Reddit Wants Your ID Now. That Should Bother Everyone.

Someone posted this week about being locked out of their Reddit account entirely until they handed over photo ID to a third-party verification service. Not locked out of adult content. Locked out of everything. Account settings. The ability to delete their own account. The works. Just a popup from a company called Persona, sitting there blocking the door.

That’s a fairly significant thing to happen without much fanfare.

The immediate response from a lot of people in the thread was “just use a VPN,” which is technically correct and also completely misses the point. A VPN is a workaround. It is not a solution to a corporation deciding it can hold your own account hostage until you hand over biometric-adjacent data to a third party you’ve never heard of and didn’t agree to do business with.

The EU’s GDPR exists precisely for situations like this. You have a right to access and delete your own data. Blocking that access behind a verification wall isn’t a grey area; it’s either a direct violation or someone at Reddit legal is earning their salary arguing that it isn’t. The person in the thread got a useful tip: find the right contact email, send a formal GDPR deletion request, and document everything. Someone else suggested routing a deletion request through LinkedIn InMail to the CEO, which is genuinely unhinged as a process, but apparently it worked. That’s where we are.

There’s a separate argument running through the discussion about whether this is actually about age verification for adult content (Reddit’s stated position) or something more expansive. I think that framing is a bit of a trap. Even if you take Reddit at their word, “age verification” requires collecting and storing identity data on millions of people. That data has to live somewhere. It gets sold, leaked, subpoenaed, or all three. The road to surveillance infrastructure is paved with reasonable-sounding interim steps, and “we just need to check you’re 18” is a pretty reasonable-sounding step.

What bothers me more than Reddit specifically is the pattern. A few years ago the idea that you’d need to show ID to browse a social media platform would have read as dystopian fiction. Now it’s a support thread with people sharing workarounds. The Overton window on this stuff moves fast, and it moves quietly. You don’t notice until someone posts that they can’t log into their own account.

I don’t have a tidy answer here. Australia has its own age verification debate running, and I have genuinely mixed feelings about it, because the harms the legislation is trying to address are real. Kids accessing harmful content online is not a fake problem. But identity verification as the solution collapses the distinction between “making the internet safer” and “making the internet surveillable,” and I’m not convinced those in charge of building these systems are losing much sleep over that distinction.

The practical advice from the thread is sound: if you’re in the EU and hit this wall, send a formal data deletion request citing GDPR, use Redact or similar tools to overwrite your post history before deleting, and document the timeline if they don’t comply. The ICO in the UK is worth contacting. It’s not satisfying, but it’s something.

The broader thing is harder. Stuff like this will keep happening until enough people push back through every available channel, legal and otherwise. Most people won’t, because it’s inconvenient and the friction is the point. That’s not cynicism; it’s just how institutional inertia works. The friction is load-bearing.