![](\"https:\/\/media.wired.com\/photos\/5e2a1bb2123c60000827363b\/master\/pass\/ai-scraping-88622242.jpg\"\/)
<\/p>\n<\/p>\n
Credit to Author: Louise Matsakis| Date: Sat, 25 Jan 2020 12:00:00 +0000<\/strong><\/p>\n Louise Matsakis<\/span><\/a><\/span> <\/span><\/p>\n The facial recognition startup claims it collected billions of photos from sites like Facebook and Twitter. What does the practice mean for the open web?<\/p>\n The internet was designed to make information free and easy for anyone to access. But as the amount of personal information online has grown, so too have the risks. Last weekend, a nightmare scenario for many privacy advocates arrived. The New York Times<\/a><\/em> revealed Clearview AI, a secretive surveillance company, was selling a facial recognition tool to law enforcement powered by \u201cthree billion images\u201d culled from the open web. Cops have long had access to similar technology, but what makes Clearview different is where it obtained its data. The company scraped pictures from millions of public sites including Facebook, YouTube, and Venmo, according to the Times<\/em>.<\/p>\n To use the tool, cops simply upload an image of a suspect, and Clearview spits back photos of them and links to where they were posted. The company has made it easy to instantly connect a person to their online footprint\u2014the very capability many people have long feared someone would possess. (Clearview\u2019s claims should be taken with a grain of salt; a Buzzfeed News<\/a> investigation found its marketing materials appear to contain exaggerations and lies. The company did not immediately return a request for comment.)<\/p>\n Like almost any tool, scraping can be used for noble or nefarious purposes. Without it, we wouldn\u2019t have the Internet Archive\u2019s invaluable WayBack Machine<\/a>, for instance. But it\u2019s also how Stanford researchers a few years ago built a widely condemned<\/a> \u201cgaydar,\u201d an algorithm they claimed could detect a person\u2019s sexuality by looking at their face. \u201cIt\u2019s a fundamental thing that we rely on every day, a lot of people without realizing, because it\u2019s going on behind the scenes,\u201d says Jamie Lee Williams, a staff attorney at the Electronic Frontier Foundation on the civil liberties team. The EFF and other digital rights groups have often argued the benefits of scraping outweigh the harms.<\/p>\n Automated scraping violates the policies of sites like Facebook<\/a> and Twitter<\/a>, the latter of which specifically prohibits scraping<\/a> to build facial recognition databases. Twitter sent a letter<\/a> to Clearview this week asking it to stop pilfering data from the site \u201cfor any reason,\u201d and Facebook is also reportedly examining the matter, according to the Times<\/em>. But it\u2019s unclear whether they have any legal recourse in the current system.<\/p>\n To fight back against scraping, companies have often used the Computer Fraud and Abuse Act<\/a>, claiming the practice amounts to accessing a computer without proper authorization. Last year, however, the Ninth Circuit Court of Appeals ruled<\/a> that automated scraping doesn\u2019t violate the CFAA. In that case, LinkedIn sued and lost against a company called HiQ, which scraped public LinkedIn profiles in bulk and combined them with other information into a database for employers. The EFF<\/a> and other groups heralded the ruling as a victory, because it limited the scope of the CFAA\u2014which they argue has frequently been abused by companies\u2014and helped protect researchers who break terms of service agreements in the name of freedom of information.<\/p>\n The CFFA is one of few options available to companies who want to stop scrapers, which is part of the problem. \u201cIt\u2019s a 1986, pre-internet statute,\u201d says WIlliams. \u201cIf that\u2019s the best we can do to protect our privacy with these very complicated, very modern problems, then I think we\u2019re screwed.\u201d<\/p>\n Civil liberties groups and technology companies both have been calling for a federal law<\/a> that would establish Americans\u2019 right to privacy in the digital era. Clearview, and companies like it, make the matter that much more urgent. \u201cWe need a comprehensive privacy statute that covers biometric data,\u201d says Williams.<\/p>\n Right now, there\u2019s only a patchwork of state regulations that potentially provide those kinds of protections. The California Consumer Privacy Act<\/a>, which went into effect this month, gives state residents the right to ask companies like Clearview to delete data it collects about them. Other regulations<\/a>, like the Illinois Biometric Information Privacy Act, require corporations to obtain consent before collecting biometric data, including faces. A class action lawsuit<\/a> filed earlier this week accuses Clearview of violating that law. Texas and Washington have similar regulations on the books, but don\u2019t allow for private lawsuits; California\u2019s law also doesn\u2019t allow for private right of action.<\/p>\n Some experts argue that empowering consumers is not enough. \u201cWe just can\u2019t be expected to manage every use of our data online,\u201d says Dylan Gilbert, a privacy lawyer at the civil liberties group Public Knowledge. He argues the solution instead is to make some uses of personal data illegal. For example, some cities, including San Francisco<\/a>, have banned facial recognition by city agencies all together.<\/p>\n Another option is to give some power to organizations, rather than only individuals. \u201cCompanies and platforms like LinkedIn or Facebook or Twitter should have the right to protect their users\u2019 privacy downstream,\u201d says Tiffany C. Li, a technology lawyer and visiting professor at Boston University School of Law. A federal law could allow online platforms to sue entities like Clearview on behalf of their users to protect their right to privacy. The risk, though, is that corporations will pursue litigation that mostly serves their own interests. A 2018 article<\/a> in Boston University\u2019s Journal of Science & Technology Law<\/em> found that in 20 years of scraping cases based on the CFAA, \u201ca tremendous number\u201d concerned claims brought by \u201cby direct commercial competitors or companies in closely adjacent markets to each other.\u201d<\/p>\n In the absence of legal recourse, one way companies have blocked people from scraping their sites is by using technical tools. Facebook has been particularly aggressive in this regard. It requires users to sign in to view almost anything on its site, and it uses a lengthy robots.txt<\/a> file to stop Google from indexing many of its pages. That\u2019s why if you Google your name, all of your Facebook activity likely isn\u2019t in the search results. But not all of the social network\u2019s efforts have been popular. Last year, the company blocked<\/a> third-party transparency tools used by nonprofits and journalists, because it said it needed to prevent malicious actors from scraping its site.<\/p>\n Not all companies have the resources, or priorities, to create those kinds of barriers against any would-be scrapers. Venmo, the payment app owned by PayPal, has repeatedly been criticized<\/a> for making all transactions public by default. Several researchers and artists have scraped millions of payments<\/a> from Venmo to demonstrate how it puts people\u2019s privacy at risk. Clearview says it also mined the site for its database. \u201cScraping Venmo is a violation of our terms of service and we actively work to limit and block activity that violates these policies,\u201d a spokesperson said in a statement. While the app, and others like it, could do more to protect users, catching malicious scraping will always be an evolving cat-and-mouse game, and regulatory action could be more effective to stop it.<\/p>\n \u201cWe don\u2019t want to limit access to information and we don\u2019t want to ban web scraping,\u201d Li says. \u201cBut we need to think about other ways to prevent some of the privacy harms we saw with Clearview.\u201d<\/p>\n