pogue 9 hours ago

I wish the US took data protections like this as seriously as the EU. Our data is just passed around like a gangbang on a daily basis and the US is just like ¯\_(ツ)_/¯

  • udev4096 6 hours ago

    EU is the same. Maybe slightly better but with the amount of data breaches increasing exponentially, I don't think any amount of "regulations" is going to stop data leaks. The worst thing is, companies are facing lesser and lesser consequences. Look at the recent discord breach, nothing happened after millions of IDs were exposed. They are just blaming it on customer support, who are blaming it back on discord. The only thing we can do is promote E2EE and homomorphic encryption

    • c-linkage 6 hours ago

      I've often said security doesn't matter anymore. There are no consequences for a security breach. With companies claiming "hey, we followed best practices!" and transferring liability to third parties like Crowdstrike I'm not even sure how one could even prosecute (in the US).

      • TheCraiggers 5 hours ago

        What would you want instead? If a company truly followed best practices and was as secure as was reasonably expected, then was it their fault a zero-day was exploited? And if not what consequence should there be for the actions of a bad actor?

        • pogue 3 hours ago

          There MUST be consequences for data breaches. It simply can't go on like this. There have to be rules & regulations for how personal data is stored.

          How many of you have received notices in the mail your data has been leaked and the only restitution is a free year long credit check? Then maybe a few years down the road you get $20 from a class action lawsuit.

          Last year alone, both AT&T and my health care company were breached and all my data was leaked, including details of my personal medical history.

          This kind of thing just can't continue. There has to be someone to set standards for how your personal and "private" information is stored or it won't be possible to know who is who going forward in the future. Even state DMVs have been breached.[1] Imagine a point in the future where identity theft has become so rampant that a US ID card or passport can't be trusted because anyone anywhere at any time can steal another person's identity with ease because everyone's data is out there and available for purchase through some black market.

          It's a dystopian thought, but a lot of things from dystopian fiction that I only thought would continue to be fiction seem to be coming to pass on a regular basis these days.

          [1] Account compromise leads to crash records data breach https://www.txdot.gov/about/newsroom/statewide/account-compr...

    • pogue 6 hours ago

      If you're in the EU, you should pressure your legislators to do something about it. As I understand it, there are laws against these data breaches for companies doing business in the EU, correct?

      If that is the case & the law(s) aren't being properly followed/enforced then you must speak up about it. Contact your representatives and let them know.

      I understand it's easy to be complacent and be apathetic that nothing is being done, but that's how it goes in a representative democracy. At the end of the day, all we have is our voice.

reify 11 hours ago

Been going on since 2021.

The UK has fined Clearview AI £7,552,800 in 2022 but they have not paid.

EU data protection authorities did not come up with a way to enforce its fines and bans against the US company, allowing Clearview AI to effectively dodge the law.

https://ico.org.uk/about-the-ico/media-centre/news-and-blogs...

A shit company

  • deaux 10 hours ago

    > EU data protection authorities did not come up with a way to enforce its fines and bans against the US company, allowing Clearview AI to effectively dodge the law.

    This is laughable. You make it illegal for any EU company to do business with them, you imprison leadership as they arrive on EU soil, there's a hundred things you can do. Companies like these that simply ignore the law and seriously damage society need to be treated just like international drug trafficking rings. Never heard a "well they keep ignoring our fines and bans, oh my what do we do" when talking about those.

    • leobg 2 hours ago

      This is government. If you exceed the speed limit on the autobahn, you’ll be fined immediately. But if you run a multi million Euro fraud, you will get away with it for DECADES.

      Why? Because they’ve got no systems in place for that. And to do something out of the ordinary that is hard would require someone with an incentive to do it. That does not fit the profile of your typical government employee. They don’t get paid for taking on difficult cases. They get paid for closing files, or, ideally, finding reasons for not even opening them in the first place.

      Laws are like locks. The honest people pay attention to them. The criminals don’t. They look at the enforcement (or lack thereof).

    • wongarsu 7 hours ago

      I would assume their leadership simply never enter EU soil. Just like the CIA agents Italy has arrest warrants out for kidnapping Abu Omar, or how Kim Dotcom lived quite happily for a time by not going to the US or any country that would extradite him. It's pretty difficult to prosecute people on foreign soil without the kind of international cooperation that exists for prosecuting drug traffickers

      • deaux 7 hours ago

        I did mention another measure. Does not a single EU company work with Clearview? Even EU subsidiaries of US companies? I doubt it.

    • gampleman 10 hours ago

      > imprison leadership as they arrive on EU soil

      I think that's the step that's being taken (or attempted at least) here.

    • cynicalsecurity 9 hours ago

      > you imprison leadership as they arrive on EU soil

      It's in the article, Austria might issue a criminal warrant for the company executives.

