If you're on LinkedIn and are thinking about verifying your account with them, maybe read this first.
-
@briankrebs still means data is subject to #CloudAct = incompatible with #GDPR & #BDSG!
@kkarhan @briankrebs Look where Linkedin has its HQ in Europe. Ireland. The shittest DPO in the Union and under political pressure to keep the FDI money coming into Ireland. The one stop shop approach by the EU does NOT work
-
The CEO of Persona responded to this post, saying they wanted to clarify about the identity verification process. They said:
"The only subprocessors (8) used are: AWS, Confluent, DBT, ElasticSearch, GCP, MongoDB, Sigma Computing, and Snowflake
All biometric personal data is deleted immediately after processing.
All other personal data processed is automatically deleted within 30 days. Data is retained during this period to help users troubleshoot.
No personal data processed is used for AI/model training. Data is explicitly used to confirm your identity.
The subprocessors used do NOT include Anthropic, Groqcloud, or OpenAI. The referenced subprocessor list is the superset of subprocessors used across all customers which is unfortunately misleading - we are updating our documentation to make this clearer going forward (thank you for helping us realize this). Our customers select which products are used which determines which subprocessors are used."
@briankrebs And what assurances do they have that Snowflake etc aren't keeping copies? You don't master a cloud supply chain.
-
The CEO of Persona responded to this post, saying they wanted to clarify about the identity verification process. They said:
"The only subprocessors (8) used are: AWS, Confluent, DBT, ElasticSearch, GCP, MongoDB, Sigma Computing, and Snowflake
All biometric personal data is deleted immediately after processing.
All other personal data processed is automatically deleted within 30 days. Data is retained during this period to help users troubleshoot.
No personal data processed is used for AI/model training. Data is explicitly used to confirm your identity.
The subprocessors used do NOT include Anthropic, Groqcloud, or OpenAI. The referenced subprocessor list is the superset of subprocessors used across all customers which is unfortunately misleading - we are updating our documentation to make this clearer going forward (thank you for helping us realize this). Our customers select which products are used which determines which subprocessors are used."
I'd take a pinky-finger promise from a third-party company over any data privacy law!
-
The CEO of Persona responded to this post, saying they wanted to clarify about the identity verification process. They said:
"The only subprocessors (8) used are: AWS, Confluent, DBT, ElasticSearch, GCP, MongoDB, Sigma Computing, and Snowflake
All biometric personal data is deleted immediately after processing.
All other personal data processed is automatically deleted within 30 days. Data is retained during this period to help users troubleshoot.
No personal data processed is used for AI/model training. Data is explicitly used to confirm your identity.
The subprocessors used do NOT include Anthropic, Groqcloud, or OpenAI. The referenced subprocessor list is the superset of subprocessors used across all customers which is unfortunately misleading - we are updating our documentation to make this clearer going forward (thank you for helping us realize this). Our customers select which products are used which determines which subprocessors are used."
@briankrebs and if you believe this from a company where the executives hide from the public, explicitly authoritarian goals of irreversibly identifying everyone online, and direct ties to outspoken Nazis and fascists through funding?
Then all you need to do is pay the $5000 processing fee in Visa gift cards, and I can transfer you $500M USD from the Euorpean lottery tomorrow.
-
The CEO of Persona responded to this post, saying they wanted to clarify about the identity verification process. They said:
"The only subprocessors (8) used are: AWS, Confluent, DBT, ElasticSearch, GCP, MongoDB, Sigma Computing, and Snowflake
All biometric personal data is deleted immediately after processing.
All other personal data processed is automatically deleted within 30 days. Data is retained during this period to help users troubleshoot.
No personal data processed is used for AI/model training. Data is explicitly used to confirm your identity.
The subprocessors used do NOT include Anthropic, Groqcloud, or OpenAI. The referenced subprocessor list is the superset of subprocessors used across all customers which is unfortunately misleading - we are updating our documentation to make this clearer going forward (thank you for helping us realize this). Our customers select which products are used which determines which subprocessors are used."
@briankrebs Aye right, totally trustworthy company https://youtube.com/watch?v=S-Jo-djilvo
-
@briankrebs and if you believe this from a company where the executives hide from the public, explicitly authoritarian goals of irreversibly identifying everyone online, and direct ties to outspoken Nazis and fascists through funding?
Then all you need to do is pay the $5000 processing fee in Visa gift cards, and I can transfer you $500M USD from the Euorpean lottery tomorrow.
@briankrebs which is to say: absofuckingloutely Persona is lying. They've lied the whole time. These are the same dipshits that left their entire system exposed which revealed that, surprise! They're storing all the biometrics permanently and just straight lying about everything top to bottom!
