Hoan Ton-That, the CEO and founder of a face recognition company that he freely admits could help lead to a surveillance “nightmare” and a “dystopian future or something,” says he has a First Amendment right to scrape whatever images he damn well pleases off public websites like Twitter to pad out his company’s supposedly three billion photo database.
Clearview AI has licensed its face surveillance systems to over 600 law enforcement agencies ranging from the FBI and the Department of Homeland Security to local police departments. It operates with next to no oversight, claims it’s exempt from biometric data laws, and marketed its tools to law enforcement as a sort of face recognition free-for-all while making false claims about its usefulness in cracking cases. Clearview’s database is built off images scraped from public sources on the internet like Facebook, Instagram, Twitter, Venmo, Google, and countless other websites. Late last month, the New Jersey attorney general’s office ordered police to stop using the app, while Twitter sent the company a cease-and-desist demanding it cease scraping data and delete anything it had already collected.
In an interview with CBS This Morning scheduled to air on Wednesday, Ton-That said that “We’ve received a letter, and our legal counsel has reached out to them and are handling it accordingly. But there is also a First Amendment right to public information. So the way we have built our system is to only take publicly available information and index it that way.”
EXCLUSIVE: The founder of a facial recognition company described as both “groundbreaking” and “a nightmare” is speaking out.
— CBS This Morning (@CBSThisMorning) February 4, 2020
“So that’s all I can say on the matter,” Ton-That added.
Ton-That may be correct that scraping the data isn’t currently illegal under federal law, but whether or not his company is exposing itself to civil liability is less clear. The 9th U.S. Circuit Court of Appeals ruled in a case between LinkedIn and data analytics firm hiQ Labs last year that scraping public data isn’t a violation of the 1986 Computer Fraud and Abuse Act (CFAA), the infamously vaguely written federal law that criminalizes hacking. Staff attorney Jamie Lee Williams of the Electronic Frontier Foundation, a nonprofit digital rights group known for its work on privacy cases, wrote in a recent blog post that it would be a mistake to try to ban automated public data scraping via the CFAA, as it would criminalise the many mundane uses of the technique and the act could be abused by corporations looking to stamp out competition. (Notably, while hiQ raised arguments that the case should be thrown out on First Amendment grounds, the court declined to rule on them in its decision.)
Facebook had previously told the New York Times that it was investigating and “will take appropriate action if we find they are violating our rules,” though it didn’t tell the paper whether it had also sent a cease and desist. Stanford Internet Observatory director and former Facebook chief information security officer Alex Stamos told the Times that the 9th Circuit ruling had “eviscerated the legal argument that Facebook used to use on scammers and spammers.” Twitter accused Clearview of violating its policies in its cease and desist letter, but it’s not clear if its terms of service would be sufficient to stop the company in court.
Stamos did tweet, however, that he thought there was a case that Clearview had violated the copyrights of the millions of people the photos originally belonged to by repurposing them without authorization, for profit, and in violation of Facebook’s terms of service. That could result in a class action. Facebook recently settled in a similar case in Illinois, which passed a law in 2008 requiring opt-in consent for biometrics collection, to the tune of $US550 million ($817 million).
That leaves state laws. They clearly have the data of Californians and Illinois(ians?), so CCPA and BIPA apply. Anything I'm missing?
— Alex Stamos (@alexstamos) January 18, 2020
As Wired noted, there’s no federal law and only a handful of state laws protecting user data, like the California Consumer Privacy Act and the Illinois law, so in the meantime companies like Facebook have mainly turned to making it hard to scrape their sites with technical barriers. Those include measures like requiring sign-in and/or limiting what search engines can index on the site. That’s not enough, according to Williams.
If the CFAA “is the best we can do to protect our privacy with these very complicated, very modern problems, then I think we’re screwed,” Williams told Wired. “… We need a comprehensive privacy statute that covers biometric data.”