ProBackend
facial recognition privacy
3 hours ago5 min read

The Developer Who Stole Your Face: How One App Builder Scraped Millions of Photos Into a Surveillance Database

An app developer secretly scraped millions of social media photos to construct a facial recognition database, raising serious privacy concerns about unauthorized biometric data collection and the ethical implications of building surveillance technology without user consent.

Here's the thing about facial recognition that keeps me up at night: you probably already live in someone else's database. Not the government's. Not a corporation's. Just some guy with a laptop and a grudge against privacy.

About ten years ago, an app developer named Hoan Ton-That did something that should've been impossible. He scraped your social media photos—millions of them, without asking—and built a facial recognition database from scratch. You didn't know it at the time. None of us did.

This isn't a hypothetical scenario. This actually happened. And it should terrify everyone who's ever posted a selfie.

How the Scraping Actually Worked

Ton-That didn't hack anything. He didn't breach a server or crack an encryption key. What he did was worse, in some ways: he exploited the fact that social media platforms make your photos publicly available.

Here's how it went down. He wrote scripts—basic web scraping tools, nothing fancy—that systematically pulled images from social media profiles. Millions of them. Every public photo, every tagged image, every snapshot you'd uploaded and forgotten about.

The creepy part? He didn't just collect the images. He processed them. Ran facial recognition algorithms against each one, creating a searchable database where any face could be matched to a name, a profile, a digital identity.

Think about that for a second. A single developer, working alone, built what amounts to a mass surveillance tool using nothing but publicly available photos and some code he wrote in his spare time.

The Privacy Violation Nobody Talked About

When this story broke, most people reacted with the same confusion I felt: wait, is this even legal?

The answer, unfortunately, is complicated. In many jurisdictions at the time, there were no specific laws against scraping publicly available data for facial recognition purposes. The legal framework just hadn't caught up with the technology.

But here's what bothers me: even if it was technically legal, it was morally bankrupt. These were real people's photos—images they'd shared with friends and family, not with some anonymous developer building a surveillance database.

The violation wasn't just about data collection. It was about consent. About the basic expectation that when you post a photo on social media, it stays within your social circle. That expectation got trampled.

Why This Matters More Than You Think

Most people hear about facial recognition and think about airport security or police investigations. They don't think about what happens when a single developer can build their own database, independent of any government or corporation.

This is the democratization of surveillance. And that's a problem.

When governments build facial recognition systems, there are (theoretical) checks and balances. Courts can issue warrants. Legislatures can pass oversight laws. But when some guy in his apartment builds a database of millions of faces, who's watching him?

The implications are staggering. This technology could be used for stalking. For harassment. For blackmail. For any number of things that don't involve public safety at all.

The Technical Feasibility Problem

What makes Ton-That's case so disturbing is how easy it was. You don't need a team of engineers. You don't need millions in funding. You don't even need that much technical skill.

Web scraping tools are freely available. Facial recognition APIs exist—some of them free, some cheap. A motivated individual can put together a system like this in their garage.

This is the fundamental problem with facial recognition technology: it's too easy to build, and not hard enough to stop.

The barrier to entry is so low that we're essentially playing catch-up with bad actors. Every time we pass a regulation, someone finds a way around it. Every time we shut down one database, three more pop up somewhere else.

After Ton-That's case became public, there was a lot of hand-wringing. A lot of op-eds about privacy and ethics. And then... not much happened.

Some jurisdictions tightened their data protection laws. A few courts ruled that scraping personal data without consent could constitute a privacy violation. But the legal landscape remains fragmented at best.

In the United States, there's no comprehensive federal privacy law. What we have is a patchwork of state regulations that vary wildly from one jurisdiction to another. This makes it nearly impossible to hold someone like Ton-That accountable, especially if they're operating from a jurisdiction with weak privacy protections.

The European Union's GDPR came later, and it does provide some recourse. But even there, enforcement is spotty, and penalties often don't match the scale of the violation.

What This Means for Your Photos

Here's what I want you to understand: if you've ever posted a photo on social media, your face is probably in someone else's database. Maybe not Ton-That's specifically—his case was isolated, and he was caught—but the technology exists. The methods are known.

Every public photo you've ever uploaded is a potential data point in someone else's facial recognition system. And there's no way to know which ones have been scraped, or who has them, or what they're being used for.

This isn't paranoia. It's the reality of living in a world where facial recognition technology has outpaced both regulation and public awareness.

The Path Forward

So what do we do? How do we protect ourselves when the technology is this pervasive and the regulations are this weak?

First, we need to acknowledge that "publicly available" doesn't mean "free to use." Just because you can scrape something doesn't mean you should. There's a difference between accessing public data and building surveillance tools from it.

Second, we need stronger privacy laws. Not the watered-down regulations that get passed after a scandal fades from the news cycle. Real, enforceable laws with meaningful penalties.

Third, we need to rethink how social media platforms handle user data. If your photos are being used to build facial recognition databases, the platforms need to be held accountable. They're enabling this by making your data too easily accessible.

The Bigger Picture

Ton-That's case isn't an anomaly. It's a preview of what's coming.

As facial recognition technology becomes more accurate and more accessible, we're going to see more cases like this. More developers building databases without consent. More violations of privacy that slip through the cracks of outdated regulations.

The question isn't whether this will happen again. It's whether we'll do anything about it.

I'm not optimistic. But I am angry. And I think that anger should drive us to demand better protections, stronger regulations, and a fundamental shift in how we think about digital privacy.

Your face is yours. Not some developer's. Not a corporation's. Yours. And it's time we started acting like it.

How the Scraping Actually Worked

More blogs