LinkedIn users seeking to verify their identities are unknowingly sharing highly personal data with the professional networking site and a network of partner companies, including numerous U.S.-based artificial intelligence firms. The revelation, initially reported by privacy researcher Brian Krebs and detailed in a post by Mike Pedrick, raises concerns about the extent of data collection and potential misuse of sensitive information.
The process, intended to signal authenticity and build trust through a verification badge, requires users to submit a scan of their passport, a selfie and other identifying details to Persona Identities, Inc., a San Francisco-based company contracted by LinkedIn. According to Persona’s privacy policy, the data collected includes full name, passport photo, selfie, facial geometry, NFC chip data from passports, national ID number, date of birth, email address, phone number, postal address, IP address, device information, and geolocation. The company also tracks “hesitation detection” and “copy and paste detection” during the verification process.
LinkedIn states that verified members see, on average, 60% more profile views and 50% more engagement. The company offers identity verification in the U.S., Canada, and Mexico through CLEAR, a third-party identity verification service. However, the data isn’t solely retained by LinkedIn or CLEAR. Krebs’s research identified at least 17 companies that may receive and process the submitted data, with a significant number being AI-focused organizations.
Pedrick questioned whether users would still opt for verification if they were explicitly informed that major AI companies and their partners would have access to their passport scans. “If you were told UP FRONT that all of the major AI companies (and their partners) were getting that scan of your passport from LI, would you still do it?” he wrote in a LinkedIn post.
Although Persona claims to comply with the EU-US Data Privacy Framework, concerns remain regarding the potential for data misuse. Martin Ojala, commenting on Pedrick’s post, noted that legally, subprocessors are not permitted to use the data for purposes beyond providing the contracted service. However, he added that practical control over adherence to data protection agreements is often lacking, and the risk of data breaches increases with each additional entity having access to the information.
LinkedIn’s verification process currently allows users to verify their identity, workplace, and educational institution. The company’s help documentation states that verification badges are designed to help users signal authenticity and build trust, and that these badges are visible to other logged-in LinkedIn members. LinkedIn did not respond to requests for comment regarding the specific data-sharing practices with its partners.
