Facebook photo-scanning lawsuit could cost it billions (eastbaytimes.com)
195 points by ColinWright on June 1, 2018 | 110 comments


Clustering images by features seems to be pretty fundamental, and if it runs afoul of this law, then the law needs to be changed.

I upload photos to Google Photos because I want them to be grouped and categorized so I can easily find them. That is, if I click on a picture of my daughter, or my wife, I want to see ALL pictures I took of them grouped together.

Looking at the text of the law itself, it seems to exclude photographs, here's the relevant section:

"(740 ILCS 14/10) Sec. 10. Definitions. In this Act: "Biometric identifier" means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. Biometric identifiers do not include writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color."

I'm not really sure what they mean by "face geometry" whereas at the same time, excluding photographs. Does this mean if my service measures the distance between the eyes, and the width of the mouth, and clusters photos by that, or by eye or hair color by using say, segmentation or histogram clustering, all of a sudden it's illegal? That would seem to be a fairly absurd and broad definition of biometric security information.

In theory, I suppose, the computation of the features could be done on the client, and then have the features cloud-synced and replicated to all clients, but this would make for a shitty search experience, especially if the machine learning or feature extraction technique improves over time, and all of a sudden, you've got to download 20,000 photos and recompute everything on your phone.


There’s a difference between offering facial recognition as a feature to users of the software and collecting biometric data as an additional revenue source. In one case the user owns their biometric data and is granting the company access to it for the limited use of tagging photos. In the other case the company owns the biometric data and is using it for god knows what.


Where's the evidence Facebook is using it for a revenue source?


That's what court cases are about, and why we don't declare innocent or guilty before the verdict. The evidence (or lack of) will come up during the court proceedings, you'd expect.


Semantic nitpick, we don't declare innocence, but only that guilt was not proven.


Not a nitpick, pretty fundamental IMO. This should be repeated over and over. People forget it every day.


As far as I'm aware or have ever been taught, they're one in the same -- "presumption of innocence until proven guilty".


They are not one and the same - there is still the _presumption_ of innocence when being found not guilty. Not guilty means that you were not _proven_ to be guilty, not that you have been proven to be innocent. You are equally not guilty even if it's pretty clear you did it but there is not quite enough proof, or if proven you didn't do it. You are free from liability under the law, but you are not necessarily factually innocent.

Incidentally, this is largely why Scots law has two verdicts of acquittal -- "not guilty" and "not proven" -- reflecting the two standards of not guilty. "Not proven" carries the implication that the jury is not convinced of the defendant's innocence, but there is not enough evidence for conviction.


"there is still the _presumption_ of innocence" means that the law treats the accused as innocent, with an extra protection that re-trial is more restricted.


That's roughly what I'm saying - the law treats the accused as innocent, but it does not mean this person is _proven_ innocent. Legally, they are innocent, but there is no declaration made on whether the person is _factually_ innocent or not.


Nope, your quote is irrelevant, and it's "one and the same" besides. Why do you think people are pronounced "guilty" or "not guilty"?


Actually, because you can't be retried for the same crime you are in a very meaningful way declared though not found innocent.

A hung trial is closer in meaning to not being found guilty or innocent.

Arguably, a semantic difference does apply in that you may still be found liable in a civil case. However, civil cases don't declare people guilty only liable.


That's just your opinion, and given you're not even a lawyer, it's worth about as much as the latest Ethereum ICO.


In a civil suit there is no guilty party. There may be a liable party.


We aren't talking about civil suits though, are we?


Unless you're talking about something else, a lawsuit is a civil suit, at least in the United States.


You're the only one here talking about civil suits. The rest of us were having a fairly intelligent conversation about guilty verdicts. I suggest you read more closely before you contribute next time.


Whether it's a revenue source or not, fb still owns the biometric data and is using it for god knows what (and asking "evidence?" like this comes off as a way of avoiding the point)


I have to admit, I don't intentionally upload photos to Google Photos because I want them categorized. It seemed to be the default on my phone, and it seems like a pretty neat feature when I noticed it, but the reason it's being used is because I'm too apathetic to prevent it.

It makes me kind of sad, not for the lack of privacy, but for the feeling of getting older and just not caring about fighting the technology to make it do what I want.


