Security researchers uncovered exposed source code from OpenAI's identity verification provider Persona, revealing infrastructure that appears to link user selfies, biometrics, and personal details to U.S. government surveillance systems including references to ICE's ONYX tool* and FinCEN reporting.

The February 2026 findings sparked widespread privacy concerns, with claims that KYC data collected during ChatGPT access verification could enable broad monitoring and risk scoring across social media and financial records. A pro-China account amplified the story on X, warning users against sharing photos or sensitive information with ChatGPT, asserting it would be handed over for secret military use involving the U.S. and Israel.

OpenAI has partnered with the Department of Defense to deploy custom AI models on secure government networks, fueling speculation about deeper data ties despite no confirmed evidence of routine civilian chat handover. Persona and OpenAI have faced accusations but provided limited denials, leaving questions about the extent of government access to user verification data.

*ICE's ONYX is an AI-powered social media surveillance and open-source intelligence (OSINT) analysis tool developed by the company Fivecast, acquired by U.S. Immigration and Customs Enforcement (ICE) through a $4.2 million contract (as reported in early 2026 procurement details and EFF coverage from January 2026).The tool enables automated, continuous, and targeted collection of multimedia data from sources including major social media platforms, news streams, search engines, online marketplaces, and the dark web.ONYX constructs detailed "digital footprints" for individuals by aggregating biographical data across platforms, tracks shifts in sentiment and emotion in online activity, and assigns risk levels or threat assessments to people based on their digital behavior and connections.It forms part of ICE's broader expansion into internet surveillance capabilities amid increased funding for immigration enforcement tools, often used to generate leads without traditional warrants by leveraging publicly available or brokered data.Note that a separate February 2026 leak involving KYC provider Persona featured a government subdomain named "onyx.withpersona-gov.com," but Persona representatives stated this naming was coincidental (inspired by a Pokemon) and unrelated to Fivecast's ONYX tool used by ICE.