Lawsuit Says Clearview's Facial Recognition App Violates Illinois Privacy Laws

Privacy

from the OR-DOES-IT-[dramatic-side-eye] dept

Clearview has gathered a whole lot of (negative) attention ever since its exposure by Kashmir Hill for the New York Times. The facial recognition app developed by Hoan Ton-That (whose previous app was a novelty that allowed users to transpose President Trump’s distinctive hairdo on their own heads) relies on scraped photos to perform its questionable magic. Rather than limiting themselves to law enforcement databases, cops can upload a photo and search a face against pictures taken from dozens of websites.

The company’s marketing materials claim cops have access to 3 billion face photos via Clearview — all pulled from public accounts linked to names, addresses, and any other personal info millions of unwitting social media users have uploaded to the internet.

Its marketing materials also claims it has been instrumental in solving current crimes and generating suspect lists for cold cases. So far, very few of these claims seem to be based on fact. That’s only one of the company’s issues. Another is the heat it’s drawing from companies like Twitter and Facebook who claim photo scraping violates their terms of service. That’s one for the courts and it’s only a matter of time before someone sues.

Someone has sued, but it’s not an affected service provider. It’s some guy from Illinois trying to fire up a class action lawsuit against the company for violating his home state’s privacy laws. Here’s Catalin Cimpanu of ZDNet with the details:

According to a copy of the complaint obtained by ZDNet, plaintiffs claim Clearview AI broke Illinois privacy laws.

Namely, the New York startup broke the Illinois Biometric Information Privacy Act (BIPA), a law that safeguards state residents from having their biometrics data used without consent.

According to BIPA, companies must obtain explicit consent from Illinois residents before collecting or using any of their biometric information — such as the facial scans Clearview collected from people’s social media photos.

“Plaintiff and the Illinois Class retain a significant interest in ensuring that their biometric identifiers and information, which remain in Defendant Clearview’s possession, are protected from hacks and further unlawful sales and use,” the lawsuit reads.

Hmm. This doesn’t seem to have much going for it. And, believe it or not, it’s not a pro se lawsuit. Whether it’s possible to violate a privacy law by scraping public photos remains to be litigated, but it would seem the word “public” is pretty integral here. Unless Clearview found some way to scrape photos not published publicly, the lawsuit is dead in the water.

It shouldn’t take too long for a judge to declare public and private legally contradictory. This lawsuit was composed by a member of the bar, but it reads more like a Facebook note the lawyer published accidentally. From the lawsuit [PDF]:

Without obtaining any consent and without notice, Defendant Clearview used the internet to covertly gather information on millions of American citizens, collecting approximately three billion pictures of them, without any reason to suspect any of them of having done anything wrong, ever.

Wat? Just because Clearview is aggressively pitching LEOs doesn’t mean Clearview can only scrape photos of people it suspects of wrongdoing. Yes, it’s disturbing Clearview has decided to make its stalker-enabling AI available to people who can hurt, maim, jail, and kill you, but there’s nothing on any law book that says collecting pictures of faces can only be done if the people are probably criminals — even if the targeted end users of this software are people who go after criminals.

Putting it in a sworn document doesn’t make it any less ridiculous. But it does get more ridiculous.

[A]lmost none of the citizens in the database has ever been arrested, much less been convicted. Yet these criminal investigatory records are being maintained on them, and provide government almost instantaneous access to almost every aspect of their digital lives.

Facebook is collecting photos of people, almost none of which have been criminally charged. They reside in Facebook’s database. Facebook is publicly searchable, and public profiles can be searched for photos, even by law enforcement officers. Is Facebook breaking state law by “collecting” photos of innocent people? No rational person would argue that it is. And yet, this is the same argument and it’s no less stupid just because an actual lawyer is involved.

Look, I also don’t want Clearview pushing this “product,” much less to people with the power to do incredible amounts of damage to anyone the AI mistakes for a criminal. But this isn’t going to fix anything. The lawsuit makes better points about Clearview’s end of the deal, which makes it easier for it to look over law enforcement’s shoulder. Since Clearview hosts all the pictures on its own servers, it can see what cops are looking for and do its own digging into the personal lives of anyone cops might be thinking about targeting. That’s an ugly byproduct of this service and Clearview hasn’t said anything about siloing itself off from government queries.

The claims in this suit are almost certain to fail. Clearview streamlines processes cops can perform on their own, like reverse image searches and browsing of social media accounts. Actions you can perform one person at a time without violating the Constitution (or state law), you can most likely do in bulk. For now. A more realistic approach would be to take edge cases to the Supreme Court, which has been more receptive to expanding the boundaries of citizens’ expectations of privacy in the digital era. This lawsuit may raise limited awareness about Clearview (and discovery could be very interesting) but it’s not going to end Clearview’s scraping or deter law enforcement from using it. And it’s certainly not going to earn a payout for the plaintiff.

Filed Under: facial recognition, illinois, privacy, privacy law
Companies: clearview, clearview ai