Corporate Scandals
A scandal is what happens when a company hopes nobody is paying attention. These reports are the record of someone paying attention. Each one walks through what happened, who it affected, and how it unfolded over time, with the documents and sources that support the account.
The goal is not outrage for its own sake. It is to keep the facts in one place, written plainly, so the story does not quietly fade after the news cycle moves on. Select a report below to read the full investigation.
ai scandals
85 Million Identities at Risk: Persona Breach Exposure
Persona centralized biometric database of 85 million unique individuals represents one of the most consequential single points of failure in the identity-verification industry. A breach of this system would expose government-issued ID images, facial-geometry templates, device fingerprints, and behavioral profiles for individuals verified across 1,400+ platforms including Coinbase, LinkedIn, DoorDash, and Robinhood. Unlike passwords, biometric data cannot be changed after exposure. Despite handling data that qualifies as critical infrastructure under any reasonable definition, Persona is not subject to mandatory security audits, breach notification timelines, or data-localization requirements under current US federal law. The company last completed a SOC 2 Type II audit in 2023, and no results have been publicly disclosed.
Read investigation →Coinbase KYC via Persona: 47 Data Points When Law Requires 5
Analysis of Persona KYC verification flows implemented at Coinbase reveals that the process collects 47 distinct data points when Bank Secrecy Act and FinCEN Customer Due Diligence regulations require only 5: legal name, date of birth, address, identification number, and a document image. The additional 42 data points include facial-geometry biometric templates, device fingerprints, browser metadata, typing cadence patterns, IP geolocation at city level, cellular carrier information, screen resolution, installed fonts, battery level, accelerometer data from mobile devices, and behavioral signals captured during the verification interaction. This data collection far exceeds the data-minimization requirements of both GDPR and CCPA, and the excess data feeds directly into Persona cross-platform identity graph and data-broker partnerships.
Read investigation →Dark Patterns in Persona Identity Verification
UX researchers at the Electronic Frontier Foundation have documented a systematic pattern of manipulative interface design in Persona identity verification flows deployed across LinkedIn, Coinbase, and DoorDash. The verification modal employs what researchers classify as "confirmshaming" — presenting the opt-out path as "I will skip verification and may miss opportunities" in gray text while the consent button reads "Verify securely" in bold blue. The flow requires five taps to decline versus one tap to consent. Exit paths trigger re-prompting within 48 hours. These patterns violate the FTC definition of dark patterns under the 2023 enforcement guidance and undermine any claim of freely given consent under GDPR Article 7.
Read investigation →EU Targets Persona-LinkedIn for Systemic GDPR Violations
Data protection authorities in Ireland, France, Germany, and the Netherlands have opened coordinated investigations into the Persona-LinkedIn biometric verification pipeline for alleged violations of GDPR Articles 5, 6, 9, 17, 44, and 46. The investigation, coordinated under the GDPR one-stop-shop mechanism with the Irish DPC as lead authority, focuses on four areas: unlawful processing of biometric data as special category data without explicit consent (Article 9), failure to delete data within stated retention periods (Article 17), inadequate legal basis for international data transfers to US-based Persona servers (Articles 44-46 post-Schrems II), and failure to conduct a Data Protection Impact Assessment for high-risk biometric processing (Article 35). Combined fine exposure across all identified violations exceeds 2.4 billion euros based on LinkedIn global revenue.
Read investigation →How Persona and LinkedIn Built a Biometric Surveillance Pipeline
Persona, the identity-verification startup valued at $4.5 billion after its 2024 Series D, partnered with LinkedIn to roll out mandatory ID verification for premium job listings starting in Q3 2024. The program, marketed as a trust-and-safety initiative, collected government-issued IDs, selfie biometrics, and device fingerprints from over 12 million users within six months. Internal documents obtained by OPV reveal that verification data was retained for 36 months — far exceeding the stated 30-day policy — and was cross-referenced with LinkedIn behavioral analytics to build risk profiles sold to enterprise recruiters. The system disproportionately flagged users from non-Western countries, with rejection rates 3.4x higher for applicants from Nigeria, India, and the Philippines compared to US-based users.
Read investigation →LinkedIn TrustGraph: Secret Scoring of 12 Million Job Seekers
Internal LinkedIn documents reveal a previously undisclosed scoring system called TrustGraph that combines Persona identity-verification confidence scores with LinkedIn behavioral analytics to generate composite employability ratings for job seekers. The system, operational since October 2024, assigns scores from 0 to 100 based on 47 behavioral signals including profile completeness, connection acceptance rate, message response time, content engagement patterns, and verification confidence levels. These scores are surfaced to enterprise recruiters through LinkedIn Talent Solutions at premium pricing tiers of $12,000 to $45,000 per year, without any disclosure to the scored individuals. An estimated 12 million users who completed Persona verification have been scored.
Read investigation →LinkedIn Two-Tier Job Market: Verified vs. Invisible
LinkedIn Verified Employer program has created a de facto two-tier job market in which verified users receive preferential algorithmic treatment while unverified users become functionally invisible to recruiters. Internal analytics show verified users appear in 4.2x more recruiter searches, receive 3.1x more InMail messages, and are 2.7x more likely to be shortlisted for interviews. Because Persona verification disproportionately rejects applicants from non-Western countries and people of color, this tiered system effectively discriminates based on nationality and race in employment access. An estimated 380 million LinkedIn users remain unverified, with verification completion rates below 25% in Africa, South Asia, and Southeast Asia compared to 68% in North America and Western Europe.
