Big Brother Watch complaint against facial recognition search engine
Big Brother Watch is a non-profit organisation based in the UK. They run campaigns and produce investigative reports designed to inform the public and lawmakers on the risks of surveillance technology deployment by private companies and the state.
Big Brother Watch (BBW) had been investigating the use of facial recognition technology by PimEyes, a facial recognition search engine. PimEyes claims to have a biometric representation of every face on the open web. The search engine allows a user to upload a photograph of a person, and be shown other photos of that person that exist on the web, and URLs to their locations. According to PimEyes, this service is for personal use only, so people can see if there are any images of their own face online that they weren’t aware of. However there are no controls in place to ensure that this remains the case; anyone can access the service and search for photos of other people.
BBW asked AWO to examine how the service works, and to find out if PimEyes is in breach of the GDPR, which restricts the processing of biometric data to certain purposes.
AWO’s litigation team conducted a comprehensive examination of the service in order to determine whether or not it complied with data protection laws. Our analysis raises serious concerns that PimEyes are processing biometric data unlawfully, and we raised those concerns in a submission to the Information Commissioner’s Office on behalf of BBW. Findings included:
- PimEyes say that crawling the open web to build a database of images is lawful under GDPR, because those images are not identify the subjects of the images by name — however Article 9 of the GDPR does not require an individuals name as a mean of personally identifying them. The images themselves constitute personal data under the GDPR.
- The way PimEyes processes data is not in line with the reasonable expectations of the data subjects; the way they build their database is opaque, and anyone who has never used the service would be unaware of it even existing
- Anyone can access the service and upload images of other people, making it a deeply intrusive tool. The images returned in searches may not even be known to the people who are in them; PimEyes could very easily be used to track people down against their will, or as a means of uncovering revenge porn
Further reading/resources: