If you're on LinkedIn and are thinking about verifying your account with them, maybe read this first.
-
If you're on LinkedIn and are thinking about verifying your account with them, maybe read this first. It walks through LinkedIn's privacy disclosure to identify 17 companies that may receive and process the data you submit, including name, passport photo, selfie, facial geometry, NFC data chip, national ID #, DoB, email, phone number, address, IP address, device type, MAC address, language, geolocation etc. Unsurprisingly, it seems the biggest recipients are US-based AI companies.
https://thelocalstack.eu/posts/linkedin-identity-verification-privacy/
@briankrebs fuck lol
-
If you're on LinkedIn and are thinking about verifying your account with them, maybe read this first. It walks through LinkedIn's privacy disclosure to identify 17 companies that may receive and process the data you submit, including name, passport photo, selfie, facial geometry, NFC data chip, national ID #, DoB, email, phone number, address, IP address, device type, MAC address, language, geolocation etc. Unsurprisingly, it seems the biggest recipients are US-based AI companies.
https://thelocalstack.eu/posts/linkedin-identity-verification-privacy/
@briankrebs@infosec.exchange hi, reading through this and i assume you're posting this after my research piece came up since you mention all the checks persona are running. could you please attribute credit?
https://www.malwarebytes.com/blog/news/2026/02/age-verification-vendor-persona-left-frontend-exposed
https://vmfunc.re/blog/persona -
If you're on LinkedIn and are thinking about verifying your account with them, maybe read this first. It walks through LinkedIn's privacy disclosure to identify 17 companies that may receive and process the data you submit, including name, passport photo, selfie, facial geometry, NFC data chip, national ID #, DoB, email, phone number, address, IP address, device type, MAC address, language, geolocation etc. Unsurprisingly, it seems the biggest recipients are US-based AI companies.
https://thelocalstack.eu/posts/linkedin-identity-verification-privacy/
The CEO of Persona responded to this post, saying they wanted to clarify about the identity verification process. They said:
"The only subprocessors (8) used are: AWS, Confluent, DBT, ElasticSearch, GCP, MongoDB, Sigma Computing, and Snowflake
All biometric personal data is deleted immediately after processing.
All other personal data processed is automatically deleted within 30 days. Data is retained during this period to help users troubleshoot.
No personal data processed is used for AI/model training. Data is explicitly used to confirm your identity.
The subprocessors used do NOT include Anthropic, Groqcloud, or OpenAI. The referenced subprocessor list is the superset of subprocessors used across all customers which is unfortunately misleading - we are updating our documentation to make this clearer going forward (thank you for helping us realize this). Our customers select which products are used which determines which subprocessors are used."
-
@briankrebs@infosec.exchange hi, reading through this and i assume you're posting this after my research piece came up since you mention all the checks persona are running. could you please attribute credit?
https://www.malwarebytes.com/blog/news/2026/02/age-verification-vendor-persona-left-frontend-exposed
https://vmfunc.re/blog/persona@celeste Unless I'm missing something, the post I linked to and cited from was published 4 days before yours. It's not about the reported frontend exposure.
-
The CEO of Persona responded to this post, saying they wanted to clarify about the identity verification process. They said:
"The only subprocessors (8) used are: AWS, Confluent, DBT, ElasticSearch, GCP, MongoDB, Sigma Computing, and Snowflake
All biometric personal data is deleted immediately after processing.
All other personal data processed is automatically deleted within 30 days. Data is retained during this period to help users troubleshoot.
No personal data processed is used for AI/model training. Data is explicitly used to confirm your identity.
The subprocessors used do NOT include Anthropic, Groqcloud, or OpenAI. The referenced subprocessor list is the superset of subprocessors used across all customers which is unfortunately misleading - we are updating our documentation to make this clearer going forward (thank you for helping us realize this). Our customers select which products are used which determines which subprocessors are used."
@briankrebs still means data is subject to #CloudAct = incompatible with #GDPR & #BDSG!
-
@briankrebs still means data is subject to #CloudAct = incompatible with #GDPR & #BDSG!
@kkarhan @briankrebs Look where Linkedin has its HQ in Europe. Ireland. The shittest DPO in the Union and under political pressure to keep the FDI money coming into Ireland. The one stop shop approach by the EU does NOT work
-
The CEO of Persona responded to this post, saying they wanted to clarify about the identity verification process. They said:
"The only subprocessors (8) used are: AWS, Confluent, DBT, ElasticSearch, GCP, MongoDB, Sigma Computing, and Snowflake
All biometric personal data is deleted immediately after processing.
All other personal data processed is automatically deleted within 30 days. Data is retained during this period to help users troubleshoot.
No personal data processed is used for AI/model training. Data is explicitly used to confirm your identity.
