236 comments

[ 15.6 ms ] story [ 7636 ms ] thread
Is it really that surprising, since all the photos are available on public sites? It seems this tool reveals the same a Google search for the name would reveal.
This guy's name is Tom Smith. Go ahead and pop that into Google and let me know how that turns out.

His name is about as generic as you could imagine for a white person. But they returned a bunch of images of HIM, and one Alexey Something-or-other, which could be his troll account.

Edit: the Alexey part is a joke, I'm sorry but I thought it was funny.

TIL generic names (in your geographic region) are good ways to promote privacy.

I always wondered how the Chinese authorities figured that out considering the massive name reuse in China. I can’t watch a Chinese movie or TV show without at least one character sharing the surname (the first part in China) of a Chinese person I know.

Smith would be our classic version in the west.

The Romani people have used it as a general tool to make it difficult to govern them. The local equivalent of "John Smith" gets used by everybody in every official form. Meanwhile, they just call each other what they otherwise would've.
China handles it by making you put your national id # or phone # on everything you do.
The only real concern I see is that it allows someone searching to go from photo to name very quickly.
Ideally we live in a society where not being anonymous is not such a big risk.

But governments change, the data is still around to be abused.

This is what disturbs me. Is how data can be abused in the future.

> not being anonymous is not such a big risk.

the world has always been anonymous because of the lack of capability to track large amounts of data - until recently.

Anonymity allows you safety from any one who seeks to predate you. I think that safety needs to be maintained. People stupidly put photos of themselves online, then face tag their friends. This allows third parties to identify your friends and circles, and that's dangerous. All relationship should be reciprocal.

No, long ago the world was a bunch of small groups of people that knew each other intimately. At the village and tribe level there was little or no anonymity. The offset was that there was also intimacy. The problem now is that we again have no anonymity, but there is none of the intimacy needed to offset the negative aspects of this (and we probably can't, I don't think intimacy scales the same way, but who knows).
I thought about this. Perhaps youtube real videos (not staged mini tv shows like peewee) has opened up people's lives to their world. Perhaps twitch/live coding streaming provide this on some level. Perhaps onlind video games or even social media provide that intimacy into others lives at scale.
The people who left their tribes (or were forced off) were effectively anonymous to any new group of people they might come across. So if you were kicked from your group for a misdeed, sure you could continue your bad deeds in the new group or you could turn over a new leaf without the weight of your past mistakes holding you back.
Ever wonder why places were called the Wild West?

It's an awful dangerous place when you're alone out in the Wild West.

> The people who left their tribes (or were forced off) were effectively anonymous to any new group of people they might come across.

The people who left or were forced out often died. The world is a scary and dangerous place without a support network, which civilization basically is.

> So if you were kicked from your group for a misdeed, sure you could continue your bad deeds in the new group or you could turn over a new leaf without the weight of your past mistakes holding you back.

Outsiders were often viewed with distrust. Why wouldn't they be, when most people can only associate their leaving the safety of the community with at best a foreign way of thinking, but more likely them being forced out for past misdeeds.

It's sort of like interviewing for a job a 35 year old that has no work experience to show for the last decade, and not a very convincing story as to why (or even if it's feasible, you don't really know). Why take the risk?

> the world has always been anonymous because of the lack of capability to track large amounts of data - until recently.

The first data privacy law ("loi informatique et liberté") were introduced in France around 1980, after a controversial government project to create a massive database of people generated a huge scandal.

So it's been possible for quite a while, it's just that it was reserved to state actors.

Privacy laws, much like noise ordinances and pollution regulations, are emergent responses to novel threats and ills.

In a world without the printing press, anti-libel laws didn't exist. In a world without photography, rights to personal image and freedom from invasive shutterbugs didn't esist. Anti-wiretapping and phone-recording restrictions were necessitated by the telephone. The Bork bill protecting the sanctity of ... video store rental records ... was necessitated by videocassette technology, a video rental market, Supreme Court nomination hearings, chatty store clerks, and newspapers interested in publishing such details.

As technologies tear down and penetrate the long-standing barriers to snooping, recording, transmitting, analyzing, and acting on what had always. been personal and private behaviours, societies turn to law to reinstitute those protections.

Privacy is an emergent phenomenon and a direct response to intrusions.

