Olivia
Online
Rick Song
@rickcsong
@withpersona Co-founder and CEO
San Francisco, CA
Joined June 2019
143 Following
1.6K Followers
335 Posts
Pinned Tweet
With how quickly fraud is evolving due to AI, online identity now collects more data than ever. Privacy feels like an inevitable sacrifice.
We don’t believe it has to be, so we built Relay.
Relay verifies you are human, but keeps your activity private.
Persona never sees who you share this proof with or what you’re doing online, and the website you’re trying to verify with never sees any of your personal information.
Identity and privacy don’t have to be a tradeoff.
🔒 Today, we're launching Relay: a new way to verify who you are while keeping your online activity private.
@x6pnda Apologies for the experience here. Given the experience you shared, I suspect that we had difficulty verifying your first attempt and then subsequent attempts were being flagged for identity theft risk (especially if you were using multiple devices in a short period against the same identity).
I've reached out over DM to help investigate and also learn more about how we can hopefully improve our systems for the future.
With how quickly fraud is evolving due to AI, online identity now collects more data than ever. Privacy feels like an inevitable sacrifice.
We don’t believe it has to be, so we built Relay.
Relay verifies you are human, but keeps your activity private.
Persona never sees who you share this proof with or what you’re doing online, and the website you’re trying to verify with never sees any of your personal information.
Identity and privacy don’t have to be a tradeoff.
🔒 Today, we're launching Relay: a new way to verify who you are while keeping your online activity private.
Who to follow
Persona
@withpersona
Persona offers a flexible identity platform that allows you to craft personalized and automated verification solutions so you can better know & protect users.
Meghan Reynolds
@MeghanKReynolds
Managing Partner & Head of Cap Formation @AltimeterCap. I talk about what I learn from LPs. Mom is what I do best. No Invest Advice Views My Own
Christine Yen
@cyen
cofounder/ceo @honeycombio. misses writing software, loves post-its, says go go go. she/her.
@paper3139 One of the most important parts of Relay’s design is that the your data isn’t shared with the business!
Persona doesn’t know what you are doing.
The business doesn’t know who you are.
And we delete your data immediately after processing.
@vxunderground Just to be clear, we do not verify those!
@TaylorLorenz I know you may not agree with everything here, but would still love your feedback on our approach!
https://t.co/umHZsLuaA2
With how quickly fraud is evolving due to AI, online identity now collects more data than ever. Privacy feels like an inevitable sacrifice.
We don’t believe it has to be, so we built Relay.
Relay verifies you are human, but keeps your activity private.
Persona never sees who you share this proof with or what you’re doing online, and the website you’re trying to verify with never sees any of your personal information.
Identity and privacy don’t have to be a tradeoff.
@senatorshoshana We've been working on it! Would love to get your thoughts.
https://t.co/umHZsLuaA2
With how quickly fraud is evolving due to AI, online identity now collects more data than ever. Privacy feels like an inevitable sacrifice.
We don’t believe it has to be, so we built Relay.
Relay verifies you are human, but keeps your activity private.
Persona never sees who you share this proof with or what you’re doing online, and the website you’re trying to verify with never sees any of your personal information.
Identity and privacy don’t have to be a tradeoff.
We’re working with early partners to help verify that users
1/ are human
2/ are over 18
and 3/ KYC without anyone else touching their personal data
DM me if interested in early access.
Excited to work with folks to keep the internet human and improve privacy.
Relay leverages the Privacy Pass architecture (RFC 9576) to accomplish this.
Read more about how it works
https://t.co/zDLkIR43pH
This is a fair and valid question.
The short answer is because today's CIP regulations effectively makes the service that originally performed KYC liable for any problems that may originate from other services that rely on them.
Effectively, it punishes services from allowing others to rely on them.
The existing framework also limits the "reliance framework" to only be applicable to financial institutions, preventing parties such as Persona who would be better aligned and incentivized to take on the liability.
Source: https://t.co/oj5NSlfqBa
I think this is a really great idea -- and if we were to build this for individuals, we would aim to make it free. I don't think we should ever charge individuals to access data about themselves.
