161 comments

[ 2.4 ms ] story [ 108 ms ] thread
What a sad story. I feel sorry for this person. But it was very naive to put that data up in the first place. I recently tried to open a FB acct so I could connect with local community but within 2 days I was accused of being a bot and asked to start a video interview with a verification bot. That didn't happen, local community can do without me ;)
> If you’ve already verified — like me — here’s what I’d recommend

Did you actually follow through with 1-4 and if so what was the outcome? how long did it take?

LinkedIn locked me out of my account, and wants me to verify via this same Persona company. I didn't read the terms but there's no way I'm giving Microsoft or its minions my govt id.

What this user missed is the affidavit option: you can get a piece of paper attested by a local authority and upload that instead, if you really really need a LinkedIn verified account.

Microsoft can go jump.

The problem is your account is still there and you can't even delete it from linkedin until you verify :(
I wonder what mongo and snowflake are doing with that data. The table is a little vague.

I was under the impression they just make database products. Do they have a side hustle involving collecting this type of data?

Ha. I was reading this and thought "euhhhh, I did not give all of that to verify my account". So I went to LinkedIn to check if I have the shield. I then saw

- that I just have "work email verified" and that there is a Persona thing I was not even aware of

- a post by Brian Krebs at the top of my feed, exactly on that topic: https://www.linkedin.com/posts/bkrebs_if-you-are-thinking-ab...

Yep, I clicked verify experimentally and all they wanted was my work email and a code they sent to it.

Of course, that works probably because my work has a linkedin account so they know what the official domain is for it.

I guess they'll spam that email but it's not like I care. I already receive spam offering me subcontracting services so I guess it's published somewhere.

> that I just have "work email verified" and that there is a Persona thing I was not even aware of

Good to know that work email verification doesn't involve Persona.

That seems like a reasonable middle ground. Work email is a much lighter ask than handing over government ID and biometrics.

Curious, does your verification status persist after you remove the work email (e.g., if you leave that employer)?

You still have a linkedin? Isn't that just all ai slop?
You don't have to browse it. Just make a miniscule change in your profile from time to time, save it, and wait for recruiters to contact you.

Once it's a human contact Ai slop doesn't impact you.

His blog is AI slop.

Previous article: https://thelocalstack.eu/posts/ai-chatbot-gdpr-data-request/

All from a single blog post:

> that’s not just text, that’s biometric data.

> This isn’t a chat log. It’s a structured psychological profile.

> Not raw conversations — processed insights about who I am, how I think, what I fear, and what motivates me.

> They’re not just storing what you said — they’re analyzing who you are.

> They’re not just answering questions — they’re building a map of what you’re curious about, what you’re planning, what you’re worried about.

> Not because I trusted it — but because it was convenient not to think about trust at all.

> A profile this detailed isn’t just a record. It’s a tool.

> The oracle isn’t neutral. The oracle is taking notes.

> Not because I’m paranoid — because it’s true.

> Do it. Not because you need to delete everything — but because you should know what “free” or even “paid” really costs.

While copying and pasting all of this I read this at the end:

> I need to be honest about something: I wrote this post with an AI. Not just edited by AI. Written with it.

Wouldn't fool anyone anyway

How does this work for the myriad banks I've had to prove my identity to in the same way? I'll be attempting steps 1-4 and see what Persona comes back with.
To report back on this, I contacted the various email addresses given in OP's article.

For people with GDPR rights, this link helps make a DSAR (though interestingly the US and many other countries are also available from the country dropdown, maybe they follow these rules everywhere): https://withpersona.com/dsar

This of course brings up the problem of having to verify the ID of the person who's requesting their ID to be deleted from their DB. So I am probably going to stop here.

I also received a separate email stating that my data was already scheduled for deletion if I used Persona through LinkedIn.

> My NFC chip data — the digital info stored on the chip inside my passport

Do we know how they get that? Because my fingerprints are also in there, so...

Highly unlikely they did. Just because it’s in the privacy notice doesn’t mean they actually gather or store this information.

And indeed, fingerprints are only accessible using privileged access. Not even you, the passport holder, has access.

Just wait when next time they ask for your member length and girth or flaps size.
You can verify yourself using company email address - maybe I am being naive to think that it’s much safer, but it’s way better than handing over your ID data.

I never understand why people supply too much info about themselves for small gains.

People at LinkedIn wants you to believe that your career is safe if you play by their games, but ironically they are one of the main reasons why companies nowadays are comfortable with hiring and firing fast.

