Increasingly widespread adoption of facial recognition technology for law enforcement purposes has sparked a heated global debate over the past year or two. Clearview AI has been one of the central points of contention, becoming something of a poster child for potential abuses and lack of transparency in such programs. The embattled facial recognition startup’s road is becoming no easier as an exposed server has been found that contained the source code for the company’s facial recognition database along with confidential keys and credentials that would grant a disturbing level of access to the company’s internal network.

Clearview AI: No longer just for law enforcement

Clearview AI attempts to sell acceptance of its product to the public by promising that only vetted law enforcement agencies are given access to it. A breach just two months ago revealed that not to be the case. The company’s client list was exposed, revealing that it has also been doing business with retail chains such as Best Buy and Macy’s. Retailers have an interest in facial recognition technology for everything from collecting marketing data to tracking potential shoplifters; customers would likely not be comfortable with just about any of these uses, but are also by and large not aware that some stores have been doing this for at least a couple of years now.

The software is now available to anyone who happened upon the exposed server during the breach window. The breach was discovered by Dubai-based cybersecurity firm SpiderSilk. As is common with these sorts of breaches, the culprit was a misconfigured cloud-based database. The server was allowing anyone who registered as a new user to access it.

In addition to the facial recognition source code, the security researchers found credentials and keys that provided access to other cloud storage buckets maintained by the company. These buckets contained complete copies of the retail apps that Clearview AI provides to its customers along with earlier versions meant for developer testing.

As if that wasn’t enough, the database also contained Slack tokens that would allow anyone to access the company’s internal communications without a password. And it contained 70,000 security camera videos from an apparent facial recognition trial program run in the lobby of a residential building in New York, showing residents entering and leaving the premises.

The company’s poor response

Clearview AI CEO and founder Hoan Ton-That has issued a statement claiming…