If the core value proposition of a piece of software, that it's marketed for, is automatic photo organization, it kind of defeats the purpose to have to configure something to make it do what you want. Most people don't want to configure software, they want it to make their lives easier out of the box as much as possible.

If the only thing you care about is backup, Dropbox and other services offer that (e.g. Keepsafe). I use Google Photos because of peace of mind. I know I never have to worry about losing photos, and when I need to find them, it's easy. I've got like 20 years of photos backed up. Just yesterday, I wanted to show someone a picture of my daughter from a trip we took in 2012, and I found it in about 5 seconds. When I take photos of my kids, they are automatically shared with my wife, instead of having to constantly manually be asked for them, and manually select them. I focus on just taking pictures and spending time with my kids, I never worry about photo backup, or photo organizing anymore.


It seems you also use it mainly for backup?

Would you still use it if the grouping feature didn't save pictures it could not confidently group?


I mean, at some point you take the first photo of your kid. If it threw that away, then when you take the second photo, there's nothing to group with and it throws that away too.

Pretty useless if it throws away singleton sets.


> Clustering images by features seems to be pretty fundamental, and if it runs afoul of this law, then the law needs to be changed.

Analyzing people's biometric data from pictures of their faces is a special case.

> I upload photos to Google Photos because I want them to be grouped and categorized so I can easily find them.

So make it opt in. Most people just want to show their images to friends, not have Facebook analyze them.


IIRC, it is opt-in for Google Photos (something like Photos -> Settings -> Group Faces), but that's you the uploader consenting, not the person whose face it is opting in. The person in the photo need not even have an online presence at all, so there's no way to actually ask them for permission. (In FB's case, they can do it if the other person is a FB user)

What's your definition of biometric data? If I cluster by eye-color, is that biometric data? "Show me everyone with green eyes". Have I run afoul?


> Clustering images by features seems to be pretty fundamental, and if it runs afoul of this law, then the law needs to be changed.

Fundamental to what, though? This court case is not about somehow criminalizing the existence or the use of this particular tech.

> I upload photos to Google Photos because I want them to be grouped and categorized so I can easily find them. That is, if I click on a picture of my daughter, or my wife, I want to see ALL pictures I took of them grouped together.

Facebook is not Google Photos. The former is a social network, the latter is a service for storing, organizing and sharing photos. In my opinion, even Google Photos should implement a setting that disables this.

> Does this mean if my service measures the distance between the eyes, and the width of the mouth, and clusters photos by that, or by eye or hair color by using say, segmentation or histogram clustering, all of a sudden it's illegal? That would seem to be a fairly absurd and broad definition of biometric security information.

Come on, if you made the effort to read that part of the law, why did you stop there? No, it's not "suddenly illegal" to measure and gather that information. It's illegal to do without following certain rules about retention, destruction and usage of that information. It's in the very next section, here's an excerpt:

"(740 ILCS 14/15) Sec. 15. Retention; collection; disclosure; destruction.

(a) A private entity in possession of biometric identifiers or biometric information must develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 3 years of the individual's last interaction with the private entity, whichever occurs first. Absent a valid warrant or subpoena issued by a court of competent jurisdiction, a private entity in possession of biometric identifiers or biometric information must comply with its established retention schedule and destruction guidelines."


There are ways to do clustering on-device without sending everything back to Facebook.


Yes, but it doesn't scale as your photo collection scales up, since if the algorithm is updated, you need all the data on device to reprocess every photo.

You need something like CryptoDL: deep learning over homomorphic encryption, that would let the photos stay encrypted in the cloud, but still allow DL computations to be run.


Apple has the same functionality and does all processing locally, though I'm not sure if that's an argument for or against your assertion that it doesn't scale.

It does work, but it's not nearly as seamless as Google's cloud implementation. I have many tens of thousands of photos in my Apple Photos library and I think it takes over a month to process everything if I start from scratch on a new computer. Somehow it seems much faster on the phone, and I'm not sure if that's because the processing is better hidden from me, it's much more efficient on the custom chip, or maybe a bit of both.


> I'm not sure if that's because the processing is better hidden from me, it's much more efficient on the custom chip, or maybe a bit of both.

The latter, a bit of both. It’s also probable that your phone is turned on and plugged in more often than your computer (especially for laptops).


