This investigative article documents privacy violations inherent in LinkedIn's identity verification feature, which outsources biometric and personal data collection to Persona, a US-based third-party contractor. Through detailed analysis of published privacy policies and terms of service, the author demonstrates comprehensive data collection (biometrics, passport scans, behavioral data), sharing with 17 primarily US-based subprocessors, and exposure to US government access via the CLOUD Act regardless of physical server location. The article strongly advocates for privacy protection and user awareness, providing specific action steps (data requests, deletion requests, DPO contact) while the hosting infrastructure itself demonstrates privacy-by-practice (self-hosted EU, zero tracking, no ads).
Ha. I was reading this and thought "euhhhh, I did not give all of that to verify my account". So I went to LinkedIn to check if I have the shield. I then saw
- that I just have "work email verified" and that there is a Persona thing I was not even aware of
I used to have a LinkedIn account, a long time ago. To register I created an email address that was unique to LinkedIn, and pretty much unguessable ... certainly not amenable to a dictionary attack.
I ended up deciding that I was getting no value from the account, and I heard unpleasant things about the company, so I deleted the account.
Within hours I started to get spam to that unique email address.
It would be interesting to run a semi-controlled experiment to test whether this was a fluke, or if they leaked, sold, or otherwise lost control of my data. But absolutely I will not trust them with anything I want to keep private.
I do not trust LinkedIn to keep my data secure ... I believe they sold it.
> Let that sink in. You scanned your European passport for a European professional network, and your data went exclusively to North American companies. Not a single EU-based subprocessor in the chain.
Not sure LinkedIn is a European professional network.
Was forced to verify to get access to a new account. Like, an interstitial page that forced verification before even basic access.
Brief context for that: was being granted a salesnav licence, but to my work address with no account attached to it. Plus I had an existing salesnav trial underway on main account and didn't want to give access to that work.
So I reluctantly verified with my passport (!) and got access. Then looked at all the privacy settings to try to access what I'd given, but the full export was only sign up date and one other row in a csv. I switched off all the dark pattern ad settings that were default on, then tried to recall the name of the company. Lack of time meant I haven't been able to follow up. I was deeply uncomfortable with the whole process.
So now I've requested my info and deletion via the details in the post, from the work address.
One other concern is if my verified is ever forced to be my main, I'll be screwed for contacts and years of connections. So I'll try to shut it down soon when I'm sure we're done at work. But tbh I don't think the issues will end there either.
Why do these services have to suck so much. Why does money confer such power instead of goodwill, integrity and trust/trustless systems. Things have to change. Or, just stay off the grid. But that shouldn't have to be the choice. Where are the decentralised services. I'm increasingly serious about this.
This is the kind of activism in privacy that I appreciate and that we need. I knew I did not want to verify but I did verify on LinkedIn recently. The fact that the author also gave an action list if you are concerned about your privacy is just commendable.
A good reminder of how things actually work, but the article could use some more balancing…
> Let that sink in. You scanned your European passport for a European professional network, and your data went exclusively to North American companies. Not a single EU-based subprocessor in the chain.
LinkedIn is an American product. The EU has had 20 years to create an equally successful and popular product, which it failed to do. American companies don’t owe your European nationalist ambitions a dime. Use their products at your own discretion.
Of course an American company is subject to American law. And of course an American company will prioritise other local, similar jurisdiction companies. And often times there’s no European option that competes on quality, price, etc to begin with. In other words I don’t see why any of this is somehow uniquely wrong to the OP.
> Here’s what the CLOUD Act does in plain language: it allows US law enforcement to force any US-based company to hand over data, even if that data is stored on a server outside the United States.
European law enforcement agencies have the same powers, which they easily exercise.
The strange thing about LinkedIn organization verification is that it never seems to be revoked. I have many contacts with verifications from companies they no longer work for - sometimes for a very long time.
On the other hand I see many people posting in official capacity for an organization without verification.
When they actively represent their current company but with a random verification from a previous one it gets pretty absurd.
In its current form LinkedIn verification is pretty worthless as a trust signal.
Somehow the fundamentals of places like linkedin, gmail, google, facebook, etc have eluded people.
1. they are selling you as a target.
2. some people, governments, groups, whatever are willing to pay a lot of money to obtain information about you.
3. why would someone pay good money to target you unless they were going to profit from doing so. are they stupid? no.
4. where does that profit come from? If some one is willing to pay $100 to target you, how are they going to recoup that money?