The subprocessors used do NOT include Anthropic, Groqcloud, or OpenAI. The referenced subprocessor list is the superset of subprocessors used across all customers which is unfortunately misleading - we are updating our documentation to make this clearer going forward (thank you for helping us realize this). Our customers select which products are used which determines which subprocessors are used."
@briankrebs And what assurances do they have that Snowflake etc aren't keeping copies? You don't master a cloud supply chain.
-
The CEO of Persona responded to this post, saying they wanted to clarify about the identity verification process. They said:
"The only subprocessors (8) used are: AWS, Confluent, DBT, ElasticSearch, GCP, MongoDB, Sigma Computing, and Snowflake
All biometric personal data is deleted immediately after processing.
All other personal data processed is automatically deleted within 30 days. Data is retained during this period to help users troubleshoot.
No personal data processed is used for AI/model training. Data is explicitly used to confirm your identity.
The subprocessors used do NOT include Anthropic, Groqcloud, or OpenAI. The referenced subprocessor list is the superset of subprocessors used across all customers which is unfortunately misleading - we are updating our documentation to make this clearer going forward (thank you for helping us realize this). Our customers select which products are used which determines which subprocessors are used."
I'd take a pinky-finger promise from a third-party company over any data privacy law!
-
The CEO of Persona responded to this post, saying they wanted to clarify about the identity verification process. They said:
"The only subprocessors (8) used are: AWS, Confluent, DBT, ElasticSearch, GCP, MongoDB, Sigma Computing, and Snowflake
All biometric personal data is deleted immediately after processing.
All other personal data processed is automatically deleted within 30 days. Data is retained during this period to help users troubleshoot.
No personal data processed is used for AI/model training. Data is explicitly used to confirm your identity.
The subprocessors used do NOT include Anthropic, Groqcloud, or OpenAI. The referenced subprocessor list is the superset of subprocessors used across all customers which is unfortunately misleading - we are updating our documentation to make this clearer going forward (thank you for helping us realize this). Our customers select which products are used which determines which subprocessors are used."
@briankrebs and if you believe this from a company where the executives hide from the public, explicitly authoritarian goals of irreversibly identifying everyone online, and direct ties to outspoken Nazis and fascists through funding?
Then all you need to do is pay the $5000 processing fee in Visa gift cards, and I can transfer you $500M USD from the Euorpean lottery tomorrow.
-
The CEO of Persona responded to this post, saying they wanted to clarify about the identity verification process. They said:
"The only subprocessors (8) used are: AWS, Confluent, DBT, ElasticSearch, GCP, MongoDB, Sigma Computing, and Snowflake
All biometric personal data is deleted immediately after processing.
All other personal data processed is automatically deleted within 30 days. Data is retained during this period to help users troubleshoot.
No personal data processed is used for AI/model training. Data is explicitly used to confirm your identity.
The subprocessors used do NOT include Anthropic, Groqcloud, or OpenAI. The referenced subprocessor list is the superset of subprocessors used across all customers which is unfortunately misleading - we are updating our documentation to make this clearer going forward (thank you for helping us realize this). Our customers select which products are used which determines which subprocessors are used."
@briankrebs Aye right, totally trustworthy company https://youtube.com/watch?v=S-Jo-djilvo
-
@briankrebs and if you believe this from a company where the executives hide from the public, explicitly authoritarian goals of irreversibly identifying everyone online, and direct ties to outspoken Nazis and fascists through funding?
Then all you need to do is pay the $5000 processing fee in Visa gift cards, and I can transfer you $500M USD from the Euorpean lottery tomorrow.
@briankrebs which is to say: absofuckingloutely Persona is lying. They've lied the whole time. These are the same dipshits that left their entire system exposed which revealed that, surprise! They're storing all the biometrics permanently and just straight lying about everything top to bottom!
-
@kkarhan @briankrebs Look where Linkedin has its HQ in Europe. Ireland. The shittest DPO in the Union and under political pressure to keep the FDI money coming into Ireland. The one stop shop approach by the EU does NOT work
@humanhorseshoes @briankrebs that's due to #Ireland artifically grifting itself into a "#nearshore #TaxHaven"β¦
See "#DoubleDutchIrishSandwich" #TaxEvasion setupβ¦
-
@humanhorseshoes @briankrebs that's due to #Ireland artifically grifting itself into a "#nearshore #TaxHaven"β¦
See "#DoubleDutchIrishSandwich" #TaxEvasion setupβ¦
@kkarhan @briankrebs That loophole has closed and the argument that any EU country could do what Ireland have done is valid too. I will concede that the DPO is very weak and deliberately so
-
@kkarhan @briankrebs That loophole has closed and the argument that any EU country could do what Ireland have done is valid too. I will concede that the DPO is very weak and deliberately so
@humanhorseshoes @briankrebs OFC it is too weak ON PURPOSE!
- #GDPR should've been sharper and harder than #BDSG and #COPPA together, banning the #BusinessModel of #DataBrokers like #NSAbook / #StasiBook for good!