Regardless of how it's done, I treasure my iPhone performing the facial recognition of my Photos library locally (10+ years of photos) as I continue to extricate my data from Google services.


That's a problem for the big software companies, not for the consumer. Namely, to optimize for on-device training and patches.


The problem isn't ondevice training. The problem is, if I "free up space" by deleting my local copy, and I have 10 years of photos backed up in the cloud, then an update to the ML model requires redownloading all of those photos and running the inference on them.

It doesn't matter how clever you are: if you disallow processing the photos on the server, then any index you have on the client that is cached will be invalidated by an algorithm update, and there is no way to rebuild the index without downloading all the photos once again.

I'm not talking about federated learning, that's a different problem. Let's say we solved that problem using on-device learning and differential privacy. The problem still remains that retrained/updated models on devices require the photos to be processed locally again.

So if for example, you can now detect "hugs" in photos, and I search for "photos of me hugging my daughter", Google Photos gives me what I want, and your local-only model means I have to wait a long time to redownload and reindex my entire collection. It's a huge user problem.

A workable solution to this problem has to somehow entail homomorphic encryption, if you somehow want to keep the photos encrypted on the server.


Doesn't seem to be a problem on the iPhone. But then I usually search on "cats" and it gives me the option of "adult cats" or "kittens".

But it certainly works on large libraries because it shows me recent photos mixed with cats that died years ago.


"Clustering images by features seems to be pretty fundamental, and if it runs afoul of this law, then the law needs to be changed."

Absolutely not. Companies should not be able to do this without explicit opt in. They need to learn that they are not free to do whatever they want, whenever they want, users be damned.


But who has to opt in, the person taking the picture, the person uploading the picture, any and all people in the picture?


A photo provides a "scan of hand or face geometry" so that seems directly relevant.


This is being done under the Illinois Biometric Privacy Act (2008), but Illinois and a number of other states also have some similar (and pretty forward thinking) rules in place regarding data breaches of biometric data [1]

If facial recognition becomes legally recognized as a "biometric marker" (no reason it shouldn't) - I think we'll see all sorts of other suits come out of this.

1 - https://blog.varonis.com/us-state-data-breach-definitions/


If facial recognition was considered a biometric, would iPhone users have to click through a screen that says "I will not use this in Illinois"? I don't see how this would accomplish much more than coffee causing cancer in the state of California


What it changes are the results of a breach / how the data is to be considered. It's the difference between "oh, we had a data breach" and "oh crap why is the Attorney General of Illinois calling our office."

As an aside: Google's Arts and Culture app (that matches your face to historic artwork) doesn't show up in Illinois - the feature within the app for face matching is geolocated out.

http://abc7chicago.com/technology/why-googles-face-match-fea...


The iPhone does not create the same issues with the law from what I understand so, no.


How could Facebook ever lose this case in a country where Equifax faced no punishment? Regardless of what you think about Facebook, DeepFace is seemingly mostly theoretical harm whereas Equifax definitely provably harmed people’s privacy and then (initially) charged those same people to help them protect themselves (via credit freezes). Not saying I don’t want Facebook held to the law, just thought of the comparison.


> How could Facebook ever lose this case in a country where Equifax faced no punishment?

The case hinges on a particularly strict Illinois biometric privacy law.


This is the same reason Google's Arts & Culture face-matching tool wasn't available in Illinois:

http://abc7chicago.com/technology/why-googles-face-match-fea...


Also why Nest IQ (which uses biometric face detection) isn't available in Illinois.


Does anybody know if this affects the iPhone's Face ID in any way?


It supposedly does not, as the data is kept on the phone and Apple does not take possession of the data.


Moving to Illinois sounds more appealing than ever.


Besides the winters and pension underfunding, it’s a great place to live for a bit.


How about intent for a start? Facebook's feature broke the law by design (albeit perhaps unknowingly), while Equifax never meant for people's data to leak.


Yes, there is a difference between being reckless (which should absolutely be punishable, too) and knowing what you're doing but thinking you're above the law.


Equifax has ties with the administration and the banking system, so maybe they had help.


Because different laws apply.


Theoretical harm? It's only theoretical because we maybe haven't seen direct negative consequences. However, there are plenty of examples where actions without negative consequences can still be prosecuted.

The analogy for this regarding physical altercations would be assault vs. battery.

