3 billion photos - 1 database for sale to anyone interested - 1 artificial intelligence application - 2.200 police authorities and private companies in 27 countries with access
It's like a science fiction script, but it's real.
The know-how has been around for years, that was known. It is now possible to develop an application that, using face recognition technologies, is able to confirm the identity of the person you are looking for. that person is enough be registered in a database1. Police authorities in more and more parts of the world are buying such applications in order to combine the material they collect from cameras with their databases.2. In 2018, Toronto police bought for $ 450,000 from the US NEC such an application, which it linked to the 1.2 million photos in its file. A few days ago posted the impressive history of the investigation of a homicide using this application.
What is missing is a large database. With photos of citizens.
The dangers of such an endeavor have always been obvious. The same goes for objections. How legal or legitimate is it for you to commercially develop such a technology, when it can lead to such a violent and total deprivation of a citizen's privacy? How dangerous can it be when you put such technology at the disposal of authoritarian regimes (if they do not belong to them) who have already developed it) or private companies? How easy is it to access a person's image in a world increasingly covered by video surveillance systems or voluntarily disclosed by social media posts?
All that was needed to "overcome" these concerns was the will. The will of one of the many large companies that are developing this technology and - most importantly - can have access to large databases, proceed with the project. And take on the burden of accountability.
This will did not exist. These companies have assured - and are assuring - that they have no intention of commercially developing such applications, but without missing the opportunity to show us how easy they are.
Facebook has developed for its employees (and then of course withdrew) one application, with which they could, turning their cell phone on a colleague, find out who he is3. At the same time, it proceeds to replace the tags that are inserted in each photo that is posted in the middle, with automatic face recognition. The user who uploads a photo of his company to his profile does not need to get tired to "tag" the people depicted. THE application she recognizes them alone. Amazon does not hide its pride in its exceptional capabilities Rekognition, the face recognition technology he has developed and sells and police forces.
Google already from 2011, has made it clear that it can at any time not only develop such an application, but also create the necessary database, but this would be considered as «Crossing the creepy line».
It took a hare to overcome this "creepy line". A company or a man who would undertake to break the wall of reservations.
This is where the Clearview AI. And Hoan Ton-That.
A random news item
In December 2019, one publication from Florida, USA, talks about the arrest of a young woman by the Tampa police and the Seminole County Police. The woman, who allegedly stole two grills and a vacuum cleaner from a store in Clermont, was identified by a tattoo and identified by comparing an image from the store's cameras with a photo of her on Facebook.
Few may notice a reference at the end of the article: "The Sheriff's Office said it is currently testing a face recognition program called Clearview AI".
And then the ones appear NewYTimes.
The revelation of the application
On 18-1-2020 the newspaper's website uploads an article by Kashmir Hill entitled "The secretive company that can end privacy as we know it". The article is published in front page the print edition of the newspaper the next day with the title "Implementation of face scanning is slowly approaching the end of privacy"
The revelations in the article are impressive.
A once-small start-up from New York, created by 31-year-old Australian-born Hoan Ton-That from Australia, has collected 3 billion photos of citizens from publicly available sources on the Internet and sells them to police by using face recognition has developed.
Ton-That has done what no one has dared to do until then.
He has done the most extensive scraping (Greek: scraping or harvesting) of photos that has ever been known. Simply put, it has found a way to collect and categorize a huge number of publicly available photos circulating on the internet. And he has.
From the first photos that someone uploaded to MySpace 15 years ago, to the photo that was posted on a website for an event attended by the same person, everything can be part of the file. However, the processing of personal data does not end with the collection and storage of these photos.
After scraping, the application undertakes to extract the biometric model from each photo and to match each image of a person, while storing any information about this photo (when it was uploaded, where it was found, etc.).
The company claims that the product is primarily aimed at law enforcement, in order to be an important weapon in the investigation of crimes.
In this context, the company develops and implements for many months an aggressive and extensive marketing policy. It communicates directly with police departments in all US states and informs about the new application that can give better results than ever before, as it is not limited to searching for suspects through the photos of their files.
