how openai, the US government, and persona built an identity surveillance machine that files reports on you to the feds
102 points by kriive
This is a bog standard KYC system that basically every single financial institution that has to deal with US laws is required to have. Ask me how I know. 😓
Sure, but is OpenAI required to do KYC? Why would it? They aren't a financial institution and don't have any of their compliance requirements. We should be questioning these powerful tech companies and holding them accountable.
Is OpenAI doing KYC? The blog post describes multiple independent systems:
openai-watchlistdb.withpersona.com; which they assert in section 0x11 is called in Persona’s verification flow… but I don’t see where they presented evidence for that? Moreover, they assert that it does OFAC and FinCEN and such… but again, no evidence? The timeline they present could also be explained by this service being something Persona owns that uses OpenAI; especially since it’s been around for so long. Regardless, AFAICT the service just has a provocative name.
app.onyx.withpersona-gov.com; a KYC and SAR SaaS that relates to OpenAI insofar as it uses their API to provide a chatbot that doesn’t even get PII.
I think it's unanswered whether OpenAI gets PII from users asking the chatbot questions or what is loaded into that chatbot context. I don't think I've ever ironically called any of my services "watchlistdb", but I'll cede I do have some prod DBs with typoed names because someone made a mistake and now we can't fix it because it's not worth the effort, so maybe they started it with one purpose and just kept using it.
No, it isn't. My credit union has a bog-standard KYC system. It mainly features a person and interviews. It consists of notes accumulated in the course of many ordinary transactions. It retains history between the customer and the financial institution. It is built from my candid and repeated insistence that I am not touching Bitcoin or doing crimes. Also, I don't think OpenAI is licensed to operate as a financial institution and I would not expect them to have a KYC workflow.
Yes, it is. And if this is true about your credit union, then I expect them to show up here in due time.
Also, I don't think OpenAI is licensed to operate as a financial institution and I would not expect them to have a KYC workflow.
As I noted more expansively, AFAICT there is no evidence in the post that OpenAI has a KYC workflow.
Maybe this is the actual story? That lots of people wouldn't like what's in a bog-standard KYC system if they knew. Maybe what's reported here doesn't actually matter (they say themselves there's no known connection to law enforcement aside from a possible connection in the Onyx name), but it's presented scarily and I'm wary of any gov data collection.
In that case, I hope this gets the word out. Businesses are deputised to be invasive in a way that the government (ostensibly) cannot. Worse, the regulatory framework mostly doesn't achieve its (ostensible) goals!
To offer safe AGI, we need to make sure bad people aren’t using our services.
That's actually a direct quote from OpenAI and not a paraphrase, wow. Bold.
edits:
I wonder what the visa status field is supposed to be used for by downstream users.
no, we can’t give you the zip. we know. we want to. believe us, we really want to. but the code is still Persona’s copyrighted property regardless of how monumentally they fumbled serving it to the entire internet.
I really hope someone leaks this. I assume they did the initial recon from their home IP, so they couldn't get away with publishing this under a pseudonym? There's probably a lesson there.
(btw, what's with the diagrams with box drawing characters? they're so weird)
we need to make sure bad people aren’t using our services
You might think the (current) US government are bad people, but you can bet a couple hundred billion dollars Sam Altman doesn't think so.