5. From you.
There is simply no other way this can have worked for this long without this being true.
It is a long causal chain, so it is fair to ask whether there is any empirical evidence. If this is true we would expect to see ...? Well how about prices going up? Well how about in general people are less able to afford housing, food, cars, etc.
I'm speculating here, but perhaps it is predictability. There is a common time warp fantasy about being able to go back and guess the future. You go back and bet on a sports game. If I can predict what you are going to do then I can place much more profitable bets.
Do the corporations that participate in this scheme provide mutual economic benefit? Do they contribute to the common wealth or are they parasitical?
No one likes to think they have parasites. But we all do these days.
I work in this space for a competitor to Persona, so take my opinion as potentially biased, but I have two points:
1. just because the DPA lists 17 subprocessors, it doesn't mean your data gets sent to all of them. As a company you put all your subprocessors in the DPA, even if you don't use them. We have a long list of subprocessors, but any one individual going through our system is only going to interact with two or three at most. Of course, Persona _could_ be sending your data to all 17 of them, legally, but I'd be surprised if they actually do.
2. the article makes it sound like biometric data is some kind of secret, but especially your _face_ is going to be _everywhere_ on the internet. Who are we kidding here? Why would _that_ be the problem? Your search/click behavior or connection metadata would seem a lot more private to me.
Wow that is insane. Persona is even linked to Peter Thiel.
If LinkedIn asks me to verify then I'll just leave. I'd be very happy for it to fall over anyway so there is space for a new more ethical platform. Especially since Microsoft acquired it, all bets are off.
Good write up I guess, but I'm just so tired of all the AI-isms in every damn thing.
"Your European passport is one quiet subpoena away"
Why does the subpoena need to be quiet? If I search my chats with ChatGPT for the word "quiet", I get a ridiculous number of results. "Quietly this, quietly that". It's almost like the new em dash.
There's many others all over this blog post I won't bother calling out.
"Understanding what I actually agreed to took me an entire weekend reading 34 pages of legal documents."
Yeah I'll bet it did. Or it took an hour of back and forth with ChatGPT loaded up with those 34 pages.
I get it, we all use AI, but I'm just so tired of seeing the unmistakable mark of AI language all over every single thing. For some reason it just makes me think "this person is lazy". The CEO of a company my friend works for used Claude to write an important letter to business partners recently and we were all galled at her lack of awareness of how AI-sloppified the thing was. I guess people just don't care anymore.
LinkedIn is Tiktokified social media brainrot disguised as serious work. "Hey - you're not wasting time, you're building your network and gathering industry knowledge!"
LinkedIn is full of so-called professionals who make a living by leveraging their brand. If you're not one of them, leave
I've been getting "Emails aren’t getting through to one of your email addresses. Please update or confirm your email." -- even tho I get messages from them every day. When you press the button to confirm the (working) email it states "Something went wrong".
It happened last week too, I was able to fix it via their chat-help (human). Yesterday, their chat-help (human) was not able to fix it and had to open a ticket. I pay for LinkedIn-Premium. So maybe this is just a scam to route me into Verification. Their help documents (https://www.linkedin.com/help/linkedin/answer/a1423367) for verifying emails don't match the current user experience.
Then, in a classic tech-paradox, their phone support person told me they would email me -- on the same address their system reports emails are not getting through to. It felt like 1996 levels of understanding.
I'll note that Persona's CEO responded on LinkedIn [1] pointing out that:
- No personal data processed is used for AI/model training. Data is exclusively used to confirm your identity.
- All biometric personal data is deleted immediately after processing.
- All other personal data processed is automatically deleted within 30 days. Data is retained during this period to help users troubleshoot.
- The only subprocessors (8) used to verify your identity are: AWS, Confluent, DBT, ElasticSearch, Google Cloud Platform, MongoDB, Sigma Computing, Snowflake
The full list of sub-processors seems to be a catch-all for all the services they provide, which includes background checks, document processing, etc., identity verification being just one of them.
I've worked on projects that require legal to get involved and you do end up with documents that sound excessively broad. I can see how one can paint a much grimmer picture from documents than what's happening in reality. It's good to point it out and force clarity out of these types of services.
It seems to me that if you let Persona verify your identity you're essentially providing data enrichment for the US government. In exchange for what? A blue tick from a feeder platform like LinkedIn, Reddit or Discord? No thanks.