Getting punched in the face is "theoretical harm" until the fist connects with the nose. The connection of fist and face is battery. The swinging of the arm is assault (even if the fist doesn't connect).

However, I think the point is moot as the tagging itself is an invasion of privacy. You may not see a problem but it's not difficult to imagine some. What if someone posts and tags me in a picture with revealing information and my stalker sees it and hunts me down? If I'm someone that has had a stalker, a boss that has no boundaries, or an unaccepting family, knowing this feature exists would cause anxiety.

I remember thinking the tagging feature was incredibly creepy when it came out, but it seems to have become normalized in society.


Just because one shitty company was able to weasel their way out of responsibility does not mean that we should allow all companies to do so.


Well said. What Equifax did was much much worse than Facebook's "alleged" privacy invasion. Losing the SSN's of over 100 million Americans must be a new record.



Having read through the latest filings, it looks like the District Court judge is pretty upset with Facebook and its tactics, and was willing to give no leeway to their request to stay the case as a result. He wanted a trial, and soon.

One of the tactics that they used was going over his head to the Ninth Circuit to request a stay at the district level (https://www.plainsite.org/dockets/download.html?id=253527059...), which the Ninth Circuit then granted (https://www.plainsite.org/dockets/download.html?id=253580963...). So then the district court judge had to effectively grant the stay anyhow, which he had just denied:

"ORDER. In light of the circuit court's order, all remaining pre-trial and trial dates are vacated. Signed by Judge James Donato on 5/29/2018. (This is a text-only entry generated by the court. There is no document associated with this entry.) (jdlc3S, COURT STAFF) (Filed on 5/29/2018)"

This is what having infinite cash buys you in the American legal system.


Appealing to a higher court is literally how the system is intended to work and has absolutely nothing to do with infinite money. The Judge ruled and the 9th overturned him. That means the system is working.


NYT had a nice profile of one of the lawyers a few years ago [1]. It had this quote from Sam Altman:

>Asked to sum up the tech community’s feelings about Mr. Edelson, Sam Altman, president of Y Combinator, a technology incubator that invests in very young companies, said the lawyer was regarded as “a leech tarted up as a freedom fighter.”

He's the American Max Schrems.

[1] https://www.nytimes.com/2015/04/05/technology/unpopular-in-s...


Are you implying Max Schrems is a leech?


Nope.


Sounds like he’s affective and doing good work.


*effective


Quite right, thank you


It's weird that they even included that quote where they did. It seems out of context given its pejorative connotation.


Facebook has a very Uber-like mentality in regards to breaking the laws to make a profit. In the EU it was opting people in by default for its automatic facial recognition feature only weeks before the GDPR.


I still can't decide whether FB (and others) think they can get away with being non compliant or just accepted violating GDPR is the cost of doing business.


>I still can't decide whether FB (and others) think they can get away with being non compliant

There's zero precedent to suggest that they won't get away with it. All Facebook has to do is go undercover with their data collection and hope that it's never revealed that they're still doing it, or when it does leak, they pay some fine equivalent to half a percent of 3 minutes' profits.


RGPD has a max fine of 4% of world revenue exactly because the previous maximum fine was a joke to google and facebook who just paid and went about their day.

How would Facebook go undercover with their data collection? Everything they do is provide an infrastructure for data collection.


Facebook will keep collecting data for organizations like the NSA and it's silly to think that they wouldn't. At best, they won't be sharing data or storing it in the EU. Most likely, they'll be gathering and sharing data with EU governments for surveillance purposes but not for public organizations. And really, my concern is more with governments building digital profiles of everyone rather than advertisers.

Give it a couple years and there'll likely be a leak revealing that nothing has significantly affected the main meat of the mega corps' data gathering, someone will say "mistakes were made but we're looking into it", a year later some investigators will say that they can't really do anything because it's technically outside the scope of the law, and it'll vanish until another leak happens the next year.


And who is going to enforce they pay that? If the EU tries to flex its muscles FB could just pull out. And highly doubt the EU is going to do anything controversial in the near future with the Union beginning to fragment


"And who is going to enforce they pay that?"

The EU. Remember, Facebook is an Irish company, headquartered in Dublin.


Can the EU have police arrest an Irish FB employee? I'm asking because I have zero knowledge on how the EU enforces their policies


It would literally be no different than if FB was violating a US regulation.


