OpenAI KYC provider accused of sharing user data with US agencies

A security investigation has accused Persona, the company handling know-your-customer checks for OpenAI, of sending user data including crypto addresses to federal agencies like FinCEN. Researchers found code that enables monitoring and reporting of suspicious activities. Persona denies current ties to federal agencies.

On February 18, security researchers vmfunc, MDL, and Dziurwa published an investigation revealing publicly accessible code in Persona's system that appears to transmit data collected during OpenAI's KYC process to the Financial Crimes Enforcement Network (FinCEN), a US Treasury bureau. This data includes passport photos, selfies, and videos submitted by users verifying their identity to access advanced ChatGPT features. The code, in place since November 2023, also integrates with Chainalysis to screen associated crypto addresses for risks, analyze interactions, and enable persistent monitoring via a watchlist system.

The researchers highlighted the platform's capabilities, stating, “The same company that takes your passport photo when you sign up for ChatGPT also operates a government platform that files Suspicious Activity Reports with FinCEN and tags them with intelligence programme codenames.” They added, “So you uploaded a selfie to use a chatbot? Congratulations! It’s now being compared against a database of every politician, head of state, and their extended family tree on earth.”

Multiple security experts, including Tanuki42 from blockchain incident response groups, confirmed the findings' credibility, noting that the cited government domains exist and are likely hosted by Persona. However, questions remain about motives, usage, and exact criteria for triggering screenings or reports.

Persona CEO Rick Song responded on X, expressing disappointment and claiming the researchers did not contact him beforehand. In emails shared by Song, he stated that his company does not work with any federal agency today, though he did not directly address the code's implications. In a post, Song wrote, “I am genuinely disappointed in how all of this has been handled,” and praised vmfunc's talent. OpenAI and Persona did not respond to requests for comment from DL News.

The revelations raise concerns amid growing unease over KYC requirements, which screen against sanctions, terrorism links, and financial crimes but also expose users to potential data misuse or breaches. Retention periods are unclear, with discrepancies between OpenAI's stated one-year limit and code indicating up to three years or permanent storage for government IDs.
