VI. DATA AND INFORMATION-DRIVEN TECHNOLOGY ABUSE

VI. DATA AND INFORMATION-DRIVEN TECHNOLOGY ABUSE
1. A. Current Abuses of Data-Driven Technology
2. B. Future Abuses of Data-Driven Technology

VI. DATA AND INFORMATION-DRIVEN TECHNOLOGY ABUSE

One area of technology-based abuse is harm derived from an abuser’s access to their partner’s personal data.¹¹⁸In cyberstalking cases, abusers often obtain online data about their partners for monitoring or harassment purposes. This method may be done by hacking into a partner’s email and

¹⁰⁹ Baddam, supra note 101, at 77.

¹¹⁰ *Id. *

¹¹¹ Documentation Tips for Survivors of Technology Abuse & Stalking, TECH. SAFETY, NAT’L NETWORK TO END DOMESTIC VIOLENCE (2014), https://www.techsafety.org/documentationtips [https://perma.cc/QP3R-6UTU].

¹¹² Nellie Bowles, *Thermostats, Locks and Lights: Digital Tools of Domestic Abuse, *N.Y. TIMES (Jun. 23, 2018), https://www.nytimes.com/2018/06/23/technology/smart-home-devices-domesticabuse.html [https://perma.cc/DM54-P2EA].

¹¹³ See e.g. Freed et al., supra note 107, at 17 (“[W]hile an order of protection can be used to legally restrict abusers from contacting clients via Facebook, abusive messages on Facebook are not recognized as a form of abuse that warrants an order of protection.”); Christine Hauser, $6.4 Million Judgment in Revenge Porn Case Is Among Largest Ever, N.Y. TIMES (Apr. 11, 2018), https://www.nytimes.com/2018/04/11/us/revenge-porn-california.html [https://perma.cc/6HB2-86EX] (“The law in [nonconsensual distribution of intimate images] is imperfect and has been for some time… [It is] lagging behind technology.”).

¹¹⁴ King-Ries, supra note 7, at 141.

¹¹⁵ Kaofeng Lee & Jane Anderson, *The Internet and Intimate Partner Violence Technology Changes, Abuse Doesn’t, *31 CRIM. JUST. 28, 28-29 (2016).

¹¹⁶ Id.

¹¹⁷ Shimizu,* supra* note 10, at 121–22.

¹¹⁸ Lee & Anderson, supra note 115, at 28-29.

social media accounts and using that information to locate and further harass their partner.

A. Current Abuses of Data-Driven Technology

A nightmare scenario of data-driven technology-based abuse is presented in Remsburg v. Docusearch, Inc., where a New Hampshire customer paid an Internet-based investigation service to look up the date of birth, address, social security number, and employment information for a woman.¹¹⁹ The company obtained and transferred the requested information to the customer, who then used the information to track down the woman at her job where he fatally shot her and then himself.¹²⁰ Today, rather than paying an investigation service to look for private information, many companies can directly sell the information they have on hand to consumers as more personally identifiable information becomes available on the Internet.¹²¹

Data brokers are companies that primarily collect and sell personal consumer information.¹²² In Remsburg, the investigation company obtained the victim’s employment information by giving her a telephone call. ¹²³ Data brokers would instead obtain this information from harvesting the Internet for publicly available data, such as public records, social networking content, and blogs as well as from purchasing private data from digital services that buy data from social media companies, ¹²⁴ and from online retailers, including eBay and Amazon. ¹²⁵ The ease in obtaining personal data, its lucrative market value, and the lack of preventative legal measures could likely make situations like Remsburg easy to replicate. Domestic violence survivors are more at risk of having their data harvested, especially where the data of women consumers are abundant and highly valued in the big data industry¹²⁶ and where the majority of domestic violence victims are women. ¹²⁷

¹¹⁹ Remsburg v. Docusearch, Inc., 149 N.H. 148, 152, 816 A.2d 1001 (2003).

