Clearview AI: Data Breaches, Facial Recognition, & Protests

Hopefully, you’ve heard of Clearview AI.

Clearview AI is a New York-based company that provides facial recognition software powered by a database of more than 3 billion images that it scraped from across the Internet (including social media).

Clearview AI has received cease-and-desist letters from major platforms for this scraping, including Twitter (letter sent in January of 2020), YouTube (February of 2020) and Facebook (also February 2020). These cease-and-desist letters ask Clearview to stop scraping users publicly available data, and delete all the currently-collected data. Currently, Clearview AI has not complied.

A small bit of good news, though, as the ACLU recently announced that they are taking Clearview AI to court in Illinois.


The ACLU is suing Clearview AI for violating the Illinois Biometric Information Privacy Act (BIPA). BIPA requires that “companies that collect, capture, or obtain an Illinois resident’s biometric identifier — such as a fingerprint, faceprint, or iris scan — to first notify that individual and obtain their written consent”.

It probably goes without saying that since Clearview AI was scraping these social media sites in secret, it never obtained written permission from Illinois residents.

Clearview AI claims that it’s scraping actions are protected by the First Amendment. It seems strange to argue that collecting faceprints is speech, but I don’t have the legal training to determine the validity of that argument.

You can read the ACLU’s press release here.

Clearview AI Customers

Of course, Clearview AI has said that there massive facial recognition database was for law enforcement only (more on that later), but one of the two recent data breaches showed that’s not the case.

The February 2020 data breach of Clearview AI’s system showed that some of Clearview AI’s “law enforcement” customers include:

  • T-Mobile
  • Verizon
  • AT&T
  • Best Buy
  • Bank of America
  • Macy’s
  • The University of Alabama
  • The NBA
  • Equinox Fitness

There are dozens of Clearview AI “clients” who – far from being law enforcement – aren’t even in the security business. I don’t think a retail chain, phone company, or state school need access to law enforcement-grade facial recognition.

As an aside, Clearview AI also had a second data breach in April of 2020.

This one exposed internal files, source code, security credentials, apps (even beta apps), and even stored video footage. It’s not comforting that a company with access to so much potentially dangerous data can’t even manage to keep their virtual doors locked.

Clearview AI and Law Enforcement

One of the indisputable good things about the overwhelming prevalance of camera phones is that police brutality is being exposed more and more often.

It’s become especially important now, after the murders of George Floyd, Ahmaud Arbery, Breonna Taylor, David McAtee, and countless others at the hands of law enforcement. However, all these videos could have a big downside.

Since many of these videos are easily available on Facebook, Instagram, and Twitter, and since Clearview AI is already known to scrape these sites it seems trivial for law enforcement to use this tool to easily identify hundreds or thousands of protestors using a relatively short video clip.

This kind of danger has come to the attention of at least one senator, Edward Markey (D-Mass), who recently demanded that Clearview AI answer several questions related to recent protests, including:

  • Has search traffic on Clearview AI increased during the week of May 25 and June 1?
  • How does Clearview AI verify the indentiy of a client requesting a trial of Clearview AI?
  • Does Clearview AI consider “whether law enforcement agencies have a history of unlawful or discriminatory practices” when it offers them a trial or service?

I’m very glad that at least one senator is asking these questions. I hope (but have my doubts) that this could be a bipartisan effort, but we will see.

Protecting Your Digital Data

There are lots of things that you should do when you’re going to protest, but here are a few technology-related things you may not think of:

  • Wear a mask. Not only for COVID-19, but it will help obfuscate your face from facial recognition software.
  • Make sure your devices have a strong PIN or password. TURN OFF BIOMETRIC LOGINS (fingerprint or facial recognition). This will be a pain, but you can turn it back on after the protest.
  • Turn off all your cell phone’s radios. The best thing to do is have your phone in airplane mode – this will prevent geolocation features (Wi-Fi, Bluetooth, cell towers) from tracking you. If this isn’t feasable, at least disable Bluetooth (here’s why) and Wi-Fi.
  • Use a secure messaging app (like Signal). Telegram is more popular, but it’s security features are less out-of-the-box.

More information on protecting yourself while protesting is also available at the ACLU’s website.