Clearview AI loses entire database of faceprint-buying clients to hackers

Clearview AI, the controversial facial recognition startup that’s gobbled up more than three billion of our photos by scraping social media sites and any other publicly accessible nook and cranny it can find, has lost its entire list of clients to hackers – including details about its many law enforcement clients.

In a notification that The Daily Beast reviewed, the company told its customers that an intruder “gained unauthorized access” to its list of customers, to the number of user accounts they’ve set up, and to the number of searches they’ve run.

The disclosure also claimed that Clearview’s servers hadn’t been breached and that there was “no compromise of Clearview’s systems or network.” The company said that it’s patched the unspecified hole that let the intruder in, and that whoever it was didn’t manage to get their hands on customers’ search histories.

Tor Ekeland, an attorney for Clearview, sent a statement to news outlets saying that breaches are just a fact of life nowadays:

Security is Clearview’s top priority. Unfortunately, data breaches are part of life in the 21st century. Our servers were never accessed. We patched the flaw, and continue to work to strengthen our security.

Clearview, which has sold access to its gargantuan faceprint database to hundreds of law enforcement agencies, first came to the public’s attention in January when the New York Times ran a front-page article suggesting that the “secretive company […] might end privacy as we know it.”

In its exposé, the Times revealed that Clearview has quietly sold access to faceprints and facial recognition software to more than 600 law enforcement agencies across the US, claiming that it can identify a person based on a single photo, reveal their real name and far more.

Within a few weeks of the Times article, Clearview found itself being sued in a potential class action lawsuit that claims the company amassed the photos out of “pure greed” to sell to law enforcement, thereby violating the nation’s strictest biometrics privacy law – the Biometric Information Privacy Act (BIPA).

Among the many online sources that Clearview has scraped to get all the biometric data it’s selling (or giving away), Twitter, Facebook, Google and YouTube have ordered the company to stop its scraping – a practice that violates the social media giants’ policies.

In a followup report, the Times noted that there’s a strong use case for Clearview’s technology: finding victims of child abuse. Investigators told the newspaper that Clearview’s tools have enabled them to identify the victims featured in child abuse videos and photos, leading them to names or locations of victims whom they may never have been able to identify otherwise. One retired chief of police said that running images of 21 victims of the same offender returned 14 minors’ IDs, the youngest of whom was 13.

Following the Times’ exposé, New Jersey barred police from using the Clearview app. Canada’s privacy agencies are also investigating Clearview to determine if its technology violates the country’s privacy laws, the agencies said on Friday.

David Forscey, the managing director of the non-profit Aspen Cybersecurity Group, told the Daily Beast that Clearview’s breach should be worrying for its customers:

If you’re a law-enforcement agency, it’s a big deal, because you depend on Clearview as a service provider to have good security, and it seems like they don’t.

Put another way by tech policy advocate Jevan Hutson:

Clearview continues to give us a clear view of why biometric surveillance is an unsalvageable trash fire.

Latest Naked Security podcast


Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.