Server screw-up exposes Clearview’s facial recognition AI software
A data repository exposed the company's apps, security keys and files.
Clearview AI is widely seen as a privacy nightmare by the public and is even looked down on privacy-challenged tech giants like Google. Now, the company has shown that it can’t even take care of its own data, according to a report from TechCrunch. It managed to expose its source code to anyone with an internet connection due to a server misconfiguration, a flaw spotted by a security researcher at the Dubai-based firm SpiderSilk.
The repository held app source code that’s used to compile apps. The company also stored its Windows, Mac, iOS and Android apps on the server, including pre-release developer apps used for testing, according to SpiderSilk research chief Mossab Hussein. It also exposed Clearview’s Slack tokens which would let anyone access the company’s internal messages without a password.
The leak also revealed Clearview’s prototype “Insight” camera that has since been discontinued. As TechCrunch showed in a video, SpiderSilk reportedly found 70,000 videos in one storage bucket that were taken from an Insight camera installed in a residential building in Manhattan. The company said it “collected some raw video strictly for debugging purposes, with the permission of the building management.”
Clearview’s facial recognition AI that can identify a person using data from Facebook, Instagram and other public-facing internet services. It obtains this data by “scraping” billions of photos from social media sites and elsewhere. The company markets its service to law-enforcement agencies and other businesses, which can use it to identify a person simply by uploading their photo. Clearview was breached earlier when a list of businesses using its services was leaked.
Clearview CEO Hoan Ton-That has defended the company’s practices, saying that it should be allowed to store any publicly-available information, just as Google and others do. However, the company has shown that it not only exposes the public to privacy violations, it can’t even protect its own data.
