Clearview AI, the controversial and secretive facial recognition company, just experienced its first major data breach — a scary prospect considering the sheer amount and scope of personal information in its database, as well as the fact that access to it is supposed to be restricted to law enforcement agencies.
According to a memo that Clearview sent to its customers, which was obtained by the Daily Beast, an intruder gained “unauthorized access” to the company’s client list, its number of user accounts, and a number of searches its customers have conducted. That client list might be particularly sensitive, as Clearview claims it works with hundreds of federal and state law enforcement agencies. (A BuzzFeed News report said those numbers are inflated.)
The good news is that there is no evidence that Clearview’s database of 3 billion photos was hacked. But the fact that the company could be breached at all is worrisome enough. Clearview says it obtained these photos by scraping publicly available images from all over the internet. The company’s software uses proprietary facial recognition technology to help law enforcement agencies identify suspects by matching their images with those in the database.
Clearview’s lawyer, Tor Ekeland, seemed blasé about the news in his response to Recode.
“Security is Clearview’s top priority,” he said. “Unfortunately, data breaches are part of life in the 21st century. Our servers were never accessed. We patched the flaw, and continue to work to strengthen our security.”
Sen. Edward J. Markey, who has been highly critical of the company, said in his own statement that Clearview’s comments would be “laughable” if its “failure to safeguard its information wasn’t so disturbing and threatening to the public’s privacy.”
“This is a company whose entire business model relies on collecting incredibly sensitive and personal information, and this breach is yet another sign that the potential benefits of Clearview’s technology do not outweigh the grave privacy risks it poses,” Markey said.
Though Clearview is playing the breach off as a minor and quickly solved problem, it brings up larger issues that have been bubbling under the surface since Clearview’s existence was made widely known last month in a New York Times report. Those include worries about what would happen should Clearview’s data fall into the wrong hands, and how much confidence we should really have in the cybersecurity practices of a private company we know little about and have no reason to trust. If security is indeed Clearview’s top priority, this data breach doesn’t bode well.
Update, February 26, 2020, 2:17 pm: Updated to include comment from Clearview’s lawyer.
Open Sourced is made possible by Omidyar Network. All Open Sourced content is editorially independent and produced by our journalists.
Sara Morrison