      • deaux 7 hours ago

        The other measure is more important IMO. I doubt that zero EU companies, including EU subsidiaries of US companies, do business with these companies.

  • anonym29 9 hours ago

    I'm no fan of surveillance technology in general, nor of Clearview specifically, but no American corporation is legally obligated to obey British law. To suggest that Clearview is "dodging" the (British) law falsely implies that Clearview has any legal duty to obey (British) law in the first place.

    Sure, if they don't want to follow British law, Britain has the right to reject Clearview from British markets, but that's about it. The British government does not have jurisdiction over American companies or American citizens outside of Britain's borders, in spite of what British Parliament seems to believe.

    • A_D_E_P_T 9 hours ago

      > I'm no fan of surveillance technology in general, nor of Clearview specifically, but no American corporation is legally obligated to obey British law.

      All the more when what Clearview has done is build an index of publicly available images, and associated URLs, derived from the freely-crawlable open web. Legal rulings in the US -- e.g., in Sorrell v. IMS Health -- consistently show that information aggregation and dissemination are treated as speech, so creating and distributing the Clearview index is protected expression under the First Amendment.

      Also, Clearview is far from the only game in town. Lots of tech companies -- including some very large ones -- have facial recognition indexes. I suspect that Clearview is being made an example of, pour encourager les autres. But it seems a little bit exceptional, as though the law isn't being fairly or evenly applied.

      • potatototoo99 7 hours ago

        It is very amusing to suggest that your amendments matter outside of the US.

        • ronsor 4 hours ago

          It's very amusing to suggest EU laws matter outside of the EU.

    • _el1s7 8 hours ago

      Right, but they're scraping photos of people from the whole web, which of course includes photos of British and EU citizens.

      So it's not just a normal American company in the American market, it wants to be an international company but without respecting international laws, and that's not going to end up well.

      • _heimdall 8 hours ago

        So is your argument that a company must follow laws of any locality they scrape information on the internet from?

        Is that decided based on where the public content is hosted, where it was created, or based on the individuals who created it or are portrayed in it?

        If companies have to follow that then in all likelihood every big tech company would have to follow every law in the world, virtually all of them scrape data from the public internet.

        • piltdownman 7 hours ago

          Well yes, that should be self-evident. A company must follow laws of any locality under which it engages with or utilises resources from as a component of its business.

          They've previously tried this domestically in every way possible under the purview of things like the MPA and the DMCA. The United States International Trade Commission went so far as to consider electronic transmissions to the U.S. as "articles" so that it could prevent the importation of digital files of counterfeit goods.

          In the meantime, AI companies are forgetting when the shoe was on the other foot regarding Russian MP3 websites accessible from the US - with the US trade negotiators warning Russia that allowing AllOfMP3 to continue to operate would jeopardize Russia's entry into the World Trade Organization, and the US copyright lobby subsequently filing a $1.7 trillion lawsuit against them.

          "AllofMP3 understands that several U.S. record label companies filed a lawsuit against Media Services in New York. This suit is unjustified as AllofMP3 does not operate in New York. Certainly the labels are free to file any suit they wish, despite knowing full well that AllofMP3 operates legally in Russia. In the meantime, AllofMP3 plans to continue to operate legally and comply with all Russian laws."

          On May 20, 2008, the RIAA dropped all copyright infringement charges against AllOfMP3.com

          https://en.wikipedia.org/wiki/AllOfMP3

          • _heimdall 2 minutes ago

            > engages with or utilises resources

            This phrase does a lot of heavy lifting.

            I have a small business for consulting and occasionally need to use hardware made in a foreign country to search online content created and hosted in another country.

            I wouldn't expect buying that foreign hardware or searching foreign content would put me under the jurisdiction of laws from the various foreign countries involved.

        • _el1s7 7 hours ago

          It depends on what information is being scraped and what it is used for.

          Scraping people's personal photos and biometric information for shady agencies, is not the same as scraping e-commerce prices, social media posts, or blog websites.

          The intention is important. And respecting people's privacy and copyrights.

          • inetknght 5 hours ago

            > Scraping people's personal photos and biometric information for shady agencies, is not the same as scraping e-commerce prices, social media posts, or blog websites.

            Hard disagree. They both violate people's privacy and copyrights.

            • _heimdall a few seconds ago

              I don't believe privacy rights can be violated when the information is available publicly.

              Copyrights are a separate issue and one that LLM companies almost certainly violated.

          • JohnFen 5 hours ago

            I disagree that those two cases are really all that ethically different, personally. They're both harmful practices. A pox on both their houses.

        • hitarpetar 5 hours ago

          > So is your argument that a company must follow laws

          in principle, yes

        • tgv 7 hours ago

          Bad luck. They don't have to scrape, you know.

        • toofy 6 hours ago

          > So is your argument that a company must follow laws of any locality they scrape information on the internet from?

          i mean… yes? it’s entirely normal for a company to be bound to the laws of the jurisdiction it wants to open a store or restaurant in or whatever. why on earth would this be any different?