-
@humanhorseshoes @briankrebs OFC it is too weak ON PURPOSE!
- #GDPR should've been sharper and harder than #BDSG and #COPPA together, banning the #BusinessModel of #DataBrokers like #NSAbook / #StasiBook for good!
@kkarhan @briankrebs GDPR is poorly implemented all over the EU, for example if you set up outside the EU and have EU data subjects and business nobody wants to touch you and you can do whatever you like
-
The CEO of Persona responded to this post, saying they wanted to clarify about the identity verification process. They said:
"The only subprocessors (8) used are: AWS, Confluent, DBT, ElasticSearch, GCP, MongoDB, Sigma Computing, and Snowflake
All biometric personal data is deleted immediately after processing.
All other personal data processed is automatically deleted within 30 days. Data is retained during this period to help users troubleshoot.
No personal data processed is used for AI/model training. Data is explicitly used to confirm your identity.
The subprocessors used do NOT include Anthropic, Groqcloud, or OpenAI. The referenced subprocessor list is the superset of subprocessors used across all customers which is unfortunately misleading - we are updating our documentation to make this clearer going forward (thank you for helping us realize this). Our customers select which products are used which determines which subprocessors are used."
@briankrebs this also contradicts their own privacy policy which calls out companies like OpenAI. Also don't remember it saying anything about any data being deleted after any period of time too.
(This was for a wire transfer and I politely said fuck you and got a cashiers check instead)
-
The CEO of Persona responded to this post, saying they wanted to clarify about the identity verification process. They said:
"The only subprocessors (8) used are: AWS, Confluent, DBT, ElasticSearch, GCP, MongoDB, Sigma Computing, and Snowflake
All biometric personal data is deleted immediately after processing.
All other personal data processed is automatically deleted within 30 days. Data is retained during this period to help users troubleshoot.
No personal data processed is used for AI/model training. Data is explicitly used to confirm your identity.
The subprocessors used do NOT include Anthropic, Groqcloud, or OpenAI. The referenced subprocessor list is the superset of subprocessors used across all customers which is unfortunately misleading - we are updating our documentation to make this clearer going forward (thank you for helping us realize this). Our customers select which products are used which determines which subprocessors are used."
The CEO of Persona... can go fuck themselves.
-
@kkarhan @briankrebs GDPR is poorly implemented all over the EU, for example if you set up outside the EU and have EU data subjects and business nobody wants to touch you and you can do whatever you like
@humanhorseshoes @briankrebs exactly!
IMHO #GDPR must be sharpened harder than #CloudAct (which is incompatible with it)!
-
If you're on LinkedIn and are thinking about verifying your account with them, maybe read this first. It walks through LinkedIn's privacy disclosure to identify 17 companies that may receive and process the data you submit, including name, passport photo, selfie, facial geometry, NFC data chip, national ID #, DoB, email, phone number, address, IP address, device type, MAC address, language, geolocation etc. Unsurprisingly, it seems the biggest recipients are US-based AI companies.
https://thelocalstack.eu/posts/linkedin-identity-verification-privacy/
@briankrebs excellent deep dive!
Gee, I wish pur politics would read such summaries more often!
After the discord breach, this is a blatant proof that the big tech companies are simply unable to be trusted to take responsibility to make identity or age verification! -
The CEO of Persona responded to this post, saying they wanted to clarify about the identity verification process. They said:
"The only subprocessors (8) used are: AWS, Confluent, DBT, ElasticSearch, GCP, MongoDB, Sigma Computing, and Snowflake
All biometric personal data is deleted immediately after processing.
All other personal data processed is automatically deleted within 30 days. Data is retained during this period to help users troubleshoot.
No personal data processed is used for AI/model training. Data is explicitly used to confirm your identity.
The subprocessors used do NOT include Anthropic, Groqcloud, or OpenAI. The referenced subprocessor list is the superset of subprocessors used across all customers which is unfortunately misleading - we are updating our documentation to make this clearer going forward (thank you for helping us realize this). Our customers select which products are used which determines which subprocessors are used."
In 2018 I was at a company where we had the first automated identity verification system in market
I was one four engineers on the team at the end when we finally found PMFβ verifying doctors in conjunction with Duo security to allow online prescriptions
It was Ruby on Rails
We had two products
Knowledge
PhotoKnowledge was really just a pretty oauth flow wrapping a transition api
Photo was Microsoft for facial recognition between the front of an ID and a selfie
Front and back was through a provider (confirm) that had exclusive partnership with morpho trust that does all the identity verification at customs that can effectively detect the security features on IDs
NIST LOA3 SOC2 HIPPA
With three external surfaces
All this to say: WTF is LinkedIn doing and if earth needs me to rebuild a product from a decade ago, we just need a few engineersβ less engineers than persona has vendors