-
@kkarhan @briankrebs Look where Linkedin has its HQ in Europe. Ireland. The shittest DPO in the Union and under political pressure to keep the FDI money coming into Ireland. The one stop shop approach by the EU does NOT work
@humanhorseshoes @briankrebs that's due to #Ireland artifically grifting itself into a "#nearshore #TaxHaven"…
See "#DoubleDutchIrishSandwich" #TaxEvasion setup…
-
@humanhorseshoes @briankrebs that's due to #Ireland artifically grifting itself into a "#nearshore #TaxHaven"…
See "#DoubleDutchIrishSandwich" #TaxEvasion setup…
@kkarhan @briankrebs That loophole has closed and the argument that any EU country could do what Ireland have done is valid too. I will concede that the DPO is very weak and deliberately so
-
@kkarhan @briankrebs That loophole has closed and the argument that any EU country could do what Ireland have done is valid too. I will concede that the DPO is very weak and deliberately so
@humanhorseshoes @briankrebs OFC it is too weak ON PURPOSE!
- #GDPR should've been sharper and harder than #BDSG and #COPPA together, banning the #BusinessModel of #DataBrokers like #NSAbook / #StasiBook for good!
-
@humanhorseshoes @briankrebs OFC it is too weak ON PURPOSE!
- #GDPR should've been sharper and harder than #BDSG and #COPPA together, banning the #BusinessModel of #DataBrokers like #NSAbook / #StasiBook for good!
@kkarhan @briankrebs GDPR is poorly implemented all over the EU, for example if you set up outside the EU and have EU data subjects and business nobody wants to touch you and you can do whatever you like
-
The CEO of Persona responded to this post, saying they wanted to clarify about the identity verification process. They said:
"The only subprocessors (8) used are: AWS, Confluent, DBT, ElasticSearch, GCP, MongoDB, Sigma Computing, and Snowflake
All biometric personal data is deleted immediately after processing.
All other personal data processed is automatically deleted within 30 days. Data is retained during this period to help users troubleshoot.
No personal data processed is used for AI/model training. Data is explicitly used to confirm your identity.
The subprocessors used do NOT include Anthropic, Groqcloud, or OpenAI. The referenced subprocessor list is the superset of subprocessors used across all customers which is unfortunately misleading - we are updating our documentation to make this clearer going forward (thank you for helping us realize this). Our customers select which products are used which determines which subprocessors are used."
@briankrebs this also contradicts their own privacy policy which calls out companies like OpenAI. Also don't remember it saying anything about any data being deleted after any period of time too.
(This was for a wire transfer and I politely said fuck you and got a cashiers check instead)
-
The CEO of Persona responded to this post, saying they wanted to clarify about the identity verification process. They said:
"The only subprocessors (8) used are: AWS, Confluent, DBT, ElasticSearch, GCP, MongoDB, Sigma Computing, and Snowflake
All biometric personal data is deleted immediately after processing.
All other personal data processed is automatically deleted within 30 days. Data is retained during this period to help users troubleshoot.
No personal data processed is used for AI/model training. Data is explicitly used to confirm your identity.
The subprocessors used do NOT include Anthropic, Groqcloud, or OpenAI. The referenced subprocessor list is the superset of subprocessors used across all customers which is unfortunately misleading - we are updating our documentation to make this clearer going forward (thank you for helping us realize this). Our customers select which products are used which determines which subprocessors are used."
The CEO of Persona... can go fuck themselves.
-
@kkarhan @briankrebs GDPR is poorly implemented all over the EU, for example if you set up outside the EU and have EU data subjects and business nobody wants to touch you and you can do whatever you like
@humanhorseshoes @briankrebs exactly!
IMHO #GDPR must be sharpened harder than #CloudAct (which is incompatible with it)!
-
If you're on LinkedIn and are thinking about verifying your account with them, maybe read this first. It walks through LinkedIn's privacy disclosure to identify 17 companies that may receive and process the data you submit, including name, passport photo, selfie, facial geometry, NFC data chip, national ID #, DoB, email, phone number, address, IP address, device type, MAC address, language, geolocation etc. Unsurprisingly, it seems the biggest recipients are US-based AI companies.
https://thelocalstack.eu/posts/linkedin-identity-verification-privacy/
@briankrebs excellent deep dive!
Gee, I wish pur politics would read such summaries more often!
After the discord breach, this is a blatant proof that the big tech companies are simply unable to be trusted to take responsibility to make identity or age verification! -
The CEO of Persona responded to this post, saying they wanted to clarify about the identity verification process. They said:
"The only subprocessors (8) used are: AWS, Confluent, DBT, ElasticSearch, GCP, MongoDB, Sigma Computing, and Snowflake
All biometric personal data is deleted immediately after processing.
All other personal data processed is automatically deleted within 30 days. Data is retained during this period to help users troubleshoot.
No personal data processed is used for AI/model training. Data is explicitly used to confirm your identity.