On the other hand it can be hard to escape if it's for something that actually matters. Coursera is a customer. You might want your course achievements authenticated. The Canada Media Fund arranges monies for Canadian creators when their work lines up with various government sponsored DEI incentives. If you're in this world you will surely use Persona as required by them. Maybe you're applying for a trading account with Wealthsimple and have to have your ID verified. Or you want to rent a Lime Scooter and have to use them as part of the age verification process.
KYC platforms have a place. But we need legal guarantees around the use of our data. And places like Canada and Europe that are having discussions about digital sovereignty need to prioritize the creation of local alternatives.
Subprocessor usually just means that you use their products in a way that your personal data passes through them. For example, let's say you are using Cloudflare and AWS to host a site, then your subprocessors would be Cloudflare and AWS.
It can be some more nefarious use, but it can also just be that they (Persona in this case) use their services to process/store your data.
I think the author was talking about their own professional network being based in Europe, as opposed to LinkedIn, the platform that they're using to contact said network.
Their use of LinkedIn is for local and semi-local professional networks. It's like if you use Nextdoor for your street.
And of course those Europeans use LinkedIn for the network effect (even though LinkedIn is just a pathetic sad dead mall now, so most are doing so for an illusion), because other prior waves of Europeans also used LinkedIn, and so on. Domestic or regional alternatives falter because everyone demands they be on the "one" site.
The centralization of tech, largely to the US for a variety of reasons, has been an enormous, colossal mistake.
It's at this point I have to laud what China did. They simply banned foreign options in many spaces and healthy domestic options sprouted up overnight. Many countries need to start doing this, especially given that US tech is effectively an arm of a very hostile government that is waging intense diplomatic and trade warfare worldwide, especially against allies.
> Was forced to verify to get access to a new account. Like, an interstitial page that forced verification before even basic access.
I'm forced to verify to access my existing account.
I cannot delete it, nor opt out of 'being used for AI content' without first handing them over even more information I'm sure will be used for completely benign purposes.
Remember when LinkedIn was condemned because they copied Gmail’s login page saying “Log in with Google”, then you entered your password, then they retrieved all your contacts, even the bank, the mailing lists, your ex, and spammed the hell out of them, saying things in your name in the style of “You haven’t joined in 5 days, I want you to subscribe” ?
> European law enforcement agencies have the same powers.
No they don’t, not in the way that is implied here. A German court can subpoena German companies. Even for 100% subsidiaries in other European or non-European countries, one needs to request legal assistance. Which then is evaluated based on local jurisdiction of the subsidiary, not the parent. Microsoft Germany as operator is subject to US law and access. See Wikipedia “American exceptionalism” for further examples.
I understand, and even agree, that how this is being handled has some pretty creepy aspects. But one thing missing from the comments I see here and elsewhere is: How else should verification be handled? We have a real problem with AI/bots online these days, trust will be at a premium. How can we try to assure it? I can think of one way: Everyone must pay to be a member (there will still be fraud, but it will cost!). How else can we verify with a better set of tradeoffs?
The "pull yourselves up by your bootstraps" advice has more weight when the person saying it hasn't taken control of all bootstraps for a good 75 years. This is the toxicity in the toxic relationship between the US and EU. Foot in our faces telling us to pick ourselves up. Ditto South America.
But I have such low faith in the platform that I would readily believe that once they think you're not going to continue adding value, they find unpleasant ways to extract the last bit of value that they reserve only for "ex"-users.
They can do what they please. It's due to the network effects. The tie-ins of tech are so strong, I'd wager that 99% of why they succeed has nothing to do with competency or making a product for the user, just that people are too immobile to jump ship for too many reasons. It's staggering how much stronger this is than what people give credit for. It's as if you registered all your cells with a particular pain medication provider, and the idea of switching pills makes one go into acute neurosis.
> Somehow the fundamentals of places like linkedin, gmail, google, facebook, etc have eluded people.
LinkedIn is slightly different, as it's fundamentally framed as a job board and recruiting platform. The paying customers are recruiters, and the product is access to the prospective candidates. Hence, LinkedIn offering for free services such as employee verification, work history verification, employee vouching, etc.
Yep, I clicked verify experimentally and all they wanted was my work email and a code they sent to it.
Of course, that works probably because my work has a LinkedIn account so they know what the official domain is for it.
I guess they'll spam that email but it's not like I care. I already receive spam offering me subcontracting services so I guess it's published somewhere.
