PimEyes: Extorting Data Subject Rights for Profit

PimEyes: Extorting Data Subject Rights for Profit

Recently, Kashmir Hill wrote a damning expose in the NYT on the deeply disturbing facial recognition service PimEyes. From Kash’s piece:

For $29.99 a month, a website called PimEyes offers a potentially dangerous superpower from the world of science fiction: the ability to search for a face, finding obscure photos that would otherwise have been as safe as the proverbial needle in the vast digital haystack of the internet.

Unlike Clearview AI, a similar facial recognition tool available only to law enforcement, PimEyes does not include results from social media sites. The sometimes surprising images that PimEyes surfaced came instead from news articles, wedding photography pages, review sites, blogs and pornography sites. Most of the matches for the dozen journalists’ faces were correct. For the women, the incorrect photos often came from pornography sites, which was unsettling in the suggestion that it could be them. (To be clear, it was not them.)

PimEyes has a very … loose interpretation of consent. Users are technically only supposed to search for their own photos or those of users who have consented to a search, but it’s not checked. Any user can upload a photo of anyone, and find often undiscovered images of that person on the internet. What makes this service so alarming and creepy (in addition to the obvious) is the fact that they are also marketing it as a ‘privacy preserving’ tool — for the not so low fee of €39.95 a month (to start), users can do a fixed number of searches, discover the links where their images are stored online, and seek to get those removed. If they want to do more, or get support in filing deletion and/or DMCA requests, they can pay up to €3,416.70/yr for the privilege.

For users who refuse to pay, or can’t afford €350 EUR a year, all they get is a string of alarming image thumbnails, obfuscated links they can’t select, and a nagging popup to sign up and pay. This is very much reminiscent of the revenge porn sites in the early 2010s — where pornography (usually of women) was uploaded without consent by aggreived boyfriends, exes, or random others, and then the victims extorted: The sites offered victims the ability to take down the images and videos (often only from a single site), or potentially risk being discovered by friends, employers and loved ones. Some sites even threatened to out women who didn’t pay up. That led to numerous states and countries passing various revenge porn laws.

Nothing Says We Care About Your Privacy Like an Ever-Diminishing Privacy Notice

I was incensed, and as many have discovered, an angry Carey is a scary Carey indeed. I spent most of the day digging into PimEyes (formerly PimEyes sp. z.o.o., based in Poland). The site originally started out as a garden-variety ‘stalk celebrites’ site in 2017, before shifting to a privacy-extortion model sometime in the 2020s.

Doing a little archaeology via their evolving Privacy policies, I traced how they shifted into a platform to extort (or as they would say, empower) data subjects to protect their privacy, and how they gradually got dodgier and dodgier in the process. A good chunk of the legal analysis starts here.

After exhausting what I was able to uncover via notices, I decided today’s task would be filing a data subject access request. Now, I do this for a living over at Castlebridge, and we’re currently in the process of putting out an ebook on the subject, so I know the kind of tricks many controllers are likely to employ to avoid being candid about the data they keep.

Moreover, I expect additional levels of chicanery given how PimEyes moved from establishment in the EU to establishment in Belize (home of tax havens and legally-suspect entities). To ensure a degree of success, I figured I needed to be precise, targeted, and put on my legal hat for this one. And so, I prepared quite the DSAR.

For the sake of others curious about what data PimEyes may have about them, I have decided to share the substance of my DSAR request for others to use for their own purposes. Note: It’s keyed to the GDPR, but could be easily tweaked with some legal modification to the various US state laws in California, Colorado, Virginia, Utah, Illinois, etc.)

I used the PimEyes Contact form here: https://pimeyes.com/en/contact-form to submit the request, but I suspect you could also send a message directly to  contact@pimeyes.com, even though they removed that option in 2021 or so.

Consider this my gift to the internet. And yes, I absolutely will follow up with the DPC (unless they specify their Supervisory Authority, and then I’ll go through both), if/when they ignore or fail to fully address my DSAR.

Via con dios.

Carey’s Targeted DSAR Template

To Whom it May Concern:

I am a data subject located in the European Union. [Include Your Country if you like]

Under Article 15, I am making a data subject access request in relation to any photographs, biometric data (including fingerprints of my biometric data or image data), name, address, IP address information, and any other personal data (direct or indirect, including inferred data) you have about me. 

