I Verified My LinkedIn Identity. Here's What I Handed Over

Original link: https://thelocalstack.eu/posts/linkedin-identity-verification-privacy/

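## LinkedIn's Blue Checkmark and Your Data: The Hidden Cost

In pursuit of LinkedIn's "real identity" blue checkmark, the author discovered a significant privacy trade-off. The verification is not handled by LinkedIn directly but by a third-party company called Persona Identities, Inc. Scanning a passport and taking a selfie gives Persona access to a large amount of personal data, including biometric facial geometry, national ID number and geolocation, far more than a simple verification requires.

Persona does not just *use* this data; it also cross-references it against government databases and credit agencies, and even uses it to train its AI. Worryingly, the data is shared with a network of 17 subprocessors, mainly US companies such as OpenAI and Amazon, which makes it subject to the US CLOUD Act and may allow US law enforcement access regardless of where the data is stored, even inside the EU.

Despite the claimed compliance with the EU-US Data Privacy Framework, the author stresses its fragile legal basis. Even though Persona caps its liability at 50 USD in the event of a data breach, the real risk lies in the permanence of biometric data and its potential misuse. The author advises those who have already verified to request deletion of their data and object to its use for AI training, and to weigh the privacy implications carefully before going after the checkmark.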

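Hacker News discussion: I Verified My LinkedIn Identity. Here's What I Handed Over (thelocalstack.eu), 9 points by ColinWright, 2 hours ago, 1 comment

globalnode, 3 minutes ago: What a sad story. I feel sorry for this person. But uploading that data in the first place was very naive. I recently tried to open an FB account to connect with my local community, but within two days I was accused of being a bot and asked to do a video interview with a verification bot. That didn't happen; the local community can do without me ;)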

Original article

Feb 16, 2026 10 min read privacy, linkedin, biometrics, gdpr, cloud-act, identity

I wanted the blue checkmark on LinkedIn. The one that says “this person is real.” In a sea of fake recruiters, bot accounts, and AI-generated headshots, it seemed like a smart thing to do.

So I tapped “verify.” I scanned my passport. I took a selfie. Three minutes later — done. Badge acquired. I felt a tiny dopamine hit of legitimacy.

Then I did what apparently nobody does. I went and read the privacy policy and terms of service.

Not LinkedIn’s. The other company’s.


Wait, What Other Company?

When you click “verify” on LinkedIn, you’re not giving your passport to LinkedIn. You get redirected to a company called Persona. Full name: Persona Identities, Inc. Based in San Francisco, California.

LinkedIn is their client. You are the face being scanned.

I had never heard of Persona before this. Most people haven’t. That’s kind of the point — they sit invisibly between you and the platforms you trust.

So I downloaded their privacy policy (18 pages) and their terms of service (16 pages). Here’s what I found.


Everything I Gave Them

For a three-minute identity check, this is what Persona collected:

  • My full name — first, middle, last
  • My passport photo — the full document, both sides, all data on the face of it
  • My selfie — a photo of my face taken in real-time
  • My facial geometry — biometric data extracted from both images, used to match the selfie to the passport
  • My NFC chip data — the digital info stored on the chip inside my passport
  • My national ID number
  • My nationality, sex, birthdate, age
  • My email, phone number, postal address
  • My IP address, device type, MAC address, browser, OS version, language
  • My geolocation — inferred from my IP

And then there’s the weird stuff:

  • Hesitation detection — they tracked whether I paused during the process
  • Copy and paste detection — they tracked whether I was pasting information instead of typing it

Behavioral biometrics. On top of the physical biometrics. For a LinkedIn badge.


They Also Called Their Friends

Persona didn’t just use what I gave them. They went and cross-referenced me against what they call their “global network of trusted third-party data sources”:

  • Government databases
  • National ID registries
  • Consumer credit agencies
  • Utility companies
  • Mobile network providers
  • Postal address databases

I scanned my passport for a checkmark. They ran a background check.


My Face Is Training Data

Here’s something I almost missed. Buried in a table on page 6 of the privacy policy, under “legitimate interests”:

They use uploaded images of identity documents — that’s my passport — to train their AI. They’re teaching their system to recognize what passports look like in different countries. They also use your selfie to “identify improvements in the Service.”

The legal basis? Not consent. Legitimate interest. Meaning they decided on their own that it’s fine. Under GDPR, they’re supposed to balance their “interest” against your fundamental rights. Whether feeding European passports into machine learning models passes that test — well, that’s a question worth asking.

I came for a badge. I stayed as training data.


Where Does My Face Go?

Once Persona has your data, here’s who gets a copy:

LinkedIn receives:

  • Your full name
  • Your birth year
  • Government ID type and issuing authority
  • Verification result
  • A blurred version of your ID (everything redacted except your name and portrait)

Also with access:

  • Persona’s service providers — vendors working on their behalf
  • Their “global network of data partners” — those third-party databases work both ways
  • Affiliates and subsidiaries — related companies that share “common data systems”
  • Anyone who buys Persona — in a merger, acquisition, or bankruptcy, your data goes with the deal
  • Law enforcement — and this is where it gets really interesting

And then there’s the subprocessor list. Persona publishes who else touches your data. I wish I hadn’t looked.


The 17 Companies That Touch Your Face

Persona maintains a public list of subprocessors — third-party companies that process your personal data on their behalf. Here’s the full list:

| Company | What They Do With Your Data | Location |
|---|---|---|
| Anthropic | Data Extraction and Analysis | San Francisco, USA |
| OpenAI | Data Extraction and Analysis | San Francisco, USA |
| Groqcloud | Data Extraction and Analysis | San Jose, USA |
| AWS | Infrastructure, Image Processing | Houston, USA |
| Google Cloud Platform | Infrastructure as a Service | Mountain View, USA |
| Resistant AI | Document Analysis | New York, USA |
| FingerprintJS | Device Analysis | Chicago, USA |
| MongoDB | Database Services | New York, USA |
| Snowflake | Database Services | Bozeman, USA |
| Elasticsearch | Search and Analytics Engine | Mountain View, USA |
| Confluent | ETL Services | Mountain View, USA |
| DBT | ETL Services | Philadelphia, USA |
| Sigma Computing | Data Analytics | San Francisco, USA |
| Tableau | Data Analytics | Seattle, USA |
| Stripe | Credit Card Processing | South San Francisco, USA |
| Twilio | Communication APIs (Phone, SMS) | Denver, USA |
| Persona Identities Canada | Customer Support & Development | Toronto, Canada |

Count them. 17 companies. 16 in the United States. 1 in Canada. Zero in the EU.

Let that sink in. You scanned your European passport for a European professional network, and your data went exclusively to North American companies. Not a single EU-based subprocessor in the chain.

And look at who’s doing “Data Extraction and Analysis” — Anthropic, OpenAI, and Groqcloud. Three AI companies are processing your passport and selfie data. Your government-issued identity document is being fed through the same companies that build large language models and AI systems.

AWS handles “Image Processing.” That’s your face going through Amazon’s infrastructure. FingerprintJS — a company literally named after the thing it does — handles “Device Analysis.” They’re fingerprinting your device while Persona fingerprints your face.

Remember when the privacy policy said data is stored in the “United States and Germany”? The Germany part is technically true — maybe some data sits there. But every single company that processes your data is American. The CLOUD Act doesn’t just apply to Persona. It applies to all 16 of these US subprocessors too.


The CLOUD Act: Why Frankfurt Doesn’t Protect You

Persona has data centers in the United States and Germany. If you’re in Europe, you might think: great, my data is probably sitting on a German server, protected by GDPR, safe from American reach.

It’s not.

Persona is a US company. Incorporated in California. This means they’re subject to the US CLOUD Act — the Clarifying Lawful Overseas Use of Data Act, signed in 2018.

Here’s what the CLOUD Act does in plain language: it allows US law enforcement to force any US-based company to hand over data, even if that data is stored on a server outside the United States.

Your passport scan can be sitting in a data center in Frankfurt. A US court issues a warrant. Persona has to comply. The physical location of the server doesn’t matter. What matters is the legal location of the company.

And Persona’s privacy policy confirms it. Their exact words:

“We will access, disclose, and preserve personal data when we believe doing so is necessary to comply with applicable law or respond to valid legal process, including from law enforcement, national security, or other government agencies.”

“National security.” Those two words do a lot of heavy lifting. Under US law, national security requests — like FISA court orders or National Security Letters — can come with gag orders. Persona couldn’t tell you they handed over your data even if they wanted to.


“But There’s the Data Privacy Framework!”

Yes, Persona says they comply with the EU-US Data Privacy Framework (DPF). They certified with the US Department of Commerce. They follow the principles. It’s all very official.

Here’s the thing about the DPF: it’s the replacement for Privacy Shield, which the European Court of Justice killed in 2020. The reason? US surveillance laws made it impossible to guarantee European data was safe.

The DPF exists because the US signed an Executive Order (14086) promising to behave better. But an Executive Order is not a law. It’s a presidential decision. It can be changed or revoked by any future president with a pen stroke.

Privacy activists — including noyb, the organization behind the original Schrems rulings — have already challenged the DPF. The legal foundation your data is “protected” by is, at best, temporary.

So the reality looks like this:

  1. You scan your passport in Madrid, Berlin, or Dublin
  2. Persona stores it — maybe in Germany, maybe in the US
  3. The CLOUD Act gives US authorities access regardless of where it sits
  4. The DPF is supposed to protect you, but it’s built on sand
  5. A national security request could grab your biometric data without you ever knowing

Your European passport is one quiet subpoena away from a US government system.


The Biometrics Time Bomb

Let me be clear about what “biometric data” means here.

Persona extracts the mathematical geometry of your face from your selfie and from your passport photo. This isn’t just a picture — it’s a numerical map of the distances between your eyes, the shape of your jawline, the geometry of your features. It’s data that uniquely identifies you. And unlike a password, you can’t change your face if it gets compromised.

Their policy says this scan data is destroyed “upon completion of Verification or within six months of your last interaction.” Good.

But there’s an exception: “unless Persona is otherwise required by law or legal process to retain the data.”

That exception, combined with the CLOUD Act, means a US legal process could force Persona to keep your biometric data indefinitely. The six-month clock means nothing if a court says “hold onto this.”


The $50 Safety Net

Now let’s talk about what happens if things go wrong. Say there’s a breach. Say your passport scan, your facial geometry, and your national ID number end up in the wrong hands.

Persona’s Terms of Service cap their liability at $50 USD.

Your passport. Your face. Your biometric data. Your national ID number. Fifty dollars.

They also include mandatory binding arbitration — no court, no jury, no class action. You can only bring claims individually. Through the American Arbitration Association. Even if you’re in Europe and the dispute is about European data.

For EU/EEA residents, the ToS says Irish law governs the contract. Which sounds better until you remember: Irish law governs the contract, but US law governs the company. The CLOUD Act doesn’t care what your contract says.


What You Should Do

If you’ve already verified — like me — here’s what I’d recommend:

1. Request your data. Email [email protected] or [email protected]. Under GDPR, they have 30 days to respond.

2. Request deletion. The verification is done. LinkedIn already has the result. There is no reason for Persona to keep your passport scan and facial geometry on their servers. Ask them to delete it.

3. Contact their DPO. [email protected] — that’s their Data Protection Officer. If you want to object to them using your documents as AI training data under “legitimate interests,” this is where you do it.

4. Think twice before verifying. That blue badge might not be worth what you’re trading for it. A checkmark is cosmetic. Biometric data is forever.


Three Minutes

The whole thing took three minutes. Scan, selfie, done.

Understanding what I actually agreed to took me an entire weekend reading 34 pages of legal documents.

I handed a US company my passport, my face, and the mathematical geometry of my skull. They cross-referenced me against credit agencies and government databases. They’ll use my documents to train their AI. And if the US government comes knocking, they’ll hand it all over — even if it’s stored in Europe, even if I’m European, and possibly without ever telling me.

All for a small blue checkmark on a professional networking site.

I’m not telling you to skip verification. But I am telling you to know what you’re trading. Because Persona does. LinkedIn does. The only person in the dark is the one holding their passport up to the camera.

