Persona identity verification is a GDPR nightmare

  • Persona identity verification is a GDPR nightmare

    LinkedIn are using a Peter Thiel-linked company called Persona as an identity-verification service. (Discord also tried them out for age verification, but are now apparently ditching them.) This is all a bit of a nightmare for EU-based users, however:

    "When you click “verify” on LinkedIn, you’re not giving your passport to LinkedIn. You get redirected to a company called Persona. Full name: Persona Identities, Inc. Based in San Francisco, California."

    For a three-minute identity check, this is what Persona collected:

    • My full name — first, middle, last
    • My passport photo — the full document, both sides, all data on the face of it
    • My selfie — a photo of my face taken in real-time
    • My facial geometry — biometric data extracted from both images, used to match the selfie to the passport
    • My NFC chip data — the digital info stored on the chip inside my passport
    • My national ID number
    • My nationality, sex, birthdate, age
    • My email, phone number, postal address
    • My IP address, device type, MAC address, browser, OS version, language
    • My geolocation — inferred from my IP

    And then there’s the weird stuff:

    • Hesitation detection — they tracked whether I paused during the process
    • Copy and paste detection — they tracked whether I was pasting information instead of typing it

    Behavioral biometrics. On top of the physical biometrics. For a LinkedIn badge.

    Persona didn’t just use what I gave them. They went and cross-referenced me against what they call their “global network of trusted third-party data sources”:

    • Government databases
    • National ID registries
    • Consumer credit agencies
    • Utility companies
    • Mobile network providers
    • Postal address databases

    They use uploaded images of identity documents — that’s my passport — to train their AI. They’re teaching their system to recognize what passports look like in different countries. They also use your selfie to “identify improvements in the Service.”

    The legal basis? Not consent. Legitimate interest. Meaning they decided on their own that it’s fine. Under GDPR, they’re supposed to balance their “interest” against your fundamental rights. Whether feeding European passports into machine learning models passes that test — well, that’s a question worth asking.

    I came for a badge. I stayed as training data.

    The whole thing took three minutes. Scan, selfie, done.

    Understanding what I actually agreed to took me an entire weekend reading 34 pages of legal documents.

    I handed a US company my passport, my face, and the mathematical geometry of my skull. They cross-referenced me against credit agencies and government databases. They’ll use my documents to train their AI. And if the US government comes knocking, they’ll hand it all over — even if it’s stored in Europe, even if I’m European, and possibly without ever telling me.

    It seems they are also linked to Roblox and Reddit as an age-verification provider, which is worrying -- this level of deeply intrusive background check is massive overkill for a simple age-verification process.

    ORG are calling for regulation of the age verification industry, BTW: https://www.openrightsgroup.org/press-releases/online-safety-act-org-calls-for-regulation-of-age-assurance-industry/

    Tags: age-verification discord reddit roblox linkedin tech peter-thiel org persona gdpr privacy data-protection data-privacy