Clearview AI fined millions in the UK: No 'lawful reason' to collect Brits' images The UK's data protection body today made good on its threat to fine controversial facial recognition company Clearview AI, ordering it to stop scraping the personal data of residents from the internet, delete what it already has, and pay a £7.5 million ($9.43 million) fine. The company, which is headquartered in New York, …
And keep on doing it until the data is removed.
The problem for Clearview is that this will probably mean re-creating their databases from scratch from the new input datasets (with removed images), which is a huge amount of processing work, assuming they iteratively add new images over time.
And yes, people giving personal images to Google/Facebook does not mean they ever consented to this use which is very different from why people upload to social media.
And also why we shouldn't upload to social media, unless we have locked things down massively, which unfortunately the social media businesses don't want to make easy.
How will the ICO be able to audit that the images have been removed? I doubt Clearview will, it will just move them to some offline backup media to be reinstated later.
The ICO should make it clear to UK organisations that they must not use Clearview services either directly or indirectly through agents or subsidiaries in Clearview friendly countries - and that should include the UK Police and Security Services.
As for "Clearview AI is not subject to the ICO's jurisdiction...." if the US are able to use their laws to chase people across our borders then we should be able to reciprocate.
I'd be interested to know what the US's 3 Alpha organisations do with the data - and I'd not be surprised if they even funded, in some way, Clearview's development, as they would not be allowed to do it themselves directly.
Once they’ve passed the image through their ai to train it they likely don’t need it again.
The real issue is that they trained their ai using your images, they would have to untrain their ai using the same image which is likely impossible.
The only way to make this work will be to delete the trained ai and delete the wrongfully gained images then start the ai training process all over again.
That will set them back years.
Don't need to. Just delete the data for everyone you cannot prove is some other nationality.
The same goes for Google. They do not need to know who I am to delete what they know about me. They can simply delete records for all people they cannot identify. These days, that list must consist almost exclusively of people who do not want to be tracked by Google.
Interesting thought. I opened one of my social media accounts, stating country of residence as UK whilst working abroad. However, future communications were based on the language of the country I was in when I opened the account. I believe after much "shouting" at the company concerned that they have at least altered my preferences (if not the underlying record, which I can't see).
Just because I make a piece of data freely available on the Internet, that does not make it public domain. It can still be legally protected in all kind of ways, even if it's not protected by technical means.
Companies that gather data from the Internet ought to be made painfully aware of this fact: you still need a license to use any data that's not yours, and if it's not clear whether there is a license to be had, that doesn't mean the piece of data is up for grabs; it means that if you grab it you're in an ambiguous situation at best, and could very well land in court.
I cut and pasted your post down below under my name, albeit with a Joke Ahead icon.
I wasn't mocking your argument or sentiment. My serious point was the ICO may not be toothless but it is underfunded and out classed so impotent. It's akin to the serious fraud office - plenty of bite on the statute books, but a kitten in reality.
There is no effective mechanism to make Clearview AI give up our data, the £7.5 million fine is essentially a windfall tax or a slap on the wrist. I'll change my opinion when company directors are extradited here and face prison time, or lists of all their customers are seized and published.
Once someone has your data, they have your data and you hope in vain they don't pass it along. My mum is on a 'suckers list' and gets scam phone calls all the time.
And it's not just private companies. I've been arrested a fair few times without being charged (as a peace protestor mostly), and on the initial arrests they'd swab me for DNA. I asked why they stopped doing that and they said because they already had it. I said they weren't allowed to keep it if I wasn't charged, after an ICO ruling, and they replied, "No, that is just in England." - it is not just in England, same rules apply! Same rules are ignored.
Since what they are doing - collecting images without consent is pretty much illegal in the UK - I'll doubt they'll care. They obviously dont give a stuff about operating in the EU or UK or they would never have gone down this route. BUT EU/UK citizens data will still be used to populate the training sets for their ML models.
Especially if you consider what they'd actually have to do to comply - which is to hard delete both the photos AND the ML models that were generated from them.
Never
Gonna
Happen
So I say again. What actual enforcement actions (that will work!) are open to the ICO? The only one I can think of is get them added to a sanctions list - but that seems tall ask for the ICO to achieve and I'm not sure the framework is in place for it. I think they'd have to write to one of the junior ministers in charge of the UK Treasury.
You downvoters are a bit naive on this one I think.
I like this idea better. The UK still has more allies around the world than clearview has friends. Unless other parts of the UK gov are shielding them, ClearviewAIs employees, backer and assets are fair game.
Not that it's likely, but in the US we have draconian civil asset forfeiture laws that can be damn inconvenient.
Then again Thiel sells the same type of toys, so maybe he wants to pull some strings and cut out the competition stateside...