¹²⁰ *Id. *

¹²¹ Theodore Rostow, What Happens When an Acquaintance Buys Your Data?: A New Privacy Harm in the Age of Data Brokers, 34 YALE J. ON REG. 667, 669 (2017).

¹²² Id.

¹²³ See Remsburg, 149 N.H. at 152-53.

¹²⁴ Id.

¹²⁵ Id. at 676.

¹²⁶ Ann Bartow, Our Data, Ourselves: Privacy, Propertization, and Gender, 34 U.S.F. L. REV. 633, 634–35 (2000) (“Women do most of the shopping in real space and will inevitably do the same in cyberspace, where we are appearing in ever increasing numbers. Women control 80 to 85% of all personal and household goods spending and are reportedly the fastest-growing audience on the web.”).

¹²⁷ Statistics, NAT’L COAL. AGAINST DOMESTIC VIOLENCE, https://ncadv.org/statistics [https://perma.cc/BL8D-M94F]

The New Hampshire Supreme Court held that the investigation company was liable for selling a person’s work address obtained by a pretextual phone call. ¹²⁸ Nevertheless, it found no cause of action for appropriation because the company sold the information for its value.¹²⁹ The investigation company had a duty to exercise reasonable care in disclosing personal information because the risk of criminal misconduct was sufficiently foreseeable, even though employment information is not considered privileged. ¹³⁰ However, the court noted that this narrow exception runs against the general presumption that “a private citizen has no general duty to protect others from the criminal attacks of third parties.”¹³¹ The courts have yet to restrict the sale of data under common or statutory law.¹³²

B. Future Abuses of Data-Driven Technology

Domestic violence survivors and advocates need to be aware of the new threats arising as a result of the high-speed and unregulated growth of new technology. New technologies are constantly being released to the public without a full assessment of their collateral impact on vulnerable populations. ¹³³ One particular tool that is concerning for domestic violence survivors is facial recognition systems fueled by artificial intelligence (AI) technology. AI-enabled systems are “fed” large amounts of data so that the system can “learn” from the data in order to recognize, identify, and target a specific subject.¹³⁴ One example of an AI-enabled system is predictive policing software that calculates an individual’s likelihood to commit a crime based on their social media activities and criminal history that the software has scraped off the internet and analyzed through a proprietary algorithm. ¹³⁵

1) Clearview and Facial Recognition Technology

While AI-enabled facial recognition technology has been utilized as early as 2011, the tech industry has not explored it further as the system is acknowledged to be too dangerous for mass distribution without further

¹²⁸ Remsburg v. Docusearch, Inc., 149 N.H. 148, 155, 816 A.2d 1001 (2003).

¹²⁹ Id. at 158.

¹³⁰ Id. at 160.

¹³¹ Id. at 153.

¹³² Rostow, supra note 121, at 680.

¹³³ MEREDITH WHITTAKER ET AL., AI NOW INSTITUTE, AI NOW REPORT 2018 11 (2018), https://ainowinstitute.org/AI_Now_2018_Report.pdf [https://perma.cc/W5W7-5BBR].

¹³⁴ Id. at 12.

¹³⁵ Ali Winston, Palantir Has Secretly Been Using New Orleans to Test Its Predictive Policing Technology, VERGE (Feb. 27, 2018, 3:25 PM), https://www.theverge.com/2018/2/27/17054740/palantirpredictive-policing-tool-new-orleans-nopd [https://perma.cc/YN64-GB8J].

studies on its impact or accompanied regulations to reduce risks of harmful use. ¹³⁶ If technology companies are required to understand how its products can be used consciously and unconsciously to harm survivors, particularly those from Black and immigrant communities, ¹³⁷ policymakers and law enforcement can more adequately craft targeted and instructive laws and regulations to effectively prevent and prosecute technology-based abuse. This requirement may also force companies to conduct a more thoughtful risk assessment on its products before releasing it to market. However, a company called Clearview decided to ignore this industry acknowledgement by not only engineering its own facial recognition tool (which works by scraping images on the internet to “learn” an image and performing a Google search on a person’s face) but also by selling it on the open market. ¹³⁸ Surprisingly, Clearview’s application of its technology was found not in violation of any existing federal laws.¹³⁹

