If you're on LinkedIn and are thinking about verifying your account with them, maybe read this first.

The CEO of Persona responded to this post, saying they wanted to clarify about the identity verification process. They said:

"The only subprocessors (8) used are: AWS, Confluent, DBT, ElasticSearch, GCP, MongoDB, Sigma Computing, and Snowflake

All biometric personal data is deleted immediately after processing.

All other personal data processed is automatically deleted within 30 days. Data is retained during this period to help users troubleshoot.

No personal data processed is used for AI/model training. Data is explicitly used to confirm your identity.

The subprocessors used do NOT include Anthropic, Groqcloud, or OpenAI. The referenced subprocessor list is the superset of subprocessors used across all customers which is unfortunately misleading - we are updating our documentation to make this clearer going forward (thank you for helping us realize this). Our customers select which products are used which determines which subprocessors are used."

If you're on LinkedIn and are thinking about verifying your account with them, maybe read this first. It walks through LinkedIn's privacy disclosure to identify 17 companies that may receive and process the data you submit, including name, passport photo, selfie, facial geometry, NFC data chip, national ID #, DoB, email, phone number, address, IP address, device type, MAC address, language, geolocation etc. Unsurprisingly, it seems the biggest recipients are US-based AI companies.

https://thelocalstack.eu/posts/linkedin-identity-verification-privacy/

If you're on LinkedIn and are thinking about verifying your account with them, maybe read this first. It walks through LinkedIn's privacy disclosure to identify 17 companies that may receive and process the data you submit, including name, passport photo, selfie, facial geometry, NFC data chip, national ID #, DoB, email, phone number, address, IP address, device type, MAC address, language, geolocation etc. Unsurprisingly, it seems the biggest recipients are US-based AI companies.

https://thelocalstack.eu/posts/linkedin-identity-verification-privacy/

@briankrebs I wish @thelocalstack had opened up with the clarification that they are in the .EU. I think it's totally valid to center their .EU experience in their blog. But since there is a global audience, it's worth pointing out that in the US, Personna is not used, CLEAR is used. I doubt CLEAR is any better and probably worse. But, I would have liked to see it added to avoide confusion from folks.

@celeste Unless I'm missing something, the post I linked to and cited from was published 4 days before yours. It's not about the reported frontend exposure.

@briankrebs@infosec.exchange mustve misread the timestamp; mb

@kkarhan @briankrebs I am in a dispute with an Irish government department re this exact issue. I am saying that they cannot send personal data to the US and they are being deliberately dumb

@humanhorseshoes @briankrebs nodds in agreement

I just think that the Irish DPA is deliberatly playing stupid…

@kkarhan @briankrebs I am a repeat customer, they don't like me. If they respond at all.

The CEO of Persona responded to this post, saying they wanted to clarify about the identity verification process. They said:

"The only subprocessors (8) used are: AWS, Confluent, DBT, ElasticSearch, GCP, MongoDB, Sigma Computing, and Snowflake

All biometric personal data is deleted immediately after processing.

All other personal data processed is automatically deleted within 30 days. Data is retained during this period to help users troubleshoot.

No personal data processed is used for AI/model training. Data is explicitly used to confirm your identity.

The subprocessors used do NOT include Anthropic, Groqcloud, or OpenAI. The referenced subprocessor list is the superset of subprocessors used across all customers which is unfortunately misleading - we are updating our documentation to make this clearer going forward (thank you for helping us realize this). Our customers select which products are used which determines which subprocessors are used."

If you're on LinkedIn and are thinking about verifying your account with them, maybe read this first. It walks through LinkedIn's privacy disclosure to identify 17 companies that may receive and process the data you submit, including name, passport photo, selfie, facial geometry, NFC data chip, national ID #, DoB, email, phone number, address, IP address, device type, MAC address, language, geolocation etc. Unsurprisingly, it seems the biggest recipients are US-based AI companies.

https://thelocalstack.eu/posts/linkedin-identity-verification-privacy/