53MB of Naked Code and the Surveillance Machine Nobody Asked About
2026-04-04, Test Chamber 01

You hand over your passport to use a chatbot. Somewhere in a datacenter, a facial recognition algorithm checks if you look like a politically exposed person, your name hits a sanctions list, and a cron job schedules your re-screening for next month. We started with a Shodan query and ended up with the entire TypeScript codebase of a FedRAMP government endpoint, unauthenticated, and sitting wide open.

This talk walks through how passive OSINT exposed the full architecture of a biometric identity surveillance platform: SAR filings to FinCEN, STR filings to FINTRAC with intelligence program tags, facial recognition against PEP databases, 269-step verification pipelines, and 3-year biometric retention. No systems were accessed. No credentials were used. The infrastructure told its own story.

computer lockpicker (it/its)

as seen on nullpt.rs, ud2.rip, digitalgangster, and tcp.direct