Sucking photos up like a vacuum cleaner, from every corner of the internet. And then selling that information on through a database. That’s not allowed, but it still happens. Thanks to Bits of Freedom, action is being taken. Policy adviser Lotte Houwing: “It offers hope of better protection.”

Track down someone’s identity

“At Bits of Freedom we defend internet freedom. Because companies have to follow the rules and safeguard users’ rights online too. But they still regularly manage to evade the law.
For example, we raised the alarm about a well-known AI company. This company is like a vacuum cleaner, sucking up all the photos on the internet and storing them in a database. So how do they make money? They get investigative agencies to pay for access to the information in the database. At the push of a button, users then see all the photos of the person they’re looking for. You can track down someone’s identity based on a photo, so this will put an end to anonymity in public spaces.”

A clear conscience

“’Oh well, I’ve got nothing to hide’, I sometimes hear people say. But even if your conscience is clear, it’s important to be in control of your own data. When you talk to your doctor, you share information that you wouldn’t mention in a job interview. There are some pieces of information about yourself that you want to keep separate.”

“Technology also has a margin of error. For example, people of color, in particular women of color, run the risk of being wrongly identified. Some AI companies ignore these sensitivities or privacy rules.”

Unpaid fines

“In 2024 we discovered that the aforementioned AI company was actively offering the database to customers on the Dutch market and that it was being used in the Netherlands. We already had evidence that Dutch citizens were included in the database, as when we made a request for access I saw my own photos. On the basis of this investigation, we informed the Dutch Data Protection Authority.”

“Other European countries had already issued the company with fines, but because the organization is not registered in Europe it is able to get away without paying them. For this reason, we also advised on other ways of taking action against the company.”

Put to work

“It was good to see that the Data Protection Authority also started exploring the options. Maybe they could hold Dutch customers or organizations cooperating with this company to account? Our investigation also put Dutch policymakers and the regulator to work: this type of facial recognition is not allowed, but how can we make sure it really does stop?”