Because it should still be my choice as to what you do with it, which data you associate with it, and how you store it. Removing that choice is anti-privacy.
Why not show a summary of who actually received the data? It should be easy to implement. You could also add what data is retained and an estimate of how long it is kept for. It could be a summary page that I can print as a PDF after the process is complete.
I'd consider that a feature that would increase trust in such a platform. These platforms require trust, right?
Beautifully written, I saved your post to send the next friend or relative who asks me why I am so hard-over on privacy. I enjoyed working at Google years ago as a contractor, and they are my 'favorite' tech company - the only mega-tech company whose services I regularly use, but I am constantly mindful of their business model as I use YouTube, GCP, and their various dev APIs.
>The EU has had 20 years to create an equally successful and popular product, which it failed to do. American companies don’t owe your European nationalist ambitions a dime. Use their products at your own discretion.
I can see not everybody here will agree with me, but I find this take absolutely reasonable. The European space has the capacity and the resources to create a product that replaces something as trivial as LinkedIn, and yet it takes the lazy approach of just using American products.
It's the same thing with China's manufactured products, at some point the rest of the world just accepted that everything gets done in China and then keep complaining about how abusive China can be.
The most recent issue is the military question. Europe relied for decades on the "cheap" protection of the USA. Now the USA gave the middle finger to Europe and Europe acts shocked, but Europe is not so shocked when it comes to the military budget it did not spend on self defense during all the time the Americans provided protection.
This is a good example of why it's insane that nobody at Mozilla cares that they hire CEOs that have only a LinkedIn page. If you want to visit the website of the Mozilla CEO, you have to create an account and log in. No big deal if it's a CEO of a plastics manufacturing company, but when the mission is fighting against the behavior of companies like LinkedIn, it makes me wonder why Mozilla exists.
> Or it took an hour of back and forth with ChatGPT loaded up with those 34 pages.
That's exactly what I was thinking when I read that line. And there's nothing necessarily wrong with using AI to help decipher large legal documents, just be honest about it.
Kind of. I've had a strict policy since LinkedIn launched of only connecting with people I've actually met and had at least some meaningful conversation with. Most of my contacts are former work colleagues. I think this makes my feed and audience a bit less spammy and grifty.
Let’s not forget Persona is linked to Peter Thiel. When Thiel and his friends support the government snatching citizens off the streets, there is unacceptable risk with forcing job seekers and the like to create accounts on LinkedIn.
I also find AI trope-ification articles exhausting to read, there's a reason I've fine-tuned my system prompts to wipe all of it away. This reads like "Hey Gemini, I verified my passport on LinkedIn, write an impassioned exposé on Persona's privacy policy".
When people leave in things like staccato language and Blogspot era emphasis, I feel like I might as well copy the Persona privacy policy and prompt my own AI(s) on the topic and read that instead.
Here’s the problem I have with your take (even if I agree): LinkedIn has a product to sell. You’re not supposed to be the product, because companies pay to advertise job postings, they sell career tools, sales tools, etc.
At what point is that not enough for them to stop doing data brokerage or sharing?
Central focus of entire article. Extensively documents privacy violations through detailed enumeration of collected data, unauthorized sharing with 17 subprocessors, use of data for AI training under 'legitimate interests' without explicit consent, and exposure to US government access via CLOUD Act. Advocates strongly for privacy protection with specific action steps: data requests, deletion requests, DPO contact, and informed choice.
FW Ratio: 55%
Observable Facts
Article documents comprehensive data collection: 'My full name, My passport photo, My selfie, My facial geometry, My NFC chip data, My national ID number, My nationality, sex, birthdate, age, My email, phone number, postal address, My IP address, device type, MAC address, browser, OS version, language, My geolocation.'
Article lists 17 subprocessors: 'Anthropic Data Extraction and Analysis San Francisco, USA; OpenAI Data Extraction and Analysis San Francisco, USA; Groqcloud Data Extraction and Analysis San Jose, USA' plus 14 others, with '16 in the United States. 1 in Canada. Zero in the EU.'
Article states: 'They use uploaded images of identity documents — that's my passport — to train their AI' citing 'legitimate interests' basis rather than consent.
Article quotes Persona's policy: 'We will access, disclose, and preserve personal data when we believe doing so is necessary to comply with applicable law or respond to valid legal process, including from law enforcement, national security, or other government agencies.'