Candidate customers they don't even have to buy the product. They can try it for free for 30 days, in order to be convinced of its wonderful potential.
In February 2019, the Indiana State Police is one of the authorities taking advantage of the trial use. Through this use, the perpetrator of a homicide, which was videotaped on a citizen's mobile phone, will be arrested. The photo of the perpetrator is not in the police files, but is in the database of the application. Within 20 minutes the perpetrator has been identified and the company has just found the first police authority to buy the product.
In May of that year, New Jersey police officers in Clifton asked their commander to proceed with the purchase of the application, citing e-mail a series of cases that were investigated with its trial use. Among the cases that were investigated was the case of the search for one "Good Samaritan", of the man who immobilized a customer of a store who threatened employees with a knife. Immediately after his heroic act, this man preferred to remain anonymous and disappeared. But no one can hide from Clearview AI. In summary proceedings, the application led police to their Facebook profile and immediately afterwards to verify their details.
According to the NYT article, this policy has begun to pay off. The application has been used by more than 600 law enforcement agencies, and the company also has it for individuals who want to use it for "security reasons".
The first reactions
The newspaper's revelations initially appear to provoke strong reactions on multiple levels.
. In 22-1 Twitter asks from Clearview to interrupt any collection of photos and data from its platform. On the same day, the Privacy Commissioner4 of Australia announces the start of an investigation into the possible collection of personal data of Australian citizens.
. The 23-1 Massachusetts Democratic Senator Ed Markey, member of the Committee on Trade, Science and Transport5 Senate, publishes letter to the company, requesting a detailed list of all prosecuting authorities in which the product has been promoted, as well as information on whether the product is sold to individuals and to whom. His Clearview AI he answers Eight days later, on the one hand, he cannot reveal to her information about the technology she uses or about her customers, on the other hand, it is nothing more than a «publicphotosearchengine» which has access only to public data on the public internet. "It simply came to our notice then software face recognition, we simply form indexes and allow the search for publicly available information ", states characteristically in her answer.
The Senator will characterize the answer "Unacceptable" but will not return until after the following data leak.
. The 24-1 the Attorney General6 of New Jersey, Gurbir Grewal, forbids the use of the application by the police authorities of his State. A key factor leading to this decision is the promotional use by the company of excerpts from a press conference of October 2019, when the Prosecutor is happy announced the arrest of 19 suspects for seducing minors. Clearview informs its prospective customers that the arrest was made thanks to the use of its application! The Prosecutor characterizes the disclosure of research techniques as "irresponsible" and, in addition to the ban, calls for the withdrawal of the material.
The same day, the website ZDNet publish the filing of the first treatment against the company in an Illinois court for violating the Biometric Information Privacy Act7, state legislation to protect biometric data. According to the BIPA, the collection and processing of biometric data of Illinois citizens can only be done with their express consent. Treatment will follow Virginia and New York8.
. In 28-1 the matter is before the European Commission. With Question to the Commission, 8 MEPs of the Renew Europe group ask to be informed whether the Commission is aware of whether the application is being used by EU authorities, whether it includes personal data of EU citizens, and whether it considers the use of such an application compatible with the law. to protect personal data. Similar question Stelios Kouloglou also submits on the same day. Until the time of writing of this [23-4], the Commission has not yet responded.
Europe and Greece are [literally] on the map.
. One week after submitting these questions, to 5-2, For the first time we will be informed that Clearview has also come to Europe. Following a request for access to a public document, Buzzfeed took the company's promotional material to the North Miami Police Department. This material also includes the following map of the expansion of the company's activities:
In addition to this map, with this material (which dates back to November 2019), Clearview informs its prospective customers that it is already active or directly planning its expansion in at least 22 countries, outside the US. What he will not tell them is that in some of these countries there are systematic human rights violations.
From the study of the map, its authors post find out the obvious. Clearview seems to have stepped on the ground of the GDPR. Nine EU countries, including Greece, are among the markets that the application has probably been used for.
