News
April 19, 2021, 2:00 pm – 3:00 pm CEST
This webinar, run by the Reclaim Your Face campaign, will feature a conversation with activists/experts Roxanna-Lorraine Witt and Benjamin Ignac. The topic of the webinar will be to explore the connections between Sinti and Roma rights and digital technology and data, in particular the rise of facial recognition. The webinar will likely be of interest to engaged in EU policy, human rights and digital rights, social justice, anti-discrimination or activism.
On 1 April, a coalition of 51 human rights, digital rights and social justice organisations sent a letter to European Commissioner for Justice, Didier Reynders, calling on the Commissioner to prohibit uses of biometrics that enable mass surveillance or other dangerous and harmful uses of AI. The letter comes ahead of the long-awaited proposal for new EU laws on artificial intelligence.
You often hear:
“Facial recognition of whole populations? But that’s just in China. We’re democratic in the EU. It’ll never happen to us.”
Unfortunately, it is already happening. Read below a summary of the extensive evidence we’ve compiled, documenting the rapid spread of biometric mass surveillance in EU countries. The (only) good thing? We can still stop it.
By ReclaimYourFace campaign lead organisation Chaos Computer Club (CCC)
Originally published by noyb here.
In January 2020, two days after the New York Times revealed the existence of the face search engine Clearview AI, Matthias Marx, a member of the Chaos Computer Club (an EDRi member), sent a data subject access request to Clearview AI. He was surprised to learn that the company was processing his biometric data and lodged a complaint to the Hamburg data protection authority (DPA). As a result, the Hamburg DPA has now deemed Clearview AI’s biometric photo database illegal in the EU.
Chronological Review
In order to facilitate the data subject access request, Matthias shared a photo of his face. To confirm Matthias’ identity to guard against fraudulent access requests, Clearview AI additionally requested a government issued ID. Although Matthias ignored the request, Clearview AI sent him search results based on the photo he provided and confirmed deletion of the search photo in February 2020.
Matthias then electronically submitted a complaint to the Hamburg DPA that Clearview AI was processing his biometric data without consent. The DPA first rejected the complaint, arguing that the GDPR is not applicable. After further submissions, the DPA then eventually launched preliminary investigations. At the same time, noyb offered their support.
In May 2020, Clearview AI sent another, unsolicited, response to Matthias’ request and included new search results. Apparently, Clearview AI had not deleted the search photo as promised. While Clearview AI’s first answer only showed two photos of Matthias, this time it also contained eight photos of other people.
In August 2020, the Hamburg DPA ordered Clearview AI to answer a set of 17 questions under threat of penalties. Clearview AI replied in September 2020. In January 2021, Hamburg DPA initiated administrative proceedings against Clearview AI.
Background
The decision acknowledges the territorial scope of the GDPR, which is triggered for entities outside the EU if they monitor the behaviour of data subjects in the EU. Clearview AI had argued against the applicability of the GDPR, saying that they do not monitor the behaviour of individuals but provide only a “snapshot of some photos available on the internet”.
The Hamburg DPA discarded this argument for two reasons. For one, Clearview AI’s results include information that stretches over a period of time. For another, Clearview AI’s database links photos with their source and associated data. As such, it records information in a targeted manner – the definition of monitoring. Moreover, the Hamburg DPA noted that the subsequent use of collected personal data for profiling purposes, as happens with Clearview AI’s results, can be seen as a strong indicator for the existence of monitoring.
Taking into account subsequent use is important because it underlines that downstream processing by other entities can, to a certain extent, be used to classify the nature of the upstream processing. In other words, entities cannot fully launder their data processing by handing off the dirty work downstream.
Despite clearly stating that Clearview AI lacked a legal basis for its biometric profile, the Hamburg DPA unfortunately only ordered the deletion of the complainant’s biometric profile – it neither ordered the deletion of the complainant’s photos already collected, nor did it issue an EU-wide ban on Clearview AI’s processing. noyb had submitted arguments on why the Hamburg DPA could issue an EU-wide ban against Clearview.
