The face search engine PimEyes heralds the end of anonymity in public spaces. All it takes is a photo from a cell phone or security camera, and PimEyes provides links to similar or identical faces on the web – all for a monthly fee. The linked pages can then reveal the name, profession or further personal details about a person.
After critical reports from netzpolitik.org in 2020, the once Polish company fled first to the Seychelles, then to Belize – and did no longer respond to any press inquiries. Politicians from Germany and the EU have sharply criticized the search engine. A local German data protection commissioner has initiated proceedings and, according to his own statement, is still waiting for a response from PimEyes.
Now PimEyes has a new owner, who is a 34-year-old security scholar from Georgia. In an interview with netzpolitik.org, Giorgi Gobronidze explains why he, of all people, bought the search engine – and what he intends to do to make PimEyes less attractive to stalkers. (Read the German version of the interview here).
netzpolitik.org: You were in the middle of an academic career as an assistant professor. Then you bought one of the most controversial tech companies on the planet. What got you into this?
Giorgi Gobronidze: As a scientist I was interested in the technology itself. This is not just a project for business. I always wanted to learn more about artificial intelligence, data analysis, facial recognition. I don’t want to say that this is some kind of experiment to me, but at least 50 percent of my motivation is pure academic curiosity.
netzpolitik.org: What is the connection between PimEyes and your academic work?
Giorgi Gobronidze: I’m a professor at two universities in Georgia, International Black Sea University and University of Georgia. Before the war in Ukraine, Georgia had been a target of the Russian army in 2008. So the Russian invasion of Georgia was a main driver for me to study security studies. I started to learn more about technology because the Russian army carried out a massive cyber attack which closed down the whole country for almost three days. Later, I also started to study how artificial intelligence based solutions affect not only the security landscape, but our everyday life.
netzpolitik.org: How much did buying PimEyes cost?
Giorgi Gobronidze: I cannot disclose the amount because I am limited by my contract with the previous owners. I had to sell some real estate. And my brother helped me. My father who is also a business owner wouldn’t give me any money for this. He didn’t even understand what I was talking about. My parents still believe that I am doing something like in the movie „Matrix“ when I mention artificial intelligence. They are waiting for the machine rebellion in my office.
Database with around 2 billion unique faces
netzpolitik.org: Why was PimEyes even for sale?
Giorgi Gobronidze: Some team in Belize owned it. These people were not into business. They thought that it would simply bring some money and that it wouldn’t require any additional work. But if you are not performing bug fixes, not ensuring data security and privacy security, and not trying to meet any kind of regulation, that’s a problem. The company now is much more valuable after we have fixed all the mess that we found.
netzpolitik.org: You now offer a paid service that includes sending out takedown notifications to sites that publish pictures of a customer. How big is the team behind PimEyes?
Giorgi Gobronidze: We are up to twenty people in the core team. For takedown services we have a group of ten people. They hardly have any time to take a break. It’s a full-time job. They work with our support team and data security team. We have several people working on data security because we don’t want the images to be leaked that our customers submit to us.
netzpolitik.org: How many unique faces does PimEyes have hashed in its database?
Giorgi Gobronidze: I can’t give you the exact number, but it is approximately 2.1 billion faces maximum. However, I want to underline that PimEyes is not big company and it doesn’t have as many customers as media reports imply. Especially in the case of the European Union, there are countries where we have less than 15 subscribers. In Germany for instance, we have 86 subscribers, if I remember correctly.
netzpolitik.org: How do you feel about the media attention?
Giorgi Gobronidze: I work 17 hours per day, so it’s not always very comfortable to be the centre of attention like this. I don’t know what I could have done in the past twelve years of my academic career in order to attract that much of attention.
„I was very concerned“
netzpolitik.org: Is PimEyes a tool for stalkers?
Giorgi Gobronidze: There will always be curious people who are looking for someone specific. If I am stalking someone I will do it with or without PimEyes. It is the user who is the stalker, not the search engine. If someone kills another person with a gun, not the one who made the gun is guilty but the one who used it to commit a crime. Yes, we have to ensure that the risks are minimized, this is our responsibility. But there is also the responsibility of the user.
netzpolitik.org: How do you minimize the risk that PimEyes is used for stalking?
Giorgi Gobronidze: We are a paid service. That means that each account is associated with billing information as provided by the customer. If a PimEyes account is used to commit something wrong, we will, of course, disclose it to law enforcement. That’s our main concern: to make our service less attractive to stalkers.
When we acquired this project, I was very concerned, to put it mildly, because I know about the capacity of the technology. It was used at 60 percent of its capacity, now we use it at 40 percent. We set up the boundaries and limit our search capacities. Technologically, PimEyes has the capacity to start crawling the dark web. But we are not doing this and we will never do this.
netzpolitik.org: When PimEyes was founded, search results were open for everyone. Today they are behind a paywall and do not include results from social media.