This nails it. It's not the present view of you that someone might get, but it's the fact that they can roll back the clock on you and re-interpret anything you did or said or anywhere you went. Digging up some ancient tweet is somewhat analogous to it, but it cuts way deeper when you start thinking about every moment of your life. On the flip side, if you're just living your life OpSec feels overkill...
Yep. "I trust this entity with my data" is absolutely not an argument to be lax with your privacy.

Take Pebble for example. They had a very invasive privacy policy and reserved the right to upload pretty much anything from your phone via the companion app, but they were a cool hacker-friendly hardware startup and a lot of people trusted them.

Years down the track they ran out of runway (the ugly side of "unicorn or bust" venture capital but that's another rant) and were bought out by Fitbit. Meh, Fitbit seemed pretty good with privacy too so that's alright, I guess?

Now Google's bought Fitbit and potentially has a bunch of very personal, private data on everyone who originally trusted Pebble.

Why were Pebble and Fitbit more trustworthy? Because they were "cool"?
Whether the really were or not is another question. Personally, I didn't trust them any more, but a lot of people did.
And because they had only one source of data, namely their watch/armband, and were not cross referencing it with search queries, YouTube views, etc. Unlike Google, needless to say.
> This is what disturbs me. Is how data can be abused in the future.

The general 1984 style dystopia vision is that there’s a gov’t change for the worst and you could be SWAT’d out of the blue.

The most probable one is that this kind of tool would be used in far less obvious, if at all visible, ways.

In that situation some kind of honeypot/canary strategy would be nice to reveal shady use but I can’t seem to come up with a realistic one.

Exactly. Very current affairs: governments are looking into getting location data from phone networks, apps, phone manufacturers to determine whether people are sticking to the curfews. And this change in perspective happened real fast.

Does the end justify the means? A pandemic like this is the ideal chance for a government to set up emergency measures like martial law, while the people themselves are too busy trying to look out for themselves and their family to be able to protest it.

Of course, anyone with half a brain already knew that unlimited data gathering, including location or personal information, was a bad thing.

I’m pretty sure ICE is already using that to find potential targets that are not residents.

Most non technical people don’t understand how powerful technology is.

This website does some crazy redirect loop between medium at the sub domain when opened without JS. How is that even possible?
Server side redirect after tracking cookies aren't set by JS. Advertising.com blogs (AOL?) do the same thing.
It didn't for me. (It did, however, make the content of the page load roughly two orders of magnitude faster.)
Also running into this issue.
Potentially done with an http-equiv meta tag hidden inside a noscript tag

    < meta http-equiv=refresh content=0; url=http://example.com/ >
Nothing magic, they're just sending a HTTP 302 redirect if they don't see a cookie. If you hit it with wget you'll see two 302s, one of them with the old "Moved Temporarily" text and the other with "Found". I'm not sure why you only get two with wget, possibly user-agent sniffing. Tracing with firefox's dev tools I see an initial JS redirect, but that may be a bug since I've got javascript disabled for medium. Alternatively it's a bug in NoScript and that's not good. Either way they'll toss a 302 with no js at all.
I had the same issue. Found it was because I had set Firefox to block all cookies for medium.com (probably to get around the article limit).
I used to think some of my peers were being overly cautious by purposely trying to obfuscate their online profile. Back in the day, I couldn’t care less about putting in effort to try to protect my online privacy. I have slowly but surely come to see the light. Now it’s at the forefront of my mind at all times.

Learning about this company (and I imagine other unknown entities are doing the same) has encouraged me to get more aggressive.

I think I will start to try some shenanigans I learned from a friend. I plan on replacing my online profile pics to a random grab from https://www.thispersondoesnotexist.com/. Might not make much of a difference for the old stuff, maybe I can successfully request a data deletion as the article suggests. At least it will introduce a little bit of noise to the AI overloads :)

Starting in the early 90's, 'everyone's a dog on the internet', so my profile pics were dogs. One buzzed evening, I changed a few to Fabio. Good luck, Fabio,
"I miss the good ole days of the Internet -- back when the men were men, the women were men, and the kids were FBI agents."
I too am extremely opposed to any and all non-consenting invasions of digital privacy (i.e., the problem isn’t the known-known of what you upload, but the hidden implications of it), but on the contrary, I make a disciplined effort to make my digital fingerprint reflect my actual views and identity. Whatever time capsule my digital identity ends up in, I want to be as accurate and beautiful as possible.