In conclusion, this decision is only a first step. Further litigation is necessary. While Europeans now have precedent to rely on, we need decisions that also declare the harvesting of photos for totally incompatible purposes to their initial publication illegal.
By Reclaim Your Face campaign lead organisation Hermes Center
Originally published in Italian here.
The Reclaim Your Face campaign has been investigating and exposing abusive and rights-violating uses of facial recognition tech, and other biometric mass surveillance, since its launch last year. In the latest in a long line of examples that show that these inherently discriminatory technologies are being used to further exclude some of society’s most marginalised people, Hermes Center explain how the Italian Police are deploying dehumanising biometric systems against people at Italy’s borders. Now, more than ever, we need to call for a ban on these biometric mass surveillance practices. The Reclaim Your Face campaign’s major EU petition (European Citizens’ Initiative), launching on 17th February, will gives us the legal means to demand just that.
The introduction of facial recognition systems in Italy continues to show the same symptoms that we denounce in the Reclaim Your Face campaign: lack of transparency, absolute disregard for the respect of human rights and inability to admit that some uses of this technology are too dangerous.
The latest episode concerns the Automatic Image Recognition System (SARI), initially acquired by the Italian police in 2017 and now, as revealed in an investigation by IrpiMedia, at the center of a new public tender with the aim of upgrading the system and employing it to monitor arrivals of migrants and asylum seekers on the Italian coasts and related activities.
“In order to do so, the Ministry of Interior has used two strategies: taking advantage of the European Internal Security Funds and, as shown by some documents obtained by IrpiMedia thanks to a FOIA request, ignoring the questions of the Italian Data Protection Authority (DPA) that has been waiting for two years to close an investigation on the facial recognition system that the police wants to use,” reads the article.
In our Reclaim Your Face requests, we ask the Ministry of the Interior to publish all the evaluations of the algorithms used, the numbers on the use of the system, and all the data on the type of faces in the database used by SARI.
This information is fundamental in order to understand the effects of the algorithms that act on a database that is already strongly unbalanced and discriminatory: as revealed almost two years ago by Wired Italia, 8 out of 10 people in SARI’s database are foreigners. It is not clear how many of these are migrants and asylum seekers.
The biometric and digital identity processing of migrants and refugees in Italy has been studied in a Data&Society report carried out in 2019 by researcher Mark Latonero in partnership with Reclaim Your Face partner CILD, an Italian NGO. The field analysis uncovered an entire ecosystem composed of NGOs, government, researchers, media, and the private sector that collects, analyses, and manages digital information about migrants and refugees to provide them with support, regulate them, and study their behaviors. Collecting this data can lead to varying degrees of discrimination due to existing biases related to the vulnerability of migrants and refugees. Mindful of this study, we imagine how pervasive and unprotected a facial recognition system adopted on precisely one specific category of people could be. An additional level of scrutiny that we do not want to be normalised and become part of the daily lives of us all.
While requests on transparency of the algorithm and the database are not met and even the DPA is still waiting for an impact assessment of the system, the Ministry is also exploiting European money from the Internal Security Fund.
IrpiMedia details the subject of the contract as follows: “The budget allocated for the enhancement of the system is 246000€ and the enhancement includes the purchase of a license for a facial recognition software owned by Neurotechnology, one of the best known manufacturers in the world, able to process the video stream from at least two cameras and the management of a watch-list that includes up to 10 thousand subjects. In addition, the hardware and software configuration must be of small dimensions, to be inserted in a backpack and allow to carry out ‘strategic installations in places that are difficult to access with the equipment provided,’ reads the technical specs of the public tender of the Ministry of Interior.”
Biometric surveillance dehumanises us into lifeless bits of data, depriving us of our autonomy and the ability to express who we are. This is even more dangerous when applied to people who reach our countries escaping from violence, economic disasters, and environmental catastrophes. Meeting human beings with biometric surveillance technologies destroys our humanity.
