Clearview AI, the controversial and secretive facial recognition company, recently experienced its first major data breach — a scary prospect considering the sheer amount and scope of personal information in its database, as well as the fact that access to it is supposed to be restricted to law enforcement agencies. BuzzFeed News says it gained access to the leaked documents, and indeed, it looks like Clearview was working with everyone from US Immigration and Customs Enforcement (ICE) to the NBA.
The new BuzzFeed report paints a chilling picture of Clearview’s scope and ambition to market its all-powerful facial recognition technology. Not only does the client list revealed in the leaked documents include references to hundreds of local police departments as well as federal agencies like ICE, Customs and Border Patrol (CBP), and the US Attorney’s Office for the Southern District of New York, but it also shows that retail companies like Best Buy, Walmart, and Macy’s have conducted trials with Clearview. There are also international entities like Interpol and a research center in Saudi Arabia, not to mention some private investigators, in the mix.
All this information flies in the face of Clearview’s previous claims that it only worked with domestic law enforcement agencies. It also raises questions about Clearview’s plans to make a publicly available facial recognition app, which experts have described as dangerous. BuzzFeed News reports:
There’s more:
Several of the companies listed above have distanced themselves from Clearview. Others, like the NBA and Coinbase, admitted to conducting trials of the software.
“While we conducted a limited test as we do with an array of potential vendors, we are not and have never been a client of this company,” the NBA said in a statement to Recode.
“We are not Clearview AI clients,” Best Buy said in an email to Recode. “We don’t use Clearview AI and don’t plan on using it in the future.”
Meanwhile, privacy advocates are very concerned about the consequences of Clearview’s technology as well as its security issues.
“This list, if confirmed, is a privacy, security, and civil liberties nightmare,” Nathan Freed Wessler, a staff attorney with the ACLU, told Recode. “Government agents should not be running our faces against a shadily assembled database of billions of our photos in secret and with no safeguards against abuse.”
Following the breach, Gizmodo managed to get its hands on a version of Clearview’s Android app, which was stored on a publicly accessible Amazon server. While a login was needed to access Clearview’s facial recognition system, Gizmodo was able to see some code that indicated features under development including voice search, the ability to take photos in the app that could be matched to Clearview’s database, and the ability to scan drivers license barcodes. CEO Hoan Ton-That told Gizmodo that the latter feature “doesn’t scan drivers licenses,” despite the fact that the file is named “Barcode$DriverLicense.smali.”
Before these details emerged, the Daily Beast reported that an intruder gained “unauthorized access” to Clearview’s client list, its number of user accounts, and a number of searches its customers have conducted. That client list now appears to be particularly sensitive, especially since it contradicts Clearview’s earlier statements about working with a limited number of law enforcement agencies.
For now, there is no evidence that Clearview’s database of 3 billion photos was hacked. But the fact that the company could be breached at all is worrisome enough. Clearview says it obtained these photos by scraping publicly available images from all over the internet. The company’s software uses proprietary facial recognition technology to help law enforcement agencies identify suspects by matching their images with those in the database.
Clearview’s lawyer, Tor Ekeland, seemed blasé about the news in his response to Recode.
“Security is Clearview’s top priority,” he said. “Unfortunately, data breaches are part of life in the 21st century. Our servers were never accessed. We patched the flaw, and continue to work to strengthen our security.”
Sen. Edward J. Markey, who has been highly critical of the company, said in his own statement that Clearview’s comments would be “laughable” if its “failure to safeguard its information wasn’t so disturbing and threatening to the public’s privacy.”
“This is a company whose entire business model relies on collecting incredibly sensitive and personal information, and this breach is yet another sign that the potential benefits of Clearview’s technology do not outweigh the grave privacy risks it poses,” Markey said.
Though Clearview is playing the breach off as a minor and quickly solved problem, it brings up larger issues that have been bubbling under the surface since Clearview’s existence was made widely known last month in a New York Times report. Those include worries about what would happen should Clearview’s data fall into the wrong hands, and how much confidence we should really have in the cybersecurity practices of a private company we know little about and have no reason to trust.
If security is indeed Clearview’s top priority, this data breach doesn’t bode well. If the client list really does represent the number and type of companies and agencies with access to Clearview’s powerful technologies, this situation might be much more serious than previously thought.
Update, February 28, 2020, 1:40 pm ET: Updated to include new details from a Gizmodo report as well as statements from Best Buy, the NBA, and the ACLU.
Open Sourced is made possible by Omidyar Network. All Open Sourced content is editorially independent and produced by our journalists.
Source: vox.com