Privacy campaign group Big Brother Watch has filed a complaint to the ICO that the face recognition search engine PimEyes may be unlawful and could enable surveillance and stalking.
PimEyes is a search engine that uses facial recognition technology to provide a reverse image search tool and a photo search mechanism so that users can search for any face they upload and find which websites publish images of their faces to protect their privacy. It can also be used to assist investigative journalists. PimEyes only searches images posted publicly.
Big Brother Watch has made a complaint about PimEyes to the UK’s data protection watchdog, the Information Commissioner’s Office (ICO). The privacy campaign group’s complaint is based on suggestions that:
– The online facial recognition website is “unlawful” and enables surveillance and stalking “on a scale previously unimaginable” and is “deeply privacy-intrusive”.
– PimEyes is a threat to the privacy of millions of UK citizens because it is allegedly unlawfully processing their biometric data. For example, PimEyes could be processing the facial images of millions of UK citizens, which are regularly searched without the knowledge or consent of those citizens.
– It could enable people to “surveil, harass and stalk” others because it allows anyone on the internet to upload a photo of any person’s face (including a child’s), search billions of faces, find matches, and track them across the internet. This could include, for example, finding a person’s place of work and finding a person’s photos in any media articles, personal blogs, dating websites, employment profiles, and other publicly available websites.
– PimEyes could be used to discover the identity of an unknown individual seen in revenge porn or child sexual abuse material.
– Although PimEyes asks customers to use the technology ethically, it doesn’t appear to place limits on the type of images that may be used for search or have any safeguards to prevent people from using the service to extract a library of photos of someone other than themselves.
Madeleine Stone, Legal and Policy Officer at Big Brother Watch, highlighted their concerns saying that “PimEyes enables privacy intrusion and stalking on a scale previously unimaginable” and “lawlessly scans billions of our photos without our knowledge or permission”. She also said of PimEyes: “Images of anyone, including children, can be scoured and tracked across the internet. This extraordinary power is available to anyone at the click of a button and could be secretly used by potential employers, university admissions officers, domestic abusers or stalkers.”
PimEyes is reported to have said that its search engine is not intended to be used for surveillance of others and that it is in talks with law enforcement agencies in several countries, including the UK, about using PimEyes to combat crimes against children, human trafficking, and terrorism.
Big Brother Watch has highlighted the similarity between the business model of PimEyes and Clearview AI Inc, another facial recognition company. Clearview AI Inc had a database of over 20 billion facial images and was fined £7.5 million and ordered to delete all UK data by the ICO earlier this year for violating data protection law by unlawfully processing the biometric data of UK citizens.
It is possible to see how there are useful aspects to the PimEyes search engine when used responsibly and ethically, e.g. people using it to protect their privacy or journalists using PimEyes as part of their work. However, if, as Big Brother Watch has pointed out, the business model is very similar to Clearview AI Inc, which has already been fined, and if it is acting unlawfully in relation to UK data protection laws, things may not go well for PimEyes. It is worrying that anyone could misuse the search engine and gather photos and an information trail about anyone else without their knowledge or consent. It is particularly concerning that this apparent lack of privacy and ease of misuse could potentially endanger children. It remains to be seen what action (if any) the ICO takes. This story is also a reminder to all other businesses and organisations that data protection laws do cover images as well as other data. Consent is an important part of data protection laws to consider.