I’m sort of a privacy nut. As such, I try to practice good digital hygiene and leave as few traces as I can on the Internet. The traces I do leave, I want to be deliberate, not accidental. That philosophy clashes heavily with uploading my ID to American services.
But first things first.
The other day, as thousands upon thousands of tech workers do, I was compulsively browsing LinkedIn. After having had enough of the whole pulling bullshit KPIs out of one’s ass thing, I checked my account’s security settings.
Buried underneath some menu, I saw the option to enable a login passkey. Being the paranoid obsessive that I am, I cheerfully gasped, and enabled that bad boy right away! After that, I did some more of the good old soul-crushing for a few minutes, and then I dipped.
In case you don't know what passkeys are: They're a new sort of password-less password that uses math to securely log you into a given service, if supported. They get stored in a separate app on your phone or computer and you as the user never interact with them directly. It's much safer and pretty cool!
The next day or so, I was ready to self-inflict pain again, and navigated to the blue hellhole platform. But instead of being greeted by my feed, and the random business mumbo jumbo I longed for, I just saw this:
What the fuck? I’m adding security measures to my account and get locked out? That makes zero sense! I’m verified by workplace email, I have 2FA set up, I wasn’t accessing the platform from a new location or device, and then… this?
On top of that: The only way I can regain access is by providing a passport or government ID, not even to LinkedIn or Microsoft themselves, but a third party called Persona with a privacy policy that is highly problematic at best.
Hell no! I don’t want Persona to:
- Use my passport or ID card to train their AI with.
- Aggregate information about me by cooperating with and obtaining additional data from further third parties about me.
- Retain said data set for longer than necessary for “business purposes.”
- Process any of it in the US, or literally “any other country […]” that may be “not as protective” as my home jurisdiction.
And for sure I don’t want them to share it with their “Service providers,” “Global network of data partners,” “Affiliates,” or “third party vendors!”
So let me summarize. If you make your account more secure, you get locked out of it. If you then want to regain access, you have to provide highly sensitive information to a plethora of third parties, most of them undisclosed and scattered across the globe. That’s fucked up!
What about contacting me through my primary, recovery, or work email, and then making me input a TOTP? What about a security question, or even my 2FA recovery codes? Oh, I guess those are all not secure enough. So you’d rather make me extremely vulnerable to a potential data breach at one of possibly hundreds of partners of Persona, who then probably resell chunks of that data to others and make a quick buck off of it.
Got it, checks out.
For as long as I have to go through the proposed verification process, I won’t be joining you all in the corporate humblebragging and ego stroking sessions again.
But hey, maybe that’s better for my mental health, anyway…