81 comments

[ 3.4 ms ] story [ 143 ms ] thread
Is there a news site that actually shows the leaked list of clients?
Breach consumer trust at your own peril.

At some tipping point I could see HIPAA-style mandates come into force for general data.

It'll take a few libel suits for false accusations first. Plus a court willing to award meaningful damages.
I would like to say you are right, but the pendulum seems to swinging in the direction of rendering HIPAA toothless. Breaking point may cone, but I have zero idea what it will be given the breaches we already saw.
The largest effect of data privacy regulations is on self-policing behavior. Every person at every hospital in the US knows what HIPAA is and is at least aware of it and potential impacts. There is training, consideration is given to it with respect to IT decisions, etc.

It is a very different set of behaviors than pre-HIPAA.

Same with GDPR, you very clearly see large corporations at least asking: "Do we need this data?" and there's a patchwork of state privacy laws (CCPA being the most prominent) that are in effect.

Case in point: Illinois has really stringent biometric data laws that include facial recognition and I would not be surprised at all if they were right now preparing for legal action against Clearview for violations.

I'd hope to see something like this at the national level, but state level is a good start.
Maybe it’s petty but I kind of like the idea of it being a morass of 50 different privacy laws so that a company has to tiptoe through a global minefield to sell data about me.
Perhaps you haven't been paying attention recently to how things go in the US. If there is any kind of regulation, it will be loophole-ridden and only implemented after consulting with the absolute worst offenders to make sure it won't impact their bottom line too much.

Law enforcement's use of this style of abusive technology will never be curtailed or in any way reigned in, but seeing as American law enforcement has never abused their power in the past, I'm sure that will continue to not be an issue.

> I could see HIPAA-style mandates

That would be helpful, but let's not forget that HIPAA isn't exactly some sort of gold standard. It's reasonably weak and full of loopholes.

(comment deleted)
So it was just a list of customers that was leaked? Sounds like a CRM hack or something.
I presume the NBA learned that from China? Oh, wait...

/sarcasm

Are there any examples so far around gross mis-use of this data? Building a large list of potential suspects and/or getting some direction for further study based on a face match sounds very useful, but sending a swat team to someone's house and ruining their lives based on a terrible match on a crappy picture is a whole other side of the scale.

I understand why a company collecting this information is annoying / frustrating, but it was also inevitable, was it not? EDIT: Example, LinkedIn just got told by a court that they must allow crawling. A quick crawl of profiles and photos would yield a beginning of one of these types of databases, etc - one it's on the web, you have to assume it can be used for facial recognition.

Either way I am happy that people are recognizing the import of what they post online - even if it's just a picture.

I think I'd refer to it more as "terrifying" and "unpreventable without regulation" more than annoying myself.
I agree it is terrifying. Is it really preventable with regulation though? You can't really put the data back in the box.
> Building a large list of potential suspects and/or getting some direction for further study based on a face match sounds very useful, but sending a swat team to someone's house and ruining their lives based on a terrible match on a crappy picture is a whole other side of the scale.

How do we know they were inputting pictures of suspects?

Could have inputted people they have a beef with, ex-girlfriends/boyfriends, ex-spouses, online dating profiles, annoying non-criminal activists, citizens/politicians that threaten police budgets, etc.

> Are there any examples so far around gross mis-use of this data?

To flip the question: how many databases like this haven't been abused?

When a corporation or government claims new powers over citizens/customers, the burden of proof falls on them to show how they can't/won't abuse it, rather than on the little people to show that it's been abused.

Agreed - I was trying to get a sense of the problem to-date, mostly. It's extremely important to ensure proper controls and I agree the burden of proof falls on the government to ensure they have controls in place to prevent abuses.

Perhaps I am merely surprised this creates so much outrage / surprise in this community. The folks on this website (we) have created so many platforms for sharing personal information publicly on the internet that it of course makes sense that people have been scraping it for years and it's likely stored somewhere and will be used for non-original purposes at some point because of course. As you say, how many data sets have not been abused?

Users have published this data themselves, on purpose, on web platforms meant for sharing.

I don't think this can be put back in the box. I'm not really sure how you regulate it in any effective way. There are some laws on the books and some corporate penalties but I don't see how you stop this if the model works using public data short of making the data so noisy and useless that it stops being effective (which may have to be the end result)

I think it's the same outrage as when someone uses a telephoto lens to takes pictures of the inside of your home from the street. It's all technically possible, legal(ish), and should have been anticipated by anyone who leaves their windows unblocked, but it's still a clear violation of expectations of a home and of the purpose for those windows.

Difference is that we've had hundreds of years to reach consensus on home windows, but barely a decade for social media. Laws are not keeping up with society's expectations, which in turn aren't keeping up with technology.