. On the same day, CBS informs about a series of out-of-court settlements sent to the company. In accordance with article, Google, YouTube, Venmo and LinkedIn have followed in Twitter's footsteps and sent cease-and-desist letters, urging Clearview to refrain from any illegal behavior and to lift any previous action, ie to stop collect data and delete any data already collected from these platforms. Interestingly, according to the post, Facebook has not followed the same practice, but has only asked for information about its methods and practices. Let us not forget that when we talk about Facebook, we also refer to Instagram, the medium with the largest publicly available photo archive.
In the face of these actions, Ton-That invokes First Amendment9 of the US Constitution and responds that "We have set up our system so that it can only get information that is publicly available and get it indexes». Clearview AI, its founder adds, is just a search engine for faces. "If a piece of information is public, it is out there and can be displayed on its search engine Google, then it will be possible in ours as well ".
Εβδομάδα A week after Buzzfeed's revelation of a possible Clearview activity in Europe, the European Commission's first [and last] response is made public. According publication of her Euractiv 12-2, the Commission is in close contact with the Union's data protection supervisory authorities to assess the issue. "The Commission is aware of the press reports, we are monitoring the case and we remain in close contact with the national data protection authorities and the ESDP.", says a European official, to add: "These technologies do not work in a legal vacuum. The use of personal data falls within the strict rules of the ICCPR, which require a well-defined legal basis and legitimate purpose, to inform the subject of the processing and to have the means to restore and correct it. ".
The agency notes that, according to US sources, Clearview is not a member of the EU-US Privacy Shield agreement, which raises even more questions about the terms of its activity in the European market.
. In 13-2 Toronto police, denying initial denial, confirms that the application has been used by its members. Ten days later, at 23-2, the office of the Federal Commissioner of Canada for information and privacy announces launch an investigation into whether the company's practices comply with privacy laws.
. In 25-2 Homo Digitalis addresses letter to the Minister of Civil Protection for the use of the application by the law enforcement authorities in the Greek territory. The letter, which cites Buzzfeed's information, has not yet been answered.
. The 26-2 publication The Daily Beast reveals the leak of the entire Clearview customer file after an operation on its files. According to the article, the company has informed its customers that an unknown person has gained access to its customer list, the number of accounts of each of them and the number of searches they have made. This information will be made known only 24 hours later, with a publication that will provoke even more reactions.
. Indeed, the details will published the 27-2 at Buzzfeed are impressive.
According to the information provided on the website anonymously:
- the application is used by more than 2.200 law enforcement agencies, public bodies and individuals, in 27 countries. Many of them are not subscribers of the company, but ordinary users of the free trial of the service.
The list of U.S. law enforcement agencies includes: Department of Homeland Security, ICE, Department of Justice, US Secret Service, Drug Enforcement Administration, Bureau of Alcohol, Tobacco, Firearms, and Explosives and FBI. At the state level, among the users are the Attorney General's Office in the Southern District of New York, the Miami, Philadelphia, Indiana, Atlanta and Chicago police. The largest police force in the country, the New York police is the customer with the most searches. The system has recorded 11.000 searches through 30 user accounts.
- But customers are not the only ones. The list includes 50 educational institutions in 24 states, 200 US companies, from Kohl's and Walmart to Wells Fargo and Bank of America or even the NBA and telecommunications providers AT&T, Verizon and T-Mobile.
- The list records 26 countries in addition to the US, whose police authorities have used the application: Australia, Belgium, Brazil, Canada, Denmark, Finland, France, Ireland, India, Italy, Latvia, Lithuania, Malta, the Netherlands, Norway, Portugal, Serbia, Serbia Spain, Sweden, Switzerland and the United Kingdom. Greece, this time, is not on the list.
- The file shows the use of the application by Interpol, while confirming its sale in Saudi Arabia and the UAE.
. On the same day, Gizmodo publishes analysis of the hidden features included in the - not available in the Google Play - app of the application. The app, which has been created for use by android devices, was found on a publicly available Amazon server, from where it was downloaded and installed.
The consequences of the leak.
. In 29-2 the editors of Vice Anna Merlan publishes the material sent to her by Clearview following the exercise of the CCPA's right of access.
