Nearly three million people uploaded photos to the dating site OkCupid. They did so looking for dates (obviously).

Yet their faces ended up training a facial recognition system that now sells to police departments, government agencies, and the military.

How did that happen?

The U.S. Federal Trade Commission (FTC) alleged that OkCupid shared users’ photos, location data, and demographic profiles with Clarifai, a “computer vision company”. They did so without user consent and in direct violation of its own privacy policy. OkCupid’s founders were personally invested in Clarifai, and one of them sent the photos from his personal email account, bypassing any corporate oversight.

No contract governed the data handoff. And no restrictions were placed on what Clarifai could do with the misappropriated data.

Clarifai ended up using the images to build technology capable of identifying the age, sex, and race of faces. The company has since secured contracts with the U.S. Air Force Research Laboratory and partnered with defense firms supplying AI to the Army’s intelligence community.

So dating profile pictures became raw material for defense contractors. The people in those photos had no idea, and were never asked.

Share

The FTC settled the case in March 2026.

The good: The settlement permanently bars Match Group and OkCupid from misrepresenting their data practices and requires compliance reporting for a decade.

The bad: Match Group did not admit wrongdoing.

The ugly: The settlement carries no financial penalty. And the FTC did not require Clarifai to delete any of the data it received.

Twelve years of willfully misusing people’s images, and the regulatory consequence is a promise to tell the truth going forward.

The OkCupid Story Isn’t Really About OkCupid

Most people process news like this as a company-specific scandal. OkCupid was reckless with customer data, OkCupid got caught, but you don’t use OkCupid, so you’re fine.

That’s the superficial take. As is usually the case with these stories, there’s a deeper level.

Every site where you’ve uploaded photos, whether LinkedIn, Facebook, Instagram, a fitness app, a medical portal, or a real estate platform, operates under a privacy policy that its legal team wrote. And they wrote it to maximize the company’s flexibility, not yours. I’ve written before about why reading those policies is a waste of time. 👇

Reading Website Privacy Notices is a Waste of Time

Secrets of Privacy

·

May 17, 2024

Read full story

What the OkCupid case illustrates is the specific mechanisms that makes privacy policies useless:

Privacy policies are often inaccurate, either out of negligence or intentional bad behavior (as appears to be the case with OKCupid). Or a company can change the policy at any time, usually without notice, to make their privacy infringing practices legit. And in almost all cases privacy policies are drafted to provide broad rights and discretion to use your data, which means most people don’t know what they’re supposedly consenting to.

Unfortunately the OKCupid incident isn’t a one-time failure by a company with bad intentions. It’s a repeatable playbook.

Many people now understand that tech companies design features specifically to get you to hand over your face voluntarily. It’s been going on since the dawn of the internet but AI companies have taken it to a whole new level. The best example is when OpenAI/ChatGPT pushed an anime filter, the Ghibli-style portrait, which allowed users to see themselves as a cartoon.

Users got a quick dopamine hit from doing that. And OpenAI received valuable data to bolster their facial recognition capabilities without paying anything. That’s about as lopsided of a trade as you can find.

OkCupid’s founders didn’t need a clever feature to capture valuable biometric data because they already had three million photos sitting in a database. But the outcome is the same:

your face, in a training set, with no restrictions on what gets built from it.

The enforcement consequence for any of this is, apparently, a compliance checklist. Which shouldn’t be surprising to anyone following these incidents. Penalties handed down by regulators are usually small compared to company revenues. Businesses then calculate the cost of protecting (or not protecting) your privacy, and when the answer is zero (or near zero) dollars in penalties, the math doesn’t work in favor of your privacy.

What McDonalds Hot Coffee Can Teach You About Protecting Your Data

April 11, 2025

Read full story

For photos specifically, the only meaningful control you still have is upload discipline. Review which apps have access to your Google, Apple, or Facebook account, and think carefully before handing your face to the next platform that makes it seem fun or convenient. The photos you never put up can’t be handed to anyone.

You can't un-upload a photo, and you can't control where it goes once a company has it. Knowing that your photos can move from a dating app to a defense contractor through a personal email and a handshake should change how you evaluate the next platform that asks for your face. While the next platform asking for your photo isn't OkCupid, the incentive structure is identical.

One more thing: I've been sharing the behind-the-scenes of building DoxxScore over on Substack Notes. Things like the thinking behind the product, what I've learned about digital privacy along the way, and where it's headed. If that interests you, a sample post is below. DoxxScore goes live next week, so stay tuned for more information. ⌛

Looking for help with a privacy issue or privacy concern? Chances are we’ve covered it already or will soon. Follow us on X and LinkedIn for updates on this topic and other internet privacy related topics.

Disclaimer: None of the above is to be deemed legal advice of any kind. These are *opinions* written by a privacy and tech attorney with years of working for, with and against Big Tech and Big Data. And this post is for informational purposes only and is not intended for use in furtherance of any unlawful activity. This post may also contain affiliate links, which means that at no additional cost to you, we earn a commission if you click through and make a purchase.

• Privacy freedom is more affordable than you think. We tackle the top Big Tech digital services and price out privacy friendly competitors here. The results may surprise you.

• Check out our new, free username generator to help you create unique usernames for different accounts. Reusing usernames is convenient, but terrible for your privacy. This tool makes it easy to create unique usernames on the fly.

  Share Secrets of Privacy