European AI company’s ‘reputation reports’ are inaccurate and illegal, watchdog claims
The European digital privacy nonprofit noyb has filed a complaint with Lithuanian data protection authorities over allegedly illegal practices by a large data broker that sells “reputation reports” on individuals based on information scraped from the internet.
Lithuania-based Whitebridge AI collects data on anyone with an online presence, noyb says, including by harvesting information from social media platforms. The company then promotes its product as “kinda scary” in a bid to get report subjects to pay to access their contents, the watchdog group says.
The reports are not always factual, noyb alleges, often including AI-generated inaccuracies.
They allegedly include lists of personality traits, photos, “hidden profiles,” “negative press” and background checks which show if an individual has shared religious, adult or political content on social media.
Under Europe’s General Data Protection Regulation (GDPR), citizens have the right to access their data from companies for free, a law Whitebridge AI is allegedly breaking by attempting to sell reports to those who have been profiled, noyb says.
“Whitebridge AI just has a very shady business model aimed at scaring people into paying for their own, unlawfully collected data,” Lisa Steinfeld, data protection lawyer at noyb, said in a prepared statement.
The company is also breaking the law by selling data from social media profiles, noyb says.
Reports noyb purchased for two complainants included warnings for “sexual nudity” and “dangerous political content” even though the reports did not contain such information, noyb says. When the complainants sought to have the errors fixed, Whitebridge allegedly told them they needed a “qualified electronic signature” to make the request.
The GDPR does not require electronic signatures for such personal data requests.
Whitebridge AI did not immediately respond to a request for comment.
Noyb has asked Lithuanian data protection authorities to force Whitebridge to give individuals free access to the reports, stop illegally processing data and notify the complainants that it has rectified the false reports. It also is asking authorities to fine the company.
Under the GDPR, complaints are filed directly with regulators in the member states where companies are based.
Suzanne Smalley
is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.