The watchers, pt. 2: the correspondence
3 days ago
- #Biometrics
- #Transparency
- #Privacy
- Persona's CEO, Rick Song, reached out directly to the researcher, Celeste, within 24 hours of the publication of their findings, offering to discuss the issues raised.
- The initial findings included source maps exposed on a government endpoint, a deployment named 'Onyx' (a name shared with an ICE surveillance tool), and a dedicated OpenAI-specific service named 'openai-watchlistdb'.
- Rick described the exposed source maps as an oversight, said 'Onyx' was named after a Pokémon, and explained the watchlist database as a stateless service that only screens submitted data against OFAC/SDN sanctions lists.
- Celeste emphasized the importance of transparency and public accountability, refusing private discussions in favor of written, publishable answers to ensure verifiability.
- In its written answers, Persona stated that it does not send OpenAI user data to FinCEN or FINTRAC and that the 'openai-watchlistdb' service involves no biometric processing.
- Despite the productive exchange, several questions remain unanswered, including the nature of Persona's experimental ML models, how 'suspicious entity' detection works, and whether and how affected users are notified.
- The exchange between Celeste and Rick was notable for its lack of legal threats or NDAs, focusing instead on direct communication and transparency.
- The situation underscores the broader issues of privacy, surveillance, and the ethical responsibilities of companies handling sensitive biometric data.