Comment by jsrozner
14 days ago
It's time for regulation that no images of people may be retained for any commercial purpose without explicit permission of the person whose image is retained. Facial recognition performed on any person who has not granted explicit permission (or, in the case of government, against whom a search warrant has not been obtained) should be illegal. Nor shall any compressed version, broadly defined, of the data be retained (i.e., no training on any sort of facial or pose data without explicit permission of all whose images are used in training).
Penalties should be in the %s of revenue or company assets. Whistleblowers should receive large sums for identifying violations.
In a broader vein, it's time for regulation forbidding the retention or aggregation of any person's data for any commercial purpose other than the one most proximal to the actual transaction in which the person engaged, unless they explicitly opt in.
What would the latter mean? Among other things, targeted ads and recommendation systems would become illegal. Cross-user aggregation (or e.g., a company engaging in any user-longitudinal data analytics) would be illegal. In SQL language, ideally the only time you could do any query with a user ID returning multiple rows for further use would be to serve data directly back to the user. In the long run, such queries should be impossible by requiring something like a) per-user encrypted storage, b) user-owned data, c) non-correlatable per-user IDs across transactions.
It will never happen because -- as noted in the article -- many folks in SillyCon valley and government are technofascists, but it should, because our current situation violates all reasonable notions of privacy.
Even if it were to happen, there would be a carve-out for the state.
The DHS is collecting a massive database of facial geometry at the moment in preparation for nationwide constant realtime facial recognition, just as China has.
The cameras are up and collecting data at every airport, as well as every traffic intersection in Las Vegas (and presumably other cities).
The Taliban actually have a fascinatingly (philosophically) based law where it’s illegal to photograph a living thing. I’m not sure about the reason. Maybe derived from it not being okay to depict Mohammed. But I kind of dig the concept, especially for living things that can’t consent to be captured in images.
> have a fascinatingly (philosophically) based law
Is neither fascinating nor philosophically based. It's a long-running Islamic tradition that gets broken and bent all the time. See https://en.wikipedia.org/wiki/Aniconism_in_Islam
Both of my claims were subjective and thus not really refutable. As an outsider I think it is interesting, too. And I think the flexibility is similar to many laws akin to what we have in the US via prosecutorial discretion.
I should’ve included a source to where I read about it initially, and that’s below:
https://apnews.com/article/afghanistan-taliban-media-moralit...
> only time you could do any query with a user ID returning multiple rows for further use would be to serve data directly back to the user
What do you mean by that?
I'm saying we should not allow per-user analytics. Currently companies build a profile of each user and correlate that with all the other similar users. Then they target other users who are hypothesized to be similar.
I'm arguing that no per-user analytics should be able to be conducted. A store can track how many times product A is purchased, but not that product A and B were purchased by the same user. Using the latter info for anything other than providing a summary of what the user has purchased (to the user) should be illegal.
Yeah it would be complicated. But you could do it by creating a new obfuscated user ID for each transaction.
Or even better, by having each person store their own data and mandating that companies delete all records. The company can provide a signature on the transaction record (a receipt!) that the user keeps to prove the purchase if there's a conflict later on. But the company cannot keep a copy of any per-user info, the receipt, or the transaction info; nothing beyond the fact that product A was purchased on a certain date.
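The scheme described in the comment above (a fresh ID per transaction, a receipt the buyer keeps, and a store that retains only aggregate counts), sketched as an added example that is not part of the original comment. The `Store` class and its `sell` and `verify` methods are hypothetical names, the sample purchases are constructed, and HMAC-SHA256 stands in for the public-key signature the comment mentions, so here only the store itself can check a receipt.

```python
import hashlib, hmac, json, secrets
from collections import Counter


class Store:
    """Hypothetical merchant that keeps only aggregate sales and a receipt key."""

    def __init__(self):
        self._key = secrets.token_bytes(32)   # receipt key; not tied to any user
        self.sales = Counter()                # (product, date) -> count; no user column

    @staticmethod
    def _canonical(fields):
        # Stable serialization so issuing and verifying authenticate identical bytes.
        return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()

    def sell(self, product, date):
        # Fresh random ID per transaction: two purchases by one person share nothing.
        fields = {"txn": secrets.token_hex(16), "product": product, "date": date}
        tag = hmac.new(self._key, self._canonical(fields), hashlib.sha256).hexdigest()
        self.sales[(product, date)] += 1
        return {**fields, "tag": tag}         # handed to the buyer, never stored

    def verify(self, receipt):
        # In a dispute the buyer presents the receipt; the store recomputes the tag.
        try:
            fields = {k: receipt[k] for k in ("txn", "product", "date")}
            tag = receipt["tag"]
        except (KeyError, TypeError):
            return False
        if not isinstance(tag, str):
            return False
        expected = hmac.new(self._key, self._canonical(fields), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected.encode(), tag.encode())


def demo():
    store = Store()
    # Constructed sample: the same buyer purchases A and B on one day.
    r_a = store.sell("A", "2024-01-01")
    r_b = store.sell("B", "2024-01-01")
    forged = {**r_a, "product": "B"}          # receipt altered after issue
    return store, r_a, r_b, forged


if __name__ == "__main__":
    store, r_a, r_b, forged = demo()
    print(dict(store.sales), store.verify(r_a), store.verify(forged))
```

After both purchases the store holds one count for A and one for B and has no field that links them; the link exists only in the two receipts the buyer holds.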
> In a broader vein, it's time for regulation forbidding the retention or aggregation of any person's data for any commercial purpose other than the one most proximal to the actual transaction in which the person engaged, unless they explicitly opt in.
This is basically GDPR
> It's time for regulation that no images of people may be retained for any commercial purpose
And we know exactly how such a regulation will be met by both companies and the tech crowd. See GDPR, AI Act etc.