This includes my avid support of corporations which make good faith efforts to defend natural rights and freedoms, and my vehement opposition to corporate/political nonsense that does not represent, in good faith, the interests of humanity and nature. “A reasonable amount” of surveillance is an essential aspect of society, but it SHOULD be considered invasive, and should never be invisible. I suspect that there will be BS metrics to evaluate how “consenting” a given individual is to NSA/Clearview type behavior, and I would hope that I am casting a shield of protection. I feel bad about the fact that an element of bitterness is necessary to be resilient. I know no other way than truth.

I truly act as if AI is learning from me, and believe that there are long reaching and metaphysical effects to all actions.

Thank you for sharing this viewpoint. Your end goals are admirable. I will seriously consider adopting your strategy.

Obviously, I'm using a nym. Because I've wanted to my life to be faceted. I've lived very publicly before (ran for office). But in geekdom, I didn't want people to casually correlate my politics (activism) with my open source efforts.

Again, thank you.

Replacing pictures wont help (they already have them), GDPR request for deletion might work better but on the other side you also give them your confirmed identity. With companies as shady as this one, they might just set a flag in their database and add your documents data to them.

As you have figured out on your own, public should listen to some people warning about this for more than decade instead of making fun from them (tin foil hat,...).

And if anyone thinks that google and facebook are not having their own versions of clearview, think again. Any form of online presence under real name has to be minimized and it is doable but this would mean that all personal narcissistic pushes would need to be stopped (or should I say - cured) and refrain yourself from using any personal information (no, you wont secure my account by having my phone number, provide me TOTP if the security is really the reason) on the internet while avoiding it beeing stolen by apps (application firewalls, sending back fake data and not using any google applications including removing their preinstalled spyware by rooting the phone).

I can guarantee you that you wont be missing anything relevant (I am doing it for more than decade). But. Will you do that? Can you do that? Do you want to do that? Most people just rather take blue pill.

> With companies as shady as this one, they might just set a flag in their database and add your documents data to them.

This is exactly my fear. If they were more legitimate, I wouldn't be worried about sending an ID card. Thinking if it makes sense to fake an ID with my real picture on it so they can give me the data and 'delete' it but with a fake name to make sure I'm at least not feeding the troll.

GDPR request for deletion might work better

Dumb question - how can anyone be sure that companies actually delete the data? What about the backups, what happens to the data there? How do these govt enforcers verify this? Also, what about Clearview's employees abusing the data? what stops them from snooping on someone they are interested in?

It's pretty easy to check whether or not they are still selling a profile of John Q Deleted to customers, since anyone be a customer.
It is actually not stupid. Nothing stops them except a liability for a hefty fine if they are cought. In same manner as nothing stops criminal from stealing your car. But there might be a jail sentance that deters him from doing it. Some cars will be stolen, some criminals cought and jailed. Sure, car has locks. It is preventive measure. Same as not uploading your personal data/pictures/... to "public" servers.
Just for the record, the journalist who broke the story on Clearview noted that Clearview AI has specifically demonstrated it isn't fooled by thispersondoesnotexist.com:

https://twitter.com/kashhill/status/1218542846694871040?s=20

You won't be giving them any info on you, but you won't be confounding them either.

True, but at least it prevents them from linking accounts. It is equivalent to no profile picture, which you might not want to keep up appearances.
You may be surprised to learn that your face is your least identifying trait online. You network of friends/followers/likes identifies you far more readily—even if you use a random username.[1]

Managing your privacy is a lot like CPU side channel attacks. It forces you to re-evaluate your fundamental assumptions about what information can be exploited.

[1] http://www.vldb.org/pvldb/vol7/p377-korula.pdf

I'm not sure what is not working-as-intended here?

Run facial recognition against computer generated face, got no matches. Surely that is the expected and intended result from both parties?

Or is it expected to match against a different face?

