If you're on LinkedIn and are thinking about verifying your account with them, maybe read this first.

@kkarhan @briankrebs That loophole has closed and the argument that any EU country could do what Ireland have done is valid too. I will concede that the DPO is very weak and deliberately so

@humanhorseshoes @briankrebs OFC it is too weak ON PURPOSE!

• #GDPR should've been sharper and harder than #BDSG and #COPPA together, banning the #BusinessModel of #DataBrokers like #NSAbook / #StasiBook for good!

The CEO of Persona responded to this post, saying they wanted to clarify about the identity verification process. They said:

"The only subprocessors (8) used are: AWS, Confluent, DBT, ElasticSearch, GCP, MongoDB, Sigma Computing, and Snowflake

All biometric personal data is deleted immediately after processing.

All other personal data processed is automatically deleted within 30 days. Data is retained during this period to help users troubleshoot.

No personal data processed is used for AI/model training. Data is explicitly used to confirm your identity.

The subprocessors used do NOT include Anthropic, Groqcloud, or OpenAI. The referenced subprocessor list is the superset of subprocessors used across all customers which is unfortunately misleading - we are updating our documentation to make this clearer going forward (thank you for helping us realize this). Our customers select which products are used which determines which subprocessors are used."

The CEO of Persona responded to this post, saying they wanted to clarify about the identity verification process. They said:

"The only subprocessors (8) used are: AWS, Confluent, DBT, ElasticSearch, GCP, MongoDB, Sigma Computing, and Snowflake

All biometric personal data is deleted immediately after processing.

All other personal data processed is automatically deleted within 30 days. Data is retained during this period to help users troubleshoot.

No personal data processed is used for AI/model training. Data is explicitly used to confirm your identity.

The subprocessors used do NOT include Anthropic, Groqcloud, or OpenAI. The referenced subprocessor list is the superset of subprocessors used across all customers which is unfortunately misleading - we are updating our documentation to make this clearer going forward (thank you for helping us realize this). Our customers select which products are used which determines which subprocessors are used."

@kkarhan @briankrebs GDPR is poorly implemented all over the EU, for example if you set up outside the EU and have EU data subjects and business nobody wants to touch you and you can do whatever you like

If you're on LinkedIn and are thinking about verifying your account with them, maybe read this first. It walks through LinkedIn's privacy disclosure to identify 17 companies that may receive and process the data you submit, including name, passport photo, selfie, facial geometry, NFC data chip, national ID #, DoB, email, phone number, address, IP address, device type, MAC address, language, geolocation etc. Unsurprisingly, it seems the biggest recipients are US-based AI companies.

https://thelocalstack.eu/posts/linkedin-identity-verification-privacy/

The CEO of Persona responded to this post, saying they wanted to clarify about the identity verification process. They said:

"The only subprocessors (8) used are: AWS, Confluent, DBT, ElasticSearch, GCP, MongoDB, Sigma Computing, and Snowflake

All biometric personal data is deleted immediately after processing.

All other personal data processed is automatically deleted within 30 days. Data is retained during this period to help users troubleshoot.

No personal data processed is used for AI/model training. Data is explicitly used to confirm your identity.

The subprocessors used do NOT include Anthropic, Groqcloud, or OpenAI. The referenced subprocessor list is the superset of subprocessors used across all customers which is unfortunately misleading - we are updating our documentation to make this clearer going forward (thank you for helping us realize this). Our customers select which products are used which determines which subprocessors are used."