(comment deleted)
I used to have a LinkedIn account, a long time ago. To register I created an email address that was unique to LinkedIn, and pretty much unguessable ... certainly not amenable to a dictionary attack.

I ended up deciding that I was getting no value from the account, and I heard unpleasant things about the company, so I deleted the account.

Within hours I started to get spam to that unique email address.

It would be interesting to run a semi-controlled experiment to test whether this was a fluke, or if they leaked, sold, or otherwise lost control of my data. But absolutely I will not trust them with anything I want to keep private.

I do not trust LinkedIn to keep my data secure ... I believe they sold it.

This is a good example of why it's insane that nobody at Mozilla cares that they hire CEOs that have only a LinkedIn page. If you want to visit the website of the Mozilla CEO, you have to create an account and log in. No big deal if it's a CEO of a plastics manufacturing company, but when the mission is fighting against the behavior of companies like LinkedIn, it makes me wonder why Mozilla exists.
ofc it's sold. Take a look at this: https://www.rb2b.com/

It identifies users that visit your site and then shows their email, phone number and living place based on their Li profile ;))

You can replace LinkedIn in your post with every social media etc company and it will ring as true as your current post
A LinkedIn account's sole purpose is publishing, dissemination, and advertising information about you and your company. Anything that you badly want to keep private certainly does not belong there, much like it does not belong to a large roadside billboard.

Otherwise, LinkedIn can be quite useful in searching for a job, researching a company, or getting to know potential coworkers or hires.

Email spam is, to my mind, an inevitability. You should expect waves of spam, no matter what address you use; your email provider should offer reasonable filtering of the spam. Using a unique un-guessable email address, like any security through obscurity, can only get you so far.

It’s definitely not a fluke. I was getting between 20 and 30 spam emails per day. Simply out of curiosity I deleted my linkedin account and the spam abated. After a week the spam reduced to a trickle and now after a few months I only get a few spam emails per week. Shortly after discovering that LinkedIn was the problem I deleted Indeed as well. Indeed has a fairly robust data deletion program.
This seems to be exactly the opposite of what I was describing.

While I had a LinkedIn account I was not receiving spam.

When I deleted my account, the spam started, and continues to this day.(+)

(+) Which is not a surprise ... once an email address has been leaked it gets onto lists and the spam will never end.

This is precisely why I give each website an alias such as website@example.com. If I start receiving spam to that address, I revoke the alias and name and shame the website online whenever I get the chance. Not that I would use LinkedIn anyway.
It could be, but I think it's also as likely it was the scrapers treating that as a trigger event of some type. eg you got a job and might have regrets.

I also saw... not sure what to call them, but honeypot friend requests? I used to get regular requests from profiles I didn't recognize with a generic pretty woman (I'd assume stock photography). Since I ignored them, they would re-request on intervals that were exactly 90 or 180 days. I occasionally glanced at them and there seemed to be no rhyme nor reason to their friends. I'd assume this was also some type of scraping, probably for friends-only profile data.

LinkedIn definitely sells/shares/leaks email address. I'm not sure which but I also have the same problem. I created my account with a unique email I've only used for LI. I occasionally get B2B and recruiter spam sent to that email.
I don't remember where I got this from, but I've heard long ago about a company which TOS stated vehemently that they would never sell the contacts of their customers... Only to sell them once the accounts are closed because, well, technically those were no longer customers.

So maybe that's what happened?

From the article:

> Let that sink in. You scanned your European passport for a European professional network, and your data went exclusively to North American companies. Not a single EU-based subprocessor in the chain.

Not sure LinkedIn is a European professional network.

>Let that sink in

That's a hallmark of GPT spam, so it's not surprising there's hallucinations.

Since some job offers require a linked in link, I maintain an empty page explaining why maintaining a LI account is a privacy and security hole. It turns out it works.
On EU data sovereignty:

The OP is right. For that reason we started migrating all of our cloud-based services out of USA into EU data centers with EU companies behind them. We are basically 80% there. The last 20% remaining are not the difficult ones - they are just not really that important to care that much at this point but the long terms intention is a 100% disconnect.

On IDV security:

When you send your document to an IDV company (be that in USA or elsewhere) they do not have the automatic right to train on your data without explicit consent. They have been a few pretty big class action lawsuits in the past around this but I also believe that the legal frameworks are simply not strong enough to deter abuse or negligence.