They might have already scraped all of the faces on that site. They aren't generated on demand so you conceivably scrape the entire database of fake people and tell the algorithm to ignore anything matches them. Then, the algorithm would just treat any photos of a person that doesn't exist that it finds in the wild as it would if you have no profile pic. It might fool a person or an AI not trained on those pictures. Another option is to generate your own people that do not exist and use those images. This could work as long as Clearview isn't doing some sort of image analysis to look for telltale signs of AI-generated faces. You could start photoshopping fake faces onto your real pictures in an effort to blur the line between AI generated pictures and real pictures.
It's the fact that it returned no matches, that indicates it isn't fooled. If it were fooled, it would have associated those faces with the accounts that use them (assuming anyone is using the, which they probably are).

By returning no accounts, it demonstrates their AI isn't using those faces for identification.

He thought giving them a fake face would gum up their search quality and ability to resolve him. I'm saying it would basically be a null-photo to Clearview.
In that case, how about the opposite strategy? Take your own picture and a GAN with a latent space feature (i.e. a thispersondoesnotexist that lets you decide age, gender, etc.). Then set the parameters so that you get a picture of yourself. Upload this picture to social media and watch Clearview ignore it, while you still look like you to humans.
I was thinking something similar. Maybe with some randomization to it, so different profiles across (social) media wouldn't link together through Clearview et al. but still all look like you to humans.
But, that sounds like it is fooled, in this context.
I grew up with the "don't use your real name on the internet" in the back of my head, this was before kids got internet safety classes.

5-10 years later, Facebook came up with their real name policy and started asking people to snitch on their friends if they used a fake name. Google, and mainly Youtube, came with a real name policy as well, on the one hand for Google+, but on the other to try and fight comment abuse - theory being people are more hesitant to be a dick on the internet if they use their real name.

But people got used to that real fast, and since there was little consequences anyway, it didn't work.

People have valid reasons to use a fake name on the internet; government and business surveillance is a big one. Abusive / stalker exes are another. Having an alternate persona (e.g. entertainers, authors) which people are trying to hide from their un-understanding or abusive family, or society at large.

Your peers were being rational, but it's a drop in the bucket. I've come to the conclusion that privacy can only be protected with legislation. There is too much surface area to protect for the average person to police their own data trail online. Even experts have a tough time doing it. You'd have to abstain from virtually everything, and even then you can't keep other people from posting you, tagging you, etc.

This isn't a technical issue. It's a political issue.

The article is missing a link to the Clearview forms to request a copy of the data or request deletion: https://clearview.ai/privacy/requests
Its absolutely wild that for anyone that's not a resident of California or EU/UK -- there isn't a way for you to request anything other than specific images/links.
> there isn't a way for you to request anything other than specific images/links.

And you can't even do that unless you've already managed to remove the image from the internet:

https://clearview.ai/privacy/deindex:

> This tool will not remove URLs from Clearview which are currently active and public. If there is a public image or web page that you want excluded, then take it down yourself (or ask the webmaster or publisher to take it down). After it is down, submit the link here.

At least for GDPR reasons (as far as I understand it) you can forbid the use of your data. They then are not allowed to use your data in any way. Even data already public or put on the internet by you in the future.

If they do they are in "deep shit" (pardon my french) legally. I actually hope they do this - and somebody can catch them in the act. I believe they will be gone soon then.

Also I would advise anyone under GDPR legislation to also request exactly with whom the data was shared and go on to also request deletion and usage information from them. It is a pain that one has to jump all these hoops. I would love for the GDPR to have a way of forcing such a company to also do the information and deletion requests on your behalf and prove that to you.

Sadly this was not included I believe.

Even more incredible is that the opt out link requests a clear view of your face to proceed.
Even more incredible that it requires a picture of your ID
It makes sense to me. This is a database keyed by facial images. They don't know your name with certainty. The only way to look you up in the database is by face. Then presumably they need the ID to make sure it's you who's requesting the info. Hard to imagine how else to do it, given the nature of the technology.
Exactly. Otherwise, this is just a vector for any person to exploit the process and freely play cop by uploading a photo of someone they're trying to track.
But isn't that whole value of their service?
Yes, but the value is to provide that in exchange for money, and ostensibly only to law enforcement agencies and similar organizations. (If you try to sign up on their website, it says "Clearview is available to active law enforcement personnel" and that you need to apply for access.) If you're a random citizen and can get the same data, especially for free, the value proposition breaks. And the privacy implications would be worse.

So, I get why they ask for ID, even though I also get the reluctance to give them your ID since it could help tune their system.

