Best Buy is one of hundreds of clients listed in leaked documents about Clearview AI’s client base. | Ma Jun/Visual China Group via Getty Images

Clearview said it only sold facial recognition tech to cops. Its leaked client list says otherwise.

Open Sourced logo

Clearview AI, the controversial and secretive facial recognition company, recently experienced its first major data breach — a scary prospect considering the sheer amount and scope of personal information in its database, as well as the fact that access to it is supposed to be restricted to law enforcement agencies. BuzzFeed News says it gained access to the leaked documents, and indeed, it looks like Clearview was working with everyone from US Immigration and Customs Enforcement (ICE) to Best Buy.

The new BuzzFeed report paints a chilling picture of Clearview’s scope and ambition to market its all-powerful facial recognition technology. Not only does the client list revealed in the leaked documents include hundreds of local police departments as well as federal agencies like ICE, Customs and Border Patrol (CBP), and the US Attorney’s Office for the Southern District of New York, but it also shows that employees retail companies like Best Buy, Walmart, and Macy’s have conducted trials with Clearview. There are also international entities like Interpol and a research center in Saudi Arabia in the mix.

All this information flies in the face of Clearview’s previous claims that only worked with domestic law enforcement agencies. It also raises questions about Clearview’s plans to make a publicly available facial recognition app, which experts have described as dangerous. BuzzFeed News reports:

For a company that maintains its tools are for law enforcement, Clearview’s client list includes a startling number of private companies in industries like entertainment (Madison Square Garden and Eventbrite), gaming (Las Vegas Sands and Pechanga Resort Casino), sports (the National Basketball Association), fitness (Equinox), and even cryptocurrency (Coinbase). The logs also show that the startup is particularly interested in banking and finance, with 46 financial institutions trying the facial recognition tool.

There’s more:

The documents reviewed by BuzzFeed News also indicate that the company has provided its software to private investigators and security firms. Among them is Gavin de Becker and Associates, a private security agency, which appears as a paid Clearview customer with more than 3,600 searches, and SilverSEAL Global Security, a New York firm that engages in private investigation and surveillance, according to its website.

A day before these details emerged, the Daily Beast reported that an intruder gained “unauthorized access” to Clearview’s client list, its number of user accounts, and a number of searches its customers have conducted. That client list now appears to be particularly sensitive, especially since it contradicts Clearview’s earlier statements about working with a limited number of law enforcement agencies.

For now, there is no evidence that Clearview’s database of 3 billion photos was hacked. But the fact that the company could be breached at all is worrisome enough. Clearview says it obtained these photos by scraping publicly available images from all over the internet. The company’s software uses proprietary facial recognition technology to help law enforcement agencies identify suspects by matching their images with those in the database.

Clearview’s lawyer, Tor Ekeland, seemed blasé about the news in his response to Recode.

“Security is Clearview’s top priority,” he said. “Unfortunately, data breaches are part of life in the 21st century. Our servers were never accessed. We patched the flaw, and continue to work to strengthen our security.”

Sen. Edward J. Markey, who has been highly critical of the company, said in his own statement that Clearview’s comments would be “laughable” if its “failure to safeguard its information wasn’t so disturbing and threatening to the public’s privacy.”

“This is a company whose entire business model relies on collecting incredibly sensitive and personal information, and this breach is yet another sign that the potential benefits of Clearview’s technology do not outweigh the grave privacy risks it poses,” Markey said.

Though Clearview is playing the breach off as a minor and quickly solved problem, it brings up larger issues that have been bubbling under the surface since Clearview’s existence was made widely known last month in a New York Times report. Those include worries about what would happen should Clearview’s data fall into the wrong hands, and how much confidence we should really have in the cybersecurity practices of a private company we know little about and have no reason to trust.

If security is indeed Clearview’s top priority, this data breach doesn’t bode well. If the client list really does represent the number and type of companies and agencies with access to Clearview’s powerful technologies, this situation might be much more serious than previously thought.

Update, February 27, 2020, 4:30 pm: Updated to include details from a BuzzFeed News report on the contents of the breach.

Open Sourced is made possible by Omidyar Network. All Open Sourced content is editorially independent and produced by our journalists.

Author: Sara Morrison

Read More