According to a recent report by Canada’s privacy commissioner Daniel Therrien and three provincial counterparts, Clearview AI has broken Canada’s privacy laws. Therrien told reporters that the company’s technology and actions amounted to illegal mass surveillance of Canadians. While Clearview AI no longer operates in Canada, its recent activities indicate the challenges that Canada faces in regulating facial recognition technologies to protect the private data of its residents.
Clearview AI tech in Canada
In recent years, New York-based Clearview AI has come under scrutiny for ‘scraping’ public and social media sites in Canada and the United States. The startup now has a database of more than 3 billion images of individuals, garnered without their consent or knowledge. This information has been sold to companies and law enforcement agencies in more than 26 countries.
Until mid-2020, Canada was Clearview AI’s largest foreign market. Canada’s privacy commissioner is now investigating how the Royal Canadian Mounted Police used its facial recognition technology.
Canadian privacy laws prohibit data scraping, but Clearview AI claims that these laws do not apply to it because it does not have a “real and substantial connection to Canada” and that it can legally collect publicly available images.
As Toronto Star reporter Alex Boutilier noted recently on Twitter, Facebook made a similar argument after the Canadian and British Columbia privacy commissioners released a report in 2019 that revealed that information of Canadians was illegally harvested from Facebook by Cambridge Analytica and used for political purposes. Also like Clearview AI, Facebook was unwilling to come into compliance with Canadian regulations. Despite clear evidence to the contrary, Facebook argued that no Canadian data had been harvested.
However, earlier this year, Facebook was found guilty of breaking Illinois law for collecting facial recognition data of Illinois residents without their consent. Facebook will be paying $340 to 1.6 million of its users in Illinois. As Kate Cox notes in Ars Technica, the Illinois Biometric Information Privacy Act is one of the strongest in the United States.
What all this reveals is that different jurisdictions have varying regulations on data privacy. This patchwork currently allows tech companies to seek out the most permissive regulatory environments in which to operate.
For example, thousands of third-party data brokers are believed to operate in countries with weak data-protection requirements. Using information collected by other companies and through user-downloaded phone applications, these companies create databases that they then resell to commercial enterprises and law enforcement agencies.
Facial recognition tech: No consent given
One key point made by Canadian privacy commissioners and other privacy advocates is that individuals who share private data on public sites have NOT consented to the use of that data in biometric databases. However, as University of Ottawa law professor Teresa Scassa notes, there are still concerns that some interpretations of Canada’s proposed update to privacy law will leave provisions that companies could try to use with regard to that consent.
Another critical concern is that harvested biometric data is being used NOW, in ways that would worry many unwitting and possibly unwilling participants. For example, information of individuals who have committed no crimes can be found on police databases.
Dealing with challenges
Strong, consistent global regulations do not yet exist. For now, individuals must try to protect themselves by employing caution in sharing personal data.
But individuals can only do so much. Greater privacy protections and data sharing arrangements are needed at all levels of jurisdiction, from the municipal to the international.
A particular recommendation for Canada would be to explore data protection and sharing arrangements with the United States. Many technologies and tech companies span the two countries. U.S. companies are the dominant collectors of the data of individual Canadians. As well, the two countries should have a mutual interest in protecting the private data of their citizens from third-party data brokers and in limiting the ability of foreign entities and governments to track their citizens.
Ultimately, because of the dangers of misusing facial recognition technology, some privacy advocates are calling for it to be banned, not only in Canada but in a growing number of countries. Clearview AI should be seen as a warning sign of what is yet to come. The need for regulation of facial recognition technology is clear, yet governance responses continue to lag.