Clearview initially sold its technology to law enforcement agencies to identify suspects (such as shoplifters)from surveillance cameras or smartphone recordings, with an expressed interest in expanding its market to private companies and consumers. ¹⁴⁰ Clearview has since sold its technology to government entities such as public schools, the Department of Justice, (which oversee immigration enforcement), and private companies. ¹⁴¹ These private companies include Macy’s, the National Basketball Association (NBA), and a sovereign wealth fund in the United Arab Emirates, where homosexuality is criminalized. ¹⁴² In addition, Clearview has provided individual friends and investors access to its technology; these friends and investorsthen share the technology with their own networks. ¹⁴³ The lack of regulation and oversight over Clearview’s potential buyers reveals the technology’s immediate harm to vulnerable groups like children, undocumented immigrants, LBGTQ+ individuals, as well as potential harm to women and domestic violence survivors.

¹³⁶ Kashmir Hill, The Secretive Company That Might End Privacy as We Know It, N.Y. TIMES (Jan. 18, 2020), https://www.nytimes.com/2020/01/18/technology/clearview-privacy-facial-recognition.html [https://perma.cc/HPT3-UQ94] [hereinafter Hill, Secretive Company].

¹³⁷ Malkia Devich-Cyril, Defund Facial Recognition, ATLANTIC (July 5, 2020), https://www.theatlantic.com/technology/archive/2020/07/defund-facial-recognition/613771/ [https://perma.cc/45RJWZA6].

¹³⁸ Hill, Secretive Company, supra note 136.

¹³⁹ Id.

¹⁴⁰*Id. *

¹⁴¹ Ryan Mac, Caroline Haskins & Logan McDonald, Clearview’s Facial Recognition App Has Been Used by the Justice Department, ICE, Macy’s Walmart, and the NBA, BUZZFEED NEWS (Feb. 27, 2020, 11:37 PM), https://www.buzzfeednews.com/article/ryanmac/clearview-ai-fbi-ice-global-lawenforcement [https://perma.cc/RSG3-U45D].

¹⁴² *Id. *

¹⁴³ Kashmir Hill, Before Clearview Became a Police Tool, It Was a Secret Plaything of the Rich, N.Y. TIMES (Mar. 5, 2020, 9:27 AM), https://www.nytimes.com/2020/03/05/technology/clearview-investors.html [https://perma.cc/L9DX-JXW7] [hereinafter Hill, Clearview Police Tool].

Providing unregulated access to facial recognition technology poses a clear danger, where a stranger can take a photo of someone, feed it through the software, and identify the person based on their internet foottraffic. ¹⁴⁴ John Catsimatidis, the owner of New York City-based grocery chain Gristedes, tested Clearview’s app at his stores to identify shoplifters.¹⁴⁵ He also used the app to identify an unknown man, who went on a date with his daughter without either person’s consent, and discovered the man’s name, age, and profession. ¹⁴⁶ If this app fell in the hands of an abuser who is stalking their partner, escape from an abuser would be impossible.

2) Threat from Lack of Regulations and Oversight

The lack of legal restrictions over the creation or application of new technologies is troubling, particularly with the knowledge that new tools that can potentially harm vulnerable people, including intimate partners, can be freely funded. For example, Clearview has received $7 million in venture capital funding to develop its technology. ¹⁴⁷ Currently, no laws or regulations exist that can prevent private investors from investing in controversial technological advances. ¹⁴⁸ Additionally, there are no laws, regulations, or oversight that address how government agencies can utilize new technologies such as facial recognition without much familiarity with either the vendor or the technology. ¹⁴⁹ In addition, no existing laws or regulations seem capable of forcing Clearview or other AI companies to comply with requests from social media companies to stop scraping images from its websites.¹⁵⁰ Too much regulation in technology development can

¹⁴⁴ The Daily Podcast: The End of Privacy as We Know It?, N.Y. TIMES (Feb. 2, 2020), https://www.nytimes.com/2020/02/10/podcasts/the-daily/facial-recognition-surveillance.html?showTranscript=1 [https://perma.cc/5BX9-AD28].

