Discord's ID / Age Verification Hack: How Xbox Plans to Avoid a Similar Situation
The UK's age verification laws, designed to protect children from accessing adult content, have been widely criticized for their ineffectiveness and potential privacy nightmares. Major websites like Imgur are now blocked in the UK, reducing the functionality of sites like Reddit and Steam. But it's not just websites that are affected – the laws also represent a trend across the world, with various US states and countries adopting or exploring age verification systems.
As a result, major players like Microsoft have scrambled to accommodate the legislation for Xbox and its other platforms. At least, they're trying to make it work in theory. Recently, it emerged that Discord, one of the earliest tech companies to implement these types of laws, was hacked. The company failed to protect the data of users of its age verification services, and government IDs and selfies of users trying to get support were leaked into the public domain.
It's almost as if anyone with a brain said something like this would happen. So, I reached out to Xbox to see how they plan to handle things. Microsoft is using a third-party company called Yoti for its age verification systems on Xbox, a company that is also used by the UK government, sites like OnlyFans, and PlayStation.
How Does Yoti Work?
The way Yoti and other similar platforms work generally revolves around scanning a government ID or using your device's camera to estimate the user's age. The "age estimation" via camera was notoriously beaten by Death Stranding's photo mode, but companies are always iterating on workarounds.
But what happens when you verify your Xbox account's age? I already verified my Xbox account's age using Yoti and found it to be quick and painless. According to Yoti spokespersons, "Yoti provides highly effective age assurance options for Xbox, allowing users to prove their age without revealing unnecessary personal information."
"Yoti simply returns a yes/no response to [Microsoft], to confirm whether the user meets the required age threshold," they explained. "Yoti's technology is highly robust and independently tested by the likes of NIST and others. Privacy and security are central to everything they do, and solutions are built to minimise data collection and ensure user privacy."
"Any images taken for facial age estimation are instantly deleted, nothing is stored," Yoti added.
A Comparison with Discord's Approach
Discord ended up leaking user data because the support service it was using was actually storing people's data. In contrast, Yoti says that it immediately removes all personal data once the age requirement has been satisfied, and that result is the only information that is eventually sent to and then stored on your Microsoft account.
"We are committed to making sure player data stays private and secure," a Microsoft spokesperson explained. "We are partnering with Yoti, a trusted third-party identity verification provider, to give UK players a menu of options to securely verify their age as 18 or over while minimizing the data needed."
A More Secure Solution?
Given Yoti's government-grade contracts, it's likely that this is a more secure solution than Discord's. However, whether or not you feel reassured by this is a case of your mileage may vary.
It doesn't change the fact that the age verification laws are silly and ineffectual, but they are the law nonetheless, and Microsoft, PlayStation, and others have to comply regardless of their opinions.
About the Author
Jez Corden is the Executive Editor at Windows Central, focusing primarily on all things Xbox and gaming. Jez is known for breaking exclusive news and analysis as it relates to the Microsoft ecosystem while being powered by tea. Follow him on Twitter (X) and tune in to the XB2 Podcast, all about, you guessed it, Xbox!