for voice chat | Millions of minors |
| Discord | UK age verification (pilot) | Millions |
| Character.AI | Age verification | Millions |
The Retention Discrepancy
A key finding is a mismatch between stated and actual data retention:
- OpenAI's stated policy: One-year biometric retention
- Persona's code: Three-year retention cap found in source
- Gap: Two years of additional biometric storage beyond what users were told
This discrepancy raises serious questions about whether platforms using Persona are accurately representing their data practices to users.
Privacy and Legal Implications
Biometric Privacy Laws
Several jurisdictions have strict biometric privacy regulations:
- Illinois BIPA — Requires explicit consent before collecting biometric data, with statutory damages of $1,000-$5,000 per violation
- EU GDPR — Classifies biometric data as "special category" requiring explicit consent and purpose limitation
- California CCPA/CPRA — Grants consumers rights to know, delete, and opt out of biometric data processing
- Canada PIPEDA — Requires meaningful consent for collection of sensitive biometric information
If the leaked code accurately represents Persona's operations, the company and its clients could face significant regulatory exposure across multiple jurisdictions.
Consent Problems
Users consenting to "age verification" are not consenting to:
- Long-term biometric storage
- Cross-referencing with financial databases
- Law enforcement data sharing
- Multi-platform identity correlation
Persona's Response
Persona's CEO has engaged with researchers and the security community about the findings. The company has not issued a formal public statement addressing all allegations as of publication.
Industry Reaction
"If age verification selfies are ending up in a three-year biometric watchlist linked to law enforcement databases, that fundamentally changes the privacy calculus for every user who's been asked to 'just take a quick selfie' to prove their age." — Privacy researcher
"The real question is whether the platforms using Persona — OpenAI, Reddit, Discord — knew the full extent of what was happening with user biometric data, or whether Persona was operating these capabilities without full client transparency." — Digital rights advocate
Key Takeaways
- Age verification selfies feed into a biometric surveillance system operational since 2023
- Data retained for up to 3 years — potentially exceeding what platforms tell users
- Biometrics linked to financial records and law enforcement — far beyond age verification
- Major platforms affected — OpenAI, Reddit, Roblox, Discord, Character.AI
- Significant legal exposure — Potential violations of BIPA, GDPR, CCPA, and PIPEDA