Clearview hacked: your face is a giveaway!
Every person who has been working on security and has attempted to build a classification system for documents got to the same conclusions: a combination of public data is not necessarily public data. Collecting, analyzing and classifying data has a cost, thus generates an added value. Things are worse when this high value-added information is closely related to the privacy of each of us and gets hacked.
Clearview is a US-based company that proposes image identification services to law enforcement agencies. The business model of the company consists in scraping images from Facebook, YouTube, Twitter, Instagram and more generally everywhere on the internet to build their 3 billion images database and use AI to cross-identify people between different pictures. The structure of the database is not public, but one may suppose Clearview’s AI has means to establish relations between pictures representing the same person in different contexts and coming from different apps and websites. Clearview is also able to identify people being in pictures together and aggregate data, thus to rebuild relationship networks. Then, Clearview sells a service to law enforcement agencies that allow them to identify people from pictures coming from crime scenes.
Clearview has a quite contrasted image. For instance, it is called a “creepy facial-recognition company (…) stealing Facebook photos” by Mashable and “the world’s scariest facial recognition company” by Vox. “The end of privacy as we know it? An unregulated facial recognition app can probably tell the police your name and help them find out where you live and who your friends are,” writes The New York Times. With Clearview, governments can find out on political opponents or participants in a demonstration. Anyone having access to the service can build a list of targets just from a simple image. Businesses can build a list of unwanted customers or use the system to inquire about potential customers. Hiring companies can get into the personal life of candidates. Rapists can use the system to find their preys. The risks of such a system are endless..
On the other hand, Clearview says it only searches the open web and only accesses public information. Consequently, the company defends itself from any surveillance attempt. They have a well-built speech that only elaborates on positive values: everyone is supportive of criminals such as child molesters, murderers or terrorists being arrested, and innocents exonerated from any suspicion.
According to The Guardian, Clearview is a very small organization: Hoan Ton-That, a co-founder of the company started by hiring two hackers: one in charge of building software for scraping images from open sources, and the other in charge of building a facial recognition algorithm that would allow to connect images with each other.
The latest news is that Clearview has been hacked in February 2020. According to reports, Clearview’s entire client list was exposed. While Clearview said it was selling its services to around 600 law enforcement agencies and police forces, the hack has revealed 2,200 organizations in 27 countries have interacted with the company, according to Buzzfeed. This list includes major retailers, mobile network operators, financial institutions, universities, sport leagues, and several international government agencies. Commenting on the breach, the company said it fixed the problem that caused the data breach, and that safety was its top priority.
While we blame governments for spying on their citizens, a company like Clearview, with limited means, makes this available to numerous organizations. Back in 1999, Scott McNealy, CEO of Sun Microsystems already said: “You have zero privacy anyway. Get over it.”