Complicity or Security Breach: The Clarifai Case
Sometimes, legal cases seem stranger than life. One example is Stein v. Clarifai, Inc., which was filed in February 2020 and, as of this writing in early 2021, remains pending. In the Clarifai case, the plaintiffs alleged that investors in Clarifai, founders of the dating site OKCupid, used their access to OKCupid’s database of profile photographs to transfer the database to Clarifai. Clarifai then supposedly used the photos to train the algorithms it uses for analyzing images and videos, including for purposes of facial recognition. The complaint further alleged that Clarifai failed to inform OKCupid users about the use of their pictures and failed to obtain their written consent to such use, in violation of the Illinois Biometric Information Privacy Act’s notice and consent requirements. The complaint implied that the OKCupid founders, as investors in Clarifai, were attempting to enrich themselves by transferring OKCupid data to Clarifai in order to bolster its business prospects and thus increase the value of their investments.
However, it was not clear whether the plaintiffs were alleging that OKCupid was complicit by authorizing the sharing with Clarifai (formally or informally), or whether the OKCupid founders transferred the database without OKCupid’s authorization. If OKCupid’s management was complicit and permitted the transfer of the database, then OKCupid has potentially costly liability of its own and would potentially take a big hit to its reputation for unethical conduct. On the other hand, if OKCupid’s management was unaware of the transfer and the founders took the database without authorization, then OKCupid essentially sustained a data breach. If the events did constitute a data breach, then OKCupid would have potentially costly liability for not protecting the database and would potentially take a big hit to its reputation for failing to maintain reasonable security controls. Either way, OKCupid would be in a bad situation.
Two privacy issues that concern people are what I call “bridging context” and lack of control over their personal data. “Bridging context” refers to a situation in which a company collected data from an individual for one purpose but then used the data for another purpose that would surprise the individual. Moreover, when data from one database is used in combination with another database, the intrusiveness of the data use increases dramatically.
The Clarifai case raises both bridging context and lack of control issues. Clarifai may have had its own data, but when it was allegedly able to combine what it had with the OKCupid database, it may have created a much more powerful facial recognition system. Moreover, according to the plaintiffs, OKCupid users had no control over how Clarifai used their photos for purposes of training Clarifai’s AI algorithms.
Here is what AI companies can learn from the Clarifai case. Organizations should consider the sources of their AI training data in their risk management plans, and should obtain any needed consents from data subjects. Moreover, if the original consents were given for one specific use, they should analyze whether it is necessary to obtain new consents from the data subjects for AI training purposes. Deidentification of personal data will help, although the personal data source may want indemnities from the data user regarding its effectiveness. Moreover, there should be contractual assurances of not bridging contexts, perhaps with an indemnity for any violations. These measures will reduce the liability risks associated with obtaining personal data from another business.