Clearview AI fined millions in the UK: No 'lawful reason' to collect Brits' images

Notorious selfie-scraper must pay $9.43 million – less than half of predicted fine – says data regulator


Updated The UK's data protection body today made good on its threat to fine controversial facial recognition company Clearview AI, ordering it to stop scraping the personal data of residents from the internet, delete what it already has, and pay a £7.5 million ($9.43 million) fine.

The company, which is headquartered in New York, claims to have over 20 billion facial images on its databases, mostly culled from YouTube, Facebook, and Twitter. Clearview AI has developed a facial recognition tool – which it is attempting to patent – that is trained on these images. The tool attempts to match faces fed into its machine learning software with results from its enormous image database, which it claims is the largest of its kind "in the world" and which it sells (to law enforcement bodies, among other clientele) across the globe.

The move from the Information Commissioner's Office (ICO) comes after an investigation launched in 2020 in conjunction with the Australian Information Commissioner to see if Clearview had breached the Australian Privacy Act or the UK Data Protection Act 2018.

Handing down a fine that is less than half of the £17 million+ ($21.3 million+) originally envisaged, the ICO also said it was not impressed that the company had no "process in place to stop the data being retained indefinitely."

In addition to the fine, the selfie-scraper was also slapped with an enforcement notice ordering it to stop collating the data and delete all information of British residents from its systems.

In defense of its business model, Clearview AI's boss has previously said that the images, mostly uploaded by the data subjects themselves, were publicly available, and that it didn't see why it couldn't collate and search them, comparing its actions to that of web search giant Google. CEO Hoan Ton-That remarked at the time: "If it's public and it's out there and could be inside Google's search engine, it can be inside ours as well."

John Edwards, UK Information Commissioner, said of the action:

Clearview AI Inc has collected multiple images of people all over the world, including in the UK, from a variety of websites and social media platforms, creating a database with more than 20 billion images. The company not only enables identification of those people, but effectively monitors their behavior and offers it as a commercial service. That is unacceptable. That is why we have acted to protect people in the UK by both fining the company and issuing an enforcement notice.

The ICO found it had had breached UK's GDPR by "failing to meet the higher data protection standards required for biometric data" (classed as "special category data" under the GDPR and UK GDPR); failing to use the info in a way that is "fair and transparent"; failing to have a lawful reason for collecting it; and failing to have a process in place to stop the data being kept "indefinitely."

Finally, the ICO said the company had illegally requested "additional personal information" (including photos), when members of the public approached it to ask if they were on their books – presumably to check against images it already has. "This may have acted as a disincentive to individuals who wish to object to their data being collected and used," noted the regulator.

Privacy and cyber lawyer James Castro-Edwards, of law firm Arnold & Porter, said of the ation: "The GDPR (and the UK GDPR), which will be four years old this week, includes a number of specific requirements in relation to new technologies such as AI, which process personal data.

"As with any other processing activity, companies must ensure these systems comply with the principles, such as lawfulness, fairness and transparency, as well as those of privacy by design and by default."

We have asked Clearview AI to comment and will update when it responds. ®

Updated to add at 15:00 UTC on May 23:

Clearview AI provided a statement from Lee Wolosky, a partner at Jenner and Block, who said: "While we appreciate the ICO's desire to reduce their monetary penalty on Clearview AI, we nevertheless stand by our position that the decision to impose any fine is incorrect as a matter of law.

"Clearview AI is not subject to the ICO's jurisdiction, and Clearview AI does no business in the UK at this time."

The company's CEO, Hoan Ton-That, also provided a statement, saying he was "deeply disappointed that the UK Information Commissioner has misinterpreted my technology and intentions. I created the consequential facial recognition technology known the world over. My company and I have acted in the best interests of the UK and their people by assisting law enforcement in solving heinous crimes against children, seniors, and other victims of unscrupulous acts."


