PimEyes positions itself as a tool for people to monitor their online presence. The company charges users $20 to find the websites where their photos have been found, upwards of $30 a month for multiple searches, and $80 to exclude specific photos from future search results.
The company, which has trawled social media for images but now says it scrapes only publicly available sources, has been criticized for collecting images of children and accused of facilitating stalking and abuse. (Gobronidze, who took over PimEyes in January 2022, says that this criticism predates his tenure at PimEyes, and that the company’s policies have since changed.)
“They are clearly crawling all sorts of random websites,” says Daniel Leufer, a senior policy analyst at digital rights group Access Now. “There’s something very grim, especially about the obituary ones.”
The dead aren’t generally protected under privacy laws, but processing their image and data isn’t automatically fair game, says Sandra Wachter, a professor of technology and regulation at the Oxford Internet Institute. “Just because the data doesn’t belong to a person anymore does not automatically mean you are allowed to take it. If it’s a person who has died we have to figure out who has rights over it.”
The European Convention of Human Rights has ruled that pictures of dead people can have a privacy interest for the living, according to Lilian Edwards, professor of law, innovation, and society at Newcastle University in the UK, who says that using photos of the living mined from the web without consent can also be a potential violation of the EU’s General Data Protection Regulation (GDPR), which prohibits the processing of biometric data to identify people without their consent.
“If in some way the picture of the dead person … could lead to someone living being likely to be identified, then it could be protected under the GDPR,” says Edwards. This can be done by putting two bits of information together, she adds, such as a photo from PimEyes and information from Ancestry. PimEyes makes itself available in Europe, so it is subject to the legislation.
Scarlett worries that PimEyes’ technology could be used to identify people and then dox, harass, or abuse them—a concern shared by human rights organizations. She says her mom’s name, address, and phone number were just a reverse image search and three clicks away from the family photo scraped from Ancestry.
While it positions itself as a privacy toolthere are few barriers stopping PimEyes users from searching any face. Its home screen gives little indication that it’s intended for people to search only for themselves.
Gobronidze tells WIRED that PimEyes launched a “multistep security protocol” on January 9 to prevent people from searching multiple faces or children; PimEyes’ partners, however, including certain NGOs, are “whitelisted” to perform unlimited searches. PimEyes has so far blocked 201 accounts, Gobronidze says.
However, a WIRED search for Scarlett and her mother—conducted with their permission—retrieved matches unchallenged. WIRED also found evidence of online message-board users with subscriptions taking requests from others to identify women with pictures found online.