How much would you worry about your ID being leaked, if/when Clearview AI is hacked into? What can be done with the info?
How else would they know what images to remove?
Thank you. I was having a hard time finding this.
This is a case of 'never click "opt-out" on spam'. Clearview is not to be trusted. One should not go through their process. They are not likely to delete the data, and if they have none, they are likely to create a profile for you.
I wonder what would happen if I were to issue them a $5000/mo/piece retroactive license invoice for any/all use of my name/likeness/etc for their profit.

I wonder what would happen if everyone did.

I’d love to see a successful copyright case along these lines.

I wonder if this can be combined with adding a “terms of service” to your FB profile.

Corporations have perverted contract law to the point where their terms of service are binding even if you never read them, or are even aware of them.

Turnabout is fair play, right?

In OP’s case, his profile includes pictures scraped from a privately hosted blog, where adding such terms would be a simple matter.
Wouldn’t the new terms and conditions only apply to the pictures after the TnC have been added? So any already scraped picture could still be used.
CFAA enforcement is only for large corporations. Try to get an AUSA to enforce CFAA violations against a big company as an individual person with a website and they will probably laugh in your face.

Remember: there are two sets of laws in the US: ones that apply to you, and another set for large corporations that cooperate with the police and military.

A class-action suit that would probably last for a couple years and end in a settlement where the claimants - assuming they fill(ed) in forms x, y and z, would be entitled to at best a few hundred dollars.

See also the Equifax settlement. I'd say Equifax is the best / most recent example about something like this.

> Equifax is the best / most recent example about something like this

Equifax’s credit-data provenance is enshrined in law. Their mistake was in improperly distributing legally-owned data.

Clearview does not have legal claim to individuals’ or Facebook‘s copyrights. Its mistake is more fundamental than Equifax’s.

Bit of a rub that to request your messy, potentially erroneous, public profile, you have to give private, authenticated identification and contact information - basically the most valuable information they could want, dramatically increasing the value of your profile that you were so concerned about in the first place.
> Bit of a rub that to request your messy, potentially erroneous, public profile, you have to give private, authenticated identification and contact information - basically the most valuable information they could want, dramatically increasing the value of your profile that you were so concerned about in the first place.

The concept of being opted-in by default and being forced to authenticate yourself to opt out is getting more and more ridiculous by the day.

These systems need to be opt-in, and that requirement needs to be enforced by some kind of powerful government agency with the power to arrest and jail non-compliant operators. Anything less feels like it would end up being a complete surrender to companies like Clearview AI.

I've been thinking about this for a while. A fairly simple solution would be to turn the incentives around. In the EU, people are already the rightful owners of their data, so that needs to be applied world wide. But that's not enough.

To really flip the table, we need to make it mandatory to pay people for use of their data. If a company is exploiting[ß] someone else's property, the owner must be compensated for the privilege. Take a page from SaaS companies' nickel-and-diming ("pay per use") billing strategy, too. Just turn it around: forbid blanket permissions and consents.

The idea is to ensure that other people's data needs to be universally treated as a toxic liability, not an asset.

ß: in economic sense, although other meanings apply equally well.

The governments are the customers of such products. We can't expect them to protect us.
> The governments are the customers of such products. We can't expect them to protect us.

So you're saying we should just surrender to companies like Clearview AI? I don't agree with your fatalism.

I think you're making a mistake in assuming that governments are unaccountable and cannot be prevented from pursuing interests that against those of the people. That's clearly not the case. If you were right, we'd already have unchecked police surveillance (isn't government is the consumer of surveillance products?), but we don't. That's only the case in non-democracies like China. In democracies, society (and the government itself) is capable of putting significant constraints on government action.

I suppose it depends on the definition of government. I was thinking of the executive branch (maybe I confused the terms). Parliament legislation would be the branch that has the responsibility to protect from such things.
I came here to make the same comment. I don't like what this company is doing, but the information is already public. People should know that anyone can read your public data and assemble it. It is not very different to living in a town. In a town everyone knows public, and no so public, information about everyone. Police, or a private investigator, can always go and interrogate the butcher or the hairdresser and ask information about you. They can also read the local gazette. The difference now, and it is not minor, is that the town is global.