> so far

The really clever ways to abuse this kind of data haven't even been invented yet. We are still fumbling around with these technologies. Most of the currently visible examples of data misuse are "high tech"/"on the internet" variation of the scams and abuses humans have always done.

Current data misuse is a minor concern. The larger concern is that these databases will probably sill exist 20/30/50 years from now when someone invents a really clever way to abuse data. While it isn't possible[1] to predicting how technology will be used in the future, if the trends in technology over the last few decades suggest that this clever new abuse of data will be difficult for the average person to understand, highly disruptive to existing institutions, and the damage will cascade across the interdependencies[2] we've been adding to everything.

> Building a large list of potential suspects ... sounds very useful

Increasing the number of "potential suspects" is a terrible idea, because most of those suspects are innocent. Adding people to the suspect pool lowers S/N (actually-useful-targets/"potential suspects"). The ideal (magic) tool would produce a minimal list that simply identified the actual criminal. Adding more people to that list makes it less useful.

Also, see the Base Rate Fallacy[3] and the Birthday Paradox[4].

[1] https://en.wikipedia.org/wiki/Connections_%28TV_series%29#Co...

[2] http://geer.tinho.net/geer.blackhat.6viii14.txt (section 10, "Convergence")

[3] https://www.schneier.com/blog/archives/2012/05/criminal_inte...

[4] https://en.wikipedia.org/wiki/Birthday_problem

Thanks. This is very informative. I completely agree on future misuse, but I'm also not sure how to put any of this back in the bottle. What regulation are people proposing that would prevent compilation and sale of this kind of data that is accessible publicly on the internet?

Is it the government use of the tech, or the fact that the company exists in the first place that is upsetting?

> What regulation are people proposing that would prevent compilation and sale of this kind of data

Liability!

(with the option of avoiding that liability by explicitly not allowing yourself access to content/personal-data, aka a common carrier)

As Dan Geer said in my previous [2] (section 2, "Net neutrality"):

    Hello, Uncle Sam here.

    You can charge whatever you like based on the contents of what
    you are carrying, but you are responsible for that content if it
    is hurtful; inspecting brings with it a responsibility for what
    you learn.
     -or-
    You can enjoy common carrier protections at all times, but you
    can neither inspect nor act on the contents of what you are
    carrying and can only charge for carriage itself.  Bits are bits.

    Choose wisely.  No refunds or exchanges at this window. 
While he was talking about ISP spying, the general principle can be adapted easily. Inspection (or building databases of the results of other people's inspections) must be tied to liability for the problems and negative externalities produced by that inspection (or database).

Obviously this is a high-level description that ignores the messy details that are important in any actual plan. There is room for negotiation and modification. The goal is to create a situation that disincentives creating tomorrow's problems, just like we do for other types of hazardous technology. Data and spyware needs to be seen as toxic that requires special handling, storage, and disposal procedures.

> This is very informative.

Dan Geer's keynote - "Cybersecurity as Realpolitik" (video: [5], transcript: previous [2]) - is incredibly informative and should be mandatory viewing/reading for anyone interesting in trying to create the "least worst" Grim Meathook Future that technology is pushing us towards.

I also recommend Dan Geer BSides DC 2018 keynote[6][7] as an addendum/update to "Cybersecurity as Realpolitik". In both talks he provides a very concise description of the core problems that are defining our future.

    We have to soon choose what we want to happen when stolen data is,
    for example, not just exposed but also put on a blockchain from
    which it cannot be erased. Put differently, assured data deletion
    is far harder than permanent data retention, yet many civilized
    goals, including but hardly limited to a right to be forgotten,
    require the sealing of records or their outright destruction.
    Which do we give up, the slick usefulness of immutability or
    information crime being unmitigatable? What does consent of the
    governed mean when a technology trumps a Court Order? 
[5] https://www.youtube.com/watch?v=nT-TGvYOBpI

[6] https://www.youtube.com/watch?v=gbDEbfijxNY

[7] http://www.bsidesdc.org/history/geer.html

> Building a large list of potential suspects and/or getting some direction for further study based on a face match sounds very useful

Useful and sensible can be two very different things.

Total surveillance, down to every private space, could be useful to prevent crimes and save lives in accidents, that still doesn't make it sensible.

I'm curious if we're entitled to royalties when our likeness gets used. Anyone know one way or another?
Probably not. Only if it’s a photo that you own the copyright of, and you didn’t divest that copyright when you gave the photo to a site that had a reshare clause in its terms of use.
Didn't Harrison Ford trademark his face? Then they have to pay him to use it on toys and mechanise?
Could I trademark someone else's face and claim royalties? It seems like a legal stretch, or at least indicates a legal reality I can't support. Unless he has secretly had so much plastic surgery he designed it.
> Could I trademark someone else's face and claim royalties?

