Who owns your face? You might think that you do, but consider that Clearview AI, an American company that sells facial recognition technology, has amassed a database of ten billion images since 2020. By the end of the year, it plans to have scraped 100 billion facial images from the internet. It is difficult to assess the company’s claims, but if we take Clearview AI at face value, it has enough data to identify almost everyone on earth and end privacy and anonymity everywhere.
As you read these words, your face is making money for people whom you’ve never met and who never sought your consent when they took your faceprint from your social media profiles and online photo albums. Today, Clearview AI’s technology is used by over 3,100 U.S. law enforcement agencies, as well as the U.S. Postal Service. In Ukraine, it is being used as a weapon of war. The company has offered its tools free of charge to the Ukrainian government, which is using them to identify dead and living Russian soldiers and then contact their mothers.
It would be easy to shrug this off. After all, we voluntarily surrendered our privacy the moment we began sharing photos online, and millions of us continue to use websites and apps that fail to protect our data, despite warnings from privacy campaigners and Western security services. As so many of us sympathize with Ukraine and are appalled by Russia’s brutality, it is tempting to overlook the fact that Ukraine is not using Clearview AI to identify dead Ukrainians, which suggests that we are witnessing the use of facial recognition technology for psychological warfare, not identification. Some people will be fine with the implications of this: if Russian mothers have to receive disturbing photos of their dead sons, so be it.
To understand why we might want to rethink the use of facial recognition technology in conflict, consider the following thought experiments. First, imagine that it was Russia that had scraped Ukrainian biometric data from the internet to build a facial recognition technology tool which it was using to identify dead Ukrainians and contact their mothers. Liberal democracies would likely condemn these actions and add them to its growing list of Russia’s barbaric actions. Second, imagine a conflict in which the United States was fighting against an opponent who had taken American faceprints to train its facial recognition technology and was using it to identify dead American soldiers and contact their mothers. This would almost certainly cause howls of protest across the United States. Technology executives would be vilified in the press and hauled before Congress, where lawmakers might finally pass a law to protect Americans’ biometric data.
We do not need to wait for these scenarios to occur; Congress could act now to protect Americans’ biometric data. If taking inspiration from the European Union (EU) General Data Protection Regulation (GDPR) seems a step too far, Congress only needs to look to Illinois, whose Biometric Information Privacy Act (BIPA) requires that companies obtain people’s opt-in consent before capturing facial images and other biometrics. Clearview AI is currently fighting multiple lawsuits in federal and state courts in Illinois for failing to obtain users’ consent. These lawsuits highlight a troubling aspect of facial recognition technology in the United States: Americans’ privacy, civil liberties, and rights over their biometric data vary from state to state, and even within states, and are not protected by federal law.