Incident: Clearview AI Database Hacked, Exposing Client List and Privacy Concerns

Published Date: 2020-02-27

Postmortem Analysis
Timeline 1. The Clearview AI hack happened in February 2020, according to the article published on February 27, 2020 [95954].
System 1. Clearview AI's facial-recognition technology system [95954]
Responsible Organization 1. Hackers [95954]
Impacted Organization 1. Clearview AI's database [95954]
Software Causes 1. The software cause of the failure incident was a hack that allowed unauthorized access to Clearview AI's client list, compromising the security and privacy of the data [95954].
Non-software Causes 1. Unauthorized access by hackers to Clearview AI's client list [95954]
Impacts 1. The software failure incident involving Clearview AI being hacked resulted in unauthorized access to its client list, raising concerns about the privacy and security of the data [95954].
Preventions 1. Implementing robust cybersecurity measures such as regular security audits, penetration testing, and encryption to prevent unauthorized access to the database [95954].
2. Ensuring strict access controls and authentication mechanisms to protect sensitive client information [95954].
3. Conducting thorough vetting of third-party sources for data collection to avoid potential security vulnerabilities [95954].
Fixes 1. Implementing stronger security measures to prevent unauthorized access to the database [95954].
2. Conducting regular security audits and assessments to identify and patch vulnerabilities.
3. Obtaining explicit consent from individuals before using their facial recognition data.
4. Complying with requests from social media platforms to stop using photos from their platforms.
References 1. Clearview AI company statement to BBC News [95954]
2. Tim Mackey, principal analyst with security company Synopsys [95954]
3. Report in the Daily Beast [95954]
4. New York Times investigation [95954]
5. Twitter, YouTube, and Facebook statements demanding that Clearview AI stop using photos from their platforms [95954]
6. US senator Ron Wyden's tweet [95954]

Software Taxonomy of Faults

Category Option Rationale
Recurring one_organization (a) The software failure incident related to Clearview AI being hacked is an example of a similar incident happening again within the same organization. Clearview AI had faced a security breach where hackers gained access to its client list, although the company stated that its servers were not breached. This incident highlights a vulnerability in Clearview AI's system, indicating a failure in their security measures [95954]. (b) There is no specific information in the provided article about a similar incident happening at other organizations or with their products and services.
Phase (Design/Operation) design, operation (a) The software failure incident related to the design phase can be seen in the Clearview AI hack incident. The breach allowed hackers to gain access to Clearview AI's client list, indicating a security flaw in the design or implementation of their system [95954]. (b) The software failure incident related to the operation phase is evident in the unauthorized access that occurred in Clearview AI's system. Despite the company stating that their servers were not breached, an intruder managed to gain unauthorized access to their lists of customers, highlighting a failure in the operation or misuse of the system [95954].
Boundary (Internal/External) within_system, outside_system (a) within_system: The software failure incident in the Clearview AI case was due to a hack where hackers gained unauthorized access to the company's client list. The breach occurred within the system, indicating a vulnerability in Clearview AI's security measures [95954]. (b) outside_system: The incident also involved external factors as the hackers were able to access the database by exploiting a flaw in Clearview AI's system. Additionally, concerns were raised about the company's use of images scraped from the internet, indicating external sources of data being used in the system, which could have contributed to the failure [95954].
Nature (Human/Non-human) non-human_actions (a) The software failure incident in the Clearview AI case was due to non-human actions, specifically a hack. The company's database was hacked, allowing unauthorized access to its client list. Clearview AI stated that its servers were not breached, indicating that the breach was not due to human error but rather a security vulnerability that was exploited by hackers [95954].
Dimension (Hardware/Software) software (a) The software failure incident related to hardware: The article does not mention any hardware-related issues contributing to the software failure incident. Therefore, there is no information provided regarding hardware-related factors in this incident [95954]. (b) The software failure incident related to software: The software failure incident in this case was due to a hack on Clearview AI's database, which is a software-related issue. Hackers gained unauthorized access to the client list of Clearview AI, a company known for its facial-recognition technology [95954].
Objective (Malicious/Non-malicious) malicious (a) The software failure incident in this case is malicious. Clearview AI's database was hacked, allowing unauthorized access to its client list by hackers. The attack was intentional and aimed at gaining access to sensitive information stored by the company. The incident was described as an intrusion where an unauthorized party gained access to customer lists, indicating malicious intent [95954].
Intent (Poor/Accidental Decisions) poor_decisions (a) The software failure incident related to the hacking of Clearview AI's database can be attributed to poor decisions. Clearview AI's practice of scraping billions of photos from social media platforms without explicit consent raised privacy concerns and led to the unauthorized access of its client list by hackers. Additionally, the incident highlighted the problematic nature of combining facial recognition data with data from other sources like social media, enabling detailed user profiling without consent [95954].
Capability (Incompetence/Accidental) accidental (a) The software failure incident related to development incompetence is not explicitly mentioned in the provided article. Therefore, it is unknown whether the failure was due to contributing factors introduced due to lack of professional competence by humans or the development organization. (b) The software failure incident related to an accidental factor is evident in the article. Clearview AI's database was hacked, allowing unauthorized access to its client list. The company stated that its servers were not breached, indicating that the breach was accidental and not due to intentional actions to compromise the servers [95954].
Duration unknown The software failure incident reported in the article about Clearview AI being hacked does not specify the duration of the incident as being permanent or temporary. The article mainly focuses on the fact that Clearview AI's database was hacked, leading to unauthorized access to its client list, but it does not provide details on whether the effects of the hack were permanent or temporary [95954].
Behaviour value, other (a) crash: The article does not mention a crash incident related to the software failure. (b) omission: The software failure incident in the article is not related to the system omitting to perform its intended functions at an instance(s). (c) timing: The software failure incident in the article is not related to the system performing its intended functions correctly, but too late or too early. (d) value: The software failure incident in the article is related to the system performing its intended functions incorrectly. Clearview AI's database was hacked, allowing unauthorized access to its client list, which is a critical failure in terms of protecting sensitive data and privacy [95954]. (e) byzantine: The software failure incident in the article is not related to the system behaving erroneously with inconsistent responses and interactions. (f) other: The software failure incident in the article involves a security breach where hackers gained access to Clearview AI's client list, indicating a failure in maintaining the security and integrity of the system [95954].

IoT System Layer

Layer Option Rationale
Perception None None
Communication None None
Application None None

Other Details

Category Option Rationale
Consequence property, theoretical_consequence (d) property: People's material goods, money, or data was impacted due to the software failure. The software failure incident involving Clearview AI being hacked resulted in unauthorized access to its client list, which could potentially impact the privacy and security of the individuals on that list [95954]. Additionally, the incident raised concerns about the use of facial recognition technology and the collection of data from social media platforms without explicit consent, indicating a potential impact on individuals' data privacy and security.
Domain information, government (a) The software failure incident reported in the article is related to the information industry. Clearview AI's facial-recognition technology, which was hacked, is primarily used by US law enforcement agencies to identify suspects by analyzing the vast database of photographs collected from social media platforms like Facebook, YouTube, and Twitter [95954].
