Age Verification Laws Are Building a Global Surveillance Network

Age verification laws are spreading across the United States, United Kingdom, and Brazil with a stated goal of protecting minors online. But a detailed technical investigation by the TBOTE Project argues that the infrastructure being assembled to comply with these laws functions as something much broader: a cross-border biometric surveillance system with undisclosed data processors, silent phone authentication, and government reporting modules baked directly into the code.

The investigation, updated in April 2026, draws on DNS analysis, SDK decompilation, certificate transparency logs, corporate registry records, and SEC EDGAR filings. All sources cited are public.

The Thiel Nexus: One Investor, Two Sides of the Data Pipeline

One of the investigation's central structural findings concerns Peter Thiel. Thiel co-founded Palantir Technologies, a company that sells surveillance analytics to governments and corporations worldwide. His venture capital vehicle, Founders Fund, is also the primary investor in Persona, an identity verification company whose SDK is embedded in platforms ranging from Roblox to Robinhood.

The TBOTE Project describes this as a "collection and analysis" nexus: the same financial stakeholder benefits from both the capture of biometric identity data and the downstream analytics performed on that data. The investigation does not allege coordination between Persona and Palantir at the product level, but it documents the shared ownership structure as a material fact that is not disclosed to users who interact with Persona's verification flows.

Persona's leaked source code, reviewed as part of the investigation, reportedly contains 269 verification checks, 43 verification types, and government reporting modules built for FinCEN and FINTRAC, the financial intelligence units of the United States and Canada respectively.

What the Technical Analysis Found

The SDK decompilation portion of the investigation produced several specific findings that go beyond standard privacy concerns.

A hardcoded AES encryption key was discovered in the Persona SDK. The key was rotated in version 1.15.3 after the finding was disclosed, suggesting the issue was confirmed and addressed. The SDK also lacked certificate pinning, a standard security measure that prevents man-in-the-middle interception of data in transit.
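A reviewer auditing a decompiled SDK for this class of finding can triage embedded key material with a short script. The following is an added example, not code from Persona's SDK or from the TBOTE investigation; the sample Java class, its identifiers, and the key value are constructed for illustration.

```python
import base64
import binascii
import re

AES_KEY_SIZES = {16, 24, 32}  # bytes, i.e. AES-128/192/256

# Constructed sample resembling decompiled Android code (not from any real SDK).
SAMPLE = r'''
public final class CryptoUtil {
    private static final String K = "3q2+796tvu/erb7v3q2+796tvu/erb7v3q2+796tvu8=";
    private static final String BUILD_ID = "00112233445566778899aabbccddeeff";
    private static final String LABEL = "verification-session";
    static SecretKeySpec key() {
        return new SecretKeySpec(Base64.decode(K, 0), "AES");
    }
    static SecretKeySpec fromServer(byte[] wrapped) {
        return new SecretKeySpec(unwrap(wrapped), "AES");
    }
}
'''

ASSIGN = re.compile(r'(\w+)\s*=\s*"([^"]+)"')               # NAME = "literal"
KEYSPEC = re.compile(r'SecretKeySpec\(([^;]*?)"AES"\)')      # args of AES key specs

def decoded_length(literal):
    """Byte length if the literal is valid hex or strict base64, else None."""
    if re.fullmatch(r'(?:[0-9a-fA-F]{2})+', literal):
        return len(literal) // 2
    try:
        return len(base64.b64decode(literal, validate=True))
    except (binascii.Error, ValueError):
        return None

def find_hardcoded_aes_keys(source):
    """Flag string constants that decode to an AES key size, and note whether
    the constant's name is passed into a SecretKeySpec(..., "AES") call."""
    keyspec_args = " ".join(KEYSPEC.findall(source))
    findings = []
    for name, literal in ASSIGN.findall(source):
        size = decoded_length(literal)
        if size in AES_KEY_SIZES:
            used = re.search(rf'\b{re.escape(name)}\b', keyspec_args) is not None
            findings.append({"name": name, "bits": size * 8, "used_as_aes_key": used})
    return findings

if __name__ == "__main__":
    for finding in find_hardcoded_aes_keys(SAMPLE):
        print(finding)
```

A constant that decodes to a key-sized value but never reaches a key spec (the constructed `BUILD_ID` here) is a lower-priority candidate; one that does is a confirmed embedded key that needs rotation and a move to server-provisioned or keystore-backed material.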

Seven simultaneous analytics services were found running during a standard verification session. Telesign, a company majority-owned by Proximus, the Belgian state-owned telecom operator, was identified as performing silent network authentication without user notification. Carrier-level phone verification was also found to run via Vonage without explicit user awareness.

The facial recognition component of Persona's system is powered by Paravision, a company ranked first in a Department of Homeland Security biometric accuracy evaluation. Paravision does not appear on Persona's publicly disclosed subprocessors page, according to the investigation. The TBOTE Project identified 12 data processors it describes as undisclosed.

Subdomain enumeration of withpersona.com revealed 197 subdomains, including 65 staging environments that exposed internal machine learning services, a graph database identified as TigerGraph, and a gateway to the AAMVA, the American Association of Motor Vehicle Administrators, which manages driver's license data across US states.

The investigation also documents LinkedIn as running four separate identity verification vendors simultaneously, alongside what it describes as a parallel Chinese surveillance stack in the same Android APK, including Sesame Credit social scoring integration, ShanYan carrier authentication, and government device identifiers.

Roblox, a platform with a large population of child users, was found to embed the full Persona SDK, including NFC passport reading functionality, within a verification flow that users reportedly cannot exit without completing.

What This Means For You

The TBOTE Project's investigation does not argue that age verification itself is illegitimate. Its argument is more specific: the infrastructure being built to implement age verification has technical capabilities and ownership structures that extend well beyond any single age-gating use case.

For ordinary internet users, this means that complying with an age verification prompt on a gaming platform, a social network, or an adult content site may involve biometric data being processed by multiple undisclosed third parties, carrier-level authentication happening without visible notification, and data flowing into systems with government reporting functions.

Legislative mandates in more than 25 US states, Brazil, and the United Kingdom are creating what the investigation calls a "mandatory market" for these services. The report notes that Meta spent $26.3 million lobbying in connection with this legislation. Brazil's Serpro database, which holds records on approximately 220 million Brazilian citizens, is identified as part of the infrastructure environment in which these verification systems operate.

The convergence of identity verification with AI agent infrastructure is flagged as an emerging concern. The investigation suggests that identity verification is being positioned as a prerequisite for participation in automated internet transactions more broadly, not just age-restricted content.

Actionable Takeaways

Readers who want to understand their exposure to this infrastructure can take several practical steps.

First, review the privacy policies and subprocessor disclosures of any platform that has asked you to complete identity verification. Note whether facial recognition vendors and carrier authentication services are listed.

Second, be aware that "age verification" on a platform does not mean your data stays with that platform. SDK-based verification routes data through third-party identity systems, each with its own data retention and sharing practices.

Third, follow legislative developments in your jurisdiction. Laws requiring age verification create legal obligations for platforms, which in turn drive adoption of the infrastructure described in this investigation. Understanding what your state or country is mandating is relevant to understanding what data you may be required to submit to use certain online services.

The TBOTE Project's full investigation, including its methodology and source documents, is publicly available. The findings represent one of the more technically detailed public analyses of the age verification industry to date, and the questions it raises about disclosure, data flows, and structural conflicts of interest are ones that regulators, journalists, and privacy researchers are likely to continue examining.