Recently (9th November 2021) the Australian Information Commissioner produced a ruling against Clearview AI Inc for its usage of the images of Australians scrapped from Social Media sites and found them to have failed to comply with the requirements of the Australian Privacy Principle and hence interfered with the privacy of Australian individuals, as follows:
collect sensitive information about an individual only where the individual consented to the collection (and the information was reasonably necessary for one or more of the entity’s functions or activities) (APP 3.3) in circumstances where no other exceptions applied to permit the collection (APP 3.4)
collect personal information only by lawful and fair means (APP 3.5)
take such steps (if any) as were reasonable in the circumstances to notify individuals of the collection of personal information (APP 5)
take such steps (if any) as were reasonable in the circumstances to ensure that the personal information it used or disclosed was, having regard to the purpose of the use or disclosure, accurate, up‑to‑date, complete and relevant (APP 10.2).
The ruling declared that Clearview AI Inc, must:
a. must not repeat or continue the acts and practices that I have found are an interference with the privacy of one or more individuals
b. must cease to collect Scraped Images, Probe Images, Scraped Image Vectors, Probe Image Vectors and Opt-out Vectors (see paragraphs 5 and 11) from individuals in Australia in breach of APPs 3.3, 3.5 and 5
c. within 90 days of the date of this determination, must destroy all Scraped Images, Probe Images, Scraped Image Vectors, Probe Image Vectors and Opt-out Vectors it has collected from individuals in Australia, and
d. within 90 days of the date of this determination, must provide written confirmation to my Office that the respondent:
i. is no longer collecting images and vectors as required in paragraph 2(b)
ii. has destroyed images and vectors as required in paragraph 2(c).
Now on the ‘face’ of it, this might be seen as sufficient, as ClearView would be required to remove all images and associated derived image recognition and collation datums. Although I think this ruling is missing an important part, namely deleting the contextual relationship data associated with the image and ‘who’ (in a naming relationship sense) was in the image(s) in question. Or in other words, going forwards ClearView will be not allowed to collect or match an Australian ‘Mr Smith’ in an image, but it says nothing about knowledge of which prior images contained ‘Mr Smith’. Further, it also says nothing about if social media account relationships are being tracked as well. If this is the case it then becomes easy to track someone who was on social media prior to this ruling well after the ruling came into effect.
Also, thinking about it, given people tend to operate in groups on social media, you can easily track a ‘new’ person going forwards based on their groups containing people already known in ClearView…
I think ClearView should be required to remove all derived data collated from an Australian being in an image they scrapped, it should be as if that the person was never in an image scanned by ClearView. To me, that’s preserving true privacy, otherwise, ClearView is only being slightly disadvantaged in its ability to track Australians going forwards. At the moment it appears they are left with a ‘named’ hole in their data set when instead there should be nothing at all.
Remember, you only have one face, so once the ‘meta data’ on that face is harvested and put into services like ClearView, you can be tracked. We know China use extensive face recognition technology to enforce limits on movement and social scoring, where does this end?
BTW this is not a storm in a teacup, this is getting international media coverage, see the video below from Russell Brand for an example.
Do we really want to be seen in such a light? Questions should be asked as to why this trial with the Police was allowed to start in the first place, was the Australian Information Commissioner consulted on this trial prior to its start?
From a security point of view, I can see facial recognition playing a part in ensuring security as part of an access control system, for instance controlling access to a secure area or confirming your identity at a border crossing, those are clear and specific usage cases. The greater widescale ‘state surveillance’ usage of facial recognition is truly scary and needs specific legislation to prevent, for two reasons:
- Maintaining privacy – as mentioned before, you only have the one face, its a unique fingerprint that identifies you. Usage of such a marker needs tight control to ensure privacy.
- It’s not perfect – although not mentioned, over dependence on one mechanism of identification creates an opportunity for manipulation and false identification to occur. Such systems are not perfect and need to be corroborated before actions are taken against anyone identified by such systems.
BTW ClearView is going to appeal the ruling to the Administrative Appeals Tribunal, and they are currently used by over 2,000 law enforcement agencies globally (source The Guardian).
I have written to the Australian Information Commissioner pointing out what I believe to be an oversight on their part on what should be deleted. Hopefully, I’ll get a response soon.