As online facial recognition search engines become more pervasive and accurate, a biometric security firm has raised privacy questions about their use at a Sydney fun run.
Blair Crawford, chief executive of Sydney-based firm Daltrey, was shocked to find photos of himself from this year’s City2Surf had been catalogued through German-based photo provider Sportograf.
The company is run by two athletes, Tom Janas and Guido Holz, and uses facial recognition technology as a means to help participants track down shots from events.
While Sportograf initially allowed City2Surf participants to search for themselves – or, potentially others – through uploaded “selfies”, it switched to photos via webcam only more than a week after the event was held in Sydney on August 14.
The change followed a months-long IT development process. City2Surf participants have to include their registered email address as a verification test.
But what struck Mr Crawford was how the facial recognition technology was “passively integrated” into the run, without participants necessarily realising it.
He argues it’s a “slippery slope”.
“The scope has to be explicit and clear for what the data will be used for … (and there needs to be the) ability to then deploy the appropriate cybersecurity controls around that data,” Mr Crawford told AAP.
Biometric data collected by Sportograf is anonymous and unable to be attributed to individuals, its co-founders told AAP.
It takes data protection seriously and will later this year introduce full two-factor authentication using encrypted emails, so the company can’t trace them.
The authentication will also apply to events where participants search for their photos via their bib numbers, where – in some cases – users can currently search for someone else’s.
Participants generally give consent for Sportograf to use their data through an event’s terms and conditions, but they can opt out if they want their data to be deleted, the co-founders said.
The City2Surf event has so far prompted two such requests.
City2Surf organisers said it was the first year Sportograf has been the event’s photo provider and they will be looking further into issues around participants’ privacy.
“We have high standards in this regard, and work with all providers associated with the event to also meet these standards,” a City2Surf spokesperson said.
About 20 Australian sports events use Sportograf each year.
However, University of Melbourne senior cybersecurity lecturer Dr Shaanan Cohney says platforms like Sportograf aren’t the real issue when it comes to facial recognition technology.
While he agrees there’s room for Sportograf to improve, there are other tools that “scrape” the internet for people’s photos using facial recognition.
PimEyes, for example, lets people upload photos to search for internet matches, although under the terms of service users can only search for a picture of themselves.
Clearview AI, which is sold to law enforcement agencies among others globally, allows users to identify who someone is, throwing up photos of them along with links to where images appear.
The Information Commissioner and Privacy Commissioner last year found it breached Australians’ privacy by collecting and disclosing their sensitive information without consent.
“When we’re talking about cyberstalking, if you can get a set of images that span a period of time, then you can find patterns in someone else’s movements,” Dr Cohney said.
“At the same time, PimEyes also does have a legitimate use … people do have a real interest in being able to find (images) of themselves and have them taken down.
“The caveat is that a number of these businesses operate in a kind of a grey area where they’re responsible for both the problem and the solution.”
Online facial recognition has recently become more pervasive and accurate thanks to technological advancements, and tools becoming cheaper and more broadly available, Dr Cohney said.
The information commissioner recommended a broad ban on scraping personal information from online platforms in a submission to the Privacy Act review.
PimEyes and Clearview AI have been contacted for comment.
(Australian Associated Press)