Privacy starts from us not revealing our private information. That's why we have curtains at home. It is us who put the curtains on windows.

Its probably because for clearview its the only way to know that it is indeed you who is asking for information on yourself.
I asked this in a sibling comment to yours but couldn’t the government, who issued your ID in the first place, make requests on your behalf to enforce the privacy laws they’ve created?
Came here to say this. Do any of the privacy laws allow for deleting your profile without proving to the company who you are? Could you have the government make the request on your behalf? Sending Clearview your license sounds like confirming your credentials in a haveibeenpowned-like honeypot. Seems irresponsible for the author to even suggest that to readers. There should be other ways.
When it comes to information gathering, I have always assumed if it is technically possible to do, then some agency in the government is doing it. So even if people were able to shame all of Clearview's customers into not using them, that wouldn't stop this type of information gathering form going on.
Just because the government has nukes, doesn't mean citizens should have them. The government shouldn't have them, either, but there's not much citizens can do about that outside of revolt.

Meanwhile this company has been nothing but privacy abuses and lies to the public. If it isn't broken up by law, it will be interesting to see what the people do.

Is it me or did anyone find the availability of photos to be less than I would have expected.

It is worrisome but a facebook could produce a lot more privacy related connections from private photos no one knows existed. I guess I was expecting that.. perhaps in the future facebook will offer this service.

Almost all of those photos were from the guys personal blog and one wasn't even him.

I'd be way more worried if it was finding stuff like me in the background of someone else's photo in a crowded city or something like that.

To my knowledge, only 1 photo of me exists online (I've never even taken a selfie), in a concert crowd that showed up in our online newspaper. Feeling pretty secure about that.
It's interesting how collecting or distributing files with music is a grave crime and corporations can take down anything they don't like with a half-assed DMCA request, with no repercussions for "mistakes", but a person's face image doesn't belong to that person and the same corporations can safely collect and distribute these images for profit.
It goes even further than corporations being able to request things from being taken down. Kim Dotcom's house was raided by the FBI in New Zealand over this. He isn't even an American!
>Kim Dotcom's house was raided by the FBI [...]

Source? The US asked for his extradition and the NZ authorities raided his home, as far as I know.

raided at the request of the FBI (which was at the request of the MPAA) might be more accurate.
Actually, in Europe it is illegal to collect personally identifiable information of people without their consent. GDPR and all that.

I am surprised they haven't been fined out of existence yet.

Probably because nobody in the EU currently has this company on their screens. Or because those who are critical of this company and its practices have not yet reported it to the relevant authorities.

In Germany not only the GDPR regulation but also the so-called "right to the own picture" applies here.This means that no one may use/sell pictures of a person without explicit consent. Therefore, photographers must also have an explicit release of the person for the respective context of use.

There has been recent activity (article in german).

The article claims you could ask for deletion of your data without uploading your ID.

https://www.golem.de/news/gesichtserkennung-datenschuetzer-r...

Clearwater did not obtain consent, so the data shouldn't be there in the first place. Each and every data protection Behörde here in Germany should be investigating this.
Well I would advise everybody to file a complaint to their local DPA. Even if you can oppose the processing, they rely on legitimate interest (doubtful their balancing act is acceptable) and they acquired the data in a legal way, they failed to inform the user of a second-hand data collection[1].

So If they have data on you, that is older than a month, and did not contacted you to inform you of it, you can file a complaint!

[1]https://github.com/LINCnil/Guide-RGPD-du-developpeur/blob/ma... (In French sorry)

Google and Facebook are still around, so the GDPR is an absolute joke of a law that nobody cares to enforce.
You might be surprised: https://www.enforcementtracker.com/
Search for how many of those enforcements came from Ireland. Now look up what country's GDPR authority Google and Facebook and most American companies are choosing to be subject to. It's not a coincidence that the place that hosts all US company's remote headquarters isn't participating in GDPR enforcement.
Just a correction - consent isnt the only legal basis. Thought it was important to correct you here so others reading the comment wouldn't get the impression that no consent = illegal
YouTube takes this one step further to the ridiculous extreme that if you are live streaming a DJ set, it censors your stream in realtime whenever it detects a copyrighted song, i.e. a good 1/3 of your stream. It doesn't need a DMCA request, it does it willingly.

