A security breach at a face-recognition startup, already embattled over its unfettered collection of Americans’ personal data on behalf of its hundreds of law enforcement clients, further underscores the potential hazards faced by consumers at the hands of a controversial and largely-unregulated surveillance technology, federal officials said on Wednesday.
Clearview AI, which has drawn criticism for scraping billions of photographs from public websites like Facebook and Google in an effort to train face recognition software for law enforcement to use when searching for suspects. This week, it notified its customers that an unidentified intruder had gained “unauthorized access” to its internal client list and the number of database searches performed by each client.
The Daily Beast first reported the news. Tor Ekeland, an attorney for Clearview AI, confirmed the breach in a statement to Gizmodo. Security remains Clearview’s “top priority,” said Ekeland, adding: “Unfortunately, data breaches are part of life in the 21st century. Our servers were never accessed. We patched the flaw, and continue to work to strengthen our security.”
Clearview said that the breach did not grant the intruder access to its platform nor the search histories of any law enforcement client. Nevertheless, U.S. lawmakers quickly took issue with Clearview’s response, which they perceived as dismissive.
“Shrugging and saying data breaches happen is cold comfort for Americans who could have their information spilled out to hackers without their consent or knowledge,” said Sen. Ron Wyden, a constant privacy hawk in Congress and author of the Mind Your Own Business Act, a bill aimed at making it tougher for tech companies to amass huge databases of consumers’ personal data.
“Companies that scoop up and market vast troves of information, including facial recognition products, should be held accountable if they don’t keep that information safe,” Wyden told Gizmodo.
Clearview, whose services are reportedly being tested by the FBI and the Department of Homeland Security, according to the New York Times, has been sharply criticized over its data collection process. The company claims to have scraped more than three billion images from the likes of Facebook, Google, and YouTube—all of which served Clearview with cease and desist letter this month, claiming that the scraping violates their company policies.
Clearview CEO and founder Hoan Ton-That defended his company’s practices this month in an interview with CBS This Morning by comparing its collection of data to Google and saying Clearview has a “First Amendment right to public information.”
Alex Joseph, a YouTube spokesperson, later responded to Ton-That’s remarks by arguing that, as opposed to the individuals whose photos are added to Clearview’s database, most websites want to be included in Google Search. “Clearview secretly collected image data of individuals without their consent, and in violation of rules explicitly forbidding them from doing so,” he said.
FCC Commissioner Geoffrey Starks told Gizmodo that face recognition technology raises “serious issues of privacy and civil liberties, particularly when it comes to communities of color.”
In December, the National Institute of Standards and Technology, a branch of the Commerce Department, released a study of 189 facial recognition systems that found—among other issues centered on the age of subjects—that people of African and Asian descent were misidentified by the systems at a rate 100 times higher than white faces.
“As I’ve long said, the handling of our data is one of the most defining civil rights issues of our generation, and facial recognition is currently one of the most troubling. Facial recognition is being used to determine whether you can enter your housing, whether law enforcement can stop you on the street, and even whether you can enter the country,” Starks said. “Now we’re learning that, having gathered such an unprecedented amount of personal images, Clearview can’t even protect its own systems. How we can trust a company with massive privacy responsibilities when it can’t even protect its own corporate data?”
Sen. Ed Markey, a member of the Commerce, Science and Transportation Committee, also took aim at Clearview’s response this morning, saying its claim that security is its top priority “would be laughable if the company’s failure to safeguard its information wasn’t so disturbing and threatening to the public’s privacy.”
“If your password gets breached, you can change your password. If your credit card number gets breached, you can cancel your card. But you can’t change biometric information like your facial characteristics if a company like Clearview fails to keep that data secure,” he said. “This is a company whose entire business model relies on collecting incredibly sensitive and personal information, and this breach is yet another sign that the potential benefits of Clearview’s technology do not outweigh the grave privacy risks it poses.”