We’re used to hearing that data is the new oil; another view holds that it is the new kryptonite. In the wrong hands, it can be deadly!
The AI technology company Clearview AI Inc. gained notoriety when its practices were exposed by the New York Times and BuzzFeed in January this year. The story of Clearview highlights the urgent need for federal regulation of privacy in the United States.
Clearview is an artificial intelligence technology start-up that used facial recognition, purportedly to assist law enforcement in solving crimes. It is also branching into live facial recognition CCTV. It has amassed over 3 billion photos scraped from websites such as Facebook, Twitter and Google. Those companies responded by issuing ‘cease and desist’ letters demanding that Clearview stop scraping photos and delete the banks of photos it already possesses.
It’s telling that Clearview itself prohibits scraping in its own terms of service, showing that it must be aware that it’s questionable, if not illegal, to do so. The CEO of Clearview, Hoan Ton-That, previously used a fake name on LinkedIn to advertise the company and has been accused of creating phishing scams in the past.
Perhaps unsurprisingly, ethical hackers took aim at Clearview on 27th February 2020. It had transpired that Clearview misled the public about its client list, adopting an apparently scattergun approach to seeking clients and selling its technology to non-law-enforcement companies such as Macy’s and Walmart. According to research by BuzzFeed, it has thousands of companies on its books across the world, from Texas and Saudi Arabia to Australia.
Furthermore, The New York Times has just exposed that before it sold the technology to law enforcement agencies, Clearview sold it to billionaires and celebrities as a plaything. The paper reports that a select few millionaires, such as the investor Ashton Kutcher, have had access to this app for months and have used it as a party game.
The company informed its clients by email that an “intruder” hacked into their client list. The information leaked also included the number of accounts and the number of searches conducted.
They did not elaborate on the nature of the hack. However, it is worth exploring further.
There are three scenarios:
Scenario 1. The databases and servers were hacked, in which case it would be a data breach on an unprecedented scale. The risks of abuse, for example identity theft, are huge.
Scenario 2. They think they are telling the truth. Their servers were hacked, but they are not even aware of it themselves.
Scenario 3. They are actually telling the truth, and what appears to be an ethical hacker targeted them for a reason we can only speculate on.
It is not clear what motivates ethical hackers. Perhaps an anonymous superhero swooped into Clearview’s systems in disguise to expose the truth behind its manoeuvres and deals. Perhaps he or she felt Clearview had a cavalier attitude to privacy, dignity and human rights. Perhaps they thought what Clearview did was an affront to the privacy and dignity of citizens across the globe. Perhaps they considered that the idea of individuals walking down the street, minding their own business, with their details exposed at the whim of a police officer, is a travesty of justice and moral bankruptcy.
The identity of these ethical hackers, or hacktivists, is unknown. It’s unknown who, if anyone, regulates them. Where are they registered? What’s in their constitution? Are they chartered or unionised? Most importantly, from which school of thought do they derive their ethics? The public have no idea what they base their ethics on, whether it be religion or philosophy or human rights. It’s an uncomfortable thought, but perhaps they only take action on a whim.
The regulation of data extraction, privacy and data protection in the United States is patchy at best. In a statement sent to news outlets, Tor Ekeland, Clearview’s attorney, claimed that they couldn’t comment because there was a federal investigation into the firm. This begs the question: which federal body could undertake such an investigation impartially, especially when Clearview’s clients include the FBI, the Department of Justice, Interpol, ICE and any of the 600 law enforcement agencies it has on its books in America?
Clearly, it would present an insurmountable conflict of interest for one of Clearview’s clients to investigate the company whose technology it is utilising. Not even the Attorney General would be in a position to investigate, because the Attorney General of Southern New York is using the technology. Two Senators have independently written to the company with questions. What kind of meaningful outcome from the so-called investigation could be expected when merely two Senators have written letters? Surely, that does not constitute a federal investigation.
After the breach was exposed, Clearview stated,
Unfortunately for the company, data breach notification laws exist in almost every state in America and in every country that ratified the GDPR. The GDPR and some state laws also provide a private right of action. Ironically, a new, stricter data breach law will be coming into force in New York on 21st March 2020. This time the hacker got his or her timing a bit wrong: they could have waited, and the company would have been subject to stricter sanctions. However, the company would then have to report the breach to the Attorney General, who is using its technology.
The GDPR contains a data breach notification obligation, and in cases where there is a high risk to the data subject, breaches should be reported to the Supervisory Authority of each country. However, Clearview claims its databases hold three billion photos, so one would have to question whether it even knows what it holds. It would require sorting through the photos and linking them to online accounts to identify which data subjects are EU citizens, which would seem almost impossible and would be another intrusion into their privacy.
Today, no one, except perhaps the hacker or users of the dark web, knows what the banks of photographs contain.
The only safeguard is an anonymous, self-proclaimed ethical hacker with unknown motivation, who may or may not decide to save the day. This story reinforces the idea that the US urgently needs a watertight federal privacy law with a stubbornly independent regulator.
Kazient Privacy Experts offers bespoke Data Protection, Privacy and GDPR compliance solutions, in a language you understand, to UK and international organisations, and has received positive media coverage across Europe. Kazient’s GDPR consultants are fully certified to be your outsourced Data Protection Officer or EU Representative. Get in touch to find out how we can help your business by visiting our website www.kazient.co.uk or calling us on 0330 022 9009.