Facial recognition website PimEyes recently got under fire for scraping photos of dead people for their facial data. The website reportedly took photos from Ancestry, which is not allowed to begin with. But what makes this case extra disturbing is that they used photos of people who can’t give their consent.
[Related reading: Are your social media photos ending up in a law enforcement database?]
Softer engineer Cher Scarlett made the concerning discovery when she was checking PimEyes. As she told WIRED, she does it regularly to ensure that some of her old non-consensual explicit photos don’t resurface, as they did in February 2022. She also uses Ancestry, and in January this year, she noticed something weird was going on. Some photos of children that PimEyes was returning looked like they came from Ancestry. She decided to do a little experiment, and the results were pretty shocking.
She started by searching a black & white photo of her on PimEyes, and a photo of her mom as a baby popped up, with her grandparents holding her. Digging deeper, she ended up with other images of her relatives, all of them apparently sourced from Ancestry. They included a photo of her great-great-great-grandmother from the 1800s and one of Scarlett’s sister, who passed away in 2018. “My sister is dead,” Scarlett told WIRED. “She can’t consent or revoke consent for being enrolled in this.”
PimEyes and Ancestry’s reactions
Speaking with WIRED, Acestry spokesperson Katherine Wylie said that the site’s customers “maintain ownership and control over their data, including family trees.” She added that the website’s terms and conditions “prohibit scraping data, including photos, from Ancestry’s sites and services as well as reselling, reproducing, or publishing any content or information found on Ancestry.”
PimEyes’ director Giorgi Gobronidze old WIRED that PimEyes only crawls websites that officially allow them to do so. “It was … very unpleasant news that our crawlers have somehow broken the rule.” I read this pretty much as “whoopsie.” Gobronidze said that PimEyes is “now blocking Ancestry’s domain and indexes related to it are being erased.”
When PimEyes was first introduced, it was free, with premium versions available at €9.19, €13.99, and €18.99 per month. There is no free or demo version any longer, and the pricing ranges between €35 and €350 a month for monthly subscriptions. Ironically, it markets as a “privacy tool,” but apparently it’s violating people’s privacy, both dead and alive.
Who owns dead people’s data?
Generally, I’m not too familiar with this topic, and I believe it’s regulated differently in different parts of the world. Sandra Wachter, a professor of technology and regulation at the Oxford Internet Institute, explains that privacy laws generally don’t protect the deceased. However, “Just because the data doesn’t belong to a person anymore does not automatically mean you are allowed to take it,” she says. “If it’s a person who has died we have to figure out who has rights over it.”
“If in some way the picture of the dead person … could lead to someone living being likely to be identified, then it could be protected under the GDPR,” says Lilian Edwards, professor of law, innovation, and society at Newcastle University.
Other than finding her deceased relatives, Cher Scarlett also fears that cases like this can expose entire families to privacy violations:
“I used [Ancestry] for what it’s intended for—to find out where I come from. It was really exciting until it wasn’t. Nobody is uploading photos into Ancestry thinking that they’re going to be enrolled into a biometric identifier for facial recognition software without their knowledge or consent … It just feels incredibly violating.”