Don't spy on me

Here's how to fight back against surveillance capitalism, one f*****g facial recognition system at a time.

The one immutable rule I have learned in my 3,297 years of writing about technology is this: There's always a trade-off.

Yes, laptops + Internet allow us to work from anywhere at any time, freeing us from the constraints of working in an office. But they also enable us to work everywhere, all the time. [1]

Yes, smartphones are amazing devices that let us carry our lives and friends in our pockets. But they also suck brain cells and shorten our attention spans.

Yes, biometric devices like facial recognition cameras help locate missing children and catch more criminals. But they also allow the authorities to spy on everyone at once, 24/7/365, obliterating what little privacy we have left.

Last week I wrote about the enormous surge in law enforcement using AI-driven license plate readers to predict who might be engaged in criminal activity. But that's small potatoes compared to the threat of universal facial recognition.

We are on the verge of living in the world predicted by Mr. Orwell in 1948. But we're not there yet. And instead of giving in, it's time to push back.

Your face is the place

Here's the key thing to remember about facial recognition: It needs to know who you are before it knows who you are. In other words, if a CCTV camera using facial recognition captures your face, it can only recognize you if your face is already in its database. Otherwise, you're just another face without a name.

A catchy little tune by Aussie post-punk band Kisschasy. But if they don't stop spinning that camera I'm gonna puke.

If you're in the military, your face has already been inducted into its recognition database. Or your face might be one of the 640 million+ stored by the FBI, which obtained many of its photos from state DMVs.

Unfortunately, if you've ever posted images of yourself to social media, you might also be in, thanks to a company called Clearview AI, which has spent the last few years compiling a database of 30 billion faces scraped from social media. [2]

(I shall now refer to Clearview by a more accurate moniker: Those Evil Motherf*****s.) [3]

My colleague & friend Kashmir Hill wrote a great story for the New York Times a few years back revealing how TEMs hoovered up people's faces off the Internet, running recognition software to generate "face vectors," and then selling it to law enforcement agencies and private businesses.

Source: Forbes/Getty.

Since then, the company has been sued by the ACLU and others, which claimed that TEMs violated the Illinois Biometric Information Privacy Act (BIPA) by not obtaining the permission of the people whose faces it captured. The ACLU won the suit, preventing TEMs from selling its tech within the state, or to private businesses nationally.

That same Illinois law thwarted Facebook's attempt at using facial recognition, costing the company a $650 million settlement, and persuading it to kill off its grand plans to implement the technology retroactively across the social network. BIPA also forced similar (though smaller) settlements with TikTok, Six Flags amusement parks, and Shutterfly, among others.

In other words, privacy laws work. We just need more of them.

Six ways to fight back

The best time to stop posting photos of yourself (or your loved ones) on the Internet was 20 years ago, before Facebook was invented. The second best time is today. But at this point, it's a little hard to stuff the toothpaste back into the tube. Your photos are probably already out there, and once anything touches the Internet it's out of your hands forever. So here are the next best things you can do.

You can opt out. Thanks to state privacy laws, Clearview (aka TEMs) now lets you remove any photos from its database — but only if you are a resident of one of the following states: California, Colorado, Connecticut, Illinois, Virginia. [4] You have to fill out a form and (ironically) upload a photo of yourself, which they pinky swear promise they won't use to identify you later.

You can 'poison' your photos. If the idea of keeping your lovely mug off the Internet is too unbearable to contemplate, the clever folks at the University of Chicago's SAND Lab have an alternative. You can download their free image-cloaking app, Fawkes 1.0, that makes tiny pixel-level changes in your images that humans can't see but completely borks the face recognition software. It takes about a minute per photo. And then you can share them freely, without worrying about TEMs, the Feds, & assorted other snoops.

Can you tell which one of these images is "cloaked"? (Sadly, the technology is completely useless for cloaking my hair.)

You can pretend it's Halloween 24/7/365. There are a number of ways you can thwart facial recognition in real time. One disturbing but effective way is to wear an "adversarial' mask featuring an image of another face [5], which is roughly 30X more effective at fooling the software than a normal mask. A Chicago company called Reflectacles sells reflective and infrared-blocking sunglasses that completely confuse recognition systems. Milan-based designer Cap_able is marketing a line of brightly colored patterned clothing that fools algorithms into thinking you're an animal, not a human.

Fine for strolling through airports, but I wouldn't recommend visiting the zoo. Source: Cap_able.

You can support state privacy legislation. If you still live in a place that isn't determined to turn the clock back to the early 19th century, you may be able to persuade your state legislature to pass a comprehensive digital privacy law. Right now there are nine states with these in place — the five mentioned above, plus Iowa, Indiana, Tennessee, and Montana. [6]

Source: Bloomberg Law.

As the Illinois example shows, this tactic works. Attacking this at the state level is a far easier lift than getting anything done at the federal level, and typically ensures more effective and comprehensive protections, given our dysfunctional and lobbyist-enthralled Congress.

You can apply pressure on companies. All the negative publicity TEMs received after Kash's story went public has made other tech companies a little queasy when it comes to storing people's faces. Google, Meta, Microsoft and others have backed away from their initial plans to broadly deploy face recognition for fear of a public backlash.

You can support groups fighting the good fight. The ACLU and the Electronic Frontier Foundation have led the way in doing battle with the surveillance industrial complex — and sometimes they actually win. The EFF recently persuaded Marin County, California, to give up its automated license plate readers, prompting this unhinged Tweet from former California Assemblyman and current Sacramento County Sheriff Jim Cooper:

When you manage to get assholes like this pissed off at you, you must be doing something right.

How many cameras do you pass by each day on your way to work or the store? Count em, and let me know how many you come up with in the comments below.

[1] If you've ever felt required to answer your boss's 'urgent' email at 11 pm, you know what I mean.

[2] They're shooting for 100 billion, enough to ensure that "almost everyone in the world will be identifiable," per a private company pitch deck obtained by the Washington Post.

[3] Its early investors include Peter Thiel (fascist-loving billionaire) and Charles Johnson (notorious alt-right troll who owns the SF Giants baseball team), whose photos can be found on Wikipedia under the "Evil MoFos" entry.

[4] Or at least claim to be one. I have no idea if they actually check.

UPDATE 27 July: I submitted a request as a citizen of Illinois (which I am not) and it worked. So have at it, people.

[5] Per BiometricUpdate.com: "The pattern used looks a little like the lower half of Cinco de Mayo skull designs, but with bright colors against the skin tone." Probably not the best choice for a job interview or a first date.

[6] I know. I was surprised too.