In November, news spread across the internet about a company that uses facial recognition technology. Find out why it wasn't talked about and why it started in this article.
Clearview AI
Clearview AI is an American facial recognition company founded in 2017. The company provides an app that allows users to upload a photo of an individual's face and find other photos of that individual that have been collected on the internet. The user then receives a link to the locations where the photos appeared so that the person can be identified.
The company's database contains 3-10 billion (sources vary in number) photos of faces that have been collected from social networks (Facebook, Instagram, LinkedIn, YouTube, Venmo, etc.).
Clearview AI sells its technology to federal and state law enforcement agencies, which use it to identify perpetrators of crimes such as theft, identity theft, credit card fraud, murder, and cases involving child sexual abuse. It can also be used by some companies for security purposes, universities, and individuals.
Not much has been said about this company so far, given its radical violation of privacy. The San Francisco Police Department and Google have been opposed to its use since the app was first launched. Further problems arose after the app underwent a trial period in several countries.
Ongoing investigations into the company
In July 2020, the UK Information Commissioner's Office (ICO) and the Australian Information Commissioner's Office (OAIC) launched a joint investigation into Clearview AI's processing of personal data. The two authorities worked together to gather evidence. However, any findings are being assessed separately, as both data protection authorities operate under their own legislation. In addition, both authorities independently investigated the use of the technology by law enforcement agencies. The joint investigation has been concluded and both countries have proposed further steps that would be appropriate under their respective laws.
What were the findings?
The Australian OAIC found breaches of the Australian Privacy Act 1988, specifically relating to:
- collecting sensitive information without consent;
- collecting personal information by unfair means;
- failure to take reasonable steps to ensure that personal information disclosed was accurate, having regard to the purpose for which it was disclosed;
- failure to take reasonable steps to implement practices, processes and systems to ensure that they comply with the requirements of the Australian Personal Information Protection Act.
Based on the findings, the OAIC ordered Clearview AI to stop collecting and destroy the photos and biometric templates of Australian residents it had already collected.
The OAIC's decision highlights the lack of transparency surrounding the company's photo collection practices, the monetization of individuals' data for a purpose that goes well beyond reasonable expectations, and the risk of adverse effects on people whose photos are included in their database. Such collection of sensitive information is undesirable and unfair. The Australian Commissioner justified her decision by stating that the processing of (sensitive) personal data poses a significant risk of harm to individuals, including vulnerable groups such as children and victims of crime, whose photos may be searched for in the company's database. Biometric data, in principle, cannot be changed and can be replicated and used for identity theft. The Commissioner also emphasized that the impact of the biometric system developed by the company on individuals' privacy is not necessary, legitimate, or proportionate, considering any benefits in the public interest.
"When Australians use social media or professional networking sites, they do not expect their photos to be collected without their consent by a commercial entity to create biometric templates for completely unrelated identification purposes. The random collection of photos of individuals, only a fraction of whom would ever be linked to a criminal investigation, can adversely affect the personal freedom of all Australians who feel they are under constant surveillance," said Commissioner Falk.
Between October 2019 and March 2020, Clearview AI provided some Australian police forces with a trial period for its facial recognition software. During this period, several Australians were searched using the database for the purposes of ongoing investigations. The OAIC is currently finalizing an investigation into the use of facial recognition software by the Australian Federal Police. The investigation focuses on whether the use of this technology complies with the requirements of the Australian Government Agencies Privacy Code for assessing and mitigating personal information risks.
More information about the investigation can be found at this link (EN version).
Based on its investigation, which found that the company had seriously breached several laws relating to personal data protection, the ICO proposed a fine of £17 million. The investigation is still ongoing and the company currently has the opportunity to comment on the findings. The proposed fine and the preliminary notice of enforcement may still be subject to change, or it may be decided that no further action will be taken.
The ICO's investigation found that there were breaches of several laws relating to personal data protection, specifically:
- personal data was not processed for the purpose that the data subject would reasonably expect;
- no processes were in place to prevent data from being stored indefinitely;
- no legal basis was chosen for the processing of personal data;
- the higher standards for personal data protection required for the processing of biometric data (as this is a special category of personal data) were not met;
- the data subjects were not informed about what was happening to their data; and
- the company requested additional personal information, including photographs, which discouraged persons who wished to object to the processing of their personal data.
We will continue to monitor the situation and keep you informed of any new developments.
SOURCES:
https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2021/11/clearview-statement/
https://www.oaic.gov.au/updates/news-and-media/clearview-ai-breached-australians-privacy
https://www.nytimes.com/2020/01/18/technology/clearview-privacy-facial-recognition.html
https://techcrunch.com/2021/11/29/clearview-ai-ico-view-to-fine/
