Clearview AI leak names businesses using its facial recognition database

Thousands of organizations from around the globe gave the software a try.

One of the most vehement arguments against Clearview AI's practice of scraping billions of photos from millions of public websites to build its facial recognition database was that the company's data storage and security protocols were both untested and unregulated. On Wednesday, Clearview AI claimed that its facial recognition database was hacked, giving intruders access the the company's full client list, which Buzzfeed News has acquired.

Thousands of public law enforcement agencies and private companies are named in the client logs including Best Buy and Macy's, the Department of Justice including ICE, the CBP, Interpol, and the US Attorney's Office for the Southern District of New York, as well as a number of foreign states like the UAE.

Facial recognition software isn't exactly new, machine learning researchers have been hammering away at the challenge since the early '60s. But recent advances in processing systems as well as an explosion of available training data have rapidly advanced the state of the art in the past few years. Today, thanks to advanced machine learning and computer vision algorithms, facial recognition systems like Clearview AI are able to identify subjects -- even from grainy low-res security cam footage -- with startlingly high degrees of accuracy.

But while many of these autonomous systems are limited in capacity to mugshot databases that number in the hundreds of thousands of images, such as the one used in the one used in the 2018 ACLU test of Amazon's Rekognition software, Clearview has scraped 3 billion photos from millions of the internet's most popular social media and commerce sites -- from Facebook and YouTube to LinkedIn and PayPal. According to the documents acquired and verified by Buzzfeed, some 2,900 institutions in total have utilized the service since its launch. Out of those, 2,228 entities have performed nearly 500,000 searches.

The Department of Homeland Security for example, which runs the CBP, has more than 280 registered accounts which have run 7,500 searches. That's nothing compared to ICE, which racked up 8,000 searches from just 60 accounts associated with an El Paso, TX Homeland Security field office. The US Secret Service and FBI are also heavy users of the service with 5,600 and 5,700 searches respectively.

More than 200 private companies have also created accounts with the service. The list includes Las Vegas casinos, Madison Square Garden, the NBA, Wells Fargo, Bank of America, Kohl's, Albertson's and even Equinox. Yeah, the gym. Macy's tops the list with 6,000 searches from a paid account.

Despite the intrusion, the company remains nonplussed about its data system security. "Unfortunately, data breaches are part of life in the 21st century. Our servers were never accessed," Tor Ekeland, an attorney for the company, told the Daily Beast. "We patched the flaw, and continue to work to strengthen our security."

Update 2/27/2020 9:30pm ET: A representative from Madison Square Garden has clarified that MSG was never a Clearview AI customer saying, "We demoed the product last year and didn't even move forward with a trial."

Update 2/28/2020 2:08pm ET: A representative of the National Basketball Association has clarified that "While we conducted a limited test as we do with an array of potential vendors, we are not and have never been a client of this company."