Giorgi Gobronidze: Indeed, when we started to make these first steps, we lost part of our customers. And for me that was absolutely okay. Because we became less attractive to some type of audience. I would rather sacrifice a part of our customers than let something bad happen.
netzpolitik.org: There are bots on Telegram that offer to search for faces via PimEyes. According to our research, at least one of them is mostly used by men who try to find and stalk women.
Giorgi Gobronidze: Those Telegram Bots use our name and are operating from underground. This is illegal. We have taken down five of them recently.
„That means a guy is stalking girls“
netzpolitik.org: PimEyes offers an Advanced Plan with unlimited searches for about 370 Euros per month. Who is this designed for?
Giorgi Gobronidze: We don’t have many Advanced Plan users, there are approximately 150 of them. Some of them are investigative journalists, some others are leading media agencies. We are also working with several organizations – one of them is UK based, another one is based in the USA – who work against human trafficking and child predators. And we have a very good practice of cooperation with several organizations whose goal it is to find missing people.
Among our clients are also porn actresses and sex workers. There was one person who had a career as an actor in adult films who wanted to find out where the images spread to and remove them from the Internet. Since the beginning of 2022 we have already taken down more than 10.000 images on other websites. The porn industry is growing like a hydra. You cut off one head and ten others rise. We have a database of more than 7.000 websites that publish these images.
netzpolitik.org: How do you make sure that the AdvancedPlan is not abused by stalkers?
Giorgi Gobronidze: Stalkers don’t use that service because no one is willing to pay 370 Euros a month for information that is publicly available on the Internet. The Advanced Plans are monitored very closely. We have recently suspended 25 Advanced Plan users and banned their accounts permanently because we noticed suspicious activity.
netzpolitik.org: How do you spot suspicious activity of PimEyes users?
Giorgi Gobronidze: We have several methods to determine that, but I will start with the easiest one: search numbers. It’s impossible to perform 1,200 searches in a single day if you are a regular human being doing a regular job. High numbers like this are an indicator to us that the account is shared.
The second method registers when pictures are changing frequently that a user is loading up for alerts. For example: If a guy named „David Nicolson“ is a customer and we register that he uploads ten pictures of different women within a single day, we would then conclude that this guy is stalking women.
We also see images of children being uploaded. In these cases we also suspend this activity because it is dangerous. On a weekly basis our data security team monitors these kinds of images to reveal if there are minors among them. Just recently we have suspended 15 accounts due to suspicious activity.
„Why would you even search for your image if you don’t want to find something?“
netzpolitik.org: I still don’t quite get it. Let’s imagine I have a PimEyes account running on my name and I search for three of my friends. How would you know I’d have their permission?
Giorgi Gobronidze: We don’t know this and we don’t check it. We were also discussing this. But if we did start to verify your identity than you would have to submit way more information about yourself than just a photograph and that would turn us into a data accumulating monster and we don’t want that.
netzpolitik.org: To summarize: As long as I am not too obviously stalking people, you won’t notice.
Giorgi Gobronidze: We may notice, for instance if you are stalking children. I can look up my grandfather or neighbour, that’s not a problem. We had a case where a husband was trying to take down photos of his wife that leaked from his laptop.
netzpolitik.org: How do you know, that I am not looking for my own children?
Giorgi Gobronidze: We ask questions.
netzpolitik.org: So someone from your support team would get in touch with me?
Giorgi Gobronidze: Yes. In some cases the pictures were removed after we got in touch. So it’s not every time parents looking for their children.
netzpolitik.org: The internet is like a giant haystack. An image may be like a needle, that is very hard to find. But PimEyes is like a magnet. Doesn’t PimEyes help to create the danger that it wants to protect its users from?
Giorgi Gobronidze: It depends how you look at the case. Indeed, you can now find that image through PimEyes. But why would you even search for your image if you don’t want to find anything, if you don’t suspect that there might be something wrong? People might say: Life was much better before I knew an image existed. But we cannot criticize a search engine because it is searching. People have a right to know if their pictures exist online. Whether they like the results, or not.
„People have a right not to be found“
netzpolitik.org: Would you say, if I my face pops up online, I have lost the right not to be found by a face search engine?
Giorgi Gobronidze: No, people have a right not to be found. Every search result on PimEyes has an option to be excluded from the database and be blocked from future proceeding. We implement such requests within a single working day. If you want to block all search results, you can use our opt-out form. We give this opportunity to every Internet user, not just to our subscribers.
netzpolitik.org: PimEyes has more opt-out-options than before. But what if I simply never heard of PimEyes – shouldn’t I have the right to be asked in advance if my face may become part of a biometric face search engine?