-> failing to have a lawful reason for collecting it
Why is it lawful for Google to collect this and Clearview not? It seems that the ICO is ignoring the elephant in the room. I have never had much time or respect for the ICO. It is a chair-polishing unit of government.
The distinction is between indexing for search, and capturing/saving process to derive a biometric class of identifier. Google can still do the latter of course, but if they do it's just not public knowledge yet.
Consent. If I put a photo on Google's site, I give consent under Google's terms for its use there. I do not give carte blanche to every random company to take it and use it how they see fit.
And, if Google were to sell that data, they'd still need explicit, informed consent for that particular use too.
unless, usually, you consented to allow you data to be shared "with trusted and carefully selected third parties".
Bit like signing up to virtually any UK government system ... to paraphrase "we will share you data with anyone from any security organisation, local council, pet rescue organisation, private parking mafia and anyone else who knows and will pay us for your data ..."
Precisely this. When sharing said data, especially if it is special category data, they would need to be explicit as to who they were sharing it with, and for what purpose it would be processed. A catch all "we share with others" is not enough under GDPR.
Consent. If I put a photo on public internet, I give consent to everybody and his cat... erm, dog, to see it and do whatever he wants with it.
If you don't like it, don't make the photo available on public internet. Use a private cloud under your control.
Rubbish. Otherwise you could create a news site by just scraping and collating other news sites, for example.
The principle that content on the web can only be consumed in accordance with the license, and not freely copied and republished is well established.
See for example here.
WOOSH!
The principle that content on the web can only be consumed in accordance with the license, and not freely copied and republished is well established.
What did I just said? Well, not in so many fancy words, but the ideea is the same, right?
The flaw with this argument, is that it assumes all photos were knowingly uploaded to the internet and only contain a picture of the person who uploaded the photo.
There will be lots of people who do not even know their photo is on the internet. Ever been in a group photo taken by somebody else? Did the person who uploaded the photo collect consent from all individuals in the photo?
It's a difficult question. As a society, we don't really yet have a universally-accepted consensus on how privacy works on the Internet. And legislation usually trails societal consensus, for good reasons.
In this case, the difference is that while it's fairly obvious that nobody wants other people to be able to run face recognition on them without their consent, it's not obvious at all what exactly people want Google to index - even though a reverse GIS looks a lot like what Clearview is doing. I'm fairly sure that everyone at the ICO is well aware that this distinction is rather nebulous, but what can they do about that? Come up with arbitrary rules that would likely discontent everyone?
Until we, the everyday people of the Internet, get into some kind of agreement on exactly what's acceptable and what isn't, I wouldn't blame governments too much for failing to evict elephants from rooms.
I have never uploaded my image to the internet, but I have been tagged in photo's by friends and family. They are all very aware now that they were out of order for doing that. The damage was done though and cannot be undone.
It's a bit of a stretch for Clearview to consider that all of the images they gouged from the internet had an implicit agreement behind them, as many like me had no say in whether they could be uploaded. They assume too much.
And if they had approached the custodians of the original images offering money for them, I guess £7 million would be a snip. More like £7 billion for that kind of data.
-> I have never uploaded my image to the internet, but I have been tagged in photo's by friends and family.
This point you are raising here is crucial, and it doesn't even occur to many people. Your name and your photo is now in Clearview's database (and other databases which you are unaware of). The surveillance state is built on this. Just because it is a private company that has this data, do not think that the state does not have access to it. At the drop of a hat if the state comes round to Clearview and says 'can you match this photo?', Clearview is not going to say 'we do not do that sort of thing'. They are now party to the surveillance state.
Yup.
I had a FaceMelta account with a pseudonym. A friend published a picture of me and tagged it with both my real name, and my pseudonym, enabling both to be linked. Assuming Clearview stole that, it could now find me in random images that just happen to contain me. I have no idea if those images exist, so cannot have given consent.
It's an interesting legal challenge. I remember years ago, a German fellow was at a motor race with a lady that was not his wife. His wife saw the image, wasn't impressed, and filed for divorce. The man sued the broadcaster, and won for infringing his privacy. From memory, case relied on what's a reasonable expectation of privacy at a public, or semi-public event.
But this is a good step by the ICO. Now it just has to repeat the process against every data slurper and aggregator that thinks privacy is less important than profit. Personally I think there's a couple of quick fixes. Data controllers are legally responsible for data accuracy, so should automatically send their records to data subjects to check. Obviously this would cost them, and reveal the amount of data held. All executives at the slurpers should also be required to maintain public profiles detailing every class of data held and processed. If they think it's ok to spy on our browsing habits, they should have no problem with publishing their own.
Or Linked In harvesting all contacts from address books, contacts etc. I thought it odd a colleague I barely knew wanted to connect on LI, I quizzed him about it, and seems he forgot to untick the box about collecting contact info. He was a bit embarrassed as I wasn't the first to quiz him on it...