To get a trademark, the mark you're registering has to be actively used in commerce. There are other laws that come into play if you're using someone else's likeness in commerce.

The entire purpose of trademark is to prevent consumer confusion (for instance, to prevent one company from using another company's logo on their products).

Is the Obey logo trademarked?
Do you give up copyright when you upload photos to Facebook or LinkedIn?
No, you don't. You grant them a perpetual license to use those photos. You aren't granting a license to any companies who scrape those photos to use them. However, copyright only applies to distributing copies -- someone could collect and use photos and not violate copyright as long as they don't redistribute those photos.

Another wrinkle is that in the US the copyright of a photo belongs to the person who took the picture, not the person who appears in it (unless an assignment of copyright was signed).

So, if you posted a picture of yourself that you didn't take then you probably aren't the copyright holder, which would mean that you aren't the one who would have the right to recourse for any misuse of it.

The grey area is if data gleaned from a photo is also under copyright. Clearview could analyze public photos and store facial data from them without storing the photos themselves.
Right, this was what I was alluding to. I am not a lawyer, but I have a solid lay understanding of copyright. By my understanding (which may be wrong!), copyright law does not prohibit this use of the pictures at all. However, if they are providing the pictures themselves as part of the search results, there may indeed be a copyright issue.
I don't see why not. When you post your photos to Facebook, you are giving them a license to it, but that license certainly doesn't extend to companies that scrape Facebook's site. Seems ripe for someone to deal a punishing class-action to Clearview. One caveat is that you might need to register your copyright in order to be able to recover damages.

I also wonder if one might be able to use the DMCA process against Clearview.

They only view and make calculations against publically available data. The DMCA would only be helpful if they were sharing said photo.
No copyright law applies to the copying of a work, not its distribution. If they made any copies of the work (which they would have to if they were loading them into memory for processing) then they need to comply with copyright law.

> "The court determined that a copy of a program made from a hard drive into RAM for purpose of executing the program was, in fact, a copy under the Copyright Act."

see https://en.wikipedia.org/wiki/MAI_Systems_Corp._v._Peak_Comp...

But these are public photos offered by facebook under that license.

Anyone visiting the profile will have a copy of said public photo in there cache. That in itself doesn't trigger a copyright act because the photo is licensed for that act.

Reusing the image would trigger copyright protections as the licease granted to facebook doesn't cover that. It would be the same as downloading a trial program with images. You can use them in the game, you can make calculations on those images (they are this big, they are classifed as tree, face, etc) but you can't include them in your game.

"Reporting this story was surreal. Numerous organizations initially denied that they had ever used Clearview. We then followed up, and those same orgs later found that employees had signed up and used the software without approval from higher ups. This happened multiple times."

https://twitter.com/RMac18/status/1233151964881416192

(comment deleted)
(comment deleted)
I know it's been brought up before, but again, I would love to know the mental gymnastics Peter Thiel has done to rationalize backing this. The same Peter Thiel that sued Gawker for violating his privacy.
It's the difference between liberty and equality. Thiel loves liberty (his) and hates equality (yours).
Why are you surprised by him? He's highly intelligent, and absolutely without scruples. The perfect businessman.

He's a good model for the future of AI, where superintelligence's goals conflicts with basic human values.

> I would love to know the mental gymnastics

Nothing special. Cognitive dissonance is alive and well in the filthy-rich through to the dirt-poor. As we can see - your level of personal agency will be the determining factor in how much the world suffers from it.

Unfortunately we silo our processes in virtual-mental-machines at the expense of good ideas cross-pollinating terrible ones.

Thiel and Rudy Giuliani's pal ¯\_(ツ)_/¯ Here is a quote from a NYTimes story that was published last month, and got updated this month https://www.nytimes.com/2020/01/18/technology/clearview-priv...

>>In addition to Mr. Ton-That, Clearview was founded by Richard Schwartz — who was an aide to Rudolph W. Giuliani when he was mayor of New York — and backed financially by Peter Thiel, a venture capitalist behind Facebook and Palantir.

You are over thinking it. He has no principles as long as he makes money. That's very clear with his support of trump. He sued gawker because they hurt his feelings not privacy.
He does not care about privacy as a principle, he cares about _his own privacy_.

More generally, Peter Thiel is not a good person.