¹⁴⁵ Hill, Clearview Police Tool, supra note 143.

¹⁴⁶ *Id. *

¹⁴⁷Hill, Secretive Company, supra note 136.

¹⁴⁸ See generally Rick DeLucco & Juliyen Davis, The Companies Venture Capital Isn’t Allowed to Invest In, SUPERMAKER (Nov. 7, 2019), https://supermaker.com/articles/the-companies-venture-capital-isnt-allowed-to-invest-in [https://perma.cc/KC4Q-L3AK]; Nathan Heller, Is Venture Capital Worth the Risk?, NEW YORKER (Jan. 27, 2020), https://www.newyorker.com/magazine/2020/01/27/is-venture-capital-worth-the-risk [https://perma.cc/8HTK-FBLU]; Ethics and the Investment Industry, CFA INSTITUTE (Oct. 2017), https://www.cfainstitute.org/en/ethics-standards/codes/standards-of-practice-guidance/ethics-and-investement-industry [https://perma.cc/W4U6- VEWX]; Merkley, Booker Introduce Legislation to Prohibit Irresponsible Government Use of Facial Recognition Technology, JEFF MERKLEY: UNITED STATES SENATOR FOR OREGON (Feb. 12, 2020), https://www.merkley.senate.gov/news/press-releases/merkley-booker-introduce-legislation-to-prohibit-irresponsible-government-use-of-facial-recognition-technology-2020 [https://perma.cc/PL48- TATL].

¹⁴⁹ Hill, Secretive Company, supra note 136.

¹⁵⁰ Id.

stifle innovation and growth of groundbreaking products.¹⁵¹ However, the lack of minimum regulation and oversight on how new technology is funded, distributed, and used is worrisome, particularly when analyzing technology-based abuse in intimate relationships.

3) Threat from Unauthorized Access to Private Data

One reason the public knows as much as it does about Clearview AI is due to a data breach that resulted in the publicization of its customers list.¹⁵² Clearview’s attorney explained that “data breaches are part of life in the twenty-first century.”¹⁵³ However, the fact that Clearview not only holds a massive volume of private information but can also give its powerful clients access to this data with no oversight cannot justify this reality. If such information gets in the hands of data brokers or the illegal online marketplace, we can expect more devastating cases like Remsburg to become normal occurrences.

However, there is already an organization that holds massive amounts of private data on domestic violence survivors: the government. Courts have used sophisticated, centralized case management systems to ensure efficiency and accuracy in domestic violence cases. These systems synchronize important information on domestic violence cases between judges, attorneys, clients, and other involved community members, including law enforcement, domestic violence advocates, health care workers, and batterers’ intervention programs. ¹⁵⁴ The Brooklyn Felony Domestic Violence Court of New York State uses its own proprietary data management system which allows instantaneous sharing of information between multiple parties. ¹⁵⁵ The courts’ reliance on case management systems creates a security concern because of the amount of personal data in a singular source, especially in the event of a data breach that may jeopardize a victim’s safety.¹⁵⁶

Limiting access to personal data held by the government is critical in protecting the safety of survivors. However, the ability to prevent unlawful

¹⁵¹ William D. Eggers et al., The Future of Regulation: Principles for Regulating Emerging Technologies, DELOITTE (June 19, 2018), https://www2.deloitte.com/us/en/insights/industry/public-sector/future-of-regulation/regulating-emerging-technology.html [https://perma.cc/PPH3-W2LJ].

¹⁵² Betsy Swan, Facial-Recognition Company That Works with Law Enforcement Says Entire Client List Was Stolen, DAILY BEAST (Feb. 26, 2020), https://www.thedailybeast.com/clearview-ai-facialrecognition-company-that-works-with-law-enforcement-says-entire-client-list-was-stolen [https://perma.cc/5D5S-F3S7].