In this case maybe, but in general they have been blatantly non compliant from the very start. Why even bother with the privacy theatre?


Is running a photo hosting service a violation of GDPR itself? That is, if I take a photo of someone else (not myself) and upload it without consent of that person to AcmePhoto.com, and AcmePhoto.com now has personal information stored about someone without their consent, is the site liable? Do I need to get the consent of every person of every photo I upload?

Where do you draw the line? If the site processes the EXIF metadata are they in violation? If they use a neutral clustering algorithm to group visually similar images, are they in violation (be it humans, cars, or chairs)? If I take a visually clustered group of images and tag them "a_imho", have I now made the site have biometric data related to you?

I mean, a lot of people say "well, as long as you're in the spirit of the GDPR, don't worry", but lawyers don't care whether you're in the spirit of something, they only care if they can win a case, and when the law is vague, "spirit" seems like one judge could hang you, and another judge could free you depending on the luck of the draw.


> if I take a photo of someone else (not myself)

This is where you draw the line. Taking pictures of people without their consent (and a good reason) is a big no-no in most parts of the world.

This is either because it's not considered appropriate or because it's condemnable [1] or both. It is also nothing new and not some effect of GDPR, but deeply rooted in culture. Germany, Austria, Switzerland, Italy long had strong laws regarding the right of persons to their own likeness. There is also a big rift, not only legally but primarily culturally, between Anglo-Saxon culture and mostly the rest of the world.

GDPR and other laws concerning informational self-determination[2] never can be interpreted without context. They are always limited by other rights and freedoms, like the right of artistic freedom. So a lot depends on your intent and if you can justify what you do.

I'm not saying this is all well and good. As kind of a street photographer wannabe I'm very sympathetic to the position that the UK and the USA take on this. I'm just saying that the rest of the world has very different ideas about this and this has consequences if you operate globally.

[1] https://commons.wikimedia.org/wiki/Commons:Country_specific_...

[2] https://en.wikipedia.org/wiki/Informational_self-determinati...


The link you referenced counters your point that it's a big no-no in most parts of the world to take a photo of someone without their consent. In the majority of the countries listed on that wiki page no consent is required with certain exceptions.

I'd personally say taking pictures of people without their consent is a big no-no in some parts of the world, but not all.

I have never personally had any issues with my street photography in the UK, it boils down to being respectful and not behaving in a harassing manner. If there is a reasonable expectation of privacy then one should consider taking an unsolicited photo as an invasion of privacy.


> The link you referenced counters your point that it's a big no-no in most parts of the world to take a photo of someone without their consent. In the majority of the countries listed on that wiki page no consent is required with certain exceptions.

I added the reference to the list as support for my thesis that it can have legal consequences, a fact that in my experience people from the USA or the UK are often oblivious about. Just because it is not forbidden doesn't mean it is acceptable though. I think it is no coincidence that we see strictest regulation in central Europe because these countries are around the border line between the different attitudes. Go farther east and there is no need to regulate the culturally obvious.

> I have never personally had any issues with my street photography in the UK,

Of course not, UK is one of the best countries for shooting street.

> it boils down to being respectful and not behaving in a harassing manner. If there is a reasonable expectation of privacy then one should consider taking an unsolicited photo as an invasion of privacy.

Absolutely.


As far as I can tell, the law usually permits public photography simply because it is quite difficult to tell whether you are searching for a frame, using wide or zoom lens, etc. So the "take photo" as in "press the shutter button" action is probably legal in most parts of the world, as you say. One will face consequences when they publish photos or transfer them to third party - more or less self incriminate.


I strongly agree with the "spirit" thing.

I guess the "relax, bro, as long as you're thinking good thoughts you have nothing to worry about" crowd have all recently awoken from 60-year comas.


A photo itself is not a violation. An identifying photo on the other hand could be.


But that's the rub. The system doesn't identify the photo, the user does. Imagine a photo service with Gmail-like filters, and I create a filter which says "If Photo Longitude/Latitude within this bounds, then photo is #GrangarsHouse". I've now turned a system with a general purpose EXIF metadata filter function into a system which can categorize locations that identify people's dwellings with high probability.

