If you're on LinkedIn and are thinking about verifying your account with them, maybe read this first.
-
In 2018 I was at a company where we had the first automated identity verification system on the market
I was one of four engineers on the team at the end when we finally found PMF— verifying doctors in conjunction with Duo Security to allow online prescriptions
It was Ruby on Rails
We had two products:
Knowledge
Photo
Knowledge was really just a pretty OAuth flow wrapping a transition API
Photo was Microsoft for facial recognition between the front of an ID and a selfie
Front and back was through a provider (Confirm) that had an exclusive partnership with MorphoTrust, which does all the identity verification at customs and can effectively detect the security features on IDs
NIST LOA3, SOC2, HIPAA
With three external surfaces
All this to say: WTF is LinkedIn doing, and if earth needs me to rebuild a product from a decade ago, we just need a few engineers— fewer engineers than Persona has vendors
@briankrebs “first automated PHOTO verification”
Jumio was our primary competitor
They had people physically comparing pictures with a 60-90 second SLA
We had APIs and even figured out how to optimize image size so uploads could be as small as possible on mobile while still able to catch security details
Because of the sequencing of events, we basically had the results immediately at the end of the flow
-
@briankrebs all this to say— I do feel partially to blame for the mass proliferation of photo ID products since we proved it possible to automate
The company went in a different direction, I was fired along with the rest of my team
Sequoia was the primary investor of the company, so I assume the IP proliferated across their portfolio
In very short order Stripe launched photo ID verification that was roughly shot for shot what I built as the front end lead
Not a bad crash course in Silicon Valley economics and the hidden network effects
Venture firms definitely encourage successful startups to run startups in their startups that benefit their other startups and they’ll win no matter what
-
@briankrebs excellent deep dive!
Gee, I wish our politicians would read such summaries more often!
After the Discord breach, this is blatant proof that the big tech companies simply cannot be trusted to take responsibility for identity or age verification!
RE: https://infosec.exchange/@briankrebs/116103192779110422
@Bundesregierung and @ambnum (and any other government) please make sure to read the referenced article: it is an illusion to solve a problem with an identity check done by big tech companies.
Either you make such a platform or you stop making laws that require that!
-
The CEO of Persona responded to this post, saying they wanted to clarify about the identity verification process. They said:
"The only subprocessors (8) used are: AWS, Confluent, DBT, ElasticSearch, GCP, MongoDB, Sigma Computing, and Snowflake
All biometric personal data is deleted immediately after processing.
All other personal data processed is automatically deleted within 30 days. Data is retained during this period to help users troubleshoot.
No personal data processed is used for AI/model training. Data is explicitly used to confirm your identity.
The subprocessors used do NOT include Anthropic, Groqcloud, or OpenAI. The referenced subprocessor list is the superset of subprocessors used across all customers which is unfortunately misleading - we are updating our documentation to make this clearer going forward (thank you for helping us realize this). Our customers select which products are used which determines which subprocessors are used."
And everyone who believes no third-party processor keeps that data should stand on their heads and gargle peanut butter, because the likelihood that LinkedIn or their processing partners don't keep and sell that data is...zero.
Zero.
Everything is being sold to Palantir.
Anyone who claims otherwise is lying, or stupid.
-
@humanhorseshoes @briankrebs exactly!
IMHO #GDPR must be sharpened harder than #CloudAct (which is incompatible with it)!
@kkarhan @briankrebs I am in a dispute with an Irish government department re this exact issue. I am saying that they cannot send personal data to the US and they are being deliberately dumb
-
If you really feel bad, then figure out a way to gum up the works.
-
I believe I’ve put more gum in more places than most and am continuing to do so
The sad reality is that most people don’t care because these types of systemic problems are invisible to them and they feel helpless against them and thinking about them takes their time away from their entertainment of choice
So I’m just putting gum where I can and hoping others are doing the same
-
@briankrebs
I just shared this and the first answer I got was "well, shit, but that's what most companies use and if I don't jump through their hoop I'll never get a job". I don't share this view but I also want to read from everyone here. Any suggestions?
Maybe it's time to start your own business for local customers at a reasonable price and without the predatory capitalist surveillance and AI Slop.
I would happily pay for Linux support of de-enshittified desktop versions of the software I used to like until it became low quality bug-ridden garbage holding our data hostage on their servers.
Be part of the resistance, not the empire.
-
That's wonderful.
-
@MissGayle I call my gum placement my circus and where the gum sits are my tent poles and eventually once the circus is ready it’ll be more like turning on the lights for a vaudeville show than
*points at silicon valley*
-
@briankrebs Okay, so this is just one company, right? On face value, I believe him, but what about Amazon, Snowflake, MongoDB and the others? And how much harm can you do in 30 days? Let's see what the clarification does.
-
@briankrebs And what assurances do they have that Snowflake etc aren't keeping copies? You don't master a cloud supply chain.
@davep You don't trust big capital? Wow.
-
@briankrebs I'm feeling relieved that I never put myself on LinkedIn.
@angiebaby I have to say the value proposition is dramatically below sea level now
-
@briankrebs I've been applying for over a year. I'd just really like a job at this point.
@chad @briankrebs Brother, I have been there. 14 months looking for a place that even understands what I can do, but the hiring pipeline is completely, irrevocably fscked. The only interviews I got were from constant contact and/or having an insider.
I included Canada in my search because it would be great for one of my kids in particular, considering the US gov doesn't want to acknowledge she exists; found out fast Canada isn't competitive or accommodating: nothing like the H1B program, very limited spots.
-
Persona is linked to Thiel IIRC. I guess I trust them less far than I could throw Thiel.
-
@briankrebs As @aral pointed out, for goons like this "deleting data" often amounts to a "SET deleted = 'true' WHERE uid = 'customer23'" or something similar.
I trust the CEO of Persona about as far as I can throw Peter Thiel's bank account.
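The soft-delete pattern this comment refers to, beside an actual purge that applies the two retention rules in the quoted statement (biometric material dropped as soon as the check completes, other personal data expired after 30 days), as an added Python illustration. This is not code from Persona, LinkedIn or any poster in the thread; the record shape, field names, the `customer23`/`customer24` rows and the dates are constructed, and measuring the 30 days from upload time is an assumption. The `residual_personal_data` check is the question an auditor would put to either store: which rows marked deleted still hold bytes?

```python
"""Soft-delete flag vs. actual purge, plus a retention sweep (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

RETENTION_DAYS = 30  # figure from the quoted statement; assumption: counted from upload


@dataclass
class VerificationRecord:
    uid: str
    uploaded_at: datetime
    biometric: Optional[bytes]     # selfie / face-template bytes
    personal: Optional[dict]       # name, DoB, document number, ...
    deleted: bool = False          # the "SET deleted = 'true'" flag from the comment


class SoftDeleteStore:
    """Flips a flag and keeps every byte: any query that ignores the flag still sees the data."""

    def __init__(self) -> None:
        self.rows: Dict[str, VerificationRecord] = {}

    def insert(self, rec: VerificationRecord) -> None:
        self.rows[rec.uid] = rec

    def delete(self, uid: str) -> None:
        self.rows[uid].deleted = True


class PurgingStore(SoftDeleteStore):
    """Blanks the sensitive fields; only a non-sensitive audit stub of the row remains."""

    def finish_check(self, uid: str) -> None:
        # Biometric material is dropped the moment processing completes.
        self.rows[uid].biometric = None

    def delete(self, uid: str) -> None:
        rec = self.rows[uid]
        rec.biometric = None
        rec.personal = None
        rec.deleted = True

    def retention_sweep(self, now: datetime) -> List[str]:
        """Purge every row older than RETENTION_DAYS that still carries data; return the uids."""
        cutoff = now - timedelta(days=RETENTION_DAYS)
        purged = []
        for uid, rec in self.rows.items():
            if rec.uploaded_at < cutoff and (rec.personal is not None or rec.biometric is not None):
                self.delete(uid)
                purged.append(uid)
        return purged


def residual_personal_data(store: SoftDeleteStore) -> List[str]:
    """Rows flagged deleted that still hold biometric or personal data (should be empty)."""
    return sorted(uid for uid, r in store.rows.items()
                  if r.deleted and (r.biometric is not None or r.personal is not None))


def demo(now: Optional[datetime] = None) -> dict:
    """Run both stores over two constructed rows and report what survives."""
    now = now or datetime(2025, 1, 1, tzinfo=timezone.utc)  # constructed clock
    soft, purge = SoftDeleteStore(), PurgingStore()
    for store in (soft, purge):
        # constructed sample rows: one past the retention window, one fresh
        store.insert(VerificationRecord("customer23", now - timedelta(days=31),
                                        b"face-template", {"name": "A. Person"}))
        store.insert(VerificationRecord("customer24", now - timedelta(days=2),
                                        b"face-template", {"name": "B. Person"}))
    soft.delete("customer23")            # flag only: the bytes stay
    purge.finish_check("customer24")     # biometric gone at end of check
    swept = purge.retention_sweep(now)   # customer23 is past 30 days
    return {
        "soft_leftovers": residual_personal_data(soft),
        "purge_leftovers": residual_personal_data(purge),
        "swept": swept,
        "fresh_biometric_gone": purge.rows["customer24"].biometric is None,
        "fresh_personal_kept": purge.rows["customer24"].personal is not None,
    }


if __name__ == "__main__":
    print(demo())
```

With the soft-delete store, `residual_personal_data` reports `customer23` even though it is "deleted"; with the purging store the same check comes back empty, and the fresh row keeps its non-biometric fields until the window expires. That difference is what a retention claim has to be verified against, not the wording of the policy.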
-
If you're on LinkedIn and are thinking about verifying your account with them, maybe read this first. It walks through LinkedIn's privacy disclosure to identify 17 companies that may receive and process the data you submit, including name, passport photo, selfie, facial geometry, NFC data chip, national ID #, DoB, email, phone number, address, IP address, device type, MAC address, language, geolocation etc. Unsurprisingly, it seems the biggest recipients are US-based AI companies.
https://thelocalstack.eu/posts/linkedin-identity-verification-privacy/
-
@briankrebs I wish @thelocalstack had opened up with the clarification that they are in the .EU. I think it's totally valid to center their .EU experience in their blog. But since there is a global audience, it's worth pointing out that in the US, Persona is not used, CLEAR is used. I doubt CLEAR is any better and probably worse. But, I would have liked to see it added to avoid confusion from folks.
-
@adoug @briankrebs
Fair point on the EU context, though the .eu domain does signal it.
On CLEAR: you’re right, and it’s worth a dedicated look. My post was never meant to make accusations, I was documenting exactly what the privacy disclosure says. The goal was clarity, not condemnation.
The terms are theirs, not mine.