Have the UK and AUS just killed remote verification?

Nigel Morris-Cotterill

Clearview AI Inc. is a company that collects facial images from a disparate range of sources and makes them available to its customers.

The UK's data protection department, the Information Commissioner's Office, has banned the practice within the UK. The UK acted in concert with the Office of the Australian Information Commissioner. The investigations focused on Clearview AI Inc’s use of people’s images, data scraping from the internet and the use of biometric data for facial recognition.

What effect might that have on remote verification?

It is increasingly common for applications that run on mobile phones to require those wanting to sign up to take a selfie from within the application.

What happens to it next is a mystery to users but in practice, if it is to have value, the image needs to be compared to known images of the identity that the applicant is claiming.

This is where Clearview AI Inc's service, and others like it, come into play.

The UK's ICO explains Clearviews services as follows:

Clearview AI Inc has collected more than 20 thousand milion images of people’s faces and data from publicly available information on the internet and social media platforms all over the world to create an online database. People were not informed that their images were being collected or used in this way.

The company provides a service that allows customers, including the police, to upload an image of a person to the company’s app, which is then checked for a match against all the images in the database.

The app then provides a list of images that have similar characteristics with the photo provided by the customer, with a link to the websites from where those images came from.

There's an interesting aspect to this: it seems to extend the "right to privacy" argument. If a person sits in a public place, his right to privacy is eroded. The ICO appears to be saying that the internet, including social media, is not a public place. It is, one might argue, difficult to think of a more public place than a Facebook page, for example.

Clearview had withdrawn its services from the UK but the ICO said that the database "is likely to include a substantial amount of data" relating to residents of the UK, much of which had been gathered without their knowledge.

John Edwards, UK Information Commissioner, said "The company not only enables identification of those people, but effectively monitors their behaviour and offers it as a commercial service..... People expect that their personal information will be respected, regardless of where in the world their data is being used."

Australia, too, required Clearview to cease and desist from collecting data and to destroy all existing data containing images of individuals in Australia. In Australia, the company said that it "currently" offers its service to government customers for law enforcement and national security purposes only. That's as maybe: the principle goes far beyond Clearview.

Australia's determination includes the following:
The Facial Recognition Tool has a broader capability. The respondent’s US and international patent applications describe ways to apply its facial recognition software to the private sector, including:
• to learn more about a person the user has just met, such as through business, dating, or other relationship
• to verify personal identification for the purpose of granting or denying access for a person, a facility, a venue, or a device

Where, then, does this leave the question of remote verification? At its simplest, it leaves companies that require a facial image for registration in a quandary: they can collect the data but unless they already have, in their own records, an image for comparison, it's useless for verification purposes.

But it's not entirely useless because that image can be used for comparison when it is necessary to confirm e.g. in a phone call that the person on the phone is the person who opened the account (which is not to say that it verifies that person initially).

By way of extension, we must consider whether this relates to image data taken at ATMs? Do customers willingly (even knowingly) consent to the taking of their image? Even if they do, do they agree to it being stored simply in case of an investigation relating to the transaction? Do they agree to it being used in any facial recognition program for any purpose? If not, then banks are not, it seems, allowed to build a database of the images of its customers and to use them for on-line verification.

So, is online verification by photographs dead in the UK and Australia? Probably not but it is severely wounded until the questions of consent to obtaining, storing and analysing data are resolved.


The ICO listed the various contraventions as follows -

failing to use the information of people in the UK in a way that is fair and transparent, given that individuals are not made aware or would not reasonably expect their personal data to be used in this way;
failing to have a lawful reason for collecting people’s information;
failing to have a process in place to stop the data being retained indefinitely;
failing to meet the higher data protection standards required for biometric data (classed as ‘special category data’ under the GDPR and UK GDPR);
asking for additional personal information, including photos, when asked by members of the public if they are on their database. This may have acted as a disincentive to individuals who wish to object to their data being collected and used.

The Australian determination is here: https://www.oaic.gov.au/__data...

The UK's determination is here: https://ico.org.uk/about-the-i...

The UK's announcement of the penalty of GBP7,552,800 is here: https://ico.org.uk/about-the-i... The ICO has also issued an enforcement notice, ordering the company to stop obtaining and using the personal data of UK residents that is publicly available on the internet, and to delete the data of UK residents from its systems.

