Clearview AI Breach Heightens Concerns Over Security and Privacy Implications of Facial Recognition Technology

Posted on by Tony Kontzer

One of the cybersecurity world’s most controversial emerging technologies, facial recognition, got a serious black eye this week.

Clearview AI, a New York-based startup that’s drawn the ire of privacy advocates and members of the U.S. Congress, was breached this week and its entire client list stolen.

Not only does the attack call into question the security profile of a company that has amassed huge amounts of sensitive data, including nearly 3 billion images recently scraped from social media sites, the client list itself reveals that the company has been less than forthcoming about the full scope of its ambitions.

Despite previous claims that it only worked with domestic law enforcement agencies, it appears Clearview AI has actually been selling its technology to hundreds of other organizations, including the likes of the U.S. Immigration and Customs Enforcement, Best Buy and Macy’s, according to a report from Buzzfeed.

Having obtained and reviewed the leaked documents, Buzzfeed didn’t pull any punches in reporting its findings.

“Clearview has taken a flood-the-zone approach to seeking out new clients, providing access not just to organizations, but to individuals within those organizations — sometimes with little or no oversight or awareness from their own management,” the Buzzfeed post reads. “This data provides the most complete picture to date of who has used the controversial technology and reveals what some observers have previously feared: Clearview AI’s facial recognition has been deployed at every level of American society and is making its way around the world.”

This strikes at the heart of what has made facial recognition such a double-edged sword: a groundbreaking technology with profoundly disturbing privacy implications.

Among its many capabilities, Clearview AI’s app enables users to capture and upload photos of strangers, analyze the subjects’ biometric data, and access existing images and personal information of those who are photographed.

The threat to privacy and anonymity is clear, and U.S. Sen. Ed Markey, D-Mass., who last month sent a letter to Clearview AI querying CEO Hoan Ton-That about the company’s technology, responded to the breach with a searing statement that deserves to be shared in its entirety:

“Clearview’s statement that security is its ‘top priority’ would be laughable if the company’s failure to safeguard its information wasn’t so disturbing and threatening to the public’s privacy,” Markey said. “If your password gets breached, you can change your password. If your credit card number gets breached, you can cancel your card. But you can’t change biometric information like your facial characteristics if a company like Clearview fails to keep that data secure. This is a company whose entire business model relies on collecting incredibly sensitive and personal information, and this breach is yet another sign that the potential benefits of Clearview’s technology do not outweigh the grave privacy risks it poses.”

A statement that a company attorney, Tor Ekeland, sent to the Daily Beast seemed a bit offhand for such a serious event.

After insisting that security is Clearview AI’s “top priority,” Ekeland said something shockingly ho-hum.

“Unfortunately, data breaches are a part of life in the 21st century,” his statement read.

While that may be true, several things are not a part of life in 2020, at least not yet. These would include widespread use of facial recognition, misleading markets about a company’s customer base, and congressional queries.

Facial recognition is clearly an amazingly powerful technology; if it wasn’t, the industry’s largest player, China’s SenseTime, wouldn’t be worth $4.5 billion just four years after its founding.

But if facial recognition companies want to put the world at ease about their potentially society-changing innovations, they’re going to have to prove that they not only can keep their massive amounts of data safe, but that they take the privacy of individuals seriously.

Clearview AI’s breach is evidence that this is not the case today.

Tony Kontzer, RSA Conference