YouTube is so horrible now for content creation, I don't understand how content creators are able to post anything anymore without it being smashed by the copyright automation.

Unfortunately, the EU adopted law which will force all social media to do something like what YouTube does.
It's because you haven't shown a dollar value of damages.
> but a person's face image doesn't belong to that person

Copyright applies there too, and if you sued them for it, it's not inconceivable you might win.

I'd need to prove it, they'd skillfully dodge the request, I'd have to hire expensive lawyers (500/hr) and make a more formal request that's harder to dodge, they'd say the data is distributed across the globe in multiple jurisdictions in a very complex form, I'd have to hire an entire law company that works with international cases (1M/month?), they'd drag their feet and mud the discovery requests as much as possible and at the end of the day it'll be about who runs out of money first and who has better connections. The copyright law is made to resolve disputes between big companies.
> but a person's face image doesn't belong to that person and the same corporations can safely collect and distribute these images for profit.

The irony is that companies like Facebook, Twitter, etc are really bothered when another business scrapes profiles to mine data uploaded to those sites.

I wouldn't be surprised to find out that one of these companies gets sued by them for "stealing" content they host and violating the licenses for user content they grant themselves via their ToS.

Private companies can do whatever immoral garbage they want, and in exchange for access to the data or the product they developed in an unethical manner, the government slaps them on the wrist, or does nothing, allowing it to get worse and worse and allowing them to assert more control over us.

Imagine the story when people find out this or another company started skimming the porn sites with facial recognition, starts gaining access to surveillance footage from Nest or Ring, or maybe even gets access to state and federal DOT cameras and real time feeds from body cameras!

Facial recognition is going to need some regulation, ASAP.

> starts gaining access to surveillance footage from Nest or Ring, or maybe even gets access to state and federal DOT cameras and real time feeds from body cameras!

https://www.engadget.com/2020-03-04-banjo-ai-utah-law-enforc...

> The agreement gives the company real-time access to state traffic cameras, CCTV and public safety cameras, 911 emergency systems, location data for state-owned vehicles and more. In exchange, Banjo promises to alert law enforcement to "anomalies," aka crimes, but the arrangement raises all kinds of red flags.

> Banjo relies on info scraped from social media, satellite imaging data and the real-time info from law enforcement. Banjo claims its "Live Time Intelligence" AI can identify crimes -- everything from kidnappings to shootings and "opioid events" -- as they happen.

(comment deleted)
They should be in prison, instead of making money on violating people's privacy.
Excerpt:

"What does a Clearview profile contain? Up until recently, it would have been almost impossible to find out. Companies like Clearview were not required to share their data, and could easily build massive databases of personal information in secret.

Thanks to two landmark pieces of legislation, though, that is changing. In 2018, the European Union began enforcing the General Data Protection Regulation (GDPR). And on January 1, 2020, an equivalent piece of legislation, the California Consumer Privacy Act (CCPA), went into effect in my home state.

Both GDPR and CCPA give consumers unprecedented access to the personal data that companies like Clearview gather about them. If a consumer submits a valid request, companies are required to provide their data to them. The penalties for noncompliance stretch into the tens of millions of dollars. Several other U.S. states are considering similar legislation, and a federal privacy law is expected in the next five years."

They are using copyrighted images. What if 1000 of copyright owners decide to sue them asking $100 000 each?
One thing you should be very careful about is licensing. If you post photos on Facebook or Instagram, you automatically grant them a license to redistribute the photo and share it with others. And these "others" can include Clearview. So, Clearview could have a contract with Facebook which legally allows them to get and save those photos. So, you are still the copyright owner, but due to licensing Clearview can legally store and use the photos.

About suing them if they would break copyrights: not sure about the US, but in Germany it wouldn't be that easy to actually sue them for such a high sum. You could argue that the company makes money by offering the search service, but there must be evidence that Clearview made that specific sum just with your photo(s), which is very unlikely.

At least if it is a photo in a news story or from a private homepage I would believe they are in trouble. I doubt they have licensing agreements from every news source. And I am sure they do not have them for private homepages.
They would have to be able to prove that in a lawsuit first. Do they have similar agreements with the alumini magazine? The python coder's meetup group? The personal blog?

Just one of those pictures would be enough for a lawsuit.

