Feb 25, 2026 08:00:00

Where does the passport and photo data that I submit to get a verified badge on LinkedIn go?

LinkedIn, a business social networking site operated by Microsoft, has

a verification badge that shows that a user's identity has been verified. To obtain a LinkedIn verification badge, users must submit ID such as a passport and a photo. The technology blog THE LOCAL STACK reported on the results of an investigation into what happens to the data submitted to LinkedIn.

I Verified My LinkedIn Identity. Here's What I Actually Handed Over. | THE LOCAL STACK
https://thelocalstack.eu/posts/linkedin-identity-verification-privacy/

Mr. Rogi, who runs THE LOCAL STACK, said that LinkedIn is overflowing with fake recruiters, bot accounts, and AI-generated photos, so he decided to get a verified badge that proves he is real. Mr. Rogi said he was able to get a verified badge in just three minutes by scanning his passport or sending a selfie.

After carefully reading the privacy policy and terms of use for the verified badge, Rogi says he understood where the data he submitted to LinkedIn went and how it was processed.

First, the data submitted to LinkedIn is not processed directly by LinkedIn, but is sent to an identity verification company called ' Persona Identities ' in San Francisco, California, USA. In other words, LinkedIn is a customer of Persona, which provides identity verification services, and it is Persona that actually performs the identity verification process.

According to Rogi, in just three minutes of identity verification, Persona will collect various personal information, such as 'full name,' 'passport photo and front and description,' 'selfie taken in real time,' 'face shape data extracted from face photo,' 'NFC chip data built into passport,' 'national ID number,' 'nationality, gender, date of birth, age,' 'email address, telephone number, postal code,' 'IP address, device type, MAC address , browser, OS version, language,' and 'location information inferred from IP address.' It also collects behavioral data, such as whether the identity verification process was paused or whether copy and paste was performed.

Persona doesn't look up this data on its own, but instead checks it against trusted third-party databases, such as government databases, national ID registries, consumer credit bureaus, utility companies, mobile network providers, and postal code databases. So, the process of getting your verified badge on LinkedIn essentially involves a background check.

Persona's

privacy policy also states that it uses photos of IDs uploaded by users to train its system to recognize IDs from various countries. Persona claims that this is a legitimate interest, but Rogi questioned whether this is valid under the EU General Data Protection Regulation (GDPR) .

The data obtained by Persona via LinkedIn can also be accessed by third-party subprocessors that partner with the service. Persona's official website lists 17 subprocessors, including AI developers such as Anthropic and OpenAI, as well as Amazon Web Services (AWS) and Google Platform. Sixteen of these are based in the United States, and one in Canada. This means that if a European user provides various data to connect with local business contacts, that data will be sent to a North American company.

Furthermore, Rogi pointed out that because Persona is a US company, it is subject to the US Cloud Act , which was enacted in 2018. The Cloud Act allows companies to request data disclosure even if the data is stored overseas. Persona has servers not only in the US but also in Frankfurt, Germany, but if US law enforcement requests it, Persona would be forced to hand over the data.

'I gave them my passport, my face, and the geometry of my skull. They'll run it against credit bureau and government databases, and they'll use my documents to train an AI,' Roggi said. 'And if the US government comes calling, they'll hand it all over, even though the data is stored in Europe, even though I'm European, and probably without telling me.'

The blog was shared on LinkedIn by security expert Brian Krebs, and Persona co-founder and CEO Rick Song commented:

LinkedIn Verification Data Disclosure: 17 Companies Involved | Brian Krebs posted about this topic | LinkedIn

https://www.linkedin.com/feed/update/urn:li:activity:7430615492442091520

According to Song, personal data processed via LinkedIn will not be used for AI or model training, but will be used only for identity verification. Furthermore, biometric personal data will be deleted immediately after processing, and other personal data will be automatically deleted within 30 days.

Furthermore, the subprocessors with which Persona shares data vary by service, and for identity verification services, the list includes only eight companies: AWS, Confluent, DBT, ElasticSearch, Google Cloud Platform, MongoDB, Sigma Computing, and Snowflake. The list does not include AI developers such as OpenAI and Anthropic. 'We will add a note to the list to clarify this point,' Song said.