Issue link: https://maltatoday.uberflip.com/i/1527639
10 OPINION maltatoday | WEDNESDAY • 9 OCTOBER 2024 Images that are publicly available online can be used by a commercial entity to train a facial recognition algorithm HAVE you ever wondered, while passing through automated passport control at the airport, what the machine is doing as it scans your passport and your face? In a nutshell, the technol- ogy embedded in that machine is able to detect your face, analyse it biometrically, and then recog- nise it. In this use case example the analysis that the machine is car- rying out is called authentication and verification; in other words, it consists of a one-to-one (1:1) comparison of your face to the digital facial image embedded in your passport. The system replaces manual checks with automated ones. Insofar as the technology functions correctly, there appears to be no cause for concern. Would you feel differently about it if the police were able to use the same technology to iden- tify criminal perpetrators? Here the role of facial recognition technology is one of identifica- tion; in other words, it consists of a 1:n comparison of the 'want- ed' face to a database of faces consisting of n number of imag- es, looking for a match. This is the service offered by a compa- ny established in the US, to law enforcement in the US, by the name of Clearview AI. So why is this relevant to us in the EU? There is one way in which in- dividuals in the EU are directly affected, even if they are com- pletely unaware of this! This has got to do with the way a company such as Clearview AI trains its facial recognition al- gorithms. What this company does is that it engages in an ac- tivity commonly referred to as web scraping, whereby it deploys a software program to trawl the web extracting therefrom facial images and related metadata. Metadata is 'data about data', so for example the web address (URL) from where the image was collected will also be recorded. This may reveal further informa- tion about the individual beyond the biometric contours of their face, including for example their place of work or other locations they frequent or have frequented for leisure, or the company they keep. When this web scraping takes place, it trawls 'cyberspace' without territorial restrictions, meaning that our facial images have likely been collected, ana- lysed and used to train Clearview AI's facial recognition algorithm, which is what powers its AI solu- tion. Why would a company devel- oping a facial recognition sys- tem engage in web scraping? The reason is that the web is a ready source of a vast and varied dataset of facial images that can be used to train the most accu- rate facial recognition systems. Historically facial recognition systems were trained on much smaller datasets, and creating such datasets was resource in- tensive. The result was increased costs for the developer, and less accurate systems, resulting in harms ranging from wrongful apprehension to discrimination against minority groups. Should we be concerned or even care that our facial imag- es that are publicly available on the Internet are being collected and used by a company such as Clearview AI to train facial recognition systems? It may be argued that you cannot expect to control that which is in the public sphere. If you left your house this morning, could you control the passerby who looked at you? If you attended a protest last month, could you control the many others in that public space having knowledge of the fact that you also attended the protest? Do your feelings change were the police to have turned up with cameras and appeared to be filming the protestors? The point is that our images that are publicly available online can be used by a commercial en- tity to train a facial recognition algorithm and to develop a sys- tem which can then be deployed by, for example, law enforce- ment authorities in the context of their efforts to solve crimes, or by authoritarian governments to monitor their citizens! Fur- thermore, technologies devel- oped elsewhere may be deployed within the EU. The EU Parliament has been rightly concerned by these de- velopments, and this is reflected in a provision first introduced by the Parliament and that is now a part of the EU AI Act, which entered into force on 1 August 2024. This provision prohibits 'the placing on the market, the putting into service for this spe- cific purpose, or use of AI sys- tems that create or expand facial recognition databases through the untargeted scraping of fa- cial images from the internet or CCTV footage'. This is not to say that prior to the AI Act, web scraping such as that engaged in by Clearview AI was legal in the EU. Indeed several EU Data Protection Au- thorities investigated Clearview AI, found them to be in violation of the EU data protection law, specifically the General Data Protection Regulation (GDPR), and proceeded to issue fines to the company ranging from €20 million - €30 million. The au- thorities held that the process- ing engaged in by Clearview AI without the affected individuals' consent could not otherwise be justified under the GDPR. In- deed, the argument that the data had been 'manifestly made pub- lic' was rejected, in light of the fact that the public availability of one's image online should not mean that it is fair for that im- age to be used in a manner that Publicly available data and the training of facial recognition technologies Dr Mireille M Caruana is Senior Lecturer and Head, Department of Media, Communications and Technology Law Roxanne Meilak Borg is Research Assistant within the Department of Media, Communications and Technology Law Mireille M. Caruana & Roxanne Meilak Borg