"I have never uploaded my image to the internet, but I have been tagged in photo's by friends and family. They are all very aware now that they were out of order for doing that. The damage was done though and cannot be undone."
That was your 1st mistake. What you should of done was get a total random picture of a person (preferable deceased) then upload it to as many sites as possible attached to your name. You could even ask your nearest and dearest to add some photoshopped images of them with your avatar.
It may not be possible to beat the man, but you can at least confuse the hell out of hime
Fun for a while, but then you get flagged because of the false ID.
Spam attacks are no panacea, there are too many other places for them to get both a positive ID and an alternate picture. You could expect get turned away at the border for suspected visa/passport fraud, or run into trouble at the DMV etc, or end up linked to your cover ID's criminal record.
An alternate and still totally not serious method would be to go full Juggalo for all of your ID and public appearances. If you use temp tats and henna they can't make you wash it off and will have to take your picture. Be prepared to be harassed at every security checkpoint in every country till you die though, even if it fades after a week or two.
Or just embrace your new identity and live the ICP life. They will appreciate your commitment to sticking it to the man.
To bad sticking it to the man usually involves sticking yourself in the eye first.
What you should of done was get a total random picture of a person (preferable deceased) then upload it to as many sites as possible attached to your name.
Better still, if you want to poison the well, upload a selection of different images with your name attached, and also upload your own image several times with different names attached. Not too many, in either case, or your ploy will become too easily apparent.
If your data are to be monetized, all you can do is act to reduce their value.
I don't understand the thumb downs but it's a free world I guess...
"DO I NEED PERMISSION TO TAKE PICTURES FOR COMMERCIAL PURPOSES?
In order to sell your photos to a media library or to use your photos to promote or sell products or services, you will often be required to obtain a signed model release form from any identifiable person featuring in the image. Although it is not illegal in the UK to take an identifiable photo of a person in a public place, media libraries and agencies often require you to have had permission to take the photos regardless."
https://www.pauldavidsmith.co.uk/photographers-rights/
No, you don't. Otherwise there would be no pictures of celebs doing things they don't want pictured in the newspapers.
Picture of a footballer coming out of a restaurant with his mistress, sorry no permission. Picture of him beating up some bloke on the street because he looked at him funny, sorry no permission. ETC.
That sounds like a clear case of harassment.
Why would they feel harassed? I think we should crowd fund some private investigators to do this, and publish the results in near-realtime. Sure, it might be considered stalking, but it's not really any different to what these scumbags do. If they're concerned about their privacy being violated, stop violating ours.
Just because I make a piece of data freely available on the Internet, that does not make it public domain. It can still be legally protected in all kind of ways, even if it's not protected by technical means.
Companies that gather data from the Internet ought to be made painfully aware of this fact: you still need a license to use any data that's not yours, and if it's not clear whether there is a license to be had, that doesn't mean the piece of data is up for grabs; it means that if you grab it you're in an ambiguous situation at best, and could very well land in court.
The article says one of the reasons for the fine is "failing to have a lawful reason for collecting it". ICO's own article actually says "failing to have a lawful reason for collecting people’s information".
It is not 100% clear whether this is a reference to: (a) failing to have any valid/defined legitimate purpose(s) (GDPR Article 5(b)), or (b) failing to have any valid defined lawful bases/conditions (GDPR Articles 6(1) and 9(2)).
I assume the ICO is referring to GDPR Article 5(b) "legitimate purpose(s)".
You'd expect the ICO to use the correct legal terminology in their press release so as to be clear as to which of these they were referring to. Then again it is the ICO...
"Clearview AI is not subject to the ICO's jurisdiction, and Clearview AI does no business in the UK at this time."
"My company and I have acted in the best interests of the UK and their people by assisting law enforcement in solving heinous crimes against children, seniors, and other victims of unscrupulous acts."
Those two statements contradict each other
Assuming that they gave their assistance for free, that doesn't constitute "doing business" in the UK. Then again, even if the statement is true this judgement is still a problem if they ever want to start (*) doing business in the UK.
(* Or restart. I note the phrase "at this time" and wonder if ClearView have done business in the UK in the past.)
Actually, no, take it straight to the maximum permitted under the law.
Then charge the directors for contempt of court - that response is not "we're appealing", it's straight-up contempt.
Note that it's also illegal everywhere within the EU, and as the UK is no longer a member, an EU member state can bring a separate GDPR action and fine them the maximum too...
Hoan Ton-That is a fascist on record saying that future governments could use clearview's face recognition to "round up undesirables".
Clearview is a company that should be outlawed in the UK, and pressed to be outlawed everywhere as its stated goals are basically to round up various ethnic groups etc into death camps.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