Other stories you might like

  • Clearview AI wants its facial-recognition tech in banks, schools, etc
    I get knocked down but I get up again, Italy, Canada, UK, ACLU, Facebook, Google, YouTube, Twitter... are never gonna keep me down

    Clearview AI is reportedly expanding its facial-recognition services beyond law enforcement to include private industries, such as banking and education, amid mounting pressure from regulators, Big Tech, and privacy campaigners.

    The New York-based startup's gigantic database contains more than 20 billion photos scraped from public social media accounts and websites. The database was used to train Clearview's software, which works by performing a face-matching algorithm between input images and ones stored on its database to identify individuals.

    These images were downloaded without explicit permission from netizens or companies. Although Clearview has been sent numerous cease and desist letters from Twitter, YouTube, Google, Facebook and more, it continued to collect more images and grow its database. The demands to stop scraping public-facing webpages, however, were not legally binding, unlike the settlement agreement Clearview entered into to end its lawsuit against the American Civil Liberties Union.

    Continue reading
  • Clearview AI promises not to sell face-recognition database to most US businesses
    Caveats apply, your privacy may vary

    Clearview AI has promised to stop selling its controversial face-recognizing tech to most private US companies in a settlement proposed this week with the ACLU.

    The New-York-based startup made headlines in 2020 for scraping billions of images from people's public social media pages. These photographs were used to build a facial-recognition database system, allowing the biz to link future snaps of people to their past and current online profiles.

    Clearview's software can, for example, be shown a face from a CCTV still, and if it recognizes the person from its database, it can return not only the URLs to that person's social networking pages, from where they were first seen, but also copies that allow that person to be identified, traced, and contacted.

    Continue reading
  • Did ID.me hoodwink Americans with IRS facial-recognition tech?
    Senators want the FTC to investigate "evidence of deceptive statements"

    Democrat senators want the FTC to investigate "evidence of deceptive statements" made by ID.me regarding the facial-recognition technology it controversially built for Uncle Sam.

    ID.me made headlines this year when the IRS said US taxpayers would have to enroll in the startup's facial-recognition system to access their tax records in the future. After a public backlash, the IRS reconsidered its plans, and said taxpayers could choose non-biometric methods to verify their identity with the agency online.

    Just before the IRS controversy, ID.me said it uses one-to-one face comparisons. "Our one-to-one face match is comparable to taking a selfie to unlock a smartphone. ID.me does not use one-to-many facial recognition, which is more complex and problematic. Further, privacy is core to our mission and we do not sell the personal information of our users," it said in January.

    Continue reading
  • Research finds data poisoning can't defeat facial recognition
    Someone can just code an antidote and you're back to square one

    If there was ever a reason to think data poisoning could fool facial-recognition software, a recently published paper showed that reasoning is bunk.

    Data poisoning software alters images by manipulating individual pixels to trick machine-learning systems. These changes are invisible to the naked eye, but if effective they make the tweaked pictures useless to facial-recognition tools – whatever is in the image can't be recognized. This could be useful for photos uploaded to the web, for example, to avoid recognition. It turns out, this code may not be that effective.

    Researchers at Stanford University, Oregon State University, and Google teamed up for a paper in which they single out two particular reasons why data poisoning won't keep people safe. First, the applications written to "poison" photographs are typically freely available online and can be studied to find ways to defeat them. Second, there's no reason to assume a poisoned photo will be effective against future recognition models.

    Continue reading
  • Ukraine uses Clearview AI facial-recognition technology
    Controversial search engine being used to identify dead and Russian operatives

    The Ukrainian government is using facial recognition technology from startup Clearview AI to help them identify the dead, reveal Russian assailants, and combat misinformation from the Russian government and its allies.

    Reuters reported yesterday that the country's Ministry of Defense began using Clearview's search engine for faces over the weekend.

    The vendor offered free access to the search engine, which Ukraine is using for such tasks as identifying people of interest at checkpoints and identifying people killed during Russia's invasion, the news organization wrote, citing Lee Wolosky, who currently advises Clearview and formerly worked as a US diplomat under Presidents Barack Obama and Joe Biden.