Article provides four actionable recommendations: 'Request your data. Email [email protected]'; 'Request deletion'; 'Contact their DPO. [email protected]'; 'Think twice before verifying.'
Domain explicitly states: 'Self-hosted · Zero cloud · Zero tracking' demonstrating privacy-by-practice.
Inferences
The itemization of 17 data processors—predominantly US-based—demonstrates systematic documentation of privacy violations across supply chain.
The criticism of 'legitimate interests' basis suggests advocacy for explicit informed consent as privacy standard.
The emphasis on CLOUD Act access regardless of storage location implies advocacy for effective data protection rather than false reassurances.
The actionable recommendations empower readers to exercise rights, demonstrating article's pro-UDHR advocacy orientation.
The site's actual privacy architecture (no tracking, self-hosted, EU) reinforces that privacy protection is both a right to defend and a practice to implement.
Article exemplifies and advocates for freedom of expression and information. Author conducts independent investigative research of public documents, publishes findings without corporate or governmental constraint, provides transparent sourcing, and operates on independent infrastructure. Exercise of this right is central to the article's purpose and value.
FW Ratio: 75%
Observable Facts
Article is published on independently owned and operated website with no corporate affiliation stated.
Author provides explicit sourcing: 'Persona IDV Privacy Policy (Last Updated: May 8, 2025)', 'Persona Subprocessors (Last Updated: September 8, 2025)'.
Author analyzes publicly available legal documents with full transparency about methodology.
Inferences
The investigative approach demonstrates full exercise of freedom of expression to inform the public about data practices without intermediaries.
Article implicitly advocates for human dignity and respect for persons in context of data exploitation. Key framing: 'I came for a badge. I stayed as training data' emphasizes violation of autonomy and dignity.
FW Ratio: 50%
Observable Facts
Article frames the core issue as a dignity violation: 'I came for a badge. I stayed as training data.'
Inferences
The framing invokes fundamental human dignity as the basis for concern about non-consensual data collection and use.
Article indirectly advocates for security of person through discussion of biometric data as permanent personal identifier. Emphasizes vulnerability created by biometric collection.
FW Ratio: 50%
Observable Facts
Article states: 'you can't change your face if it gets compromised' when discussing facial geometry biometrics.
Inferences
The article implies that bodily security (protection of biometric data) is foundational to personal security and autonomy.
Article critiques international data protection frameworks as inadequate. Frames EU-US Data Privacy Framework as built on unstable foundation—dependent on Executive Order rather than law, subject to unilateral revocation, and already challenged by privacy advocates.
FW Ratio: 75%
Observable Facts
Article states: 'The DPF is supposed to protect you, but it's built on sand.'
Article explains: 'It's a presidential decision. It can be changed or revoked by any future president with a pen stroke.'
Article notes: 'Privacy activists — including noyb, the organization behind the original Schrems rulings — have already challenged the DPF.'
Inferences
The framing of international frameworks as inadequate suggests skepticism about their capacity to protect European rights.
Article criticizes replacement of fair trial/judicial process with forced binding arbitration. Advocates for right to court hearing and jury trial as superior to corporate arbitration mechanisms.
FW Ratio: 67%
Observable Facts
Article emphasizes: 'mandatory binding arbitration — no court, no jury, no class action.'
Article notes arbitration occurs through American Arbitration Association despite European jurisdiction and subject matter.
Inferences
The article's extended critique of arbitration structures versus judicial process implies advocacy for traditional fair trial mechanisms.
Article documents severe inadequacy of remedies. Criticizes $50 USD liability cap for biometric data breaches and absence of meaningful legal recourse through mandatory binding arbitration. Advocates for stronger remedy mechanisms.
FW Ratio: 75%
Observable Facts
Article quotes directly: 'Persona's Terms of Service cap their liability at $50 USD.'
Article states: 'They also include mandatory binding arbitration — no court, no jury, no class action.'
Article notes that compensation ceiling applies to 'Your passport. Your face. Your biometric data. Your national ID number.'
Inferences
The sustained critique of liability caps and arbitration mechanisms suggests the article advocates for adequate compensation and judicial remedies as fundamental rights.
Website demonstrates privacy commitment through actual practice: self-hosted in EU, zero tracking, no ads, privacy-first architecture. Editorial advocacy is reinforced by structural alignment.
build 1ad9551+j7zs · deployed 2026-03-02 09:09 UTC · evaluated 2026-03-02 11:31:12 UTC