ISSUE No. 11Identity Verification

You handed your face to a company you never chose

To watch a video, read a forum, or open an app you now upload your ID or scan your face for a verification company you did not pick and cannot see. Here is what they keep, why 'we delete it' is rarely the whole story, and why 'anonymous' already failed in front of a regulator.

D

THE DÆTRAX TEAM

PRIVACY RESEARCH · WITH DECKARD, OUR AI AGENT

"To continue, upload your ID"

You came to read something, watch something, or open an account. Before you could, a box appeared: prove you are old enough. Upload your passport. Scan your face. Hold still for the camera. You did it, because the alternative was to leave, and in the few seconds it took you handed your identity to a company whose name you may not even have caught.

That company is the point of this piece. You chose the website. You did not choose the verifier sitting behind it, and increasingly the same handful of verifiers sit behind thousands of sites. This is the part of the new "prove who you are" internet that should worry you most, because it is built to feel like a formality and it is anything but.

What the check actually takes

A verification is not a yes-or-no on your age. To run it, the provider typically photographs your government ID and pulls the data off it: your full name, date of birth, address, document number, and expiry. It takes a selfie or a live face scan to match against the document, and often a short "liveness" video to prove you are real. Around that it logs your device, your rough location, and the one piece of metadata that ties it all together: which site sent you, and when.

So the record is not "this person is over 18." The record is you, your face, your government document, and the place you were trying to go.

The company you never chose, behind every door

Here is the shape of it. A small number of verification companies now stand behind a vast number of websites: the video site, the forum, the dating app, the gambling page, the social network. Every time one of them checks you, the same provider can see another door you walked up to. You think you are proving your age to one site. You may be adding another entry to a single company's map of everywhere you go and everything you are old enough, or curious enough, to want behind a wall. It is the same concentration risk that makes a single national identity so dangerous, which we wrote about in the honeypot.

Whether that map is the goal or just a profitable side effect does not change what it is. The intent is beside the point. The pattern gets built the same way, and the pattern is you.

"We delete it right after." Read it again.

Every verifier reassures you it removes your data once the check is done. Then read the retention section. Spain's data-protection regulator recently went through one of the largest face-scan providers and found close to the opposite of "deleted": location data kept for five years, identity documents it had flagged as fraudulent retained to train the company's software, liveness videos held for a month, and a pre-ticked box that quietly enrolled your face into training its age-estimation AI unless you found it and switched it off. The fine ran to the better part of a million euros.

You cannot audit any of this. You upload your face, you get waved through, and what happens next is a sentence in a policy you have no way to check. "We delete it" is a promise with no receipt, made by the party with the most reason to keep what you gave it.

"It's anonymous." A regulator already disagreed.

The deeper reassurance is that none of this really identifies you: that your face becomes a template, a hash, a number, something abstract and safe. In that same case the company argued exactly this. It said its biometric data only authenticates you, it does not uniquely identify you. The regulator rejected that outright and ruled the company builds a facial pattern "with the aim of unambiguously identifying" you, which makes it the most protected class of personal data there is.

That is the whole game in one ruling. A unique pattern of your face is not anonymous. It is you, reduced to something a machine can match for life, and unlike a password you can never change it. We set out why "anonymised" almost never means anonymous in a separate piece. Here it is not a theory. It is a finding, with a fine attached.

Why everyone wants to be the one holding it

This is not a quiet corner of the internet. The thing that links your real-world identity to your online life is one of the most valuable records there is, and the firms best placed to collect it are the ones you are now required to pass through. Researchers have found verifier pages carrying the same advertising and analytics trackers as everywhere else, quietly reporting verification attempts onward, and providers stretching the face scan into wider checks. Exposed code from one verifier showed it screening people against adverse-media lists while it was at it. The age check is the doorway. What walks through it is a data business.

What it means if it gets out

This is not an email on a list. It is your government ID and your face, the master key to your identity, sitting next to a log of the specific places you used it: the adult sites, the political forums, the health communities, the dating apps. A leak here does not expose an account, it exposes you, and what you were doing, and you cannot reissue your face afterwards. It has already happened: tens of thousands of government-ID photos, handed over by people appealing an age check, were exposed through one platform's support contractor. They had done nothing but try to prove how old they were. We have written before about where these face scans actually go after the check.

You can't stop being asked. You can still keep the record.

There is no clean "leave" here. You cannot opt out of being asked, not while the law and the platforms require it. What you can refuse is to let it happen in the dark. Every check hands your identity to two companies at once: the site that demanded it, and the verifier behind the button. Both are holders. Both can be asked, in writing, what they kept and to delete it. And the reply they send back is the only proof you will ever have.

Start the record

Here is the uncomfortable part. Right now you have no list. You could not name the verifiers holding your ID if someone asked you tonight, you have proof of exactly zero deletions, and if your face turns up in the next breach you will have nothing to show for the request you never sent. That is not laziness. The system is built so that keeping up is too scattered and too tedious for any normal person to do by hand, and the companies are counting on precisely that.

That is the gap we close, and we are honest about its edges, including our own. We cannot make your face vanish from their servers, and the ruling above is proof that nobody being straight with you can. We do not send the request for you either. What we do is the part that stops most people from ever starting: you search for a company and add it, we work out what it likely holds on you, and we draft the legally grounded deletion request, worded and ready. You send it. We keep the list and log where each request lands; their reply comes to your own inbox, not ours, so "they said they deleted it" becomes "here is the dated email where they said it." The demand was always free. What was missing was knowing who held your data, what they had, and how to ask. That is the part we take off you, and even just seeing the list, every company and verifier that holds a piece of you in one place, is more control than you have right now.

You will not un-hand your face. But you can know exactly who holds it, you can be the one who asked them to stop, and you can be holding the paper when it counts. That is control, and right now it is the only kind on offer. Start your record →