"Identifying" a purpose could range from simply clustering visually similar photos using any number of non-machine-learning, non-biometrically-aware image processing algorithms, to using DNNs like FaceNet, or using the old eigenvector facial recognition algorithms of the 90s.

As soon as I upload a photo I took of you to a photo hosting system that has any kind of search functionality at all, the risk is raised that you can be categorized and identified somehow. Really, "consent" was broken not by the company, but by the uploader.

I really think the genie's out of the bottle on photos now. So many people are constantly photographing on their phones, and so many are uploading them to publicly accessible feeds all over the internet, that a federated crawler could already be built to track you, in fact, I think there's already some social media monitoring services that offer this.

If you're out in public, you should pretty much assume you have no privacy with regards to your imagery, GDPR isn't gonna save you. You can control your own photos, but you can't control what other people do of photos taken of you.


I see people on this thread suggesting that it's the culture in many countries in continental Europe, for example, against having identifiable photos of them posted without permission. I'd suggest that there are probably billions of such photos online on Facebook, Flickr, and countless news sites, blogs, etc. I know I've posted plenty of them even just myself.

I suppose you can object and campaign for the EU to setup its own Great Firewall or something along those lines and only allow companies to operate within its borders which adhere to stringent rules around posted imagery. Good luck with that.


> I suppose you can object and campaign for the EU to setup its own Great Firewall or something along those lines and only allow companies to operate within its borders which adhere to stringent rules around posted imagery. Good luck with that.

Europe isn't China, and the distribution of those photos isn't an existential threat to the government, so a Great Firewall is overkill.

Facebook has assets, operations, and revenue that originates in Europe that could be easily targeted with little controversy to gain compliance. If that doesn't work, Europe could always try to make the executive decision-makers personally liable. I'm sure Zuckerberg wants to be able to visit Europe in the future without being arrested.


I actually tend to agree. At this point, I don't think there's so much space between the US and the EU's positions on privacy issues that large corporations can't find ways to reconcile.

That said, I don't take it as a given that will always be the case. I can imagine future US companies offering services that run sufficiently afoul of current or future regulations in the EU and other jurisdictions that it makes sense to just not offer them there.


I agree. At this point, FB and others are just too big to be able to subject them to policy. Even how they handled the GDPR just right before May 25 is a joke. They have billions of cash on hand to fight all the lawsuits which might come.

Nothing will change :(


> I agree. At this point, FB and others are just too big to be able to subject them to policy. Even how they handled the GDPR just right before May 25 is a joke. They have billions of cash on hand to fight all the lawsuits which might come.

I don't think we're quite to the dystopian vision of international megacorps being totally above the law, yet. No matter how much cash Facebook has to fight lawsuits, the government has more and actually makes the laws to boot. Facebook is also clearly a non-essential service, if it was run out of business, most people who don't have the last name of Zuckerberg would adapt and get over it in a couple of months.


I wonder - to what extent does cooperating with gov’t on data collection act as insurance against being sued out of existence. IE - if you play nice and install a backdoor for nsa to query your data, will they influence trials? Obviously they would need to keep up appearances by allowing the trials to move naturally, but perhaps a well timed visit or phone call at the last minute could instruct a judge to go easy on damages — ostensibly for national security’s sake.



> Donato previously rejected Facebook’s argument that the case had to be dismissed because the attempt to enforce Illinois law runs afoul of its user agreement that requires disputes to be resolved under the laws of California, where it’s based.

Could someone please elaborate on this? I feel like I've seen clauses like this all over the place. Are they really unenforceable? What is the judge's reasoning?


IANAL, but his reasoning would probably be in the summary judgement denial that's on the docket:

ORDER re Summary Judgment Motions ([257], [299], [307]). Signed by Judge James Donato on 5/14/2018. (jdlc3S, COURT STAFF) (Filed on 5/14/2018)

Unfortunately, I don't really have access to PACER or money to gamble on opening random documents to see which one has the actual info. The US "public access to court electronic records" isn't very "public"-friendly.

(docket listing kindly provided by user thinkcomp - https://www.plainsite.org/dockets/2mwpixhn9/california-north...)


I haven't had to deal with choice of law stuff in maybe 15 years, but basically it's that choice of law clauses are not the equivalent of get-out-of-Illinois-free cards. Just because you want some place to have jurisdiction doesn't mean that any other jurisdiction is required to comply automatically.