    Continue reading
  • 1,000-plus AI-generated LinkedIn faces uncovered
    More than 70 businesses created fake profiles to close sales

    Two Stanford researchers have fallen down a LinkedIn rabbit hole, finding over 1,000 fake profiles using AI-generated faces at the bottom.

    Renée DiResta and Josh Goldstein from the Stanford Internet Observatory made the discovery after DiResta was messaged by a profile reported to belong to a "Keenan Ramsey". It looked like a normal software sales pitch at first glance, but upon further investigation, it became apparent that Ramsey was an entirely fictitious person.

    While the picture appeared to be a standard corporate headshot, it also included multiple red flags that point to it being an AI-generated face like those generated by websites like This Person Does Not Exist. DiResta was specifically tipped off by the alignment of Ramsey's eyes (the dead center of the photo), her earrings (she was only wearing one) and her hair, several bits of which blurred into the background. 

    Continue reading
  • Face Off: IRS kills plan to verify taxpayers with facial recognition database
    Uncle Sam takes security, privacy concerns seriously, it says here

    Updated The Internal Revenue Service has abandoned its plan to verify the identities of US taxpayers using a private contractor's facial recognition technology after both Democrats and Republicans actively opposed the deal.

    US Senator Ron Wyden (D-OR) on Monday said Treasury Department officials informed his office that the agency has decided to move away from using the private facial recognition service ID.me to verify IRS.gov accounts.

    "The Treasury Department has made the smart decision to direct the IRS to transition away from using the controversial ID.me verification service, as I requested earlier today," Wyden said in a statement. "I understand the transition process may take time, but I appreciate that the administration recognizes that privacy and security are not mutually exclusive and no one should be forced to submit to facial recognition to access critical government services."

    Continue reading
  • IRS doesn't completely scrap facial recognition, just makes it optional
    But hey, new rules on deleting your selfies

    America's Internal Revenue Service has confirmed taxpayers will not be forced to use facial recognition to verify their identity. The agency also set out rules for which images will be deleted.

    Folks setting up an online IRS account will be given the choice of providing biometric data to an automated system, or speaking with a human agent in a video call, to authenticate. Those who are comfortable with facial recognition tech can upload a copy of their photo ID and then be authenticated by their selfie, and those who aren't can talk to someone to prove they are who they say they are. An online IRS account can be used to view tax documents and the status of payments among other things.

    "Taxpayers will have the option of verifying their identity during a live, virtual interview with agents; no biometric data – including facial recognition – will be required if taxpayers choose to authenticate their identity through a virtual interview," the IRS said in a statement on Monday.

    Continue reading
  • Sri Lanka to adopt India’s Aadhaar digital identity scheme
    Biometric IDs for all, cross-border interoperability not on the table

    Sri Lanka has decided to adopt a national digital identity framework based on biometric data and will ask India if it can implement that nation’s Aadhaar scheme.

    The island nation had previous indicated it would work with the Modular Open Source Identity Platform (MOSIP), an organisation based in India that offers tools governments can use to create and manage digital identities.

    But a list of Cabinet decisions published on Tuesday, Sri Lanka’s government announced its intention to ask India for a grant of its scheme, which has been widely interpreted as meaning India share Aadhaar technology.

    Continue reading
  • UK police lack framework for adopting new tech like AI and face recognition, Lords told
    Governance structure is 'a bush, not a tree' – whatever that means

    UK police forces have no overarching rules for introducing controversial technologies like AI and facial recognition, the House of Lords has heard.

    Baroness Shackleton of the Lords' Justice and Home Affairs Committee said the group had found 30 organisations with some role in determining how the police use new technologies, without any single body to guide and enforce the adoption of new technologies.

    Under questioning from the Lords, Kit Malthouse, minister for crime and policing, said: "It is complicated at the moment albeit I think most [police] forces are quite clear about their own situation."

    Continue reading

Biting the hand that feeds IT © 1998–2022