We're about to launch something that will help with parts of this! It's not as ambitious as what you've proposed, but it could lay the foundation for us to build ideas you're sharing here.
One thing that we will want to be very sensitive about though is that any tool that enables individuals to lookup themselves could also be abused by others trying to learn more about them.
I think that securing this and ensuring that only the right person is seeing this data will probably be the trickiest and most sensitive part. Unlike for businesses where we can audit them, opening something up like this for individuals can be risky. We would likely need to scope down how much data would be shared.
There are now more than 70 age verification laws proposed or enforced around the world, all with their own unique requirements.
We built Atlas for:
1/ compliance teams to help stay up-to-date with the dizzying regulatory landscape
2/ the public to track emerging laws and engage with regulators to shape these laws for the better
For the average company, non-compliance is a non-starter. The largest of these fines can be up to 10% of a company’s global revenue or $250,000 per violation per minor.
For the public, an overreaching law mandates overly-intrusive forms of verification from apps and individuals who shouldn’t be impacted, fueling concern and conspiracy around its true motivation.
Today, we’re launching Persona Atlas
As more countries release their own unique laws on age assurance, tracking the requirements has become a nightmare
Persona Atlas is an open database that tracks, translates, and summarizes global identity regulations starting with age laws
@Alph4betSoup That's awesome re: the searchable policy web database!
Would love to explore ways we may be able to collaborate. I'll reach out over DM.
@Alph4betSoup Sorry for my delay!
It's been a busy week... so I didn't have the chance to write back. I wanted to take the time to write something longer too since you had put in the time too.
https://t.co/NRXMrTYg4Y
Really appreciate you taking the time to write this feedback! Couple of immediate thoughts:
Re: Privacy Policy
Our change wouldn’t be so ambitious as to change the policy live as a user is going through a flow. Our flows are versioned so once it starts, there are no subsequent changes.
Instead, the goal is just to split the privacy policy because in practice, most customers only use a small subset of our features. Our policy today needs to encompass all features across all customers, so the policy ends up being overreaching.
To accomplish this though, we need to make sure the policy accurately reflects what features a customer is using, so automating that sync+versioning is still important. That way when a customer starts the flow, the policy will reflect the accurate version of subprocessors they’re using.
Re: Data Processing Summary
I really like the feedback re: capturing the web of downstream processors. As you say though, it is really hard to keep track of that too, especially once it’s multiple degrees of separation away.
Thinking on this, one immediate thing we could at least do is highlight if a processor sends your data to any additional processors.
While scoping this, we were planning to split up the summary by data attribute (e.g. email, name, address, selfie) because the more sensitive data that we handle (e.g. photos) generally do not have any additional downstream processors beyond our hosting provider.
Adding the clarification that some data is processed by systems that may involve additional downstream processors would provide better transparency and more trust. Ideally, we’d be able to track the full web, but this is a start!
Thank you so much again for taking the time to write this up! I’m always down to chat more about privacy too and ways we could be better.
Really appreciate you taking the time to write this feedback! Couple of immediate thoughts:
Re: Privacy Policy
Our change wouldn’t be so ambitious as to change the policy live as a user is going through a flow. Our flows are versioned so once it starts, there are no subsequent changes.
Instead, the goal is just to split the privacy policy because in practice, most customers only use a small subset of our features. Our policy today needs to encompass all features across all customers, so the policy ends up being overreaching.
To accomplish this though, we need to make sure the policy accurately reflects what features a customer is using, so automating that sync+versioning is still important. That way when a customer starts the flow, the policy will reflect the accurate version of subprocessors they’re using.
Re: Data Processing Summary
I really like the feedback re: capturing the web of downstream processors. As you say though, it is really hard to keep track of that too, especially once it’s multiple degrees of separation away.
Thinking on this, one immediate thing we could at least do is highlight if a processor sends your data to any additional processors.
While scoping this, we were planning to split up the summary by data attribute (e.g. email, name, address, selfie) because the more sensitive data that we handle (e.g. photos) generally do not have any additional downstream processors beyond our hosting provider.