The story is shocking, but it is not inevitable. Brutal technologies that amplify already persecurtory anti-migration strategies are the latest tool that show the extent of these structural problems. Banning biometric mass surveillance means not only stopping the use of such tools, but addressing the underlying inequalities and discrimination of our societies. You can support Reclaim Your Face’s campaign against discriminatory and intrusive biometric mass surveillance.
By RYF leads Homo Digitalis and Bits of Freedom
On 23 November, Dutch broadcasting station BNR did a morning show on facial recognition in publicly-accessible areas. In the Netherlands, these so called ‘smart’ cameras are used more and more in supermarkets, companies and football stadiums. In the 2-hour radio show, Lotte Houwing from Bits of Freedom put forward the case for a ban and more effective enforcement against biometric surveillance technologies in publicly-accessible spaces.
Later in the show the vice-president of the Dutch data protection authority (DPA), the Autoriteit Persoonsgegevens, was interviewed. She explained that the increase in the use of facial recognition technologies in the Netherlands is because of the abuse of the legal ground of “substantial public interest”. The explanatory memorandum which accompanies Dutch privacy laws gives the example of the security of a nuclear power plant as a possible justification for the use of such technologies. This means that you cannot use these technologies against petty thieves.
The Dutch DPA thinks that part of the problem of these harmful deployments is caused by misunderstanding and lack of knowledge about what is a legitimate use of facial recognition and other biometric surveillance technology. To tackle illegitimate uses, the DPA has now sent directed guidelines to explain the law to the different industry associations that have been the biggest users of this invasive technology. So far, there has not been a direct promise regarding enforcement measures against illegitimate deployments to follow this phase of targeted information. However, the vice-president was very clear about the DPA’s perspective on biometric surveillance in public space: “It is as if somebody is following you around with a camera and a notebook throughout the whole day. That’s a surveillance society we do not want.”
We embrace these statements of the DPA and encourage them to take concrete action for our fundamental rights and freedoms in publicly-accessible spaces. Reclaim Your Face and BanThisBS!
In Greece, the work of EDRi member Homo Digitalis has started to bear fruit. In June 2020 the Greek watchdog submitted two strategic complaints before the Hellenic DPA against a centralised biometric database of the Hellenic Police. The database contains fingerprints and facial images of all Greek passport holders. However, based on the EU laws on passports (namely, Regulation 2252/2004 & Regulation 444/2009) as well as the set case-law of the Court of Justice of EU (for example, the Willems case and the Schwarz case), biometric data shall be stored in the storage medium of the passport itself – the document we carry in our pockets and bags. More precisely, the EU laws neither prohibit nor allow for national central databases of biometric data to exist at Member State’s level. So, the EU countries that are interested in establishing such biometric databases must take their own legislative initiatives on this matter.
However, as Homo Digitalis claims, this is not the case for Greece. Specifically, there is no Greek law in place providing in detail all the necessary safeguards about this centralised database, such as its functions, the rules for the related data processing activities, as well as the security and organisational measures that shall be in place. It is crucial to remember that based on EU law -Article 10 of the Law Enforcement Directive – processing of biometric data is allowed where it is strictly necessary, subject to appropriate safeguards, and authorised by the European Union or Member States law. So, the lack of such national legislation clearly violates European data protection laws.
In August 2020, the Hellenic DPA launched an official investigation regarding this centralised database following Homo Digitalis’ complaints. But, the positive news from Greece does not stop here! Do you remember the actions of Homo Digitalis in March 2020, described in a previous EDRi-gram, against a smart-policing contract of the Hellenic Police? It related to smart devices enabling facial recognition and automated fingerprint identification during police stops. In August 2020 the Hellenic DPA started an official investigation regarding this complaint, as well! Stay tuned for related developments and closely follow the ReclaimYourFace campaign for more.
