Big Brother Watch complaint against facial recognition search engine
Facial recognition – a kind of biometric processing allowing individuals to be identified through mathematical representations of their facial features – continues to be a controversial use of digital technology. In July we worked with Big Brother Watch (‘BBW’) to highlight how live facial recognition was being used in private sector retail environments, in ways we believe are unlawful.
Since then, BBW have continued to track how facial recognition is being used in the UK. And they came across PimEyes, which describes itself a “facial recognition search engine”. BBW again asked us at AWO to step in and examine the tool and whether it complies with data protection law, which (in theory) significantly constrains biometric processing.
PimEyes has created a database of biometric representations of – they claim – every facial image available on the open web. That would include millions of UK citizens. That allows a user to upload a facial image and search for any matches to that face from the open web. PimEyes returns all the matches, including the urls where the images are hosted. These could include things like local news sites, blogs, and company websites.
PimEyes claims that its service is only for individuals to search for their own face. But there are no controls around this. Anyone can use the service to search for anyone else’s face. In their response to press inquiries about our work, PimEyes themselves listed ‘assisting investigative journalists’ as a benefit of the tool, directly contradicting their own claim that the service is only for self-search.
The risks of offering this service in this way can scarcely be overstated. With a paid account, someone could easily locate a stranger’s place of work or approximate address with just a photo of their face. A search of someone’s face will turn up images of them online that they probably weren’t even aware of themselves. And this all happens without the searched person knowing anything about it.
We say the way the service operates is unlawful. There’s no legal basis for the processing, and there’s no exemption for the biometric processing that it involves. We’ve brought these issues to the attention of the UK’s data regulator – the ICO – via submissions that set out our legal analysis in full. We think PimEyes could be breaching the data rights of a huge number of UK citizens, and we hope the ICO takes swift action to investigate the service and uphold those rights.
We welcome your thoughts on the submissions, and would love to hear from you if you think you may have been affected by the use of PIMEYES or similar services. Reach out to alex.lawrencearcher@awo.legal