Adding the clarification that some data is processed by systems that may involve additional downstream processors would provide better transparency and more trust. Ideally, we’d be able to track the full web, but this is a start!
Thank you so much again for taking the time to write this up! I’m always down to chat more about privacy too and ways we could be better.
I'd like us to continue investing in building resources for the public to learn more about these legislations and make them easier to digest!
It may be strange for me to say this especially in my position, but I don't think we should rely on company heads to preserve best practices.
Even if it works well in the short term, I think it's a shortcut that the public may rely on (rather than engaging with policy) and also potentially sets a bad precedent that inevitably will be abused.
Even if you can't vote on the legislation, a call to a local representative can still have a significant impact! I know this sounds overly-idealistic... but I think its actually much more unfortunate that pervasive cynicism has led many to believe too much that politicians don't care (many genuinely do, especially local/state ones)
I think especially as folks are using us for unanticipated use cases, we need to evolve our product to better fit things as they change!
TBH, I think there's a lot we can do to make things better. We are working on some now, and I am pretty excited about some of our work we'll be launching soon:
1/ better privacy portal for end users for subject access requests
2/ user-controlled way to share data for humanness/age verification use cases
3/ improve our data processing/privacy policy to make it more transparent what is happening per-customer
This is not age verification. It’s just ID verification for account security.
In the past, you’d email your government ID to a support team who manually looked at it.
We built Persona because we think this is bad.
Your data used to be indexed in a CRM that wasn’t built to secure sensitive personal data, and often that CRM or even support team would be the source of the next data breach.
With Persona, your data is uploaded to a platform built explicitly to manage personal data with better security, access controls, and retention policies.
Companies choose us not because of how we verify, but because of our focus on how personal data is secured.
Despite the media attention, Persona’s primary use case is not age verification, but rather account security and fraud prevention. The majority of our use cases are exactly like this.
We have a simple business. We verify your identity securely, retain it for only as long as necessary on behalf of the company, and then delete it as soon as we can.
Amazon is emailing many users for "unusual ordering activity" and are asking for ID age verification. Surprise surprise, their age verification vendor is Persona.
I agree with a lot of what you said here, and also agree that interchanging the terminology is bad.
I pushed the distinction more because for many of our use cases, identity verification is requested for account security when there's a strong suspicion that the underlying email and/or other available credentials that an account is associated with have all been compromised.
For example, if a major change (e.g. a large transaction to a new address or changing a target bank account for deposits) is made on a new device from a high-risk IP immediately after password recovery.
In these cases today, there's unfortunately not many great options. Usually, these types of use cases escalate to a live call even after verification.
Btw, thank you for what you wrote re: https://t.co/KBcQJ08mFS
I thought your name looked familiar and realized I had come across it when I saw your blog post!
As someone who also is not a lawyer, but did read through most of the 300+ pages... I felt what you put together is incredibly comprehensive. You've helped many by pulling out the most important parts of a slog of a read.
Last Seen Users on Sotwe
Most Popular Users
Elon Musk
@elonmusk
240.1M followers
Barack Obama
@barackobama
119.3M followers
Donald J. Trump
@realdonaldtrump
111.6M followers
Cristiano Ronaldo
@cristiano
108.7M followers
Narendra Modi
@narendramodi
106.9M followers
Rihanna
@rihanna
97.2M followers
NASA
@nasa
92.1M followers
Justin Bieber
@justinbieber
90.5M followers
KATY PERRY
@katyperry
86.7M followers
Taylor Swift
@taylorswift13
80.5M followers
Lady Gaga
@ladygaga
72.1M followers
Kim Kardashian
@kimkardashian
69.3M followers
YouTube
@youtube
68.6M followers
Virat Kohli
@imvkohli
68.4M followers
Bill Gates
@billgates
63.3M followers
The Ellen Show
@theellenshow
62.5M followers
CNN
@cnn
61.9M followers
Neymar Jr
@neymarjr
60.9M followers
X
@x
60.9M followers
CNN Breaking News
@cnnbrk
59.9M followers