Claude now wants your passport

Anthropic just became the first major US AI lab to require a government ID from consumer users of Claude. 1 Starting July 8, 2026, Anthropic can ask Free, Pro, and Max subscribers to submit a photo ID, a selfie, and a facial geometry template — data it self-classifies as potentially "biometric" under some jurisdictions. 1 Enterprise, Team, and API customers are exempt. 2

This isn't a routine privacy update. It's the product-layer consequence of a geopolitical crisis that unfolded two weeks ago — and a preview of where all frontier AI access is heading.

On June 12, the U.S. Commerce Department issued an emergency order under the Export Control Reform Act (ECRA) requiring Anthropic to block all foreign nationals from accessing Fable 5 and Mythos 5, its two newest frontier models. 3 The trigger: Amazon CEO Andy Jassy reportedly alerted Treasury Secretary Scott Bessent about a jailbreak discovered by Amazon researchers, and the Commerce Department acted the same day. Sen. Mark Warner (vice chair, Senate Intelligence Committee) said NSA Director Gen. Joshua Rudd told him Mythos had cracked "almost all of our classified systems" within hours — though the NYT later clarified this was a controlled red-team exercise, not a live intrusion. 3

The problem Anthropic hit was architectural: it had no real-time way to verify user nationality. The only compliant option was a global shutdown — Fable 5 and Mythos 5 went dark for everyone, including U.S. users. 4 Geoffrey Mattson, CEO of identity security firm SecureAuth, put it bluntly: "The only way — because we actually don't know who is using the model — was to completely shut it down." 4 Identity infrastructure is now operational infrastructure.

Anthropic spokesperson Michael Aciman told TechCrunch the policy currently applies to "a small percentage of users" — framing it as an appeals mechanism for flagged accounts rather than a blanket onboarding requirement. 5 The policy language, however, grants broader discretion with no disclosed trigger conditions or data retention timelines. 5

Anthropic chose Persona Identities as its verification provider — a San Francisco KYC (Know Your Customer) platform backed by Peter Thiel's Founders Fund (which also holds Anthropic shares). 7 Government ID images and selfie data are stored on Persona's servers, not Anthropic's. 1 In February 2026, security researchers found Persona's government dashboard codebase exposed on a FedRAMP-authorized endpoint — 2,456 files, 53MB, no exploit required. The exposure revealed Persona can run 269 verification checks including counterterrorism watchlist screening, adverse media monitoring across 14 categories, and filing Suspicious Activity Reports with FinCEN. 7 Discord ended its Persona partnership within weeks of that disclosure. 7

The community response has been swift. The r/ClaudeAI thread (1,923 points, 783 comments, 94.3% upvoted) shows users recommending DeepSeek, GLM, and Mistral Vibe as alternatives, with the auto-generated thread summary noting the top sentiment as "an overwhelming 'absolutely not.'" 8 One user framed the brand damage directly: "You couldn't design a better way to destroy the one differentiator that justified paying a premium if you tried." 8

Privacy attorney Jodi Daniels (Red Clover Advisors) flagged that undisclosed retention timelines create Illinois BIPA exposure — the Illinois Biometric Information Privacy Act requires written consent and disclosed retention periods before biometric collection begins. 9 Anthropic says it has contractually restricted Persona from using verification data for ads, marketing, or model training — but has not published those retention timelines. 5

As of June 25, 2026, no other major U.S. consumer AI product requires identity verification. ChatGPT and Gemini have no equivalent consumer-tier requirement. 6 OpenAI does require verification for API organizations, but not for ChatGPT's consumer product. 10

That gap is not necessarily durable. The Five Eyes alliance (U.S., U.K., Canada, Australia, New Zealand) published a joint statement in May warning that frontier AI models are expected to "fundamentally transform both offensive and defensive cybercapabilities" on a timeline of "months, not years." 3 The U.K. has already announced bans on under-16 social media use and an 18+ minimum age for AI companion chatbots, effective spring 2027. 7 The regulatory tailwinds point toward KYC becoming table stakes — Anthropic is first, not last.

If your product is built on Claude's consumer API: The API tier is explicitly exempt today. 2 But the Fable 5 shutdown showed that export control directives can force global service interruptions with no notice. Lumiera Loop's post on June 25 makes the operational risk concrete: "Any organization building agentic workflows or production applications tied solely to a single, closed-API provider risks immediate operational failure if that provider faces an injunction, a cyberattack, or an export control directive." 11 Single-provider dependency is a product architecture risk, not just a cost question.

If your product serves non-U.S. users: The Fable 5 shutdown hit all users globally — not just foreign nationals — because Anthropic lacked per-nationality enforcement capability. 4 International users responding to the ID policy are naming CLOUD Act (a U.S. law requiring American companies to provide data to law enforcement regardless of where it is stored) and FISA Section 702 concerns — even if Anthropic complies perfectly, the jurisdiction of the underlying vendor matters to users in regulated markets. 8 If your product routes data through Anthropic for users in the EU or UK, your privacy policy may need to be updated regardless of whether your users hit the verification prompt.

If you're doing competitive analysis on the Claude vs. GPT-4o vs. Gemini decision: "No ID required" is briefly a differentiator for OpenAI and Google. It also may not hold for long. Mattson's read on the next 12 months: the AI companies that win enterprise trust will be the ones that "take the security concerns of using their models completely off the customer's plate" through built-in KYC, scoped agent authorization, and certified human oversight. 4 Watch for whether OpenAI or Google make a KYC-free stance a public commitment — or quietly follow Anthropic's lead.