As a California or EU resident, shouldn't it be illegal for it to be opt-out?
(edit: on further reading it looks like GDPR requires opt in, while CCPA seems to only require opt in for people younger than 16, and requires opt-out for people 16 or older, which is some bullshit)
Regardless, I should be able to say "I'm opting out" and the onus should be on them to figure out how to do it, rather than me submitting enough pictures for them to recognize and exclude me from their crawler. This seems against even CCPA.
(another edit since this pisses me off so much: The page linked says "Alternatively, you can email: privacy-requests@clearview.ai" so I'm just going to email them to tell them I opt out. They can figure out how to comply with my opt out)
The funny thing is that you can't really opt out if the mechanism they use to tell their system to ignore you is in and of itself facial recognition based.
They'd have to crawl all incoming data and compare it with you (i.e., identify you) in order to know whether or not that picture they just slurped up was of someone who had opted out. Opt-outs don't work, by definition, when what you are opting out of is a system of identification.
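A minimal sketch of that point, assuming a generic embedding-and-match pipeline (the function names and the flatten-and-normalize "embedding" below are placeholders for illustration, not Clearview's actual system): the only way the crawler can decide to ignore a newly scraped photo is to first recognize whose face is in it.

```python
import numpy as np

def face_embedding(image: np.ndarray) -> np.ndarray:
    # Stand-in for a real face-embedding model (in practice a CNN that maps
    # different photos of the same face to nearby vectors). Flattening and
    # normalizing is only here so the sketch runs end to end.
    v = image.astype(float).ravel()
    return v / (np.linalg.norm(v) + 1e-9)

def should_exclude(scraped_image: np.ndarray, opted_out_embeddings, threshold=0.9) -> bool:
    # To honor an opt-out, every newly crawled photo must be matched against
    # every opted-out person -- which is exactly the identification step the
    # person was trying to opt out of.
    query = face_embedding(scraped_image)
    return any(float(query @ e) >= threshold for e in opted_out_embeddings)

# The opt-out photo someone submitted, and a freshly crawled image:
opted_out = [face_embedding(np.random.rand(64, 64))]
new_photo = np.random.rand(64, 64)
print(should_exclude(new_photo, opted_out))
```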
The fact of the matter is, the system shouldn't have been made in the first place, and the mere existence of it guarantees the capability for it to be abused.
> the system shouldn't have been made in the first place, and the mere existence of it guarantees the capability for it to be abused
I casually know the guys who made this, and they're, well, unorthodox thinkers in terms of ethics. I highly doubt that, say, government regulations would've prevented them from building this app (although it may prevent them from using it in certain regions).
It's very hard to put neural network and image recognition tools into public hands and also prevent anyone in the world from building something like this. Such is the Pandora's Box of technology.
Oh absolutely - considering that what Clearview did was replicated by a few individual researchers, I'm sure any government or private entity that wants to build a system like this already has.
But I think most people here would fight against those systems once discovered, and there's no reason to allow Clearview to profit now.
How will laws help against the same thing, but made by unlawful people? I think it's better to accept that privacy in the classic sense is dead and adjust.
Well, you can doubt it, but it is what it is: "efektivní" in Czech means both effective ("successful in producing a desired or intended result") and efficient ("working or operating quickly and effectively in an organized way") combined. Also, it seems like "efficient" in English includes "effective" as well, so there probably was no actual problem with my original comment.
Maybe it is you who should check the thesaurus and get a little more understanding of the world before posting dismissive comments.
That is not the commonly accepted definition of "efficient" in English. It would be more like "making good, thorough, or careful use of resources; not consuming extra."
The distinction is important because one can be very efficient (using resources carefully) while being ineffective (not achieving desired results).
In this context, the distinction is relevant because it is not clear that mass surveillance is a useful tool for preventing unlawful behavior (what most of us consider to be the desired result of law enforcement). Mass surveillance is effective at mass population control (e.g., subverting opposition political movements).
Well if you legally have to be able to opt out, and they can't opt you out without completely reworking their business, then legally it seems like they should have to rework their business if you opt out. I'd call that a functioning opt out, even though I expect I'm being unrealistically optimistic :(
There is a slight problem (I am not sure if this is a valid case, just thinking out loud): if the data were gathered from public sources like FB, they might argue that those data are public.
Yes, I think this is what they'd argue too. But something to think about: Recently Google was asked (in France[1]) to start paying publishers for including news snippets in search results. That data is also "public" in the sense that it is available for crawling, but it is still owned by creators who can (and did) exercise rights to limit use. The presence of a third-party platform like Facebook further complicates this (I don't know if you sign off your rights to your photos when you upload them to FB, for example).
In raw, mathematical black/white terms, yes, I grant that image with my name next to it is technically public. However, uploading a profile portrait is typically intended for someone who searches for your name to determine whether or not a particular URL represents the person they met offline. I have to walk past a security camera to go through a store checkout - my image is in that camera because I want to buy stuff, not because I want my image to be public - and I might present my ID to the clerk because I want to be identified as of age to legally buy alcohol, not because I want the camera to link my face to my name (and my purchase list) or anything creepy like that.
When a person uploads a profile picture or appears in a security camera feed, they typically have an intent that doesn't match Clearview's use case, and an expectation that the stuff that Clearview.ai is trying to do with the image was humanly impossible. Historically, it has been impossible. True, some people are good with faces, and I'm sure some of them work in law enforcement or advertising, but no one can cross-reference 7 billion profile pictures to every security camera on the planet, and remember who went where at what time.
I'd argue that there's a fundamental difference in whether a right does or does not apply based on scale. A human looking at one data point needs to be approached ethically and legislatively differently from a machine looking at a million identical data points, because the use cases are different.
Clearview.ai is trying to make a land grab on human rights, asserting that because the things that they're trying to do have not yet been prohibited (because they're complicated, and because no one realized they were feasible) that they ought to continue to be allowed to do them.
I imagine scraping Facebook might be similar to the result in the hiQ v. LinkedIn case, involving scraping public LinkedIn information. At the time, the EFF and a lot of others celebrated the ruling. For example, the EFF characterized it as a victory for "...the wide variety of researchers, journalists, and companies who have had reason to fear cease and desist letters threatening liability simply for accessing publicly available information in a way that publishers object to."
I feel like there ought to be a line somewhere. Like, maybe you can access the data because it's public, but to (for example) profit off of it or even share it further, you need more than just the fact that it's public.
For some reason open source licenses come to mind. You can use this code (or image) under terms XYZ and this license has to go with it too. That way, me letting GitHub show my code publicly doesn't give you license to do whatever you want with it. Or me letting LinkedIn show my picture doesn't give you license to do whatever you want with it. Maybe we need something like that.
If you make your profile available publicly then I'd argue it is indeed public. As far as I'm aware, Clearview doesn't have a relationship with Facebook to access non-public data and instead they just operate a web crawler storing anything that's being served without requiring auth.
An image at the top of a news article on cnn.com is "public" in the sense that anyone can access it. But the company and the photographer still retain rights to that image - you can't take it and use it for whatever you like.
What is confusing here is that everyone imagines that Clearview (and Google, and FB, ...) are really storing those pictures. In reality they just train their AI. There is no trace of that picture on their servers once you delete it. But the AI is capable of recognizing you: in the case of Clearview, from a picture; in the case of Google and FB, from your picture, browsing habits, contacts, GPS coordinates, your friends, the semantics of your texts, ... The only difference is that Google and FB are not so stupid as to advertise this. But the capability is there.
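A toy illustration of that claim, under the assumption of a generic embedding pipeline (hypothetical names, not any real company's code): the raw photo can be deleted, yet a feature vector derived from it is kept and is still enough to match future photos of the same person.

```python
import numpy as np

def embed(image: np.ndarray) -> np.ndarray:
    # Placeholder for a learned face-embedding model; a real one maps
    # different photos of the same person to nearby feature vectors.
    v = image.astype(float).ravel()
    return v / (np.linalg.norm(v) + 1e-9)

gallery = {}                                # name -> feature vector kept after crawling
profile_photo = np.random.rand(64, 64)      # scraped picture
gallery["example_person"] = embed(profile_photo)
del profile_photo                           # the raw picture is "deleted"...

def identify(new_photo: np.ndarray, threshold: float = 0.9):
    # ...but the stored vector still lets the system recognize the person.
    query = embed(new_photo)
    scores = {name: float(query @ vec) for name, vec in gallery.items()}
    best = max(scores, key=scores.get)
    return best if scores[best] >= threshold else None
```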
IANAL but I think the GDPR does not just look at the data in isolation, but considers the data and what it is used for.
Thus if I give a company access to my data it does not give them a carte blanche to use it however they see fit, instead I have allowed usage of the data for a set of purposes.
I think that it can be like how GitHub lets you have public repos that are covered under whatever license you like. Being public doesn't invalidate those licenses. Or if Disney made a movie free on YouTube for a day, it doesn't lose legal protection over that movie.
GDPR puts the picture of a person under special protection. They need to ask for your permission if they want to store and process it. Additionally, they are required to provide to you a copy of all information they have stored about you. Probably they claim that they deleted the pictures after they completed the training of their neural networks. I'd watch court proceedings that try to figure out if the auto-encoded version of a picture still is under GDPR protection.
> I'd watch court proceedings, that try to figure out if the auto-encoded version of a picture still is under GDPR protection.
That’d be a fascinating case!
If these were people rather than computers, I don’t think you could ask them to forget a face. But they could be asked to destroy notes or derived work.
Should every person start keeping a list of all privacy intrusions and then opt out? That’s never going to work out due to user fatigue, which is what all these opt out platforms depend on (that nobody will go through the trouble of doing it).
(Not exactly the same) Just like Facebook announced a few years ago asking users to send it nude photos just so it could take down nude photos of that person, this also is ripe for abuse. It's a matter of when, not if, the opt-out information also leaks.
What you have said is one thing. Intrusion like this can only be opt-in. But I have another problem with opt-out with such a fishy company. Who guarantees me that after I send them my ID, they won't just take it, add the data to their database, and set a "hidden" flag on the record?
Often, these companies will not only do as you suggested, they will turn around and sell your data at a premium (since it's been confirmed) to third-party companies before marking it as hidden.
There are a couple of services that opt out for you. Oftentimes your information will re-appear on the same site months later, too, so they provide monitoring.
I know the media attacked Facebook for that announcement, but everything I can gather suggests that it was just meant to give victims more control and didn't have any nefarious motives (unlike other 'features' offered by Facebook).
Consider the absurdity of the request. Send us a nude so we can play a better game of whack a mole. Also, consider the mental state of the person being asked to submit such a photo.
I mean good grief.
And this is before we even get into the fact that we’re talking about Facebook.
Did FB provide the option to just take them all down in the case where there does not exist a nude photo of someone? Or just take them all down unconditionally?
If not, was it too difficult for them to think of this option?
I think people should probably stop using what we cutely call “the open web” when really it’s just another closed social network of financial interests distracting people from their lives
It’s essentially a filter bubble for finance ideas
You’re all doing it again, making “too big to fail” ideas that filter the benefits towards a minority (aka TV, and religion to an extent; utilitarian value aside, bubbles controlled by a minority, rent seeking on attention at scale)
Stop being a market for human rights abuse at scale
Name ONE facet of human existence Facebook has improved? Or Instagram? Other than generating wealth for a minority?
Did we have a huge problem organizing birthdays before?
I for one am excited to have front row seats from my cushy biotech job as the attention economy collapses
I don’t owe society my time in promise of a future it can’t honestly guarantee
Still waiting on my nuclear powered car, personal helicopter, and AI that does my job for me
You needn't use your real name of course, but for HN to be a community, users need some identity for others to relate to. Otherwise we may as well have no usernames and no community, and that would be a different kind of forum. https://hn.algolia.com/?sort=byDate&dateRange=all&type=comme...
For anyone with more legal knowledge than I have: how does scraping and processing social media and other image sources deal with copyright licenses, especially ones forbidding commercial use?
I feel like there's a meaningful legal difference between downloading a totally public, openly available image of you from the internet (even storing it forever) and then using that image in a product.
It would be like taking something with a GPL license - totally legit to download and use and modify and repost, with the original license/copyright attached - and using it in a closed source commercial product.
I've been wondering the same thing. The photo either belongs to the user or to Facebook, just because it's viewable on the site doesn't give Clearview the right to use it. It must be a violation of the terms of service and I'm surprised we haven't heard anything from Facebook about it.
They say they scraped the open web - so for example this would include many of our personal sites, many of which have profile pictures.
For myself, I took the picture on my site, and it's under an Attribution-NonCommercial-NoDerivatives CC license. I'd argue that
1. Using my/anyone's profile picture in an AI system for profit is commercial use.
2. A neural network is a derivative work of all images used to train that network.
So on point 1 I agree with you. I think point 2 is pretty iffy though. Unless there has been some recent legal proceeding that I am unaware of, point 2 isn't true.
Oh yeah, I'm not sure either are true legally as I'm not a lawyer - just my opinion.
The reasoning I follow for point 2 is:
If a neural network is not derivative of its inputs, then given a sufficiently large GAN you could "launder" inputs into copyright-free outputs. That hasn't been done as far as I know, but I know it's starting to be an issue in NLP.
Re: 2 - Legally no. Like a search engine’s index it is not a derivative work but a “transformative” one and therefore not subject to copyright restrictions.
There's something very wrong about some random company being able to collect lots of data about you where the only way to stop it is to _somehow_ know about the company and opt out _after_ it collects that data.
I suspect things will have to get worse before they get better. But then again we have the 3 big credit reporting agencies, and they don't seem to be going anywhere.
And they collect and process this data even if you're an EU resident - surely this is against the GDPR? I realise the photos they have are publicly available, but that only means I've consented for them to be displayed on GitHub, Facebook or wherever - it doesn't mean I've consented for some scummy startup to hoover up all my data, process it and index it.
And you have to send them a clear photo of yourself to opt-out... there is something very wrong with that. I don't believe for one second that they don't have, for example, my email address.
I made a request for data access on February 12, and I still haven't heard a word from these asshats. Don't hold your breath on them actually honoring the request. I realllllly can't wait for CCPA enforcement to start this summer, though I know privacy invasive tech companies are lobbying to have enforcement delayed.
Given their justification for their product, I wonder what they'd think of someone crawling images on the web and sending automated opt-outs for all crawled images that contain a face...
A startup: Face classification and person tracking via photo scraping social media, as a service, offered to law enforcement agencies, and they keep getting hacked.
Could I just say I'm a resident of CA or the EU? Clearview supposedly doesn't have any info other than public images, so how would they know the difference?
I also wonder this. Further, what if you built a bot that simply scraped photos of people and submitted all of them to Clearview? Are they legally able to refuse ANY of the submissions?
Permission isn't needed; fascists don't ask for consent.
If it really riles you up, which it should, you should go and pressure your legislators into creating legislation that prevents them from doing what they're doing.
Agreed. Depending on which option you choose, this could further improve their model. For example, they could use it to confirm your identity and improve recognition of you. Even if they never disclosed your identity, they could use it to reject subjects that would otherwise have a possibility of being you.
I would hope the state of California would care. I have no idea how you're meant to try to enforce your rights under CCPA other than by hiring a lawyer.
I filed a complaint with my local data protection authority a couple of years back. We had to integrate a credit reporting API and I noticed that it required no authentication other than a username. I also observed that who was performing the check was a field we could specify in the request and it was not validated (I did a check on myself with the SoapUI default of '?'). I did not receive a response. So unfortunately I think our options for actually enforcing our rights are probably limited.
Still, I guess we'll find out if Clearview takes GDPR any more seriously than CCPA.
Their opt out system is driven by typeform.com. I'm not familiar with this service, but it seems to have caps of at most 10k opt out requests per month and 4GB of uploaded images. They might be on an enterprise contract with different caps though. I know one way to find out...
Are there legal implications if you cannot submit an opt out request because of their technical choices?
> "This tool will not remove URLs from Clearview which are currently active and public. If there is a public image or web page that you want excluded, then take it down yourself (or ask the webmaster or publisher to take it down). After it is down, submit the link here."
The current law in a few areas allows them to collect all your data, then offer you to opt-out. There's no requirement for them to not collect private data, and there's no requirement most places for them to offer you an opt-out.
My question is: how do we get people to stop working for places like Clearview and Google and Facebook that all work against the public good?
You're totally right. The sky-high salaries + options + bonuses make it a hard sell to get devs to follow their values in choosing employers. I just found it telling how grudgingly this complies with the law, but you could say privacy violation is their core service so obviously they need to protect that.
> There's no point acting all surprised about it; the plans and demolition orders have been on display at your local planning department in Alpha Centauri for fifty of your earth years. If you can't be bothered to take an interest in local affairs, that's your own lookout.
My massive level of cynicism on this subject makes things like this seem completely unsurprising. I generally feel that the Binney and Snowden revelations served to normalize knowledge of being systematically monitored by big brother. This common knowledge of being watched is absolutely necessary for a surveillance state to function as intended. And then there's the gold mine of private data made available to them via National Security Letters and other such mandates to provide access. Surveillance capitalism is not really about capitalism at all, but that's just my cynical side again.
My understanding is no; it only applies to individuals with current residency. However - it's probably harder for them to figure that out than to just take your word for it.
They require a photo of a government issued ID for some stuff, so if you have an old ID that may work.
"If your company receives a request from an individual who wants to exercise their rights, you should respond to this request without undue delay and in any case within 1 month of receiving the request. This response time may be extended by 2 months for complex or multiple requests, as long as the individual is informed about the extension. Requests should be dealt with free of charge. If a request is rejected, then you must inform the individual of the reasons for doing so and of their right to file a complaint with the Data Protection Authority."
It's directly in the GDPR itself, which everyone should take the time to read in full anyway. It's not very complex. And I mean everyone, including people from non-GDPR countries!