¹⁵³Id.

¹⁵⁴ PAMELA YOUNG, CTR. FOR COURT INNOVATION, NEW YORK STATE UNIFIED COURT SYSTEM, AN INFORMED RESPONSE: AN OVERVIEW OF THE DOMESTIC VIOLENCE COURT TECHNOLOGY APPLICATION AND RESOURCE LINK 1-2 (2001), http://www.courtinnovation.org/sites/default/files/ccid6-legacy-files/pdf/info_response.pdf [https://perma.cc/HJQ5-KQGG].

¹⁵⁵ *Id. *

¹⁵⁶ Hulse, supra note 23, at 280.

access is made more difficult by data breaches in private data-driven products used by public agencies as well as by direct cyberattacks on the government. In 2019, there were 140 ransomware attacks targeting state and local government that exposed sensitive public data to danger. ¹⁵⁷ While ransomware works by preventing access to computer systems and public databases, such as online payment sites or crime data statistics, it is not difficult to believe attackers could easily access these databases and sell the information within them. ¹⁵⁸ Even if public agencies were able to protect their data from ransomware, they would not be able to protect data held by a vendor in the event of a data breach on the vendor’s end. ¹⁵⁹ A potential data breach on any private or public domestic violence case management system could expose domestic violence survivors to grave danger.¹⁶⁰

Another data-related problem illustrated by Clearview’s business practices is the unfettered access to powerful technological tools coupled with the underlying data that companies are willing to give to individuals. Abusers are numerous and come in different shapes and forms. If a vendor gives broad access to its technology to its buyers without implementing safety measures regarding who can use the technology, their level of use, or mitigation plans for unauthorized usage, they may unknowingly give access to an abuser who can then use the technology to harm their partners. For example, law enforcement officers are likely to have access to highly sensitive databases, including domestic violence case management systems. Law enforcement officers have also been found to commit higher rates of intimate partner violence compared to the general public. ¹⁶¹ Police abuse of confidential information to retaliate against an intimate partner is

¹⁵⁷ Allen Kim, In the Last 10 Months, 140 Local Governments, Police Stations and Hospitals Have Been Held Hostage by Ransomware Attacks, CNN (Oct. 8, 2019, 5:51 PM), https://www.cnn.com/2019/10/08/business/ransomware-attacks-trnd/index.html [https://perma.cc/SH38-2KEE].

¹⁵⁸ *Id. *

¹⁵⁹ See e.g. Mark Scott & Connor Murphy, Swedish ministers resign amid data security breach scandal, POLITICO (Jan. 28, 2018, 10:21 PM), https://www.politico.eu/article/sweden-data-breach-privacy-security-stefan-lofven/ [https://perma.cc/9F9Q-PGN5] (The Swedish government’s transport agency outsourced its IT operations to IBM Sweden, where a data breach occurred that exposed Swedish driving license records and military vehicle data); Andy Greenberg, The Year of the Mega Data Breach, FORBES (Nov. 24, 2009, 7:00 PM), https://www.forbes.com/2009/11/24/security-hackersdata-technology-cio-network-breaches.html [https://perma.cc/9R4A-8634] (“46% of all lost files last year” was traced to contractors).

¹⁶⁰ See e.g. Zack Whittaker, *A domestic violence prevention app backed by Dr. Phil expoed victims’ distress recordings, *TECH CRUNCH (June 25, 2020, 8:00 AM), https://techcrunch.com/2020/06/25/aspire-app-dr-phil/ [https://perma.cc/LAN8-R5M4].

¹⁶¹ GOODMARK,* supra* note 34, at 238. See also Conor Friedersdorf,* Police Have a Much Bigger Domestic-Abuse Problem than the NFL Does*, ATLANTIC (Sept. 19, 2014), https://www.theatlantic.com/national/archive/2014/09/police-officers-who-hit-their-wives-or-girlfriends/380329/ [https://perma.cc/UF2E-9EAG].

not new phenomenon.¹⁶² The lack of restrictions on consensual access to new technology and its data is problematic.