quad | 16 hours ago
This is a bog standard KYC system that basically every single financial institution that has to deal with US laws is required to have. Ask me how I know. 😓
Halkcyon | 8 hours ago
Sure, but is OpenAI required to do KYC? Why would it? They aren't a financial institution and don't have any of their compliance requirements. We should be questioning these powerful tech companies and holding them accountable.
quad | 8 hours ago
Is OpenAI doing KYC? The blog post describes multiple independent systems:
openai-watchlistdb.withpersona.com; which they assert in section 0x11 is called in Persona’s verification flow… but I don’t see where they presented evidence for that? Moreover, they assert that it does OFAC and FinCEN and such… but again, no evidence? The timeline they present could also be explained by this service being something Persona owns that uses OpenAI; especially since it’s been around for so long. Regardless, AFAICT the service just has a provocative name.
app.onyx.withpersona-gov.com; a KYC and SAR SaaS that relates to OpenAI insofar as it uses their API to provide a chatbot that doesn’t even get PII.
Halkcyon | 7 hours ago
I think it's unanswered whether OpenAI gets PII from users asking the chatbot questions or what is loaded into that chatbot context. I don't think I've ever ironically called any of my services "watchlistdb", but I'll cede I do have some prod dbs with typoed names because someone made a mistake and now we can't fix it because it's not worth the effort, so maybe they started it with one purpose and just kept using it.
msfjarvis | 4 hours ago
I'm not a ChatGPT subscriber but the post mentions OpenAI requiring verification via identity for access to GPT-5, which I would assume is a KYC thing.
jcd | 3 hours ago
They do require you to validate yourself with a photo ID to use GPT-5. It was not a requirement to use previous models (and is why I stopped using OpenAI).
Corbin | 6 hours ago
No, it isn't. My credit union has a bog-standard KYC system. It mainly features a person and interviews. It consists of notes accumulated in the course of many ordinary transactions. It retains history between the customer and the financial institution. It is built from my candid and repeated insistence that I am not touching Bitcoin or doing crimes. Also, I don't think OpenAI is licensed to operate as a financial institution and I would not expect them to have a KYC workflow.
quad | 5 hours ago
Yes, it is. And if this is true about your credit union, then I expect them to show up here in due time.
As I noted more expansively, AFAICT there is no evidence in the post that OpenAI has a KYC workflow.
nolanvoid | 7 hours ago
Maybe this is the actual story? That lots of people wouldn’t like what’s in a bog standard KYC system if they knew. Maybe what’s reported here doesn’t actually matter (they say themselves there’s no known connection to law enforcement aside from a possible connection in the onyx name) but it’s presented scarily and I’m wary of any gov data collection.
quad | 7 hours ago
In that case, I hope this gets the word out. Businesses are deputised to be invasive in a way that the government (ostensibly) cannot. Worse, the regulatory framework mostly doesn't achieve its (ostensible) goals!
dzwdz | 19 hours ago
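> To offer safe AGI, we need to make sure bad people aren’t using our services.
That's actually a direct quote from OpenAI and not a paraphrase, wow. Bold.
edits:
I wonder what the visa status field is supposed to be used for by downstream users.
> no, we can’t give you the zip. we know. we want to. believe us, we really want to. but the code is still Persona’s copyrighted property regardless of how monumentally they fumbled serving it to the entire internet.
I really hope someone leaks this. I assume they did the initial recon from their home IP, so they couldn't get away with publishing this under a pseudonym? There's probably a lesson there.
(btw, what's with the diagrams with box drawing characters? they're so weird)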
gerikson | 14 hours ago
You might think the (current) US government are bad people, but you can bet a couple hundred billion dollars Sam Altman doesn't think so.
danlamanna | 9 hours ago
Really? We're doing autoplay music on websites now again?
veqq | 20 hours ago
Awesome presentation
Halkcyon | 8 hours ago
Sometimes I open a website and feel like the Internet still has magic.
rebeca | 5 hours ago
I intended to read it all, but then got distracted playing with the kitten/mouse xD
ki9 | 6 hours ago
I couldn't read it. It's like 5pt font, gray on a gray background.
thisalex | 3 hours ago
Alas, "maximize" button doesn't work 😢
dubiouslittlecreature | 19 hours ago
This is existentially terrifying
rooneymcnibnug | 4 hours ago
Wondering if adding some of these subdomains to the blocklist at https://github.com/RooneyMcNibNug/pihole-stuff/blob/master/SNAFU.txt will help, but it's kind of a balance of deny-listing this garbage vs. breaking usability.
rooneymcnibnug | 3 hours ago
Added some stuff from section 0x06 (integration stack) to that blocklist for now :shrug:
rplacy | 10 hours ago
RSS is broken, how do I point that to the author?
dz4k | 9 hours ago
ident.txt accessible from the "start menu" has some contact info.
kwas | 9 hours ago