Clearview AI has created one of the broadest and most powerful facial recognition databases in the world. Their application allows a user (law enforcement we hope) to upload a photo of an individual into the application. Once the photo is analyzed within the app, it shows the requestor all the public photos of that same individual found in their database of more than 3 billion images, along with links to where those images reside online (often on social media sites, but in many other places as well). The application has been used by more than 600 law enforcement agencies since 2019 to help solve shoplifting, identity theft, credit card fraud, murder, and even child sexual exploitation cases.
The New York Times analyzed the computer code underlying the application and found that it includes programming to pair the application with augmented-reality glasses, meaning users would potentially be able to identify every person they saw. The application claims real-time identification. Will the police now be seen wearing fancy new identity glasses or using video identification monitors in their vehicles? While the Clearview AI application is proving to be a valuable law enforcement tool, what is the cost to the privacy of citizens around the world? Canada, for one, has ruled this tool illegal.
Canada’s Response
Canadian authorities determined that the gathering of facial recognition data by Clearview AI is illegal because it violates federal and provincial privacy laws. The case represents a win for individual privacy and sets a precedent for other legal challenges to the controversial technology. A joint investigation of privacy authorities led by the Office of the Privacy Commissioner of Canada came to this conclusion in early February 2021, claiming that the New York-based company’s scraping of billions of images of people from across the Internet represented mass surveillance and violated the privacy rights of Canadians, according to a release the Office posted online.
The investigation found that Clearview was collecting highly sensitive biometric information without people’s knowledge or consent. The company used and disclosed that personal information for purposes that would not be appropriate even if people had consented. Canada’s Privacy Commissioner Daniel Therrien responded in a statement:
“It is completely unacceptable for millions of people who will never be implicated in any crime to find themselves continually in a police lineup. The company continues to claim its purposes were appropriate, citing the requirement under federal privacy law that its business needs be balanced against privacy rights.”
Is The US Next?
In the summer of 2020, US lawmakers proposed legislation that would indefinitely ban the use of facial recognition technology by law enforcement nationwide. The new bill comes after months of public concerns surrounding facial recognition’s implications for data privacy, government surveillance, and racial bias. While there is no federal ban on the software as of now, many cities have started taking action themselves. The larger cities that have implemented a ban are Pittsburgh, PA, Madison, WI, and Boston, MA, as well as a number of smaller municipalities surrounding Boston. It’s a step in the right direction for citizen privacy, as there have been a number of lawsuits against Clearview AI for falsely identifying people as having committed crimes.
Could CCPA, GDPR, or Other Legislation Help?
The passing and enforcement of the California Consumer Protection Act (CCPA) has gotten businesses in the US thinking and talking about what data they collect, how they use it, how they protect it, report on it, and delete it. CCPA requires businesses to provide consumers with the following rights:
- Right to my Data: businesses must provide a summary of the data they collect and the sharing practices they follow;
- Right to be Forgotten: a process to request that one’s data be deleted (all privacy policies should now spell this out);
- Right to Stop Sharing: a process for individuals to opt out of the sale or sharing of their personal information; and
- Right of an Underage Person: businesses are prohibited from selling personal information of consumers under the age of 16 without explicit consent.
Both CCPA and GDPR include biometric identifiers, such as facial recognition, within the definition of personal information. This means businesses will need to inform consumers of their rights as outlined above and to communicate those rights through their website’s privacy policies. Additionally, businesses must get serious about their privacy processes and consider appointing a Data Protection Officer (DPO) to handle privacy inquiries. When an individual makes a privacy rights request, the DPO would be responsible for validating the individual’s identity and fulfilling the request.
California isn’t the only state that has adopted privacy requirements like these. Nevada has recently implemented legislation similar to the CCPA. The states of Colorado, Massachusetts, New York, and Washington are also working on legislation that will try to protect their residents’ privacy. It is important that these states include biometric information within the definition of personal information, allowing people to opt out of having their information sold to companies such as Clearview AI.
What Can I Do To Protect Myself?
You can reach out to companies like Clearview AI via their Privacy Page and request that your data be deleted, although every user request we reviewed on Reddit stated Clearview AI could not find any personal information for the individual in question. CyberHoot wonders who is supervising their data privacy request processes.
You could also write to your congressional delegate or Senator, asking them to pass comprehensive privacy reform legislation federally. Federal legislation is needed to protect all US citizens equally anywhere in the US, instead of each state creating and adopting its own unique privacy legislation. This would have the beneficial side effect of enabling businesses to meet one standard instead of 50.
Technology is rapidly outstripping our ability to regulate under existing laws. A holistic approach to privacy protection is needed. Stay informed, delete your data where you don’t want it stored, and fight for your privacy rights to protect our anonymity and security.