The subprocessors used do NOT include Anthropic, Groqcloud, or OpenAI. The referenced subprocessor list is the superset of subprocessors used across all customers which is unfortunately misleading - we are updating our documentation to make this clearer going forward (thank you for helping us realize this). Our customers select which products are used which determines which subprocessors are used."
In 2018 I was at a company where we had the first automated identity verification system in market
I was one four engineers on the team at the end when we finally found PMF— verifying doctors in conjunction with Duo security to allow online prescriptions
It was Ruby on Rails
We had two products
Knowledge
PhotoKnowledge was really just a pretty oauth flow wrapping a transition api
Photo was Microsoft for facial recognition between the front of an ID and a selfie
Front and back was through a provider (confirm) that had exclusive partnership with morpho trust that does all the identity verification at customs that can effectively detect the security features on IDs
NIST LOA3 SOC2 HIPPA
With three external surfaces
All this to say: WTF is LinkedIn doing and if earth needs me to rebuild a product from a decade ago, we just need a few engineers— less engineers than persona has vendors
-
In 2018 I was at a company where we had the first automated identity verification system in market
I was one four engineers on the team at the end when we finally found PMF— verifying doctors in conjunction with Duo security to allow online prescriptions
It was Ruby on Rails
We had two products
Knowledge
PhotoKnowledge was really just a pretty oauth flow wrapping a transition api
Photo was Microsoft for facial recognition between the front of an ID and a selfie
Front and back was through a provider (confirm) that had exclusive partnership with morpho trust that does all the identity verification at customs that can effectively detect the security features on IDs
NIST LOA3 SOC2 HIPPA
With three external surfaces
All this to say: WTF is LinkedIn doing and if earth needs me to rebuild a product from a decade ago, we just need a few engineers— less engineers than persona has vendors
@briankrebs “first automated PHOTO verification”
Jumio was our primary competitor
They had people physically comparing pictures with a 60-90 second SLA
We had APIs and even figured out how to optimize image size so uploads could be as small as possible on mobile while still able to catch security details
Because of the sequencing of events, we basically had the results immediately at the end of the flow
-
@briankrebs “first automated PHOTO verification”
Jumio was our primary competitor
They had people physically comparing pictures with a 60-90 second SLA
We had APIs and even figured out how to optimize image size so uploads could be as small as possible on mobile while still able to catch security details
Because of the sequencing of events, we basically had the results immediately at the end of the flow
@briankrebs all this to say— I do feel partially to blame for the mass proliferation of photo ID products since we proved it possible to automate
The company went in a different direction, I was fired along with the rest of my team
Sequoia was the primary investor of the company, so I assume the IP proliferated across their portfolio
In very short order stripe launched photo id verification that was roughly shot for shot what I built as the front end lead
Not a bad crash course in Silicon Valley economics and the hidden network effects
Venture firms definitely encourage successful startups to run startups in their startups that benefit their other startups and they’ll win no matter what
-
@briankrebs excellent deep dive!
Gee, I wish pur politics would read such summaries more often!
After the discord breach, this is a blatant proof that the big tech companies are simply unable to be trusted to take responsibility to make identity or age verification!RE: https://infosec.exchange/@briankrebs/116103192779110422
@Bundesregierung and @ambnum (and any other government) please make sure to read the referenced article: it is an illusion to solve a problem by an Identity check done by big tech companies.
Either you make such a platform or you stop making laws that require that!
-
The CEO of Persona responded to this post, saying they wanted to clarify about the identity verification process. They said:
"The only subprocessors (8) used are: AWS, Confluent, DBT, ElasticSearch, GCP, MongoDB, Sigma Computing, and Snowflake
All biometric personal data is deleted immediately after processing.
All other personal data processed is automatically deleted within 30 days. Data is retained during this period to help users troubleshoot.
No personal data processed is used for AI/model training. Data is explicitly used to confirm your identity.
The subprocessors used do NOT include Anthropic, Groqcloud, or OpenAI. The referenced subprocessor list is the superset of subprocessors used across all customers which is unfortunately misleading - we are updating our documentation to make this clearer going forward (thank you for helping us realize this). Our customers select which products are used which determines which subprocessors are used."
And everyone who believes no third party processes keep that data should stand on their heads and gargle peanut butter, because the likelihood that LinkedIn or their processing partners don't keep and sell that data is...zero.
Zero.
Everything is being sold to Palentir.
Amyone who claims otherwise is lying, or stupid.
-
@humanhorseshoes @briankrebs exactly!
IMHO #GDPR must be sharpened harder than #CloudAct (which is incompatible with it)!
@kkarhan @briankrebs I am in a dispute with an Irish government department re this exact issue. I am saying that they cannot send personal data to the US and they are being deliberately dumb
