Date: 2026-02-26

Recently a hacker group called “vmfunc” exposed a major backdoor from Persona to the U.S. and Canadian governments through its age-verification services.

vmfunc’s original disclosure is somewhat technical and a lot of the online reporting on this issue has been unnecessarily sensationalised. Unnecessarily, because the facts seem to be alarming without any embellishment. This is my attempt to summarise their findings.

Persona is primarily an age-verification platform with a reported USD 2 billion valuation and its shareholders include (inevitably!) Peter Thiel’s Founders Fund.

Persona acts as a third-party service provider to OpenAI (which runs ChatGPT) to screen new and existing users. Notably, Substack also uses the services of Persona. For most new users, ChatGPT’s verification process is largely invisible. The new user signs up with their name, a date of birth and a verified e-mail address. Persona then performs checks to verify the user’s age and to see if he or she is included on the Office of Foreign Assets Control (OFAC) sanctions list.

In most cases the process ends there; however, if red flags are triggered, additional checks take place. These additional checks are also required if a user wishes to access advanced ChatGPT features, for example, the creation of an interface between ChatGPT and another programme via API.

vmfunc’s key finding was that the “sanctions compliance” check is much more than the name suggests. In fact, users are checked across hundreds of databases and, even more worryingly, there is a two-way process between OpenAI and the government, whereby OpenAI is able to file Suspicious Activity Reports on its users directly with the U.S. government.

Under-age users

Users who are assessed to be under-age are required to undergo age verification procedures before they can use ChatGPT. The user must submit a picture of a government-approved identification document (ID) and a picture of themselves. The verification programme reads the date of birth on the government-issued ID and matches the ID photo with the picture provided. The user’s photo is used to confirm the identity of the person who submitted the ID and that the user is present and alive.

Sanctioned users

If red flags are raised in relation to sanctions compliance, Persona checks across much more than just the sanction lists maintained by the U.S. Office of Foreign Assets Control (OFAC). According to vmfunc, those users will undergo a whopping 269 checks, of which only 23 relate to confirming the identity of the person against the ID provided. The remaining checks use dozens of databases to check:

for a politically exposed person (PEP),

for certain crypto-wallet addresses,

against various media reports.

vmfunc produced the flowchart below to illustrate this process:

As well as disclosing the enormous size of the net that these users are checked against, vmfunc discovered that OpenAI has the ability to file suspicious activity reports (SARs) on its users to U.S. and Canadian money laundering authorities (FinCEN and FINTRAC respectively). ChatGPT doesn’t handle financial transactions, so one assumes that these reports would be created and filed based on the type of questions the user is asking and the answers they received. Note that FinCEN will only investigate a small proportion of these and other SARs, using AI and algorithms to rank them into risk categories. Remember, when you are being interrogated by your bank, that despite the SAR reporting system 98.9% of the proceeds of crime are not being confiscated, according to a 2016 Europol estimate. Although a paltry 2.2% of the proceeds of crime are being frozen, only around half of this amount (1.1%) is actually being confiscated.

vmfunc also revealed that a lot of the data collected by Persona as part of this process will be placed on a server that can be accessed by the government and retained for anything up to three years. The hackers also disclosed that, in line with most of Big Tech’s general contempt for the individual, OpenAI’s decision is spat out at the end of the process and, in the case of a refusal to provide access to their service, there is no explanation and no right of appeal.

I am sure that many people have horror stories of these “computer says no” situations. I had one hiring a car at a rental company in Heathrow where the computer decided that I didn’t have sufficient connection with the address on my driving license, despite the fact that I have lived there on and off for forty years. Although I had hired from this location in the past, the branch manager claimed that he was unable to override the decision generated by his computer, in spite of the fact that my documents proved my connection with the address. Perhaps I should consider myself lucky because it could have been worse compared to the Hertz customers who were arrested for grand theft auto!

The silver lining was that I stopped using this large chain and have since then hired cars from a long-established local firm which is run by some very nice chaps whom you can not only hire from, but also chat with.

Conclusion

It is clear that the digital dragnet is being widened, even for access to something as harmless as ChatGPT. vmfunc have performed a great service by disclosing that Persona’s verification system has been designed to offer two-way communication with the state and has a built-in ability for ChatGPT to file suspicious activity reports. It represents the merger of state and big business that is envisaged under Italian fascism.

(this quote is not literal, see note at end)

Large tech corporates are willingly cooperating with the state to spy on citizens. Whilst this cooperation can partly be justified for banks, it is worrying that this monitoring is being created for OpenAI. We saw during COVID how these unhealthy links between social media platforms and the U.S. government were used to shut down the social media accounts of dissidents (see video here).

A screen shot of ThinkingSlow videos deleted by YouTube during COVID

With the likely roll-out of teenage-by-default policies, ALL users will be required to undergo age verification. It is clear that the Internet will become an increasingly hostile environment for those who value privacy or who want to express an opinion. Yet, as I discussed in my last note, X (Twitter) has already created a de facto social credit score through its Hidden_Reputation_Score (HRS) which is based solely on a person’s opinions. People expressing views of which X disapproves (such as non-establishment views) achieve low HRS scores. It doesn’t take much imagination to see how access to multiple applications could well be restricted due to a low HRS (or equivalent). In addition, it is easy to see that all applications may at some stage have backdoors where they can report their users’ activities directly to government authorities. If you can be guilty of WrongThink on ChatGPT, you can be guilty of WrongThink anywhere.

It is good to know that there are so-called “white hat hackers” out there who are able and willing to expose the nefarious means by which Big Tech works with governments to monitor their users. A number of people have made the decision to exit this platform and X. Probably more will follow as these forums seem to be increasingly hostile to anyone challenging the approved narrative.

Thanks again to Mark Halliday Sutherland for suggestions and edits.

Alex Kriel is by training a physicist and was one of the first people to highlight the flawed nature of the Imperial COVID model. He spent his career in consultancy and fund management including a long stint in Russia. His last job was in one of the world’s largest pension funds where he handled corporate governance issues and shareholder voting over a portfolio of 2,300 equity investments. He is a founder of the Thinking Coalition which comprises a group of citizens who are concerned about government overreach and are developing practical solutions to protect inalienable individual liberties (www.thinkingcoalition.org)

Note on quote attributed to Mussolini

Like a lot of quotes available on izquote.com, this one is not accurate and there is no record of Mussolini making this statement. He did express ideas similar to the ones in the quotation in his document The Political and Social Doctrine of Fascism (1934): “The Fascist State has drawn into itself even the economic activities of the nation…” There is no doubt that the state rules supreme in his doctrine, where “The Fascist State …leaves a sufficient margin of liberty to an individual; the latter is deprived of all useless and possibly harmful freedom, but retains what is essential.” I suspect opinions will differ about what is meant by “essential”!