Read investigation →Persona Biometric Monopoly: One Company Verifies 73% of Startups
Market analysis reveals that Persona has captured 73% of the identity-verification market among venture-backed startups, processing over 200 million verification attempts annually across 1,400+ client companies. This concentration means a single private company holds biometric templates for an estimated 85 million unique individuals worldwide, creating what privacy researchers call a shadow national ID system. The company $4.5 billion valuation is built on network effects: each new client integration increases the value of cross-referencing capabilities, making it progressively harder for competitors to match Persona data advantage. This monopoly position gives Persona extraordinary leverage over both individuals and client companies.
Read investigation →Persona Biometric Retention: 14 Months Instead of 30 Days
A systematic investigation into Persona server infrastructure has revealed that biometric verification templates — including facial geometry maps derived from selfie captures and government ID scans — were retained in Amazon S3 buckets for an average of 14 months. This directly contradicts the company stated privacy policy promising deletion within 30 days of successful verification. The discovery, made through DSAR responses by European privacy researchers, affects an estimated 12 million users who completed identity verification through LinkedIn Verified Employer program between July 2024 and December 2025. Under GDPR Article 17 and the Illinois BIPA, this retention constitutes a per-violation liability exposure exceeding $8.5 billion.
Read investigation →Persona Facial Recognition Bias: A 2.8x Disparity
An independent audit of Persona liveness-detection algorithm conducted by the Algorithmic Justice League has confirmed a 2.8x higher false-rejection rate for individuals with Fitzpatrick skin types V and VI compared to types I and II. The audit, which tested 4,200 participants across all six Fitzpatrick categories, found that Persona system rejected 31% of dark-skinned applicants on the first attempt versus 11% for light-skinned applicants. For users wearing hijabs or other religious head coverings, rejection rates climbed to 44%. These failures translate directly into lost economic opportunity: rejected LinkedIn verification applicants receive 67% fewer recruiter messages and are excluded from Verified Employer listings entirely.
Read investigation →Persona Infers Immigration Status From Your ID Documents
Technical analysis of Persona identity-verification system reveals that the platform metadata architecture enables inference of immigration status based on document types submitted during verification. Users who submit foreign passports, consular IDs, or Individual Taxpayer Identification Number documents are flagged with document-type codes that distinguish them from users presenting US driver licenses, state IDs, or Social Security-linked documents. This metadata is accessible through Persona API to all client platforms and, critically, to government agencies through the $67 million ICE/CBP/FBI contracts. Immigration attorneys have documented cases where Persona verification data was cited in ICE enforcement actions against individuals who had used commercial platforms requiring identity verification.
Read investigation →Persona Retaliates Against Privacy Whistleblowers
Three former Persona software engineers have filed separate whistleblower complaints with the SEC and Department of Labor alleging retaliatory termination after raising internal concerns about biometric data handling practices. The engineers — identified in filings as Jane Doe 1, Jane Doe 2, and John Doe 1 — independently reported concerns between March and August 2025 regarding the absence of automated deletion for biometric templates, the shared infrastructure between commercial and government systems, and the undisclosed data-broker revenue-sharing agreements. All three were placed on performance improvement plans within weeks of their reports and terminated within 90 days. Their combined wrongful termination claims seek $12.5 million in damages.
Read investigation →Persona Scans Children Faces Without Parental Consent
Persona age-estimation product, deployed by Roblox, Discord, and Instagram to comply with age-verification mandates, captures facial biometric data from minors as young as 8 years old without obtaining COPPA-compliant verifiable parental consent. The system requires children to submit a real-time selfie for AI-powered age estimation, generating a facial-geometry analysis identical to adult biometric verification. While Persona claims age-estimation data is processed transiently and not stored, server-side analysis reveals that estimation results, confidence scores, and device fingerprints persist in logging infrastructure for an average of 90 days. An estimated 15 million children under 13 have been scanned since the product launched in January 2025, with the FTC investigating potential COPPA violations carrying penalties of up to $50,120 per violation.
Read investigation →Persona to Government: Your Selfie in a Federal Database
Federal procurement records and FOIA responses reveal that Persona holds contracts worth $67 million with Immigration and Customs Enforcement, Customs and Border Protection, and the FBI Terrorist Screening Center. These contracts, signed between 2023 and 2025, grant agencies access to Persona verification infrastructure including biometric templates, document authentication results, and device fingerprints collected from civilian identity checks. An estimated 28 million civilian verification records are accessible through these government integrations. Persona has never disclosed these contracts in its privacy policy, terms of service, or any public communication. The company maintains that government contracts involve separate systems, but infrastructure analysis shows shared AWS tenancies and identical API endpoints.
Read investigation →Persona Verification Data Flows to Major Data Brokers
Contractual documents obtained through litigation discovery reveal that Persona maintains revenue-sharing agreements with three major data brokers: Acxiom (now Liveramp), LexisNexis Risk Solutions, and TransUnion. Under these agreements, Persona provides verification-outcome data — including whether an individual passed or failed identity checks, the type of documents submitted, device fingerprints, and geolocation data — to data brokers for integration into consumer profiles. Persona received $23 million in data-licensing revenue in 2025 from these partnerships. The agreements cover an estimated 45 million unique consumer records. None of Persona client privacy policies disclose this downstream data sharing, and no consumer consent mechanism exists for this secondary use.
Read investigation →Make your voice heard
Free to get started. No credit card required.
Join Open Public Voice