That being said, everyone reading this must realise that with large datasets it is practically very likely to miss-label data and it is hard to prove that this is not happening at scale. At the end of the day it will be a query running against a database and with huge volumes it might catch more than it should. Once the data is selected for training and trained on, it is impossible to undo the damage. You can delete the training artefact after the fact of course but the weights of the models are already re-balanced with the said data unless you train from scratch which nobody does.

I think everyone should assume that their data, be that source code, biometrics, or whatever, is already used for training without consent and we don't have the legal frameworks to protect you against such actions - in fact we have the opposite. The only control you have is not to participate.

This process will be done in a way that you won’t even have to do it in 3min, it will be part of you phone wallet, and whenever you sign up you will be required to verify it there, essentially, all big tech will be having a copy of your biometric, and consequently, all three letter agencies too. Welcome to the tyranny of big tech!
I really appreciate this write-up.

Was forced to verify to get access to a new account. Like, an interstitial page that forced verification before even basic access.

Brief context for that: was being granted a salesnav licence, but to my work address with no account attached to it. Plus I had an existing salesnav trial underway on main account and didn't want to give access to that work.

So I reluctantly verified with my passport (!) and got access. Then looked at all the privacy settings to try to access what I'd given, but the full export was only sign up date and one other row in a csv. I switched off all the dark pattern ad settings that were default on, then tried to recall the name of the company. Lack of time meant I haven't been able to follow up. I was deeply uncomfortable with the whole process.

So now I've requested my info and deletion via the details in the post, from the work address.

One other concern is if my verified is ever forced to be my main, I'll be screwed for contacts and years of connections. So I'll try to shut it down soon when I'm sure we're done at work. But tbh I don't think the issues will end there either.

Why do these services have to suck so much. Why does money confer such power instead of goodwill, integrity and trust/trustless systems. Things have to change. Or, just stay off the grid. But that shouldn't have to be the choice. Where are the decentralised services. I'm increasingly serious about this.

> Why do these services have to suck so much.

They can do what they please. Its due to the network effects. The tie-ins of tech are so strong, I'd wager that %99 of why they succeed has nothing to do with competency or making a product for the user, just that people are too immobile to jump ship for too many reasons. Its staggering how much stronger this is than what people give credit for. Its as if you registered all your cells with a particular pain medication provider, and the idea of switching pills makes one go into acute neurosis.

Let’s not forget Persona is linked to Peter Thiel. When Thiel and his friends support the government snatching citizens off the streets, there is unacceptable risk with forcing job seekers and the like to create accounts on LinkedIn.
Great article, thank you.

Hiding all this very important info (which literally affects the users life) behind an insignificant boring click! Even the most paranoid user will give up in certain use cases, (like with covid 19 which even though didn´t agree, you needed to travel, work making it compulsory). Every company that uses deciving techniques like this should be banned in Europe.

This is the kind of activism in privacy appreciate that we need. I knew I did not want to verify but I did verify on Linkedin recently. The fact that the author also gave an action list if you are concerned about your privacy is just commendable.
I hate LinkedIn but need it for a few things, mostly accessing certain clients and projects as a freelancer. Last October my ISP (Vodafone UK) assigned me a datacenter-classified IPv6 address with 80+ abuse reports on reputation databases, for bots, DDoS, crawlers. Before I realized this I started getting locked out, suspended, restricted from just about every web service I use, having to solve captchas for simple Google searches, etc.

I resolved everything except LinkedIn. They required Persona verification to restore access, but I'd already recently verified with Persona, so clicking the re-verification links just returned a Catch-22 "you've already verified with us." LinkedIn support is unreachable unless you're signed into an account. I tried direct emails, webforms, DMs to LinkedIn Help on Twitter, all completely ignored.

Eventually some cooldown timer must have expired, because Persona finally let me re-verify last week. Upon regaining access, I was encouraged me to verify with Persona AGAIN, this time for the verified badge.

I now have a taste of what "digital underclass" means, and look forward to the day when no part of my income depends on horrible platforms that make me desperate for the opportunity to give away my personal data!

The nasty part of that is also that you can't even delete your account without getting back into it so you need to doxx yourself to even delete it :(
A good reminder of how things actually work, but the article could use some more balancing…

> Let that sink in. You scanned your European passport for a European professional network, and your data went exclusively to North American companies. Not a single EU-based subprocessor in the chain.

