Russian imageboards found VK profiles of quite a few porn actresses and prostitutes using findface.ru. Of course, they immediately started harassing them and sending messages to everyone in their friends list.
However, ethics aside, the cat is out of the bag. People can shame the guy into deleting the data, but computing power will only get cheaper and data matching faster. Sooner or later someone will do this again and launch a Tor site with an up-to-date database. We have to adjust to the idea that if you have a social media profile, any public images of you will lead people to it sooner or later. And with every passing year, it will be sooner rather than later.
Yes, but that shouldn't prevent society from also making this particular use of the tech very costly. It should be treated like carrying a concealed weapon: you need a permit, or you get jail time.
The permit shouldn't be hard to get, as long as you can justify a professional or research need.
But letting this go means creating a society I don't want to live in. Living my anonymous life, I already hate it when some stranger takes my photo without asking. It happens more and more.
On the other hand, people filming the police get into more and more trouble.
If you are already a criminal, you aren't worried about the lack of a permit that much. Especially when you are a cybercriminal separated from your server by multiple cryptocurrency tumblers.
Forward intelligence teams already record the faces of people taking part in peaceful and legal protests. You can bet your ass they cross-ref the feed with their LinkedIn and Facebook data dumps. The same tech is now becoming available to everyone.
The USA can prevent its people from putting an M2 on their truck. Mexico can't (in some states). Syria can't (almost anywhere). The internet is closer to Mexico than the US.
This is something so many people do not seem to understand: if you ban something, you only prevent law-abiding citizens from using it; it won't stop the law-breakers who were going to use it regardless of what the law says. There are people who DDoS video game servers in the US so as not to lose the game, even though it's a felony.
I think these things could probably even be prevented completely if people acted more consciously. It starts with DNS providers and hosting companies, who should be aware of what people are doing with their services and shut them down if what they're doing isn't ethical.
Telcos and especially CDNs should probably do the same. I'm not talking about any packet inspection, but sometimes it's obvious what people are up to.
Basically everybody in society can do something against this by not looking away. Also, I think more diversity in tech would have prevented a lot of malicious uses.
That could be dangerous, though, as social mores change and the things which are "ethically good" become different. I'm already not a big fan of "deplatforming", and this seems like basically the same thing.
How is this possibly enforceable though? The software is already out there and available. In countries that restrict guns, it's often quite hard to get one outside the legal channels (if there are any), so enforcement is pretty effective. But for something you can just download??
Not just download it, but write it yourself in a short time. The code could be shared, and I’d guess you could build a decent system to do this in a few hundred lines (a rough sketch of the core follows below).
It’s a ridiculous proposition to restrict software access, akin to making it illegal to write on paper.
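To make the "few hundred lines" claim concrete, here is a minimal sketch of what I mean by the matching core. It assumes the open-source face_recognition Python library; the folder names are made up, and this is obviously not the tool from the article, just an illustration of how small the core is.

    # Minimal face-matching sketch. Assumes `pip install face_recognition` and that
    # the folders below contain only image files; everything here is illustrative.
    import os
    import face_recognition

    def index_folder(folder):
        """Compute one face encoding per image in a folder of reference photos."""
        index = {}
        for name in os.listdir(folder):
            image = face_recognition.load_image_file(os.path.join(folder, name))
            encodings = face_recognition.face_encodings(image)
            if encodings:                      # skip images where no face was found
                index[name] = encodings[0]
        return index

    def match(query_path, index, tolerance=0.6):
        """Return reference filenames whose face is within `tolerance` of the query."""
        image = face_recognition.load_image_file(query_path)
        encodings = face_recognition.face_encodings(image)
        if not encodings:
            return []
        names = list(index)
        hits = face_recognition.compare_faces(
            [index[n] for n in names], encodings[0], tolerance=tolerance)
        return [n for n, hit in zip(names, hits) if hit]

    if __name__ == "__main__":
        known = index_folder("reference")            # hypothetical folder of known faces
        print(match("queries/unknown.jpg", known))   # hypothetical query photo

The crawling, storage, and scale are the hard parts of a real system; the comparison itself is a few dozen lines, which is why restricting access to the software seems unenforceable.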
The two aren't the same thing at all. It's legal to own guns, but illegal to shoot someone with one. It's legal to write software that opens network connections, but illegal to use said software against a target on the Internet that doesn't want said traffic.
Similarly, it's legal to write or download a neural network that is programmed for facial recognition. Same for a basic crawler bot.
The same story about the FindFace project was big news in Russia several years ago. They scraped the whole of vk.com (a Russian Facebook copycat with almost the entire Russian population on it) and applied some very fine ML to find a person by his/her face.
2ch (a Russian 4chan analogue) users identified girls from porn and harassed them, outing them to their families and friends using this service.
Later the company discontinued this service and now sells the technology to the Russian government to monitor CCTV footage from the Moscow subway.
VK kind of fixed the data-scraping issue (not sure if they actually changed much).
Usually Russia copies everything from the West; it's interesting to see Western news follow the Russian lead after a few years. Not saying I am proud of mother Russia in this case, just an observation.
It's things like this that make me think all engineers need more training on the social consequences of the tools they build.
This is an extreme case and I hope most engineers would look at this and understand how awful & damaging it could be; but given our influence on the world nowadays (as a class, if not always as individuals) we really need to be much more aware of what we're doing and how it affects people.
The problem is that engineers are not always the ones in charge of the entire end result. If you want to do something unethical you can just split it up into harmless individual tasks and give it to a dozen engineers and then put it all together. It’s obfuscation.
Some of the greatest atrocities we will see in tech (and we will see them) in the coming century will be the result of combining things created with good intentions.
An engineer can quit if the project is unethical. Just 'enduring' is harmful to yourself, and others. Don't be a coward, at least stand up for your values.
>> An engineer can quit if the project is unethical.
Is creating face recognition software unethical? Your answer is not really important, just the fact that different people will classify this differently. I thought it was creepy as f* when Facebook started wanting to automatically tag people in photos. But if that's all the tech was for, it may well be ethical, if creepy to some. And yet, face recognition is really all that was used in this case - matching up porn images with social media ones.
A while ago I suggested that engineers could have an ethics code just like lawyers or doctors, and the opinion wasn’t very popular (although with no explicitly stated reason). I still don’t see a reason not to have one. If your company is selling your code and software to abusive states and it’s used to persecute journalists (for example), continuing to do that work there is no different from any unethical work by a doctor or lawyer. And software developers have a huge impact on our lives these days with their work. It’s reasonable to hold them to higher standards than in the past.
Problem with that is anyone with a little python-fu can hack together something like this without being an "engineer". I could probably do it using "ethical" FLOSS code and I'm pretty far from being employed in the industry. Hell, if I did do something like this and someone complained to my company they'd probably promote me since our IT dept is iffy on the best of days.
Sure, the “home-made” option is hard to regulate in any field. You also can’t stop people from using home remedies no matter how unethical they are. So you can take it and use it with little recourse.
But I was thinking more at FAANG for example. They could be required to hire “certified ethical” engineers at least on sensitive projects at first. This means that even if the code is out there no coder would implement it in the company’s solution without risking losing the “certification” and the job. Anyone working for the Hacking Team (those guys selling exploits to oppressive governments) should be more or less unhireable especially if all code in a company’s portfolio should be traceable to a specific engineer.
The principle is already in place for other fields. Journalism being the closest probably. It could be made more effective if needed. It’s obvious that something is needed in this direction.
I agree with that sentiment a lot, but that's also easier said than done when one has a family, a mortgage, etc. Standing up for principles might not seem worth it when it could mean losing a home and potentially screwing up one's family, especially since, if one quits, there are hordes of young sociopathic engineers who will continue the "disrupting" without you.
That said, a lot of engineers actually are in the position to make demands. The chances of getting fired for saying "I'm not going to do that because it's wrong" are probably very low. Most managers would rather not feel bad, and hiring someone new is usually touted as being a pain in the ass.
But doesn’t this apply to a doctor or lawyer who also have an ethics code to follow? Or basically any other line of work. The difference being that even a single software engineer’s work has a huge impact on society these days. More than any one doctor or lawyer.
There may be some very good reasons that I haven’t thought of not to support this ethics idea. But putting food on the table shouldn’t be it because this one reason applies to any activity that could ever put food on the table, no matter how illegal, immoral, etc.
You do realize that morality and ethics can be drastically different from yours, and what you are proposing really amounts to "let's civilize those savages" ?
What if a convenience store had security video of a clerk being shot and killed? Nobody recognizes the suspect's face in the video, so they want to use this tool to bring the killer to justice. Is that legal? Is it GDPR-compliant? Clearly, the killer is not consenting.
Another scenario: a neo-Nazi protest rally occurs, and counter-protesters use this tool to determine who the Nazis are, in order to publicly shame them. Is this OK? Again, the Nazis have not consented to the use of their images to shame or "out" them.
You could go on and on... a vigilant neighbor filming a "porch pirate" stealing packages... someone filming people leaving a gay bar, an abortion clinic, a "massage parlor". Someone constantly running red lights. Who decides what is shaming vs what is "protecting people"?
I agree, but I don’t think education will end up solving the problem. Somewhere out there, there is a sociopathic engineer that will make antisocial choices anyway. Software is so easy to copy that it proliferates too easily.
If a mechanical engineer creates some evil weapon, say a gun that shoots frozen mercury slugs (just to make up a ridiculous example), we don’t really have to worry about the proliferation of cryogenic weapons. When a software engineer pushes some questionable program’s source to GitHub, it’s game over.
The bigger problem is not the correct matches but the wrong ones, especially if the faces are very similar. This should affect far more people than just ex-porn actresses.
While false-positives are definitely a problem, why do you think they are a bigger problem? Do you feel the participants in pornography are "fair game" but the others are innocent? In some ways, the current level of inaccuracy could be considered an advantage, because it makes it more likely that there will be resistance. A 100% accurate system strikes me as more dangerous, as it's less likely for politicians or lawmakers to stand up for the victims.
Despite agreeing with your latter points, there's a reason why shrapnel damage is comparably serious.
Although most people who did some porn are most likely not professionals, most porn (by volume) is done by people who might even consider your finding it part of their CV. So going by sheer numbers alone, there might be many more cases of false positives. Now, even if it becomes terribly obvious how inaccurate it is, I don't think that matters much when it comes to weaponising it, because people are easily fooled or don't care. As long as you can find a vid of a girl that looks just like Clara from accounting, you can spread it as a false rumor. Or not even claim it's her; it's just as embarrassing. And that's even assuming you could tell them apart, because the seed of doubt extends the problem to people who didn't even do porn.
For comparison think of deepfakes. Everybody knows it's not actually Emma Watson, but I bet she isn't particularly happy about it.
If the videos are published and the social media profiles are public, how can it be illegal to match the two? Presumably, if they show their face, they already accept the risk of being recognized, unless the video was published illegally.
That said, why would someone, once a person was identified, go about harassing them and telling all their friends they do porn? Who does that?
The internet has enabled some people to deploy complex systems into New York datacenters from a beach in Thailand in a matter of seconds.
Unfortunately, it's also enabled a selection of less socially aware and/or socially responsible people to bypass the natural limits and filters that society had in place, to effectively cause suffering on a fairly broad scale.
Harassing somebody on the other side of the world from the safe anonymity of your bedroom was once logistically very difficult, as was reaching significant numbers of people with a wildly malicious idea if you couldn't first find people in your immediate (physical) social circle and community to vouch for you/it.
Now, we have entire online communities which have embraced this new normal and provided these folk with the tools and an audience.
My guess is there are many who did porn when they were younger (and foolish?) but have since moved on with life and might want to forget that episode of their life. So having it resurface 10 years later would be very uncomfortable.
Setting aside the stupid issue of actresses being harassed by likely teenagers, doesn't a husband-to-be have a right to know about the past of his fiancée? Does the moral right not to be outed outweigh the moral right not to be deceived in a very important matter? Where is the line?
If people were honest with each other all the time, we wouldn't need laws. Let's be generous and assume your question is just naive - could you ever envision a situation where an innocent husband-to-be (e.g. a nice, do-no-harm person with reasonable means) is taken advantage of by a clever woman (with what is perceived as a shady past in the given era) for her own material benefit? Do you think this never happens (hint: literature is full of such situations, and I'd recommend you investigate common causes of suicide)? Doesn't the husband-to-be have a justified interest in protecting his life, reputation, and possessions from the baggage the unvetted fiancée brings? Do you think the fiancée wouldn't lie as much as possible in order to protect her planned future?
If you truly are just naive, please think about the points I mentioned; if not, there is no point to discuss, as your mind is set in stone anyway.
You literally said "everyone". If your best friend knows, and your Mom knows, and your neighbor knows, and your dog knows, and your boss knows, but you don't? Then you're either a fool or no one likes you.
but note: the "you" in that sentence isn't you. I'm not saying you are a fool. Then why did you say I was? "let's be generous and assume the question is just naive"
Again, you've never established a right. And there is also this horrible assumption or belief that once doing porn forever marks or stains you. Well, certainly some people believe that. But I do not, and I challenge it.
I'm not sure I understand the GDPR argument here. Is collecting the facial information from actors and actresses in porn movies illegal? Or was it the access of their social media accounts? Why is the tallying of what is publicly consumable a violation of GDPR?
The doctrine of public view meaning there are no rights to be enforced is not internationally recognised. Google even gave up on Street View in Germany, despite public streets being public.
There are good logical and moral reasons, IMO, why the doctrine is unsound. For example: individual photos are qualitatively different to movies, even though movies are made up of individual photos; the fixed interval conveys speed, which individual photos are quite poor at. Similarly, pervasive photography is different to individual photography: instead of an incident at a single location, someone's whole day may be mapped out, and who they're talking to, etc.
In other words, reasoning about privacy is not transitive or scale invariant. You can't say that the end result is ok or moral based on its component parts. Composition changes the thing qualitatively.
In France, we have something called "droit à l'image". It means that you can't appear in a picture without your authorization, with a few exceptions.
If you give an authorization, it has to be for a specific purpose and not generalized. So just because you gave an authorization to appear in a movie doesn’t mean you gave an authorization for other purposes, such as face matching. Same thing for social media.
There are also copyright issues. In France, you always own the copyright (droit d'auteur); you may transfer the exploitation rights, but the work is still yours. It means you still retain some level of control, in particular regarding decency.
France is just one European country but that's to show that there are limits to what you can do, even with publicly available data.
How does this work when tourists are taking photographs? For example at the Eiffel Tower where it's almost impossible to take a photo without people being in the shot.
What if your image has been cached by a CDN outside of France, and then downloaded and matched by someone who never interfaced with a French IP? Who is at fault here?
IANAL but I don't think CDNs and IPs matter here. The question would be more along the lines of "was the picture taken in France" or "has the matching been done in France or by a company that has a presence in France".
And unless everything happens in France, it would be a huge mess and I don't think anything can be done. GDPR is an attempt to harmonize the rules of different countries and make them enforceable internationally.
I don't know how it is done in other European countries but rules regarding personal data and authorship tend to be stronger than in the US, and freedom of speech is more controlled (ex: hate speech, libel, ...).
I think this is a good question, and I’d like to know too, in specifics, not just “well, there’s personal data involved.” I’ve seen a lot of misunderstanding about GDPR and I’ve read parts of the legal code myself, and while it is clear why this software was a bad idea and how awful it might be for the actors, it’s not immediately clear exactly how this violates that law.
One thought perhaps is that the porn movies, even if it’s public information with consent, often do not identify the actors. The problem may be in connecting “anonymous” public information from one source with personally identifying public information from another source. But, this seems doubly problematic since all the information may be public with consent and since someone’s face might reasonably be considered identifying information. Does GDPR make it illegal to connect any personal data even when from public sources that all have consent?
GDPR deals with processing of personal data, not just collection or canonical records of it. If personal data passes through a system, it’s probably covered by GDPR.
What are the GDPR repercussions for an open source project that does not make money, has no ties to an organization, holds only code, and handles no data?
I'm more focusing on this section of the article where the legal source says 2 interesting things:
"just collecting the data is illegal if the women didn’t consent, according to Börge Seeger, a data protection expert and partner at German law firm Neuwerk. These laws apply to any information from EU residents, so they would have held even if the programmer weren’t living in the EU."
#1 the programmer is implicated (it's possible this is in the context of "the programmer" also being "user in Europe")
#2 even if they weren't living in the EU
#2 is the particularly interesting one and also opens up the general question of "what happens if <external group> collects data but does not handle monetary transactions in Europe or deal with money abroad". GDPR is very much written around how to wrangle companies in financially; what if it's not a company?
Not sure how this relates to GDPR - the arguments are nonsensical. People tend to lump everything under GDPR now like it's some form of god's commandment. If I simply sit in a cafe watching someone continuously near me, I am collecting data, and nobody can do anything about it.
When you leave your home, your privacy is gone.
When you make anything public, your privacy is gone. I'm not sure anything is ethically wrong with the software's existence; the problem seems to be data usage, just as if somebody found out his neighbor's wife is in porn and went on Twitter and said it publicly with a few pictures as proof, and people do that.
It's naive to think that this thing can/will go away; if anything, because of this news alone, who knows how many more random programmers are retrying this (or even making business plans) at this very moment.
This has everything to do with the GDPR, because the GDPR outlines the conditions you need to meet to process data; simply put, actually gathering the data and using this tool is not legal within the EU.
>If I simply sit in the cafe watching someone continuously near me, I am collecting data, and nobody can do anything about it.
But the tool is doing more than that as it's also using data gathered from crawling social media profiles and then matching people, you cannot do this without specific consent under the GDPR.
>When you leave your home, your privacy is gone.
>When you make anything public your privacy is gone.
GDPR provides controls on privacy; it does not say you are guaranteed privacy in every situation, but if somebody misuses your data in a way that violates your privacy, you have rights to correct this misuse, e.g., the right to opt out and the right to erasure of data among others.
> the right to opt out and the right to erasure of data among others.
The algorithm doesn't have to collect any data on you besides your image, which is not considered private data given that you need to carry one. It can take a single image and compare it to the porn collection without storing any results anywhere, just returning 'XXX was a porn star in YYY'.
The tool can also create an opt-out mechanism, which would have to be pretty complex, as putting ZZZ on a name blacklist isn't an appropriate solution given that many people share that name.
> But the tool is doing more than that as it's also using data gathered from crawling social media profiles and then matching people, you cannot do this without specific consent under
Implementation detail. This can be totally avoided: the tool can accept a picture and return the result.
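As a rough sketch of that picture-in, result-out variant (again assuming the hypothetical face_recognition-based setup sketched earlier in the thread, with encodings and labels precomputed), the query side can be completely stateless:

    # Stateless query sketch: compare one uploaded picture against precomputed
    # encodings and return only a label; the query image is never written anywhere.
    import face_recognition

    def lookup(query_path, known_encodings, known_labels, tolerance=0.6):
        """Return the best-matching label for the face in `query_path`, or None."""
        if len(known_encodings) == 0:
            return None
        image = face_recognition.load_image_file(query_path)
        encodings = face_recognition.face_encodings(image)
        if not encodings:
            return None
        distances = face_recognition.face_distance(known_encodings, encodings[0])
        best = int(distances.argmin())
        return known_labels[best] if distances[best] <= tolerance else None

Whether this makes it acceptable under the GDPR is a separate question, but this is the data flow I have in mind.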
>The algorithm doesn't have to collect any data on you besides your image, which is not considered private data given that you need to carry one.
The GDPR doesn't care about 'private' data (for the most part) as it only cares about personal data, and faces absolutely are considered personal data under article 4 point 14. Faces are even in a special category of data which you are prohibited from processing at all unless some conditions are met, although article 9 point 2e allows processing such data if they have been 'manifestly made public'. The GDPR doesn't define what 'manifestly made public' means but the Scottish Parliament[0] suggests that it could mean images purposely uploaded to social media and made public, but note that just because you are not prohibited from processing such images does not mean you have a lawful basis for processing that data in the first place.
>It can take a single image and compare it to the porn collection without storing any results anywhere, just returning 'XXX was a porn star in YYY'.
>Implementation detail. This can be totally avoided: the tool can accept a picture and return the result.
This is an implementation detail that I had not considered. The original tool and article talk about crawling both porn sites and social media, and both are fraught with legal issues: not every video or image on porn sites is going to be legal in the first place (revenge porn, stolen images), never mind the copyright issues involved, and crawling social media for this information is simply not acceptable under the GDPR.
>The tool can also create an opt-out mechanism
Such a tool would almost certainly need to be opt-in for the data subject; article 6 makes this clear, you need specific consent from the data subject or some other condition which isn't applicable here. The best-case scenario if you want to operate such a tool in Europe is that you argue (in court, mind) that you have a legitimate interest to run such a tool which does not override the fundamental rights and freedoms of the data subject, which does not seem like it would go in your favour at all.
Consider, however, the variant I proposed (picture in, result out). Would that be penalized under the GDPR if the photo is already public and not used for personal identification?
Perhaps it could be said that any algorithm that makes a person identifiable is problematic. However, a random photo of you doesn't identify you, AFAIK, and porn star names are also made up, so you are connecting two non-identifying things, and the end result must also be non-identifying?
>Consider, however, the variant I proposed (picture in, result out). Would that be penalized under the GDPR if the photo is already public and not used for personal identification?
>However, a random photo of you doesn't identify you, AFAIK, and porn star names are also made up, so you are connecting two non-identifying things, and the end result must also be non-identifying?
I'd say this would still be against the GDPR. The porn image (assuming a professional production and not revenge porn/stolen images) and an image from social media would both be public images of course, but under the GDPR you still need a lawful basis for processing data as defined by article 6 [0], one such basis for this is that the data subject concerned (i.e., the person in the photo being uploaded) gives specific consent for this purpose. The only way I can see such a site being legal is if you're providing a service to allow people to upload their own images to see if porn of them is being uploaded without consent, however you would need to ensure that the person in the image is the one consenting to that use as you would be liable if other people were uploading those images. It may also be legal to run such a tool for purely personal reasons as the GDPR does not apply to personal activities [1], but it would be illegal to make this available to other people and you would still have other legal issues with such a tool (like copyright).
This is a bit of a vague question, but most importantly the GDPR doesn't make a distinction between public/private data except in some niche contexts, the GDPR is more concerned about personal data which can be anything that can identify a natural person, e.g., names, email addresses, location data, IP addresses (in some circumstances, not all), etc. The GDPR mainly concerns processors and controllers of data where a processor or processing of data can include collecting that data, so in this context can mean third parties to a website, for example a company crawling social media for instance would have to follow the GDPR and have a lawful basis for collecting (processing) that data.
The GDPR also generally applies to everybody (within the EU or serving EU customers) except 'a natural person in the course of a purely personal or household activity', it's important to note that non-profits still have to comply with the GDPR. Generally there's a lot of legal ways to process data as a legitimate business, the law is mostly concerned with giving individuals a means to opt out or to give them some rights with regards to their data, like the 'right to be forgotten' or the right to access the data a company may have on them.
* Photos of a person are personal data, particularly those scraped from social networks. This is pretty much the whole point of GDPR.
* Screwing up someone's life, as it is extensively described in the article, fits well into the definition of "vital interest".
I find it quite baffling how someone posting on HN is oblivious to the link between GDPR and the need to punish those who abuse data collected from social networks against the wishes and best interests of the users to screw up their lives.
We are talking here about the law, not about ideal world to live in.
The question is whether a photograph is personal data according to GDPR. Here is what I found [1]:
Under GDPR Article 9, biometric data is among the special categories of personal data that is prohibited from being processed at all unless certain exceptional circumstances apply, and the definition of biometric data specifically refers to "facial images".
Any images collected, whether via photos or videos, will only constitute biometric data if “specific technical means” are used to uniquely identify or authenticate an individual.
GDPR makes an important distinction between facial-recognition data and photographs. Recital 51 of the GDPR states the distinction as follows:
The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person.
Why should pornography actors not bear responsibility for what they do? I don’t agree with the part where people who 1) put their faces in pornography and 2) put their faces on social media should not expect the two things to be correlated. Especially since the technology has already existed for some time and it cannot be stopped. Are we looking for regulation here? Is that exactly what we want, going back to cryptography export laws?
You're in a relationship with someone you trust. It's enough trust that you one day let them (or maybe even ask them to) photograph or film you having sex with them (or even just nude photographs, the level of explicitness really doesn't matter.) Days, months, even years later, things end badly.
Your ex posts the photos/videos of you on Pornhub, or 4chan, or anywhere.
Someone uses facial recognition to match the photos to your social media profiles. And then you get doxxed, outed, and the photos are shared with all your friends and family.
A) Are you a "pornography actor" in this scenario, or someone who trusted the wrong person? Is everyone who has ever had nude photos or videos taken of them a "pornography actor"?
B) Just because something is technically possible, does that mean it should be legal? Do the ethics of the thing ever come into play?
C) Do you believe that laws/regulations are only effective if they prevent someone from doing something, and not effective if they only punish after the fact? Are deterrent laws useless?
How is the right to privacy being violated though?
Imagine you were a stripper or porn actress; your right to privacy wouldn't preclude someone recognizing you at the strip club or in a video.
Or suppose you went to the strip club or watched a video and then also happened to be on Facebook and saw the profile of someone you saw stripping at a strip club or in the video, matching the face and name in your head.
How is the slow case different fundamentally from the case where programming is used and throughput and speed is much higher and faster?
I mean would it be illegal for someone to just start going through Facebook profiles by hand trying to find an actress they just saw?
The right to privacy is violated if someone who wanted to stay anonymous is defamed. Doing searches automatically is also very different from doing it manually. But even if it's done manually, defaming someone still goes against their right to privacy.
What if we're not talking about strippers or porn actresses. What if we're talking about some random person who let a partner take photos/videos of them, in confidence and in private?
In my opinion, if you let your partner do that, you deserve it. If you do that and are later surprised when such a situation happens, you are literally an idiot who doesn't know what age you live in.
So, understand what your fetish means and how it can backfire. Any age will have its own problems like that.