If you're on LinkedIn and are thinking about verifying your account with them, maybe read this first. It walks through LinkedIn's privacy disclosure to identify 17 companies that may receive and process the data you submit, including name, passport photo, selfie, facial geometry, NFC data chip, national ID #, DoB, email, phone number, address, IP address, device type, MAC address, language, geolocation etc. Unsurprisingly, it seems the biggest recipients are US-based AI companies.

https://thelocalstack.eu/posts/linkedin-identity-verification-privacy/

The CEO of Persona responded to this post, saying they wanted to clarify the identity verification process. They said:

"The only subprocessors (8) used are: AWS, Confluent, DBT, ElasticSearch, GCP, MongoDB, Sigma Computing, and Snowflake

All biometric personal data is deleted immediately after processing.

All other personal data processed is automatically deleted within 30 days. Data is retained during this period to help users troubleshoot.

No personal data processed is used for AI/model training. Data is explicitly used to confirm your identity.

The subprocessors used do NOT include Anthropic, Groqcloud, or OpenAI. The referenced subprocessor list is the superset of subprocessors used across all customers which is unfortunately misleading - we are updating our documentation to make this clearer going forward (thank you for helping us realize this). Our customers select which products are used which determines which subprocessors are used."

@briankrebs I worked heavily with Persona and can say the following:

1. Data is deleted from their servers because it is transferred to "not their server" cold storage, not completely removed from access. I should specify this used to be the case but I have heard they have changed this as of late.

2. They have very poor RBAC capabilities; it's effectively all or nothing for developers, in that you either access all user data or can't use the system to test APIs properly.

3. Persona doesn't actually have any capability to validate if your IDs are valid, such as checking driver license numbers or passport numbers in a valid database. Therefore, the ability to validate an ID is questionable at best, but it does meet the requirements of KYC and KYB.

4. Its default recommended workflow leaks the ID to the account; that ID can be used to push fake data to the Persona flow for another user, which can then be used for social engineering. This is by design, and no, they refused to fix it.

#infosec #privacy