Giorgi Gobronidze: Good question. Should everyone be asked if they can be googled every day? That data exists on the internet. People are simply getting informed about their online presence by our service. European regulators always like to say: You are gathering data about European citizens. But artificial intelligence is indeterministic. We might be searching a Japanese website where a photograph of a white person is found. How is a an artificial intelligence supposed to know if this person comes from Europe, the United States or somewhere else? There is no way.
netzpolitik.org: That is a technical explanation. I was focussing on the ethical point of view: Does a search engine have the right to use faces for a biometrical search, if many users don’t even know they can opt out?
Giorgi Gobronidze: Yes. Because once they know that PimEyes exists, they can opt out. If I was doing it to sell some product, it would be unethical. But we have already performed takedowns of leaked images. I can’t share with you all the letters from our customers that thank us because we do a life-saving job. So from an ethical point of view I think it is better to crawl the open internet and help these people.
We also want to present our official non-profit program that will be available for every organisation that works against child sexual violence and human trafficking. Because we believe that this technology can be used for good, to help people. And not only to satisfy curiosity.
„The absolute majority of our users is female“
netzpolitik.org: Companies like Amazon, Google, Microsoft, IBM also have the ability to build face search engines, but did not open this kind of technology to the public. Did this give you pause to think?
Giorgi Gobronidze: Companies like Amazon or Google are gathering way more information about individuals than PimEyes could ever dream of to collect. These companies keep this data for marketing purposes. In contrast, we have made it publicly available. And I think that was the right decision. Once technology is within the circle of a narrow group, that increases the risk to turn it into something very dangerous, I believe that there is nothing bad if we make this technology publicly accessible. Because no harm can come from this technology as long as people are simply looking for public websites and their photos.
netzpolitik.org: PimEyes can be used as a measure of defence for victims and as a weapon for stalkers. But victims belong to a vulnerable group. Won’t PimEyes always be more useful to stalkers than it will be for victims?
Giorgi Gobronidze: That’s an interesting point of view. Maybe theoretically the offensive side of PimEyes is stronger than the defensive. But in practice, I can look into the statistics of my customers. I know their gender, their age range, from which countries they are and what service they are interested in. The absolute majority of our users is female. We have performed more than 10,000 takedowns, 90 percent of it is revenge porn. How many crimes are committed via PimEyes? There are zero cases, because if we were asked by law enforcement we would disclose the information it demands.
netzpolitik.org: Did you receive the letter from the data protection officer in Germany, Mr. Brink? You’ve told the New York Times that you are „eager“ to reply to his questions. He told us afterwards that he tried to reach you, but received no answer.
Giorgi Gobronidze: No notification has reached our legal team. As soon as we receive such notifications, our lawyers will comprehensively reply to it. I was reading all this criticism when I obtained the company. Criticism is helping us to improve. In democratic societies criticism should exist and it’s very welcome. We are not always right in everything.
„We didn’t want Russia to search the pictures of Ukrainian soldiers“
netzpolitik.org: Do you allow PimEyes to be used in authoritarian regimes?
Giorgi Gobronidze: We cannot simply take the Freedom House report and say: Oh, this is an authoritarian country, we cannot offer our product there. We only have to say that if a regime is explicitly despotic or a country is dangerous. Because our services are used to find missing people and in many dictatorships people go missing.
We blocked access to PimEyes from Russia when the invasion into Ukraine started. After the war started we noticed that requests from Russia were increasing. We didn’t want Russia to search the pictures of Ukrainian soldiers.
We are also not accessible in Iran or Syria. We barred Iran because it might use PimEyes to chase political dissidents and I don’t want to help the Iranian government with anything. I also don’t want to help Bashar al-Assad. We don’t have any subscribers from Belarus or other former Soviet countries right now. And if we noticed that these numbers are rising we also might ban Belarus.
netzpolitik.org: Another face search engine, Clearview AI, is being sharply criticized by countries like the UK and Canada, with fines looming. Why do you think PimEyes will not suffer the same fate?
Giorgi Gobronidze: I am not a lawyer, so my opinion won’t be legally valid, but there are several major differences in my view. First, Clearview AI gathers data for investigative authorities. They openly cooperate with the FBI and so on. Secondly, they don’t answer opt-out requests. So Clearview AI might have your photo, but you cannot remove it if you wanted to.
netzpolitik.org: Clearview AI has an opt-out-form online. However, communication can get very bumpy, as the case of an affected person from Germany shows. What would happen if PimEyes were shut down?
Giorgi Gobronidze: If we were able to invent this, why would others not be able to do the same? The technology is already out there. It’s not something exclusive. We can disappear from the market. But there will still be copies out there.
A question I would have liked to be answered is how they want to ensure that they have the legal right of use for each picture they process?
I reckon they would argue that having the right to view the pictures is also giving them the right to process them.
Is it a philosophical question if I have to allow the content related processing of an image based on my personal rights?