A facial-recognition company that contracts with powerful law-enforcement agencies just reported that an intruder stole its entire client list, according to a notification the company sent to its customers.
In the notification, which The Daily Beast reviewed, the startup Clearview AI disclosed to its customers that an intruder âgained unauthorized accessâ to its list of customers, to the number of user accounts those customers had set up, and to the number of searches its customers have conducted. The notification said the companyâs servers were not breached and that there was âno compromise of Clearviewâs systems or network.â The company also said it fixed the vulnerability and that the intruder did not obtain any law-enforcement agenciesâ search histories.
Tor Ekeland, an attorney for the company, said Clearview prioritizes security.
âSecurity is Clearviewâs top priority,â he said in a statement provided to The Daily Beast. âUnfortunately, data breaches are part of life in the 21st century. Our servers were never accessed. We patched the flaw, and continue to work to strengthen our security.â
The firm drew national attention when The New York Times ran a front-page story about its work with law-enforcement agencies. The Times reported that the company scraped 3 billion images from the internet, including from Facebook, YouTube, and Venmo. That process violated Facebookâs terms of service, according to the paper. It also created a resource that drew the attention of hundreds of law-enforcement agencies, including the FBI and the Department of Homeland Security, according to that report. In a follow-up story, the Times reported that law-enforcement officials have used the tools to identify children who are victims of sexual abuse. One anonymous Canadian law-enforcement official told the paper that Clearview was âthe biggest breakthrough in the last decadeâ for investigations of those crimes.
The notification did not describe the breach as a hack. David Forscey, the managing director of the no-profit Aspen Cybersecurity Group, said the breach is concerning.
âIf youâre a law-enforcement agency, itâs a big deal, because you depend on Clearview as a service provider to have good security, and it seems like they donât,â Forscey said.
Facial-recognition technologyâwhich matches photos of unidentified victims or suspects against enormous databases of photosâhas long drawn intense criticism from privacy advocates. They argue it could essentially mean the end of personal privacy, especially given the proliferation of security cameras in public places. Some law-enforcement officials, meanwhile, see it as a tool with enormous potential value.