@briankrebs

In 2018 I was at a company where we had the first automated identity verification system in market

I was one four engineers on the team at the end when we finally found PMF— verifying doctors in conjunction with Duo security to allow online prescriptions

It was Ruby on Rails

We had two products

Knowledge
Photo

Knowledge was really just a pretty oauth flow wrapping a transition api

Photo was Microsoft for facial recognition between the front of an ID and a selfie

Front and back was through a provider (confirm) that had exclusive partnership with morpho trust that does all the identity verification at customs that can effectively detect the security features on IDs

NIST LOA3 SOC2 HIPPA

With three external surfaces

All this to say: WTF is LinkedIn doing and if earth needs me to rebuild a product from a decade ago, we just need a few engineers— less engineers than persona has vendors

@briankrebs “first automated PHOTO verification”

Jumio was our primary competitor

They had people physically comparing pictures with a 60-90 second SLA

We had APIs and even figured out how to optimize image size so uploads could be as small as possible on mobile while still able to catch security details

Because of the sequencing of events, we basically had the results immediately at the end of the flow

@briankrebs excellent deep dive!
Gee, I wish pur politics would read such summaries more often!
After the discord breach, this is a blatant proof that the big tech companies are simply unable to be trusted to take responsibility to make identity or age verification!

The CEO of Persona responded to this post, saying they wanted to clarify about the identity verification process. They said:

"The only subprocessors (8) used are: AWS, Confluent, DBT, ElasticSearch, GCP, MongoDB, Sigma Computing, and Snowflake

All biometric personal data is deleted immediately after processing.

All other personal data processed is automatically deleted within 30 days. Data is retained during this period to help users troubleshoot.

No personal data processed is used for AI/model training. Data is explicitly used to confirm your identity.

The subprocessors used do NOT include Anthropic, Groqcloud, or OpenAI. The referenced subprocessor list is the superset of subprocessors used across all customers which is unfortunately misleading - we are updating our documentation to make this clearer going forward (thank you for helping us realize this). Our customers select which products are used which determines which subprocessors are used."

@humanhorseshoes @briankrebs exactly!

IMHO #GDPR must be sharpened harder than #CloudAct (which is incompatible with it)!

@briankrebs all this to say— I do feel partially to blame for the mass proliferation of photo ID products since we proved it possible to automate

The company went in a different direction, I was fired along with the rest of my team

Sequoia was the primary investor of the company, so I assume the IP proliferated across their portfolio

In very short order stripe launched photo id verification that was roughly shot for shot what I built as the front end lead

Not a bad crash course in Silicon Valley economics and the hidden network effects

Venture firms definitely encourage successful startups to run startups in their startups that benefit their other startups and they’ll win no matter what

@tychi @briankrebs

If you really feel bad, then figure out a way to gum up the works.

@briankrebs
I just shared this and the first answer I got was "well, shit, but that's what most companies use and if I don't jump through their hoop I'll never get a job".

I don't share this view but I also want to read from everyone here. Any suggestions?

@MissGayle @briankrebs

I believe I’ve put more gum in more places than most and am continuing to do so

The sad reality is that most people don’t care because these types of systemic problems are invisible to them and they feel helpless against them and thinking about them takes their time away from their entertainment of choice

So I’m just putting gum where I can and hoping others are doing the same

@tychi @briankrebs

That's wonderful.

The CEO of Persona responded to this post, saying they wanted to clarify about the identity verification process. They said:

"The only subprocessors (8) used are: AWS, Confluent, DBT, ElasticSearch, GCP, MongoDB, Sigma Computing, and Snowflake

All biometric personal data is deleted immediately after processing.

All other personal data processed is automatically deleted within 30 days. Data is retained during this period to help users troubleshoot.

No personal data processed is used for AI/model training. Data is explicitly used to confirm your identity.

The subprocessors used do NOT include Anthropic, Groqcloud, or OpenAI. The referenced subprocessor list is the superset of subprocessors used across all customers which is unfortunately misleading - we are updating our documentation to make this clearer going forward (thank you for helping us realize this). Our customers select which products are used which determines which subprocessors are used."

@briankrebs And what assurances do they have that Snowflake etc aren't keeping copies? You don't master a cloud supply chain.

@briankrebs And what assurances do they have that Snowflake etc aren't keeping copies? You don't master a cloud supply chain.