DIGITAL IDENTITY AS TOLL
There is a moment millions of people have lived through in the past year without pausing to think about it. You are using a service and at some point the screen stops. The interface is clean, the tone is neutral, the words are those of reassuring bureaucracy: verify your identity, we protect the community, this is for your safety. Then comes the double instruction: a selfie, and a document. No one explains what happens to that photograph the moment it leaves your device.
How Digital Identity Verification Really Works
On 16 February 2026, a group of security researchers signing as vmfunc published an analysis that in the following weeks reached Fortune, Malwarebytes, the Electronic Frontier Foundation, and dozens of specialist outlets. The material had been accessed without any technical breach: a development configuration left active on a federally authorized production server had exposed a public directory. The researchers had found it through an ordinary search. Inside were 53 megabytes of Persona source code.
Persona is one of the leading private digital identity verification infrastructures. Founded in 2018 in San Francisco, it handles user onboarding for OpenAI, Reddit, Roblox, and LinkedIn. In April 2025, it announced a $200 million funding round — a two-billion-dollar valuation — backed by Founders Fund, the fund associated with Peter Thiel, co-founder of Palantir.
The platform runs 269 distinct checks on every user submitted to verification. Some are expected: document confirmation, selfie match. Then the others begin.
The code contained a system that flags faces as “suspicious” without any public criteria defining what makes a face suspicious. A biometric comparison of the selfie against photos of politicians and public figures, returning a numerical similarity score. Screening against 14 categories of adverse media. And the ability to send suspicious activity reports directly to FinCEN — the U.S. Treasury’s financial crimes unit — with hardcoded codenames in dropdown menus.
The screening infrastructure dedicated to OpenAI had been operational since November 2023, eighteen months before OpenAI publicly disclosed that it had introduced digital identity verification requirements. The government platform and the commercial one share the same codebase — matching commit hashes between the two deployments confirm this technically — and that correspondence dissolves the boundary that corporate communications had maintained between civil verification and federal surveillance infrastructure.
The architecture described by the code has not been contested in substance. What emerges stands as a description of a system — and that system has a logic that extends beyond the specific case.

The Digital Identity Market Has Already Answered
In July 2025, the UK Online Safety Act came into force, mandating age verification on platforms and social media. That same day, VPN usage in the United Kingdom rose by 1,400%. Half of the ten most downloaded apps in the country were VPNs or identity verification applications. Child protection — a legitimate goal in itself — had generated the largest civil evasion campaign in the history of the British internet.
In the United States, twenty-five states now require digital identity verification to access adult content online; nine passed those laws in 2025 alone. In Europe, eIDAS 2.0 requires every member state to make an EU Digital Identity Wallet available by the end of 2026; the European Commission is piloting an age verification blueprint in five countries, including Italy, and has proposed including a mandatory biometric photograph in the minimum dataset of each wallet.
To this regulatory demand, the market responds in the most predictable way: it organizes, consolidates, and finances itself. The digital identity verification sector is worth approximately $18 billion today and will grow to $80 billion by 2035. Profits concentrate at the infrastructure layer that integrates and coordinates all controls — whoever owns this layer decides in real time who gets through and who is stopped.
In March 2026, Spain fined Yoti — until recently presented as the model for privacy-respecting verification — €950,000 for three separate GDPR violations. The Spanish regulatory authority explicitly rejected the company’s defense that the system “merely verified age.” The distinction between authenticating and identifying, before the regulator, did not hold.

Two-Speed Digital Identity: Who Gets In and Who Stays Out
Who Controls Access Controls Digital Identity
What the overall picture produces is a bifurcation of digital life operating on a logic that has never been explicitly declared. Those who verify get in: into services, information, participation in the platforms where public opinion forms, where job opportunities are found, where educational and cultural content is accessed. But they also enter as a node in a graph — a digital identity that is correlated, scored, classifiable and reclassifiable at any moment by a shift in algorithmic or regulatory thresholds.
Those who do not verify stay out, through a progression that resembles coercion without formally being so. Reddit in the UK degrades the experience of unverified users. OpenAI requires a document for advanced features. Discord was building a system that would have made verification a condition of access to the entire platform, before stepping back under public pressure. The incentive structure remains intact: the cost of opting out is designed to be higher than the cost of opting in.
The deepest point of friction concerns the permanence of the data. A password can be changed, a credit card blocked, an email address replaced. Biometrics have a property that no other personal data shares: they are final. When Discord suffered the breach that exposed the government identity documents of 70,000 users in October 2025, those data had become unrecoverable in a sense that goes beyond technical loss: none of those users will ever get back the face they handed over. Every biometric breach is by definition permanent.
Every database linking real digital identities to online behavior in a stable, unmodifiable way is also the most valuable database for a hostile actor, state or criminal.