LinkedIn is an American product. The EU has had 20 years to create an equally successful and popular product, which it failed to do. American companies don’t owe your European nationalist ambitions a dime. Use their products at your own discretion.

Of course an American company is subject to American law. And of course an American company will prioritise other local, similar jurisdiction companies. And often times there’s no European option that competes on quality, price, etc to begin with. In other words I don’t see why any of this is somehow uniquely wrong to the OP.

> Here’s what the CLOUD Act does in plain language: it allows US law enforcement to force any US-based company to hand over data, even if that data is stored on a server outside the United States.

European law enforcement agencies have the same powers, which they easily exercise.

> American companies don’t owe your European nationalist ambitions a dime. Use their products at your own discretion.

As a fairly vociferous eu person....I fully agree.

However, gdpr covers all eu residents, so if US companies don't want to obey eu law, that'sa fine, too.

(comment deleted)
>The EU has had 20 years to create an equally successful and popular product, which it failed to do. American companies don’t owe your European nationalist ambitions a dime. Use their products at your own discretion.

I can see not everybody here will agree with me, but I find this take absolutely reasonable. The European space has the capacity and the resources to create a product that replaces something as trivial as Linkedin, and yet it takes the lazy approach of just using American products.

It's the same thing with China's manufactured products, at some point the rest of the world just accepted that everything gets done in China and then keep complaining about how abusive China can be.

The most recent issue is the military question. Europe relied for decades on the "cheap" protection of the USA. Now the USA gave the middle finger to Europe and Europe acts shocked, but Europe is not so shocked when it comes to the military budget it did not spend on self defense during all the time the Americans provided protection.

> The EU has had 20 years to create an equally successful and popular product, which it failed to do. American companies don’t owe your European nationalist ambitions a dime.

So true.

There's a lot of passive-aggressive anti-US rhetoric and fearmongering on HN at the moment, while America is simply doing what it's always done - innovating and thriving.

As a European, I wish our continent was able to be more like America, as opposed to jealously coveting its outcomes.

The content is of course 100% true and needs to be repeated over and over, every single day.

The straight-from-LLM writing style is incredibly grating and does a massive disservice to its importance. It really does not take that long to rewrite it a bit.

I hope at least he wrote it on his local Llama instance, else it's truly peak irony.

> Here’s the thing about the DPF: it’s the replacement for Privacy Shield, which the European Court of Justice killed in 2020. The reason? US surveillance laws made it impossible to guarantee European data was safe.

> The DPF exists because the US signed an Executive Order (14086) promising to behave better. But an Executive Order is not a law. It’s a presidential decision. It can be changed or revoked by any future president with a pen stroke.

This understates the reality: the DPF is already dead. Double dead, two separate headshots.

Its validity is based on the existence of a US oversight board and redress mechanism that is required to remain free of executive influence.

1. This board is required to have at least 3 members. It has had 1 member since Trump fired three Democrat members in Jan 2025 (besides a 2-week reinstatement period).

2. Trump's EO 14215 of Feb 2025 has brought (among other agencies) the FTC - which enforces compliance with the DPF - under presidential supervision. This is still in effect.

Of course, everyone that matters knows this, but it doesn't matter, as it was all a bunch of pretend from day 1. Rules for thee but not for me, as always. But what else can we expect in a world where the biggest economy is ruled by a serial rapist.

Even the title is AI slop. Surprised these slop posts do so well on HN of all platforms but I guess they're just high volume. AI-ese is becoming its own dominant language group at this point
LinkedIn support will also blatantly lie to you when you ask them whether Persona is GDPR compliant and needed to activate your account.

Last year I was trying to setup a business LinkedIn page for SEO purposes, which meant I also had to create a personal account. After being told several times that I absolutely need to scan my ID card with that dodgy app I simply replied that I can't do it due to security concerns. After several weeks they unlocked my account anyway, but I suspect this would not happen if algorithms determined that I actually needed that account to find a job and pay my bills.

The strange thing about LinkedIn organization verification is that it never seems to be revoked. I have many contacts with verifications from companies they no longer work for - sometimes for a very long time.

On the other hand I see many people posting in official capacity for an organization without verification.

When they actively represent their current company but with a random verification from a previous one it gets pretty absurd.

In its current form LinkedIn verification is pretty worthless as a trust signal.

> The legal basis? Not consent.

> The reason? US surveillance laws […]

This slop in every blog post? Fucking tiresome.