CCPA10, California State Consumer Protection Act establishes rights for individuals in a manner similar to that of the General Data Protection Regulation. Among these rights, the consumer has the right to request access to the information collected by a company about him as well as their deletion. Following the exercise of these rights, the author has received a file with all her personal information from the application.
From this file he finds that:
- the photos cover the period from 2004 to 2019.
- each photograph is accompanied by the full details of the address at which it was found.
- most of the photos were occasionally posted on the applicant's social media accounts (even the once popular MySpace), but there are many, which refer to random websites with references to strangers in her face
- between the pages from which the material has been "scraped" there are also pages of applications that do exactly the same job, to collect photos. InstaStalker, an online scraping application that collects and archives user photos from Instagram, is typically mentioned.
. In 2-3 Buzzfeed, again, publishes article on application expansion plans and other technologies. According to the publication, the company has already developed, through a subsidiary company called Insight Camera, video surveillance systems using the face recognition applications that the company provides. The cameras appear to have been tested by two prospective clients, one of whom is the United Federation of Teachers (UFT), a teacher union in New York's public schools.
In addition to video surveillance, Clearview appears to be working with two companies to make augmented reality glasses, which could be used.
. In 3-3 Senator Markey returns with a new one question to Clearview, on the occasion of the news of the leak of its information. Among the questions he raises are the question of whether the company intends to expand into live face recognition tools, such as augmented reality glasses. Corresponding letter send two more Senators, members of the Committee on Science, Space and Technology11 of the US House of Representatives.
. In 4-3 the Canadian network CBS reveals that RCMP12, the federal police of Canada, has used the application of Clearview AI, despite its initial denials a month earlier. "With the exception of the use of the application in cases of child sexual exploitation, the use has been investigated on a very limited trial basis.", the body's representative states, to add "RCMP does not use Clearview AI to the public. We use it only in the context of criminal investigations that we carry out, primarily for the identification of victims. ".
. In publication of Philadelphia Inquirer on 5-3, a Philadelphia police spokesman confirmed the use of the app, as revealed by the Buzzfeed list. According to the spokesman, the approximately 1.000 searches in Clearview's database have been piloted, as the authority has not yet drawn up a policy for the use of face recognition applications.
On the same day, the New York Times published an incident that reveals what many suspect and everyone fears. The fact that the company promotes the application to individuals, even to individuals, despite its categorical denials.
In accordance with publication, Greek-American billionaire John Catsimatidis used the app at a Manhattan restaurant to find out the identity of the man who had just appeared in the same place, accompanying his daughter. "I wanted to make sure he wasn't a charlatan.", said the happy father who took care to send the results of the search directly to his daughter's cell phone. Excited, his daughter reportedly said: "I have the ability to do crazy things for my father. He is very familiar with technology. My companion was very impressed ".
. The next day 6-3 This makes it a perfect choice for people with diabetes and for those who want to lose weight or follow a balanced diet. EPIC (Electronic Privacy Information Center), an independent research institute for the protection of privacy, publishes letter to the FBI, requesting information on the basis of the FOIA13.
On the same day, the OneZero website reveals Clearview AI's intentions to add to its databases the famous mugshots, the records of those arrested by the US police. In accordance with publicationAsked by the Wisconsin Green Bay Police Department about their ability to upload to the application and the mugshots they keep in their file, the company said that its intentions are to add them to its database. all mugshots of the country for the last 15 years. After all, as explained in the article, the database already includes photos from publicly accessible files with mugshots, from pages such as Rapsheets.org and Arrests.org,
Also on this day, the Swedish Data Protection Authority Datainspektionen is becoming the first EU supervisory body to announce its decision to investigate the use of the application. According to announcement published on its website, the Authority has no knowledge as to whether the application is used by the Swedish authorities. For this reason, it has sent a series of questions to the police, the port, customs, immigration departments, and a number of other Swedish authorities to find out if they are using the Clearview AI application, and if so, on what legal basis.
As the Authority characteristically points out, the guidelines14 EU cameras make it clear how facial recognition technologies can be used. The basic rule is that their use is not allowed when the purpose is to identify a person. The more specific use of these technologies by police authorities is expected to be regulated by a relevant directive of the NSRF.
