Consider a new digital privacy fear unlocked.
As Wired reports, a facial recognition search site called PimEyes, which claims to create biometric human “faceprints,” has been using stolen photos of dead people to train its algorithms.
According to the report, Cher Scarlett, a software engineer and writer, made the discovery while searching the site for images of herself.
She found something quite shocking: photos of her mother, her long-dead great-great-great-grandmother, and perhaps most startlingly, her sister, who had died in 2018 at the young age of 30.
All of these photos, Scarlett says, seem to have been taken from images that she and her family have personally uploaded to Ancestry.com, a site that overtly prohibits “scraping data, including photos, from Ancestry’s sites and services as well as reselling, reproducing, or publishing any content or information found on Ancestry” in its terms and conditions.
But this isn’t just a violation of Ancestry’s policy. Scarlett’s deceased family members simply couldn’t have given PimEyes their permission to train their algorithm with these photos.
“My sister is dead,” Scarlett told Wired. “She can’t consent or revoke consent for being enrolled in this.”
This kind of violation seems eerily akin to the story of Henrietta Lacks, whose cells have been used in medical research and drug development for decades — but were gathered, multiplied, and distributed for research postmortem and without her consent. While it may be a different field, the point that your privacy should be respected after your death still stands.
PimEyes didn’t have much to offer in terms of an explanation.
“PimEyes only crawls websites that officially allow us to do so,” company director Giorgi Gobronidze told Wired. “It was … very unpleasant news that our crawlers have somehow broken the rule.”
And though the site technically has an opt-out feature that can allow users to restrict a specific image of themselves from being used in the engine, Gobronidze admitted that the opt-out feature “will not work with 100 percent efficiency always.”
It’s worth noting that this isn’t the first time that PimEyes has been caught up in controversy.
As Wired points out, child privacy has been widely noted as a concern. But while Gobronidze told Wired that PimEyes launched a “multistep security protocol” to protect children starting January 9, some company partners, including a few NGOs, are “whitelisted” and can perform unrestricted searches on the platform.
In other words, the rules don’t always apply.
Elsewhere, both human rights groups and experts have alleged that the site enables stalking and other abuses.
And to that end, experts have further warned that data stolen from sites like Ancestry doesn’t just harm the deceased. It might also be used to stalk, dox, and otherwise harm the living, who are often just a click or so away.
“While I think [Gobronidze’s] correct to say that PimEyes won’t directly through their website give you that person’s identity, you’re a click away from a website that does have their name on it,” Daniel Leufer, a senior policy analyst at digital rights group Access Now, told Wired. “It’s going to give you a load of URLs which in many cases will allow you to identify that person.”
PimEyes’ misdeeds are symptomatic of a future where our online identities and even our faces are anything but protected from prying eyes. And despite the promise of guardrails, both PimEyes and Ancestry have failed in their attempts to protect our privacy.
“I used [Ancestry] for what it’s intended for — to find out where I come from. It was really exciting until it wasn’t,” Scarlett told Wired. “Nobody is uploading photos into Ancestry thinking that they’re going to be enrolled into a biometric identifier for facial recognition software without their knowledge or consent.”
“It just feels incredibly violating,” she added.
READ MORE: A Face Recognition Site Crawled the Web for Dead People’s Photos [Wired]