Of course, if someone were to sue, they would be heavily pushed to settle out of court. I suspect there's a lot more legal activity going on about things like this, but everyone that starts to make some noise is quickly silenced with a lump sum and a binding contract to shut up about it. If they don't, they're threatened with spending the next 5-10 years in court. Because if there's anything corporate lawyers are good at, it's stalling and making sure the suing party, especially if it's a random consumer, spends years and hundreds of thousands in court fees.

What we need is more rich people suing businesses. Or a massive public defense fund supporting the average joe's case.

But right now it's in the rich people's interests to support shady businesses, and if they don't they'll be offered massive financial incentives on the golf course.

Compiling profiles like this without consent is subject to massive fines under GDPR.

I find it extremely surprising that they would be responding to GDPR subject access requests, given that they appear to be ignoring the rest of it.

Not replying would get them in trouble even faster. So probably they hope to appease the one requesting the data.
Do the founders of this company have their profiles in the database? What about the other executives and investors? Do those profiles contain all of the same personally identifiable information as any other randomly sampled user? Does it show photos, social media posts, personal contacts, school teachers, addresses, family member data etc? If not, this sort of blunt assault on privacy would make Orwell toss in the grave.
30 Top HTML Templates

HTML Templates; When you think you need a good website for promoting your service or good then you will need to research for picking good HTML Templates, but if you the lucky person then it’s for you, just because we will help you to take a good HTML Templates for your dream website.

https://www.electronthemes.com/html-templates/

#30TopHTMLtemplate #TopHtmlTemplate #BestHtmlTemplate #TopFreeHtmlTemplate #BestFreeHtmlTemplate

So will we see a new normal that if you delete your data, you’re considered suspicious as it looks like you might be hiding something.

Personal data may soon become the same as a credit score. No data, high risk.

This is already here with Google if you use oBlock or uMatrix. Endless Captchas...

"We detected suspicious blah blah blah"

Wow that last photo doesn't even remotely look like him. I'm more surprised by how bad their facial recognition is than by the data have.
Given the „right to be forgotten“ shouldn‘t he be able to request all his data be deleted?
From the article:

> And remember that once you receive your data, you have the option to demand that Clearview delete it or amend it if you’d like them to do so.

I'm not entirely sure what's so shocking about public data, shared willingly by the person to the public, being used to identify the person. If the data weren't/hadn't been shared willingly, I'd definitely see that as a problem. Same thing as if the data were to have been gleaned from non-public sources e.g the person's private belongings or secured digital realms like private forums, password encrypted backups, private profiles, etc.
It's about trust and permission. If I give e.g. a local news website permission to use my portrait, I do NOT implicitly give permission to Clearview, Google, Facebook, etc to use it for their own purposes.

I mean it's implicitly known that anything you post on the internet is public property, but legally that is not the case. Portrait law (at least in my country). You can't just take someone's portrait and use it for your own gains.

Are they actually using it, though? Or are they just a search engine presenting public links that are hosting the photos of your face? Is linking to something covered by GDPR?

Couldn't this same argument be made for Google reverse image search? Reverse image search someone's face and you're likely to get links to places that photo is located; potentially including links to different photos of their face, as well.

They're likely mirroring local copies of the photos as well when they show you the link (in case a link later 404s or changes), but so is Google reverse image search, I believe.

If your position is that both things are wrong, that's fine, but would Google then basically have to remove the entire feature? Or prevent searches for any photo containing any faces?

Actually you do, because scraping is considered legal in the US and your information is on a public site which makes scraping the information legal.
Alright, I’ll go there. This is like claiming all German citizens were complicit with the Nazi movement, because it was legal.
Legal _in the US_ is an interesting point. We often see the US trying to overreach and apply US standards when US-owned material is hosted on sites outside of the US (Richard O'Dwyer), or arguing that accessing a server in the US makes you subject to US law (Gary McKinnon). Why would similar arguments not apply here? It may be legal in the US, but that doesn't necessarily place the actions outside the jurisdiction of the other country. Naturally, _enforcement_ may be an issue, but that doesn't make it legal. At the very least, I don't see how it can be seen as OP giving permission - it's effectively another country taking that decision away from him.
I submitted an info request about 2 months ago now, and I haven't heard a word from these jackasses
Keep going. They risk being fined by not answering.