The same Peter Thiel who was buying blood transfusions from young people for himself . . . like a vampire. Whether it's milking the blood of young people or milking the privacy of anyone . . you can bet Thiel will be there.
It's called greed. It's like how zuckerburg loves spying on people but is paranoid about being spied on ( covering his laptop webcam and mic and putting up walls around his hawaiian estate). Privacy and money for me, nothing for thee.
(comment deleted)
....mental gymnastics Peter Thiel...

He'll donate $10 Million to EFF and get a badge.

This is not an equivalency.

You freely put photos of yourself on the internet and they use them. Don't like it, don't publish it. This is 95% of what's going on here.

Gawker took private information on Peter Thiel that he did not want public, and had not made public.

Hulk Hogan was worse - "at trial he claimed that the videotaping was without his knowledge or consent"

I think it's great a company is doing this openly. Do you think the TLA aren't? We also know private Russian companies have been doing this for years. This is a good move towards privacy.

I don’t believe publicly posted photos are the privacy issue at hand here. Facebook tracks your activity online and sell it to advertisers regardless of your consent, even if you’ve never created an account in your life. That’s the privacy issue (amongst other things).
Uh, not so much. Hogan’s situation was worse, to be sure. But Thiel’s PROFILE PICTURE on a couple of sites was him, shirtless, on gay cruises. Saying that “he wanted that private, not public” flies in the face of pure common sense.

Apropos of that, courts have long held that billionaires have reduced rights to privacy due to their “overwhelming influence on public affairs and events”.

That’s why Thiel backed Hogan’s lawsuit (and to my mind, interfered unfairly), and was not able to sue Gawker.

At what point are end users responsible for data they publish globally, such as instagram images?
So much for "our only customers are law enforcement"
The amount of retail and mundane consumer businesses on here is really disturbing:

Best Buy, Equinox Gym, Rite Aid Pharmacy, Home Depot, Kohls Department store?

What is going on? What possible use cases do these companies have that require facial recognition searches?

For retail businesses, it's likely related to loss-prevention and shoplifting.
Could you walk me through how that would work in practice though. Aren't these searches manual? How would this be an effective tool in something concerned with real time like loss prevention?
It doesn't really take a stretch of the imagination to come up with something. Ever seen Minority Report? They used retinal scans to ID shoppers to provide them with targeted ads, just replace that with facial recoginition. For the security/loss prevention aspect, stores have cameras on all of the entrances. The facial recognition systems could ID known shoplifters/return scammers/etc and alert security for "closer" scrutiny.
But it's not a real time system. You have to have a target and do a search. From Clearview's homepage:

"Clearview is an after-the-fact research tool. Clearview is not a surveillance system and is not built like one. For example, analysts upload images from crime scenes and compare them to publicly available images."

Do you imagine Rite Aid and Equinox Gym which are not exactly bastions of technology are developing sophisticated Minority Report type systems?

I think these systems would be applied less toward real-time shoplifting and more toward investigating and preventing repeat or systematic fraud, e.g. "hot exchanges"

(https://consumerist.com/2016/11/23/three-return-scams-retail...)

(https://consumerist.com/2017/04/18/man-steals-11000-in-stuff...)

Using Home Depot as a retail example, more and more, when you walk into their stores you may find cameras with signs boldly stating that "you're on camera" in aisles, at self-checkout registers, and at customer service desks (i.e. return desks).

These are meant to be a basic deterrent, but can also be used for investigation related to returns abuse/fraud. Many retail stores have allowed customer returns without a proof of purchase.

In some cases, they provide cash refunds, below a certain dollar amount. Most stores now issue gift cards/store credit, which can still be resold on card exchange marketplaces, ebay, etc for most of the card value ~90%.

That NPR story on this is very informative. Clearview actually has a list of all journalists and they programmed th journalist's photos into their application flow. They automatically block and even take away the license of the individual that is talking to the reporter.
Stop using your real names, use pseudonyms and drop random incorrect pieces of information. These companies can detect you based on writing style alone!
I buy groceries at my local Walmart neighborhood market and they recently replaced the self checkout kiosks with NCR systems that video your face while checking out.

Seems to me that I need to use a spare bag to cover the camera, or wait in line for a human next time I go shopping.

You don't think the human-operated registers will eventually also have cameras next to them?
I don’t know, but I certainly hope not. If this happens I don’t know how I can shop.
(comment deleted)
The only relevant response to this is to remove all pictures from Linkedin, Github and social sites - and only publish pictures on sites we control our self where we claim 100% copyright for all pictures. May be we could offer these pictures for sale to 3rd party use, for a small fee of few hundred million euros per picture. If someon scrape them and use that information commerially, and we somehow discover that, it's just to send them an invoice and see them in court.
But but China. America really needs a mirror sometimes. Maybe the VP copying the Chinese health care PR handbook should be another warning.