          • chatmasta 4 hours ago

            What if they’re scraping from a US exit IP hitting a local Cloudflare cache node proxying to an origin in the UK? Their scraper only interacts with the US node, and in fact Cloudflare by design doesn’t tell the scraper where the origin node is. So are they subject to UK law in this case? No internet traffic left the US, aside from when the target site sent its data to a US server for publishing.

            • toofy 4 hours ago

              that’s a lot of “what if” wild hypotheticals.

              clearview knows for absolute certain they’ve been operating in the eu.

    • noir_lord 5 hours ago

      > I'm no fan of surveillance technology in general, nor of Clearview specifically, but no American corporation is legally obligated to obey British law.

      They are if they trade in the UK (which ClearView does).

      The actual answer is for governments to just say clearly "You obey our laws when operating here or you don't operate here".

      Instead they faff around with fines that are largely priced into doing business that get negotiated down endlessly.

      The alternative is we allow them to operate with no way to constrain them when they break our laws at all and at that point - what use is government regulation on anything related to data protection.

    • impossiblefork 8 hours ago

      I think the issue is that people are using personal information to train AI systems.

      This is a threat to personal integrity and it doesn't really matter how the images were obtained. The threat to people exists despite the fact that they were on the public internet.

    • wat10000 7 hours ago

      Clearview doesn’t have to follow British law, and Britain doesn’t have to allow people associated with Clearview to exist freely on their territory.

      This is little different from, say, Russian hackers targeting Americans. Practically speaking there’s nothing to be done unless the perps enter American jurisdiction, but it’s entirely sensible to say that they violated US law and face penalties for it. It might be a little off to say that they’re “dodging” that law, but it’s close enough.

    • ForHackernews 9 hours ago

      If they do business in the EU they are obligated to follow EU laws, and if they have committed crimes they should be subject to arrest and extradition.

      I know you're making a point about Ofcom censorship, and I agree, but we cannot set the precedent that "if you commit your crimes using a company in Delaware, they're not illegal." If you program your AI-drone to murder your enemies, that's fine as long as the control server is offshore?

      • anonym29 8 hours ago

        Should European citizens be subject to the laws of Russia, China, Iran, North Korea, and pals?

        Either laws in other countries matter in yours (regardless of how different they are from your own) or they don't.

        Picking and choosing which country's laws you do or don't want to consider yourself bound to on moral grounds is not fundamentally very different from picking which of your own country's laws you do or don't want to consider yourself bound to on moral grounds.

        • toofy 6 hours ago

          > Should European citizens be subject to the laws of Russia, China, Iran, North Korea, and pals?

          if they do business in those jurisdictions, yes, of course.

          if a new york cpa does business in ohio they need to be licensed in ohio and follow ohio laws. even if their firm and majority of work is based in new york.

          i’m really surprised people find this confusing.

        • potatototoo99 7 hours ago

          Yes? Of course? Have you ever traveled and thought their laws didn't apply to you?

          • lunar_mycroft 6 hours ago

            It seems clear from the context that what's being discussed is not "can a country enforce its laws on a foreign citizen within its borders" but "can a country enforce its laws on a foreign citizen outside its borders".

            If I were ever to go to North Korea their government could of course arrest me for insulting Kim Jong Un. What they could not do, and absolutely should not be able to do, is have my local police in the US arrest me for doing the same at home. Yes, even if I do it on the internet where a citizen of North Korea might theoretically see, or make use of content I acquired over the internet that originated in that country.

        • miningape 7 hours ago

          > Should European citizens be subject to the laws of Russia, China, Iran, North Korea, and pals?

          Are these EU citizens operating/running businesses in the above countries?

          Are they even inside the above countries?

          How are you even comparing a company which operates in the EU to an EU citizen who is residing in the EU?

        • bbg2401 8 hours ago

          An entity must follow the law of each jurisdiction in which it conducts business. This is not a novel concept. If an entity wishes to process data of citizens of a particular country, then they must follow the laws and regulations of said country, in those instances.

          • JoshTriplett 6 hours ago

            The entire point of this is that the jurisdictional argument is unclear. As abhorrent as Clearview's business is, businesses should only be subject to the jurisdictions they actually reside in or have employees in or otherwise have a legal nexus in. Otherwise, you end up in a world in which someone says "because citizens of country X can remotely access your website, you are subject to the laws of X", for every single X in the world.

            If a country wants to control what its citizens access it can put up its own firewall and deal with the backlash from its own citizens. Let's not help move towards per-country internets.

  • udev4096 6 hours ago

    UK fining them is hilarious. UK is a joke in terms of upholding any form of privacy for its citizens

    • JohnFen 5 hours ago

      Maybe so, but it's so much better than the US at this that it's not even funny.