top | item 47102992

aylmao | 8 days ago

I'll note that Persona's CEO responded on LinkedIn [1] pointing out that:

  - No personal data processed is used for AI/model training. Data is exclusively used to confirm your identity.
  - All biometric personal data is deleted immediately after processing.
  - All other personal data processed is automatically deleted within 30 days. Data is retained during this period to help users troubleshoot.
  - The only subprocessors (8) used to verify your identity are: AWS, Confluent, DBT, ElasticSearch, Google Cloud Platform, MongoDB, Sigma Computing, Snowflake

The full list of sub-processors seems to be a catch-all for all the services they provide, which include background checks, document processing, etc., identity verification being just one of them.

I've worked on projects that required legal to get involved, and you do end up with documents that sound excessively broad. I can see how one could paint a much grimmer picture from the documents than what's happening in reality. It's good to point it out and force clarity out of these types of services.

[1]: https://www.linkedin.com/feed/update/urn:li:activity:7430615...

frm88|7 days ago

Persona Identity, Inc. is a Peter Thiel-backed venture that offers Know Your Customer (KYC) and Anti-Money Laundering (AML) solutions. These leverage biometric identity checks to estimate a user's age and use a proprietary "liveliness check" meant to distinguish real people from AI-generated identities.

Once a user verifies their identity with Persona, the software performs 269 distinct verification checks and scours the internet and government sources for potential matches, such as by matching your face to politically exposed persons (PEPs), and generating risk and similarity scores for each individual. IP addresses, browser fingerprints, device fingerprints, government ID numbers, phone numbers, names, faces, and even selfie backgrounds are analyzed and retained for up to three years.

There are so many keywords in there that should raise a red flag, but "funded by Peter Thiel" should probably be enough.

https://www.therage.co/persona-age-verification/

y-c-o-m-b|8 days ago

All of which is meaningless if it's not reflected properly in their legal documents/terms. I've had interactions with the Flock CEO here on Hacker News and he also tried to reassure us that nothing fishy is/was going on. Take it with a grain of salt.

shimman|8 days ago

Why anyone would trust the executives at any company when they are only incentivized to lie, cheat, and steal is beyond me. It's a lesson every generation is hellbent on learning again and again and again.

It used to be the default belief, throughout all of humanity, that greed is bad and dangerous; yet for the last 100 years you'd think the complete opposite was the norm.

jeffybefffy519|8 days ago

Yup, exactly. If this is the truth then put it in the terms/privacy policy, etc. Execs will say anything these days, with zero consequences for lying in a public forum.

nashashmi|8 days ago

Can a CEO's word on LinkedIn and X be used to make claims against them?

majormajor|8 days ago

But why believe that when their policy says any of it may not be true, or could change at any time?

Even if the CEO believes it right now, what if the team responsible for the automatic-deletion merely did a soft-delete instead of a hard delete "just in case we want to use it for something else one day"?
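The soft-delete worry above is concrete. A minimal Go sketch (the struct and function names here are illustrative, not Persona's actual schema): a soft delete merely stamps the record as deleted while the sensitive payload stays on disk, whereas a hard delete actually destroys it.

```go
package main

import (
	"fmt"
	"time"
)

// Record stands in for a stored verification result.
type Record struct {
	UserID    string
	Selfie    []byte     // the sensitive payload
	DeletedAt *time.Time // nil = live, non-nil = "deleted"
}

// softDelete only flags the record; the selfie bytes remain recoverable.
func softDelete(r *Record) {
	now := time.Now()
	r.DeletedAt = &now
}

// hardDelete destroys the payload itself (and in reality would also have
// to cover backups, replicas, and logs).
func hardDelete(r *Record) {
	r.Selfie = nil
	now := time.Now()
	r.DeletedAt = &now
}

func main() {
	r := Record{UserID: "u1", Selfie: []byte{0xFF, 0xD8}}
	softDelete(&r)
	fmt.Println("after soft delete, payload still present:", len(r.Selfie) > 0)
	hardDelete(&r)
	fmt.Println("after hard delete, payload still present:", len(r.Selfie) > 0)
	// prints:
	// after soft delete, payload still present: true
	// after hard delete, payload still present: false
}
```

Both paths look identical to any query that filters on `DeletedAt`, which is exactly why a public "we delete it" statement says nothing about which one is implemented.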

BorisMelnik|8 days ago

I don't believe that for one second. I can think of many examples of times CEOs have said things publicly that were not true, or ended up not being true!

torginus|7 days ago

My favourite 'thing' in the modern world is that 'we don't process and store your data' has come to mean 'we don't process and store your data - our partner does'.

Which might not even be stated explicitly; they might just move the data somewhere and then pass it on again, at which point it's outside your country's legal jurisdiction to enforce data protection measures.

Even if such a scheme is not legal, once your data moves through multiple countries with different data protection regimes, enforcing your rights seems basically impossible.

mikkupikku|7 days ago

"We don't sell your data" translates to "we sell OUR data about you".

They would never admit the data belongs to you while selling it. When they sell it, they declare themselves the owners of that data, which they derived from things you uploaded or told them, so they're never selling your data according to their lawyers.

Another thing they like to do is sell the use or access to this data, without transferring the legal rights to the data, so they can say with a straight face they never sold the data. Google loves this loophole and people here even defend it.

vinay_ys|8 days ago

> that require legal to get involved and you do end up with documents that sound excessively broad

If you let your legal team use such broad CYA language, it is usually because you are not sure what's going on and want cover, or because you actually want to keep the door open for broader use under those broader, more permissive legal terms. On the other hand, if you are sure that you will preserve users' privacy as you state in your marketing materials, then you should put it in legal writing explicitly.

pyrale|8 days ago

> pointing out that

Certainly, you mean: "claiming that".

In the words of Mandy Rice-Davies [1]: "well he would, wouldn't he?" In particular, the claim that the data isn't used for training doesn't look very serious coming from companies publicly known to have illegally acquired data to train their models.

[1]: https://en.wikipedia.org/wiki/Well_he_would,_wouldn%27t_he%3...

egorfine|8 days ago

A KYC provider is a company that doesn't start with neutral trust. It starts with a huge negative trust.

Thus it is impossible to believe his words.

jcheng|8 days ago

Can you say more? Why isn't it neutral or slightly positive? I would assume that a KYC provider would want to protect their reputation more than the average company. If I were choosing a KYC provider I would definitely want to choose the one that had not been subject to any privacy scandals, and there are no network effects or monopoly power to protect them.

flumpcakes|8 days ago

What does the (I assume) acronym KYC mean?

saghm|8 days ago

I'm not convinced there's any significant overlap between "people who are worried about which subprocessors have their data" and "people who don't think that eight subprocessors is a lot"

__float|8 days ago

I mean, two of them are cloud vendors. The rest just seem like very boring components of a (somewhat) modern data pipeline.

godelski|8 days ago

  > - All biometric personal data is deleted immediately after processing.
The implication is that biometric data leaves the device. Is that even a requirement? Shouldn't that be processed on device, in memory, and only some hash + salt leave? Isn't this how passwords work?

I'm not a security expert, so please correct me. Or if I'm on the right track, please add more nuance, because I'd like to know more and I'm sure others are interested.

wholinator2|8 days ago

I'm not an expert, but I imagine biometric data is much less exact than a password. Hashes work for passwords because you can be sure that only the exact data would allow entry, but something like a face scan or fingerprint is never _exactly_ the same twice. One major tenet that makes hashes secure is that changing any single bit of the input changes the entirety of the output. So hashes will, by definition, never allow the fuzzy matching that's required with biometric data. Maybe there's a different way to keep it secure? I'm not sure, but you'd never be able to unlock your phone again if it required a 100% match against your original data.

barryhennessy|8 days ago

As an industry we really need a better way to tell what's going where than:

- someone finally reading the T&Cs

- legal drafting the T&Cs as broadly as possible

- the actual systems running at the time matching what’s in the T&Cs when legal last checked in

Maybe this is a point to make to the Persona CEO. If he wants to avoid a public issue like this then maybe some engineering effort and investment in this direction would be in his best interest.

keepamovin|8 days ago

This is not the concern for me. I thought the risk was obvious to everyone. Though I've been tempted, because it means I'll "have more interactions" or whatever LinkedIn pitches, I didn't want to put a public signal out there saying yes: "This is my real name, real job, real city". To me it's like a pre-vetted database of marks for identity-theft criminals or whatnot. You know?

I thought everyone, at least in security would be somewhat concerned about this, but they're not. I get the benefits, and I want to enjoy those benefits too. I'd much prefer if I could privately confirm my name using IDs (zero problem with that) but then not have to show it or an exact profile photo. I'm sure there's a cryptographic way for my identity to be proven to any who I chose to prove it to who required such bona fides. I dislike the surface of "proven identity for everyone". You know?

This to me is the far more important thing than: "security-focused biometric company processed my data, therefore, being rational and modern, I will now have a meltdown." Every time you drive, use a payment method linked to your name, use your phone or laptop, go to a venue that scans IDs, make a rental, catch a flight, cross a border, etc., your ID (or telemetric equivalents sufficient to identify you) is processed by some digital entity. Revolting against the principle of "my government-issued, not-truly-mine-anyway ID documents, or other provided bona fides, being read by digital entities contracted to do that" seems nonsensical.

I think the bigger risk is always taking a photo of your passport and putting it on the internet, which is basically what the current LinkedIn verification means. Casual OSINT on a verified profile likely reveals the exact birthday via "happy birthday" type posts (or it can be cross-referenced on other platforms). "How old am I"-type image AI can give you rough years.

the_nexus_guard|7 days ago

> I'm sure there's a cryptographic way for my identity to be proven to any who I chose to prove it to

There is. The pattern is: generate a keypair locally, derive a DID (decentralized identifier) from the public key, and then selectively prove your identity to specific verifiers using digital signatures. No central authority ever holds your private key.

The key difference from the LinkedIn model: you never hand biometric data to a third party. Instead, you hold a cryptographic identity that you control. If someone needs to verify you, they check a signature — not a database. You can prove you're the same entity across interactions without revealing anything about who you are in the physical world.

This is exactly the approach behind things like W3C DIDs and Verifiable Credentials. The crypto has been solved for years; the adoption problem is that platforms like LinkedIn have no incentive to give users self-sovereign identity when the current model lets them be the middleman.

I've been building an open implementation of this for AI agents (where the identity problem is arguably even worse — there's no passport to scan): https://github.com/The-Nexus-Guard/aip. But the same cryptographic primitives apply to human identity too.

whatever1|8 days ago

Facebook at some period was pushing users to enable 2fa for security reasons, and guess what they did with the phone numbers they collected.

lysace|8 days ago

All of those statements require trust and/or the credible threat of a big stick.

Trust needs to earned. It hasn't been.

The big stick doesn't really exist.

paulnpace|8 days ago

Whelp, so long as the CEO says it's fine, we've no reason to worry about what's in the legal verbiage.

mdani|8 days ago

I am wondering what 'sub-processor' means here. Am I right in assuming that the Persona architecture uses Kafka, an S3 data lake in AWS and GCP, ElasticSearch, MongoDB for configuration or user metadata, and Snowflake for analytics, so that all of these end up on the sub-processor list because the data physically touches these companies' products or infrastructure hosted outside Persona? I hope they aren't each providing their own identity services, and that all of them aren't seeing my passport for further validation.

wackget|7 days ago

"The only subprocessors used to verify your identity are"... some of the biggest data mining companies on the planet. Excellent.

hansmayer|8 days ago

Right, because as seen over the last several years, the Big Tech CEOs should totally be trusted on their promises, especially when it comes to how our sensitive personal data is stored and processed. And this goes even without knowing who is one of the better-known "personas" investing in Persona.

SilverElfin|8 days ago

Why would we believe they are deleted after processing and not shared with the government?

astura|8 days ago

What's the government going to do with a picture of the ID they, themselves issued to you?

singleshot_|8 days ago

Why would anyone believe this?

rawgabbit|8 days ago

This reads like their entire software stack. I don’t understand the role ElasticSearch plays; are people still using it for search?

Infrastructure: AWS and Google Cloud Platform

Database: MongoDB

ETL/ELT: Confluent and DBT

Data Warehouse and Reporting: Sigma Computing and Snowflake

m463|7 days ago

> what's happening in reality

that's the thing... excessively broad might not reflect reality TODAY but can be an opportunity in the future.

dataflow|8 days ago

If he's really so confident these assurances will stand scrutiny then why doesn't he put them in the agreement and provide legal assurance to that effect?

gib444|6 days ago

Man, a top-voted, white-knight comment on each post involving FAANG gets really tiring

kwar13|8 days ago

this is just "trust me bro" with more words. Even if true, the point is not what they do right now; the point is what they CAN do, which, as pointed out in the terms, is a lot more than that.

smw|8 days ago

What possible legitimate use is Snowflake in verifying your identity? ES?

rawgabbit|8 days ago

It's probably used to aggregate all their data sources to compile profiles. They then match the passport against their database of profiles, to say: yup, this passport is for a real person, not a deceased person whose identity was stolen, for example.

corry|7 days ago

I mean...

1) This is 'trust me bro' with more details

2) 'After processing' is wide enough to drive a truck through. What if processing takes a year? What if processing is defined as something involving recurring checks?

3) You have no contract with Persona, or even with LinkedIn beyond the fact that you agreed to LinkedIn's TOS (which you didn't even read).

4) The company that acquires or takes-private Persona might have a very different view of how to handle this.

5) What does verifying do for you, the user? I understand its value to LinkedIn and their ability to sell your attention to advertisers, but what do YOU gain?

YorickPeterse|8 days ago

Ah yes, because companies never lie about how they process your data...