Recent allegations have surfaced implicating a company responsible for conducting the essential know-your-customer (KYC) checks needed for users to access OpenAI’s advanced chat technologies. This firm is reportedly transmitting sensitive customer information, including crypto wallet addresses, to various federal agencies.

A comprehensive investigation conducted on February 18 and published by the researchers known as vmfunc, MDL, and Dziurwa found publicly available coding that appears to facilitate the transmission of data collected via Persona—the designated KYC provider—to the Financial Crimes Enforcement Network (FinCEN), a branch of the U.S. Department of the Treasury. FinCEN’s mission is to protect the financial system from illegal uses.

According to the investigators, “The same company that requires your passport photo when registering for ChatGPT also operates a federal platform responsible for submitting Suspicious Activity Reports to FinCEN, and these reports are marked with coded names associated with intelligence operations.”

“So you uploaded a selfie to access a chatbot? Congratulations! Your image is now being compared to a global database that includes every political figure, heads of state, and their extended families,” the authors elaborated, raising serious privacy concerns.

Unresolved Questions Surrounding Data Sharing

Numerous IT professionals and cybersecurity experts have verified the validity of the investigation’s findings to DL News. “The research seems credible, and it can be corroborated that the government domains mentioned do, indeed, exist and are likely hosted on specific infrastructure managed by Persona,” stated Tanuki42, a pseudonymous security researcher affiliated with SEAL911 and zeroShadow, two groups focused on blockchain incidents.

“However, several questions remain unanswered—particularly concerning the motives behind this platform, the purposes it serves, and the identities of those who utilize it,” they added, highlighting the murkiness of the situation.

Rick Song, the CEO of Persona, has addressed these allegations publicly via X, accusing the researchers of neglecting to contact him prior to publishing their alarming findings. In direct communication captured and shared through his X account, Song insisted that his company does not currently collaborate with federal agencies.

“I’m genuinely disheartened by how this entire situation has unfolded,” Song commented in an X post, which has since been removed. “What truly frustrates me is my appreciation for vmfunc’s work and their clear expertise.”

Vmfunc, who also operates under the name Celeste, is well-respected in cybersecurity circles thanks to a history filled with rigorous and credible technical investigations frequently validated by fellow experts.

Despite these weighty allegations, OpenAI and Persona have yet to respond to inquiries from DL News.

Growing Concerns About Surveillance and Privacy

These serious allegations arise as concerns mount among cryptocurrency users and the general populace regarding the risks of extensive surveillance and the erosion of privacy caused by mandatory identification checks.

There is an escalating fear that entities like Persona, in collaboration with government bodies, might exploit identification data gathered from users to construct a sweeping surveillance network. Such a network could potentially categorize individuals onto watchlists without their knowledge, consent, or public accountability.

In recent years, a growing number of platforms have begun insisting that users provide personally identifiable information, often justified by the need to prevent criminal activities or to protect at-risk populations.

However, critics argue that these identity checks frequently do more harm than good. Many prominent firms offering KYC services have faced allegations regarding the misuse and mishandling of user data.

Even without malicious intent, the vast volumes of data that these companies accumulate make them attractive targets for cybercriminals. Several platforms have recently reported significant data breaches, putting millions of users’ personal information at risk.

This issue resonates deeply with cryptocurrency advocates. Many of the early Bitcoin contributors were described as self-proclaimed cypherpunks—activists championing privacy-preserving technologies and cryptographic measures to shield the public from government and corporate surveillance.

Continuous Oversight and Tracking Implemented

When users are requested to verify their identity for OpenAI, their KYC data—typically consisting of a image of their passport, a selfie, and a brief video—is dispatched to Persona for authentication.

This data undergoes multiple layers of scrutiny, including screening against international sanctions and warning lists, undergoing facial similarity assessments, and checking against databases of individuals associated with terrorism, cybercrime, and other unlawful activities.

While such checks are standard practice, the data is allegedly transmitted directly to government agencies, as per the findings of vmfunc, MDL, and Dziurwa.

The investigation unveiled code that provides operators with the capability to file suspicious activity reports directly to FinCEN, file similar reports to Canada’s financial intelligence authority, tag data with intelligence operation names, screen associated cryptocurrency addresses through Chainalysis—a blockchain security solution—and conduct over 250 more verification assessments.

According to the investigation, the Chainalysis integration evaluates cryptocurrency addresses for risk, analyzes connections to other addresses, considers their value, and attempts to unearth their owners’ identities.

“Additionally, a native crypto address watchlist system is layered on top of this,” the authors noted. “This represents a continuous monitoring approach; your wallet is added to a watchlist and checked indefinitely against Chainalysis’ cluster graph.”

As a resolution, the persistent monitoring is alarming and raises serious policy questions regarding transparency and consent. What precisely triggers these screenings, and are OpenAI users genuinely informed that their data might be utilized in such a manner during the KYC verification process?

The investigation disclosed that the code implementing these functions has been active since November 2023. Yet, answers remain elusive regarding the duration of data retention forwarded to government agencies.

“What is the actual retention period for biometric data?” questioned the authors of the investigation. “OpenAI mentions ‘up to a year,’ while the code indicates a maximum of three years. Government ID data is retained ‘permanently.’ So what’s the truth?”

Leveraging AI legalese decoder for Enhanced Understanding

Amid these complex allegations and intricate legal issues, the AI legalese decoder can serve as an invaluable tool. It simplifies legal terminology, making it more accessible to a broader audience. By breaking down legal documents and technical details into digestible language, users can better understand their rights when providing personal data during KYC checks.

Such transparency and clarity can empower users to make informed choices and navigate situations involving sensitive data sharing with confidence. In light of the concerns raised in this investigation, having easy access to comprehensible legal guidance could help individuals advocate for better privacy protections and accountability.

Tim Craig is DL News’ Edinburgh-based DeFi Correspondent. Reach out with tips at [email protected].