
I Verified My LinkedIn Identity. Here's What I Handed Over

892 points by ColinWright today at 7:06 AM | 331 comments

Comments

aylmao today at 5:50 PM

I'll note that Persona's CEO responded on LinkedIn [1] pointing out that:

  - No personal data processed is used for AI/model training. Data is exclusively used to confirm your identity.
  - All biometric personal data is deleted immediately after processing.
  - All other personal data processed is automatically deleted within 30 days. Data is retained during this period to help users troubleshoot.
  - The only subprocessors (8) used to verify your identity are: AWS, Confluent, DBT, ElasticSearch, Google Cloud Platform, MongoDB, Sigma Computing, Snowflake

The full list of sub-processors seems to be a catch-all for all the services they provide, which includes background checks, document processing, etc., identity verification being just one of them.

I've worked on projects that require legal to get involved and you do end up with documents that sound excessively broad. I can see how one can paint a much grimmer picture from documents than what's happening in reality. It's good to point it out and force clarity out of these types of services.

[1]: https://www.linkedin.com/feed/update/urn:li:activity:7430615...

ColinWright today at 11:05 AM

I used to have a LinkedIn account, a long time ago. To register I created an email address that was unique to LinkedIn, and pretty much unguessable ... certainly not amenable to a dictionary attack.

I ended up deciding that I was getting no value from the account, and I heard unpleasant things about the company, so I deleted the account.

Within hours I started to get spam to that unique email address.

It would be interesting to run a semi-controlled experiment to test whether this was a fluke, or if they leaked, sold, or otherwise lost control of my data. But absolutely I will not trust them with anything I want to keep private.

I do not trust LinkedIn to keep my data secure ... I believe they sold it.

luxpir today at 12:16 PM

I really appreciate this write-up.

Was forced to verify to get access to a new account. Like, an interstitial page that forced verification before even basic access.

Brief context for that: was being granted a salesnav licence, but to my work address with no account attached to it. Plus I had an existing salesnav trial underway on main account and didn't want to give access to that work.

So I reluctantly verified with my passport (!) and got access. Then looked at all the privacy settings to try to access what I'd given, but the full export was only sign up date and one other row in a csv. I switched off all the dark pattern ad settings that were default on, then tried to recall the name of the company. Lack of time meant I haven't been able to follow up. I was deeply uncomfortable with the whole process.

So now I've requested my info and deletion via the details in the post, from the work address.

One other concern is if my verified is ever forced to be my main, I'll be screwed for contacts and years of connections. So I'll try to shut it down soon when I'm sure we're done at work. But tbh I don't think the issues will end there either.

Why do these services have to suck so much. Why does money confer such power instead of goodwill, integrity and trust/trustless systems. Things have to change. Or, just stay off the grid. But that shouldn't have to be the choice. Where are the decentralised services. I'm increasingly serious about this.

g8oz today at 6:40 PM

It seems to me that if you let Persona verify your identity you're essentially providing data enrichment for the US government. In exchange for what? A blue tick from a feeder platform like LinkedIn, Reddit or Discord? No thanks.

On the other hand it can be hard to escape if it's for something that actually matters. Coursera is a customer. You might want your course achievements authenticated. The Canada Media Fund arranges monies for Canadian creators when their work lines up with various government sponsored DEI incentives. If you're in this world you will surely use Persona as required by them. Maybe you're applying for a trading account with Wealthsimple and have to have your ID verified. Or you want to rent a Lime Scooter and have to use them as part of the age verification process.

KYC platforms have a place. But we need legal guarantees around the use of our data. And places like Canada and Europe that are having discussions about digital sovereignty need to prioritize the creation of local alternatives.

petemc_ today at 2:53 PM

Persona do not seem to be competent guardians of such a trove of private information.

https://vmfunc.re/blog/persona

DonThomasitos today at 4:04 PM

LinkedIn is Tiktokified social media brainrot disguised as serious work. "Hey - you're not wasting time, you're building your network and gathering industry knowledge!"

LinkedIn is full of so-called professionals who make a living by leveraging their brand. If you're not one of them, leave.

talkingtab today at 2:30 PM

Somehow the fundamentals of places like linkedin, gmail, google, facebook, etc have eluded people.

1. they are selling you as a target.

2. some people, governments, groups, whatever are willing to pay a lot of money to obtain information about you.

3. why would someone pay good money to target you unless they were going to profit from doing so. are they stupid? no.

4. where does that profit come from? If someone is willing to pay $100 to target you, how are they going to recoup that money?

5. From you.

There is simply no other way this can have worked for this long without this being true.

It is a long causal chain, so it is fair to ask whether there is any empirical evidence. If this is true we would expect to see ...? Well how about prices going up? Well how about in general people are less able to afford housing, food, cars, etc.

I'm speculating here, but perhaps it is predictability. There is a common time warp fantasy about being able to go back and guess the future. You go back and bet on a sports game. If I can predict what you are going to do then I can place much more profitable bets.

Do the corporations that participate in this scheme provide mutual economic benefit? Do they contribute to the common wealth or are they parasitical?

No one likes to think they have parasites. But we all do these days.

ollybrinkman today at 7:34 PM

The deeper issue here is that centralized identity verification creates honeypots. You hand over real identity data to verify yourself, and now that data lives in LinkedIn's systems indefinitely. The alternative direction is zero-knowledge proofs for identity — prove you're a real person without revealing which person. Projects like World ID are going this direction. The irony is that for AI agents, none of this matters: they don't have identities to verify, which is actually a feature.

edoceo today at 5:07 PM

I've been getting "Emails aren’t getting through to one of your email addresses. Please update or confirm your email." -- even tho I get messages from them every day. When you press the button to confirm the (working) email it states "Something went wrong".

It happened last week too, I was able to fix it via their chat-help (human). Yesterday, their chat-help (human) was not able to fix it and had to open a ticket. I pay for LinkedIn-Premium. So maybe this is just a scam to route me into Verification. Their help documents (https://www.linkedin.com/help/linkedin/answer/a1423367) for verifying emails don't match the current user experience.

Then, in a classic tech-paradox, their phone support person told me they would email me -- on the same address their system reports emails are not getting through to. It felt like 1996 levels of understanding.

We need to get back to de-centralised.

elAhmo today at 11:07 AM

From the article:

> Let that sink in. You scanned your European passport for a European professional network, and your data went exclusively to North American companies. Not a single EU-based subprocessor in the chain.

Not sure LinkedIn is a European professional network.

dave_sid today at 7:51 PM

Linkedin is the sleaziest thing I’ve seen on the internet since it was invented. The sight of it makes my skin crawl. The way they have desperately tried to onboard you via data that they seem to have that they shouldn’t. The way users even present themselves, posting updates that probably make them want to vomit themselves and shower in disgust even tho it’s not their fault, we need to find work. The bloody badge that you have to wear on your forehead to say you are available for work. The thought of the money they are raking in from recruiters and corporations. The way they try to be a little bit more like Facebook to make it look a little more ‘fun’. I hate it.

Well they made it. They conquered the recruitment scene and I can’t think of a company I’d wish had gone out of business sooner.

Am I wrong?

flumpcakes today at 7:04 PM

I am about to talk about "vibes" and "feelings" so please take this with a grain of salt:

Does anyone else get the impression that they feel like the nefarious surveillance state is now real and definitely not for their benefit?

It's been a long running trope of the men in black, and the state listening to your phone calls, etc. Even after Snowden's leaks, where we learned that there are these massive dragnets scooping up personal information, it didn't feel real. It felt distant and possibly could have been a "probably good thing" that is it was needed to catch "the real bad guys".

It feels different now. Since last year, it feels like the walls are closing in a bit and that now the US is becoming... well, I can't find the words, but it's not good.

srameshc today at 12:20 PM

This is the kind of activism in privacy that I appreciate and that we need. I knew I did not want to verify but I did verify on LinkedIn recently. The fact that the author also gave an action list if you are concerned about your privacy is just commendable.

kburman today at 7:05 PM

I don't get the whole idea of treating identity verification as a private enterprise problem. I realize it's easy to just blame LinkedIn or Microsoft here, but the core issue is architectural. We are trying to solve a public utility problem by building private honeypots.

The government should provide an API or interface to validate a user, essentially acting just like an SSO. Instead of forcing users to upload raw passport scans to a third-party data broker, LinkedIn should just hit a government endpoint that returns an anonymized token or a simple boolean confirming "yes, this is a real, unique person." It gives platforms the sybil resistance they need without leaking the underlying PII.
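Added example, not part of the comment above or of any real government API: a minimal Python sketch of the "anonymized token" idea, in which a hypothetical issuer derives a per-platform pseudonym so that a platform can detect duplicate sign-ups without receiving any PII. The key names, platform names and HMAC-based signing with a per-platform shared key are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secrets (assumption); a real issuer would hold these in an HSM.
ISSUER_PSEUDONYM_KEY = b"demo-pseudonym-key-not-for-production"
RP_KEYS = {  # hypothetical per-platform keys shared between issuer and platform
    "linkedin.example": b"demo-key-shared-with-platform-a",
    "forum.example": b"demo-key-shared-with-platform-b",
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def pairwise_subject(national_id: str, rp: str) -> str:
    """Stable pseudonym per (person, platform).

    Same person at the same platform always maps to the same value, which is
    what gives sybil resistance; two platforms see unrelated values, so they
    cannot join their records. The issuer still learns which platform asked.
    """
    msg = rp.encode() + b"\x00" + national_id.encode()
    return _b64(hmac.new(ISSUER_PSEUDONYM_KEY, msg, hashlib.sha256).digest())


def issue_token(national_id: str, rp: str, now=None, ttl: int = 300) -> str:
    """Issuer side: the assertion carries a pseudonym and a boolean, no PII."""
    now = int(time.time()) if now is None else now
    claims = {
        "aud": rp,
        "sub": pairwise_subject(national_id, rp),
        "verified_person": True,
        "exp": now + ttl,
    }
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    tag = _b64(hmac.new(RP_KEYS[rp], body.encode(), hashlib.sha256).digest())
    return body + "." + tag


def verify_token(token: str, rp: str, now=None):
    """Platform side: return the claims, or None if the token is not acceptable."""
    now = int(time.time()) if now is None else now
    try:
        body, tag = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(RP_KEYS[rp], body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(tag, expected):
        return None  # forged, altered, or issued for another platform
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if claims.get("aud") != rp or claims.get("exp", 0) < now:
        return None  # wrong audience or expired
    return claims


if __name__ == "__main__":
    token = issue_token("P1234567", "linkedin.example")  # constructed ID number
    print(verify_token(token, "linkedin.example"))
```

A production design would use asymmetric signatures so platforms hold no signing material; HMAC is used here only to keep the example within the standard library.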

wolvoleo today at 3:23 PM

Wow that is insane. Persona is even linked to Peter Thiel.

If LinkedIn asks me to verify then I'll just leave. I'd be very happy for it to fall over anyway so there is space for a new more ethical platform. Especially since Microsoft acquired it, all bets are off.

BrandoElFollito today at 9:53 AM

Ha. I was reading this and thought "euhhhh, I did not give all of that to verify my account". So I went to LinkedIn to check if I have the shield. I then saw

- that I just have "work email verified" and that there is a Persona thing I was not even aware of

- a post by Brian Krebs at the top of my feed, exactly on that topic: https://www.linkedin.com/posts/bkrebs_if-you-are-thinking-ab...

csmpltn today at 12:30 PM

A good reminder of how things actually work, but the article could use some more balancing…

> Let that sink in. You scanned your European passport for a European professional network, and your data went exclusively to North American companies. Not a single EU-based subprocessor in the chain.

LinkedIn is an American product. The EU has had 20 years to create an equally successful and popular product, which it failed to do. American companies don’t owe your European nationalist ambitions a dime. Use their products at your own discretion.

Of course an American company is subject to American law. And of course an American company will prioritise other local, similar jurisdiction companies. And often times there’s no European option that competes on quality, price, etc to begin with. In other words I don’t see why any of this is somehow uniquely wrong to the OP.

> Here’s what the CLOUD Act does in plain language: it allows US law enforcement to force any US-based company to hand over data, even if that data is stored on a server outside the United States.

European law enforcement agencies have the same powers, which they easily exercise.

lacoolj today at 5:47 PM

This is a little unnerving because I know I've had to provide similar ID verification somewhere online, but I can't remember where. And based on everything here, it was almost certainly Persona.

I guess I'll just be in the corner crossing my fingers none of it is found in a hostile foreign land or used against me.

weinzierl today at 1:05 PM

The strange thing about LinkedIn organization verification is that it never seems to be revoked. I have many contacts with verifications from companies they no longer work for - sometimes for a very long time.

On the other hand I see many people posting in official capacity for an organization without verification.

When they actively represent their current company but with a random verification from a previous one it gets pretty absurd.

In its current form LinkedIn verification is pretty worthless as a trust signal.

ricardo81 today at 1:51 PM

So basically 'Their “global network of data partners”' means once you submit that information, it's a free for all.

There's so many angles of grind with this kind of thing that big tech has gradually normalised.

sigwinch today at 4:03 PM

Last year, someone’s experience when LinkedIn required interacting with Persona:

https://news.ycombinator.com/item?id=44435997

dhayabaran today at 3:33 PM

Apollo is one of many. The broader pattern is the same across the industry — companies collect data with one set of promises and then the data ends up accessible through channels users never consented to.

I've been documenting this pattern in AI apps specifically. The number of companies shipping to production with Firebase rules set to "allow read: if true" or Supabase databases with no Row Level Security is staggering. The identity data people hand over during verification often ends up in databases with zero access controls.

LinkedIn at least has a security team. Most AI startups shipping verification flows don't.

tagyro today at 3:43 PM

I almost fell for a very sophisticated phishing attack last December and most of the "verifiable" information was from my LinkedIn account.

For each role I had described some of the tasks and accomplishments and this was used in the phishing message.

Since then, I removed my photo, changed my name only to initials and removed all the role-specific information.

It's a bit of a bummer as I'm currently in the process of looking for a new job and unfortunately having a LinkedIn profile is still required in some places, but once I find it, I'll delete my profile.

mamma_mia today at 7:05 PM

I've never used linkedin and have been more than fine, I feel that like with most social media that noise makes it seem more important than it is

replwoacause today at 3:41 PM

Good write up I guess, but I'm just so tired of all the AI-isms in every damn thing.

"Your European passport is one quiet subpoena away"

Why does the subpoena need to be quiet? If I search my chats with ChatGPT for the word "quiet", I get a ridiculous number of results. "Quietly this, quietly that". It's almost like the new em dash.

There's many others all over this blog post I won't bother calling out.

"Understanding what I actually agreed to took me an entire weekend reading 34 pages of legal documents."

Yeah I'll bet it did. Or it took an hour of back and forth with ChatGPT loaded up with those 34 pages.

I get it, we all use AI, but I'm just so tired of seeing the unmistakable mark of AI language all over every single thing. For some reason it just makes me think "this person is lazy". The CEO of a company my friend works for used Claude to write an important letter to business partners recently and we were all galled at her lack of awareness of how AI-sloppified the thing was. I guess people just don't care anymore.

puszczyk today at 5:20 PM

This is a good write-up and useful content, but edit-wise it could be simplified significantly. Additionally, phrases like "let that sink in" are characteristic of poor LinkedIn content, which is a bit of an irony :)

hliyan today at 4:26 PM

Here's what I found the most frightening:

> Hesitation detection — they tracked whether I paused during the process

> They use uploaded images of identity documents — that’s my passport — to train their AI.

> Persona’s Terms of Service cap their liability at $50 USD.

> They also include mandatory binding arbitration — no court, no jury, no class action.

snowhale today at 6:45 PM

the Persona CEO response addresses the AI training concern but totally sidesteps the CLOUD Act issue. doesn't matter where data is stored -- if Persona or any of their US-based subprocessors get a US national security letter, that data is accessible. "deleted within 30 days" also means it exists for up to 30 days, which is plenty of time for a legal demand.

7777777phil today at 9:35 AM

> If you’ve already verified — like me — here’s what I’d recommend

Did you actually follow through with 1-4 and if so what was the outcome? how long did it take?

8cvor6j844qw_d6 today at 2:34 PM

Seeing some of my colleagues verify through Persona on LinkedIn, and I can't quite figure out what they're getting out of it.

Every hiring process I've been through already requires proof of identity at some point. Background checks, I-9s, whatever it may be. So you're essentially handing your ID to a third party just to get a badge that doesn't skip any steps you'd have to do anyway.

afh1 today at 4:16 PM

>The legal basis? Not consent.

You read and agreed with the terms explicitly stating the data would be used to do those things, and it was not at all necessary for you to do that. What else do you want? It seems like consent isn't the issue. You just don't like what this company does, and still volunteer your data for them to do just that. Now you regret it and write a blog post?

One thing is to be tricked or misled, or for a government to force your face to be scanned and shared with a third party. Another is to have terms explicitly saying this will be done, requiring explicit agreement, and no one forcing you to do it.

PacificSpecific today at 9:48 AM

I wonder what mongo and snowflake are doing with that data. The table is a little vague.

I was under the impression they just make database products. Do they have a side hustle involving collecting this type of data?

laszlojamf today at 2:51 PM

I work in this space for a competitor to Persona, so take my opinion as potentially biased, but I have two points: 1. just because the DPA lists 17 subprocessors, it doesn't mean your data gets sent to all of them. As a company you put all your subprocessors in the DPA, even if you don't use them. We have a long list of subprocessors, but any one individual going through our system is only going to interact with two or three at most. Of course, Persona _could_ be sending your data to all 17 of them, legally, but I'd be surprised if they actually do. 2. the article makes it sound like biometric data is some kind of secret, but especially your _face_ is going to be _everywhere_ on the internet. Who are we kidding here? Why would _that_ be the problem? Your search/click behavior or connection metadata would seem a lot more private to me.

throwaway77385 today at 10:02 AM

How does this work for the myriad banks I've had to prove my identity to in the same way? I'll be attempting steps 1-4 and see what Persona comes back with.

deaux today at 12:54 PM

The content is of course 100% true and needs to be repeated over and over, every single day.

The straight-from-LLM writing style is incredibly grating and does a massive disservice to its importance. It really does not take that long to rewrite it a bit.

I hope at least he wrote it on his local Llama instance, else it's truly peak irony.

> Here’s the thing about the DPF: it’s the replacement for Privacy Shield, which the European Court of Justice killed in 2020. The reason? US surveillance laws made it impossible to guarantee European data was safe.

> The DPF exists because the US signed an Executive Order (14086) promising to behave better. But an Executive Order is not a law. It’s a presidential decision. It can be changed or revoked by any future president with a pen stroke.

This understates the reality: the DPF is already dead. Double dead, two separate headshots.

Its validity is based on the existence of a US oversight board and redress mechanism that is required to remain free of executive influence.

1. This board is required to have at least 3 members. It has had 1 member since Trump fired three Democrat members in Jan 2025 (besides a 2-week reinstatement period).

2. Trump's EO 14215 of Feb 2025 has brought (among other agencies) the FTC - which enforces compliance with the DPF - under presidential supervision. This is still in effect.

Of course, everyone that matters knows this, but it doesn't matter, as it was all a bunch of pretend from day 1. Rules for thee but not for me, as always. But what else can we expect in a world where the biggest economy is ruled by a serial rapist.

game_the0ry today at 3:33 PM

Off topic -- the design for that blog is really slick. Added it to my "design swipe file."

Less off topic -- there are some black hat marketers that (I think) buy or create verified profiles with attractive women, then they use the accounts for b2b sales through linkedin DMs. I find that amusing. Neutered corpo bois are apparently big poon hounds. Makes sense when you think about it -- that type of guy is craving female attention and probably does not have the balls to do anything in real life, so a polite DM from a fake linkedin thot would be appealing.

flkiwi today at 3:23 PM

This is only going to become more common. Companies are implementing checks using similar services (a) to prevent employment scams (where the person who interviews is not the person who works; usually the latter is a low-paid offshore individual) and (b) basic security authentication. It won’t be long before this sort of biometric validation starts showing up to authenticate users on regular websites and similar services, if it hasn’t already. I think the last one I had to do was to authenticate when activating a bank card.

Joyfield today at 2:16 PM

How did they get your MAC address?

trilogic today at 12:18 PM

Great article, thank you.

Hiding all this very important info (which literally affects the user's life) behind an insignificant boring click! Even the most paranoid user will give up in certain use cases, (like with covid 19 which even though didn't agree, you needed to travel, work making it compulsory). Every company that uses deceiving techniques like this should be banned in Europe.

peter_retief today at 6:24 PM

My ISP and my bank decided they needed my biometrics to have an account, same sort of thing

tqi today at 2:38 PM

> Persona extracts the mathematical geometry of your face from your selfie and from your passport photo. This isn’t just a picture — it’s a numerical map of the distances between your eyes, the shape of your jawline, the geometry of your features. It’s data that uniquely identifies you. And unlike a password, you can’t change your face if it gets compromised

Is there anything special about a passport photo, or can that be done from any photo of your face?

keithluu today at 4:07 PM

I believe OpenAI used Persona during the verification step that you must complete to use their SOTA models in the API. Not sure if it's still the case now.

Anyway, I found that too much of a hassle and switched to other LLM providers.

xenator today at 1:12 PM

More interesting is that LinkedIn uses fingerprinting everywhere and connects your personal data to every device you are using and connects to other services connected to their network.

tagami today at 5:36 PM

Thank you for doing and sharing what I was hesitant to do. Now I know with good reason why.

rambojohnson today at 4:32 PM

everyone on linkedin sounds like chatgpt / claude.

efavdb today at 2:53 PM

The privacy concerns are real.

The need / demand for some verification system might be growing though as I’ve heard fraudulent job application (people applying for jobs using fake identities… for whatever reason) is a growing trend.

bromuk today at 1:45 PM

As a European citizen I hope it becomes law to have this data processed in the EU rather than the US.

eel today at 2:19 PM

I'm glad the absurdity of verification is getting attention. I was "forced" to verify by Linkedin to unlock my account. It was last year, and I had left my previous job, but I had not yet lined up a new job. So one of the only times in my career I might actually get value from Linkedin, they locked me out, removed my profile, and told me if I wanted back in, I'd have to verify. I felt helpless and disgusted.

I gave in and verified. Persona was the vendor then too. Their web app required me to look straight forward into my camera, then turn my head to the left and right. To me it felt like a blatant data collection scheme rather than something that is providing security. I couldn't find anyone talking about this online at the time.

I ended up finding a job through my Linkedin network that I don't think I could have found any other way. I don't know if it was worth getting "verified".

---

Related: something else that I find weird. After the Linkedin verification incident, my family went to Europe. When we returned to the US, the immigration agent had my wife and I look into a web cam, then he greeted my wife and I by name without handling our passports. He had to ask for the passport of our 7 month old son. They clearly have some kind of photo recognition software. Where did they get the data for that? I am not enrolled in Global Entry nor TSA PreCheck. I doubt my passport photo alone is enough data for photo recognition.

blaze33 today at 10:30 AM

> My NFC chip data — the digital info stored on the chip inside my passport

Do we know how they get that? Because my fingerprints are also in there, so...
