Know your data 48: selling faces

In the last post about Clearview AI's face recognition database, I asked the rhetorical question:

Have you heard a peep from Facebook/Instagram, Twitter, Google, etc. about Clearview illicitly taking images from their properties?

I didn't expect an answer to appear in the same week!

The FTC has "settled" with OKCupid, which is a dating app owned by the Match group, on giving data to a face recognition company (Clarifai, a competitor of Clearview) without proper notification to its users (link).

I put "settled" in quotes because throughout the story of the data belonging to Americans, the meaning of many words has been warped beyond recognition. This is, as Ars Technica pointed out in its header, a "settlement" without any financial penalty. The company just swore on its pinky that it would behave in the future.

We can learn several bits of interesting information from this news though.

Firstly, despite being allowed to hide questionable behavior behind obnoxiously long, pugnaciously vague, and presumably unread privacy policies, these tech companies still have to engage in activities that they simply could not afford to put down in writing.

Secondly, the word "sharing" has also lost any meaning. Does anyone – except the FTC enforcers – seriously believe that OKCupid gave 3 million photos to Clarifai for free? And, as an act of charity, would you also take our users' location and their demographic data?

The FTC claimed it knew what happened: based on the passage quoted by Ars Technica, it appeared that they merely repeated the story told by OKCupid, Match, and Clarifai. They claimed that no formal agreement existed but disclosed that the founder of OKCupid and the CEO of Match were both "financially invested" in Clarifai. These parties somehow believed that this cover story gave them a get-out-of-jail card, a rationale to support their use of the word "sharing". In fact, this is even more troubling than if a straightforward commercial agreement were to exist.

For one, this story proves that user data at tech companies are at the hands of individuals. (We already sort of knew from some past actions e.g. by Elon Musk.) It also shows that these individuals – none of whom face any kind of sanctions – will sell out their users for personal financial gain. When no agreement exists, it's harder to trace where, when and what data have left the building.

Thirdly, this settlement stemmed from actions that took place in 2014, so it took 12 years for regulators to uphold the law by a friendly handshake with the offenders.

Fourthly, let's read the terms of the settlement carefully, shall we? Hold on to your seat belts, this is truly scary:

OKCupid and Match... agreed to a permanent prohibition barring them from misrepresenting how they use and share personal data.

Wait, so businesses are heretofore not prohibited from "misrepresenting how they use and share personal data"? It takes 12 years and a negotiated settlement to confirm to Americans that our businesses are in fact free to misrepresent how they use and share personal data – unless the FTC imposes a specific "permanent" ban from lying?

Fifthly, apparently Clarifai has done absolutely nothing wrong in this matter, even though it is the entity that sought out the people's data, and exploited the data to build a product that sometimes might send them to jail for months because of errors (See prior post). For good measure, they even told us that they sell to "foreign governments, military operations and police departments".

Last but not least, this news resolves the mystery of how companies like Clearview AI and Clarifai build out their enormous databases of people's images associated with their personally-identifiable data. They may not even need to "scrape" the data; they simply get them "for free" via secretive "data sharing."