. In 10-3 the Attorney General of the State of Vermont announces the exercise treatment at the expense of Clearview AI for violating state legislation on consumer protection15 and for illegal data collection for mediation purposes16. At the same time, it is submitted application Motion for Preliminary Injunction, which requires immediate action against the company.
In its introduction to the case file, G.E. mentions features:
"Our fundamental freedoms: to express ourselves, to come together, to go out and to walk in the city, are based on a fundamental right: privacy. Our daily activities often require a degree of anonymity, which we do not appreciate, until we lose it, like any celebrity can confirm. The opposite of privacy is monitoring, the situation in which we are monitored, monitored and analyzed continuously. Technology, for better or worse, has made monitoring cheap, efficient and, in some cases, widespread. Monitoring is also profitable. As our lives, more and more, shift to a linear presence, monitoring in the form of controlling our web browsing, our search history, and our consumer habits has become a given. We are aware of hundreds of businesses, advertisers and in some cases government authorities from the moment we connect.
However, we still have the option to shut down the computer, go out and enjoy our anonymity as we spend our time. This limited but critical degree of privacy, this boundary between normality and an Orwellian dystopia, which is already a reality in some parts of the world, is in danger of disappearing.
Face recognition technology, the ability to create a visual biometric "footprint" of each person, gives the theoretical possibility to instantly recognize anyone, anywhere. It has the ability to eliminate the privacy of anonymity once and for all.
For that to happen, technology would have to be combined with a huge treasure trove of identifiable photos, such as those circulating on the Internet. There is the ability to do that - but companies with the ability to create a mass-recognition face recognition application have refused to do so. They know that this will exceed the limit. It would be immoral. It would be wrong.
The defendant ClearviewAI […] Did what no other company wanted to try. He posted billions of photos on the Internet, allegedly stealing them from social media and more. sites. He extracted the biometric data of specific individuals from these photographs to create a huge monitoring database. He examined us, mapped us and sold us.
Its implementation Clearview It has been made available to hundreds or possibly thousands of individuals and entities, including foreign countries. Its customers have been large businesses, from shops to casinos and health centers, who were more than willing to use the app, as long as no one knew they were doing it. THE Clearview He now claims that he is restricting the use of the law, but has not provided any basis for us to trust this policy as true or that it will continue to apply when Clearview get out of the spotlight.
An undetermined number of Vermont residents are in this database. None of them have agreed to be there. Even worse, their children have been caught in this net, with no chance of escape. We have been forced to stand on the recognition of suspects without our consent, every time a ruthless person or company searches its database Clearview.
With this request, the Vermont Attorney General says "So far".
Η answer Clearview AI's claims will come on the same day: "Clearview AI works in a similar way to search engines like Google and Bing. Clearview AI, however, collects much less data than Google and Bing because Clearview AI only collects public photos and their webaddress. That's all", will state the company's press release, adding that "Google, Bing and Facebook collect much more data, including names, addresses, financial and health information and consumer habits".
Clearview in the corona era.
The thoughts of the Attorney General of Vermont are interesting and, if nothing else, move those who oppose the violation of privacy. But it is just one of the few exceptions to the rule.
And the rule is that most competent authorities remain apathetic against the huge scraping of data and the extraction of biometric samples made by the company. This prolonged silence, even after the previous revelations, could, unfortunately, be interpreted as confirmation of the company's allegations of the usefulness of its implementation.
The rule will be confirmed a few days later, on 17-3, with one publication of the Wall Street Journal, which comes to restore the impressions. The U.S. government, according to the article, is in contact with the company in order to use its database to identify patients with the virus. The purpose sanctifies the means, extraordinary conditions require extraordinary measures, and so the collection of photographs and the processing of biometric data can ultimately be useful.
Concerns about the opposite, however, will continue to come up.
. The 24-3, OneZero will become the second medium publish the results of the application for access to the company's database.
. In 7-4 HuffPost will reveal the connections of Clearview AI executives with the American far right, with a very extensive and detailed research.
. In 15-4 AFP, Australia's federal police, will become another police force agree use of the application, despite its initial denials.
● Another blow to the reliability of the company's security measures, publication of TechCrunch on 16-4 will reveal that SpiderSilk, a cybersecurity company from Dubai, gained access to the company's files, including the source code of its application.
Where are we today?
Exactly where we were when we first learned about the existence of Clearview AI.
Three months ago, one of the largest US newspapers revealed that an unknown company had collected personal data of millions of citizens and used it as a source to extract biometric data in order to market a face recognition application.
In the aftermath of this revelation, we also learned that the company has its application not only in the United States, but also in the rest of the world, not only to police authorities, but also to private companies or even individuals.
We also learned that the company is planning to expand its application to video surveillance systems, but also to identify individuals using augmented reality glasses. The user of these technologies will be able in real-time to identify any person within the range of the camera or pass in front of him, the moment he wears the glasses.
Against this storm of revelations, no one has reacted.
In the United States, Clearview AI is being called upon by the federal government to put its implementation into action to curb coronation. Face recognition technologies are the pre-eminent field in which "purpose sanctifies the means."
In Europe, where one would expect stronger reactions and more immediate intervention, only the Swedish authorities have dealt with the issue.
The European Commission has unofficially leaked that it is monitoring the issue and has been silent ever since. It is perhaps to be expected, after all, that we must not overlook the violent transfer of priorities caused by the pandemic.
On the other hand, one of the most important concerns that has emerged in trying to limit the spread of the virus - and perhaps most importantly those that will concern us the next day - is the expediency, necessity and extent of the decline of fundamental individual rights. in the name of protecting the public interest. And In the case of Europe, this crisis can be summed up perfectly if and to what extent "the end sanctifies the means."
Especially in the case of Clearview AI, the problem the Union has to deal with is, perhaps, more complex than any other case we have encountered in the past. With a new, stricter than ever and extremely popular legal framework for the protection of its citizens' personal data, the European Union is called upon to respond to a very complex activity, with many distinct activities - processing operations.
To promote its commercial goals, Clearview AI:
A. has collected and stored personal data of millions of European citizens.
This is an independent activity that should not be overlooked. After all, it's not the first company to do this. A few years ago, an also unknown company, hiQ, was involved in litigation with LinkedIn, for the scraping of resumes he did, in order to resell them to employers.
Creating mass databases for commercial use is an extremely profitable and very easy activity.
But there are many questions.
Can an American interest company collect personal data from European citizens in order to set up databases for commercial purposes? Such an activity is part of the territorial scope of the General Regulation and what opportunities European citizens have to protect their rights.17;
B. has processed biometric data of these persons.
Many will argue that processing biometric data for crime purposes is legal and even necessary. Not coincidentally, proponents of using the Clearview application point to how many cases of child victims have been clarified, thanks to the possibilities it offers.
However, this is not an application that allows prosecutors to process biometric data. The biometric identification is done by Clearview itself and is offered ready to anyone interested and in any possible way. Even with a simple mobile app.
In this sense, the legitimacy of biometric data processing should be judged on the same basis regardless of whether the user is John Catsimatidis or Interpol.
C. has created a, commonly accepted, state-of-the-Article application for face recognition, which it sells along with its database, both in Europe and in markets around the world.
We must not forget that face recognition technologies tend to become an existential issue for human rights Europe. After its initial leak information that the 5-year ban on the use of these technologies in public places is being considered, the Commission has finally removed the relevant wording from text of the "white book" on Artificial Intelligence published on 19-2-2020. Europe does not seem to be sure how privacy and privacy rights can be reconciled with the unlimited possibilities of these technologies.
As has been eloquently stated by Union officials, if Europe does not move forward with these technologies, it risks becoming the backbone of technological developments, against giants that bend little (US) or not at all (China) from similar dilemmas.
"These technologies do not operate legally" A spokesman for the commission said on February 12, commenting on Clearview AI's practices. "The use of personal data falls within the strict rules of the ICCPR, which requires a well-established legal basis and legitimate purposes."
In the theoretical approach we all agree, but in practice how sure are we that this is the case?
How optimistic can we be that Europe has a response to practices like Clearview AI?