Choice of law ... law is not always straightforward.

You shouldn't rely on it as any sort of guarantee that you'll get to be haled into court only on your home turf.


What a total cluster f@. Facebook must have an army of lawyers to deal with both domestic and foreign lawsuits.

This country's legal system is like a swiss cheese with holes everywhere. Dealing with states, federal governments and municipalities costs our businesses billions of dollars each year.


No, not following the law costs the businesses.


While I'm a big proponent of States' Rights and a strict reading of the 10th Amendment, in the case of Facebook which, by its nature is not only national but international, I have a hard time understanding how a State law can have jurisdiction over Facebook in this case. It seems to me that Federal Law should have original jurisdiction by virtue of the Interstate Commerce clause in this case UNLESS it can be shown that residents of Illinois were targeted or all of the servers and logic for doing facial recognition, analysis, and storage of biometrics were in the State of Illinois. That said, I am not a constitutional lawyer...


The Interstate Commerce Clause doesn't pertain to jurisdiction, but to authority. On paper, the federal government only has the powers that we have expressly enumerated to it in the Constitution. One of those powers is to regulate commerce among the several states. Originally, this was so that a person in one state would have a venue to sue a company in another state that it did business with and have a fair judiciary, but has since expanded to encompass regulatory authority.

It is due to the Interstate Commerce Clause that the government might pass a law, not that it entitles them to sole jurisdiction over a company breaking a state law. Put simply, if there's a law against killing puppies in Georgia, but there's no law against killing puppies at the federal level, that doesn't mean that Facebook can kill puppies in Georgia and get away with it.

If there is also a federal law against killing puppies, and Facebook kills puppies in Georgia, then either Georgia or the federal government can file charges, and jurisdiction would be settled then.

In this case, because it was an Illinois law, only people who have used Facebook in Illinois may be plaintiffs.


They've got jurisdiction over Facebook's relationship with Illinois residents. Same reasons Amazon has to collect sales tax in states they're not necessarily headquartered in.

Facebook also has Chicago offices. http://www.chicagotribune.com/business/ori/ct-facebook-expan...


>Same reasons Amazon has to collect sales tax in states they're not necessarily headquartered in.

The current law is that they need to have some sort of physical nexus in a state such as an office or a distribution center. Which Amazon probably has in most states at this point and, in any case, they've agreed to collect sales tax in most if not all states. That said, the relevant Supreme Court decision (Quill) [ADDED: that doesn't require collection absent a physical nexus] is being revisited because of another case this term and the betting money seems to be on it being partially or completely overturned.


So could they just add a clause in the user agreements that states "You cannot use this if you live in Illinois" and be done with it?


Facebook has extensive location history available for most users, so just a EULA clause probably wouldn't do the trick. They'd probably have to show a more active attempt to block Illinois residents from the system.

It wouldn't be a retroactive solution, either.


I'm not worried about Facebook or Google, because they spend millions on lawyers, but this seems potentially terrifying for startups. Any U.S. state can make a law making some part of their service illegal, and someone can sue the startup even if their company wasn't operating in that state. A startup would need to know and obey all laws in all states, and have enough money to fight legal cases.

I wonder if the golden age of startups is over. It would be impossible to navigate through these regulations if you just wanted to create a side project for fun.


While I see your point, as a EU citizen it baffles me how anyone is allowed to generate and store biometric data without consent and face no legal trouble - it's not like this is some nitpicking on a highly specific legal detail...


As an American it baffles me that the EU has regulated themselves out of the growth that is occurring almost everywhere else. It's just a difference in cultural beliefs and preferences


How much growth can be attributed to something like this? And what's the total impact on overall growth of the economy?

It's probably a rounding error, and a pretty reasonable trade-off to make.


Considering GDP growth is the normal metric for economic health, growth is the economy. And while you can't assign a number for each policy the EU has, the Q1 differences between America and the EU can paint the picture


Exactly: it’s impossible to quantify such a minor policy in the context of vastly different kinds of economies.


To the degree a photo is biometric data--and it's hard to see how it wouldn't be by any reasonable definition--how can that be reasonably prohibited at this point in history?


What's with this negative attitude against regulations with regards to startups?

"Move fast and break things" should be applied to your technology, not the laws where you operate!


There is no part of this headline that does not make me happy. <3