As you are likely not the controller of all of this data, I also wish to have specific details on 

  1. Where personal data relating to me is collected from, including the URLs for all source images (i.e., the controllers of those images); 
  2. The recipients or categories of recipients of my personal data, including images requested about me, if any;
  3. Details on the countries where my personal data is stored, notably, where you store fingerprint and image data, and any sub-processors you use for that purpose (e.g., cloud providers, hosting services, CDNs);
  4. Details on the nature of any onward transfers made outside of the EEA that have occurred, including the legal basis for those transfers, and any supporting documents (e.g., SCCs, BCRs) detailing the suitable safeguards and technical and organizational measures employed to secure those transfers; 
  5. The identity and the contact details of these controllers and, where applicable, of the controllers’ representatives. 

Additionally, to the extent you are the controller of personal data that is about or relates to me, I seek information on: 

  1. The identity and the contact details of your organization, and where applicable, your legal representative in the EEA (if you have one);
  2. The name and contact information of your DPO. I’ll note that at one point, this was listed on your website, and was later removed (https://web.archive.org/web/20200712000343/https://pimeyes.com/en/privacy-policy);
  3. Details on the competent supervisory authority responsible for enforcement against PimEyes (this detail is not included in your most current privacy policy); 
  4. The purposes for using my personal data; 
  5. The lawful basis you are relying on as it relates to processing my personal data, particularly special categories data under Article 9. I’ll note that barring the initial image I uploaded to scan for results, I have not provided any form of consent (much less explicit consent as is required under Article 9), for you to store, process or otherwise use my personal data, and I have not consented to the use of that personal data by third parties, for any development of machine learning algorithms designed to uniquely identify me, nor for the development of any other tools or other uses. Nor is this information considered “public” for any of those purposes;
  6. Whether my consent is being recorded (Article 6 and 9), and if I choose to revoke my consent, the process you will undertake to ensure my data is no longer being processed by you, or any sub-processors you engage with;
  7.  If the basis for processing is legitimate interest (Article 6(1)(f), whether a balancing test has been performed, and any details on that analysis; 
  8. The security measures you employ to protect my personal data (e.g., encryption, pseudonymization, etc.), and more details on the ‘proxy’ mentioned in your most recent privacy policy; 
  9. Your retention policy, details on what constitutes an ‘unidentified entity’, and the rationale on why you store ‘unidentified entities’ photos’ for two years, as stated by your privacy policy: 

“Face images along with the “fingerprint” of face of unregistered Users are stored for 48 hours from the moment the User sends the photo in order to process the search query. Data of unidentified entities is stored for 2 years.

  1. Any criteria describing your rationale for storing data for this length and period; 
  2. Whether any automated decision-making, including profiling, as referred to in Article 22(1) and (4) of the GDPR is undertaken on my personal data, as well as  meaningful information about the logic involved, and the envisaged consequences of such processing;
  3. Any further processing you do with my personal data (e.g., using fingerprint or image data to further develop your AI models, sharing data with authorities, etc,); 

I have attached the image I uploaded to perform the initial search. As you required no additional information to obtain my consent for that search in the first place, you do not need any additional information to ‘verify’ my identity. 

As noted in Article 12 GDPR, “where the controller has reasonable doubts concerning the identity of the natural person making the request … the controller may request the provision of additional information necessary to confirm the identity of the data subject.” However, a controller is not permitted to make requirements for identity a burden that acts as a barrier or undue restriction to the exercise of rights under the GDPR, particularly in cases where identity of the data subject is not really in question. 

I point you to the DPC v Groupon International Limited issued by the Irish Data Protection Commission. In Groupon, the DPC confirmed that requests for identity documentation must be necessary and proportionate and grounded in addressing reasonable doubts about the data subject’s identity. Verification data must also be kept for no longer than is necessary. See: Article 12 GDPR,  DPC v. Groupon International Limited, DPC Final Decision, 16 December 2020 at: https://www.dataprotection.ie/sites/default/files/uploads/2021-02/16.12.2020_Decision_Complaint_GrouponInternationalLimited.pdf.

I await your response to my data subject access request, and expect that absent voluminous records, I will receive a response with my data within thirty days. 

If you have any questions, please feel free to contact me. 

[Your name Here]

Previous post I Filed a DSAR with NoybEU. Here’s Why.
Next post I Think I Have Third Party Transfers Maybe Kinda Sorted?